Archive for the ‘Program Analysis’ Category

The Perfect IDS Signature: Fact or Fiction?

Sunday, October 14th, 2007

This past week at the Blue Hat security conference, Lurene Grenier from Sourcefire gave an impressive presentation about exploit and signature development. She rapidly creates proof-of-concept exploits following Microsoft’s patch release on the second Tuesday of every month. Thanks to years of experience, the whole process only takes a few hours. It would be exceedingly difficult for prospective hackers to create and use a weaponized exploit any faster than signatures are pushed out by intrusion detection system (IDS) vendors. However, it may be possible to create a working exploit that escapes detection entirely. This article takes a look at issues related to completeness of IDS signatures.

USENIX Security Presentation: Automatic Discovery of Deviations in Binary Implementations

Tuesday, August 21st, 2007

David Brumley gave a presentation at the USENIX Security conference about automatically generating program inputs that cause different outputs across implementations, for use in fingerprint generation and error detection. The paper won the best paper award. Brumley et al. developed a system that analyzes execution for a given starting input and looks for differences in the internal decision-making process between two programs. It then examines the two execution paths and attempts to derive an input that will cause only one of the programs to end up in the original output state. Finally, it checks whether the new input actually generates different outputs for the two programs. The authors tested their system with three HTTP and two NTP implementations, and were able to automatically derive inputs that exposed deviations across the different programs. This article discusses the applicability of their approach and its limitations when trying to differentiate very similar programs.