Fabian Yamaguchi (@fabsx00) 's Twitter Profile
Fabian Yamaguchi

@fabsx00

Vulnerabilities and Exploits. CTO/Founder @whirlylabs, Core developer @joernio, Professor @StellenboschUni

ID: 108579648

https://fabianyamaguchi.com | 26-01-2010 11:28:01

1.1K Tweets

3.3K Followers

469 Following

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

I feel like finding good information on types of vulnerabilities affecting different technologies has become much harder. Regardless of what you look for, the first few pages are vendor blogs with copy/pasted fragments of handwavy explanations compiled by marketing departments.

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

Yay! Our proposal for BSides Cape Town was accepted! David Baker Effendi and I will be speaking about the real-world challenges of automatically extracting gadget chains for Java deserialization vulnerabilities.

BSides Cape Town (@bsidescapetown) 's Twitter Profile Photo

BSides Cape Town is excited to announce our next speaker!

Speaker: David Baker Effendi / Fabian Yamaguchi
Title: Forging Chains: The Java Blacksmith

Track and timing to follow!
Follow them on X: David Baker Effendi / Fabian Yamaguchi

Tickets on Sale Now! quicket.co.za/events/216929-…

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

I will be giving a keynote talk entitled "Everything is (still) broken - looking back on 20 years of hacking" at threatcon.co.za in the "Securing the Network" session. I have a feeling this will be therapeutic for me and traumatic for the audience.

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

Here are the slides of this morning's talk "Everything is (still) broken - looking back at 20 years of hacking." whirlylabs.com/pdf/threat2023… - don't take it too seriously, I know I don't.

WHIRLYLABS (@whirlylabs) 's Twitter Profile Photo

We presented the first iteration of our work on mining Java deserialization gadgets at BSides Cape Town. This includes exploit chains against ZK framework and Groovy. Slides are available at whirlylabs.com/pdf/bsides2023… - recording will follow.

David Baker Effendi (@sdbakereffendi) 's Twitter Profile Photo

The cat's out of the bag! The sha256 sums we tweeted coming up to the event were the PoC exploits we presented at BSides Cape Town. We only had so much time, and so many more gadgets to show, but we're confident we made our point - don't use `readObject`!

PentesterLab (@pentesterlab) 's Twitter Profile Photo

Articles worth reading discovered last week: 🗞 whirlylabs.com/pdf/bsides2023… 🗞 portswigger.net/research/blind… 🗞 cwiki.apache.org/confluence/plu… 🗞 github.blog/2023-12-06-cue… 🗞 synacktiv.com/sites/default/… 🗞 pathonproject.com/zb/?c7abeb823e… #PentesterLabWeekly

Thorsten Holz (@thorstenholz) 's Twitter Profile Photo

One of the two Test of Time awards is „Modeling and Discovering Vulnerabilities with Code Property Graphs“ (sec.cs.tu-bs.de/pubs/2014-ieee…) - pretty cool paper with lots of impact. Congratulations Fabian Yamaguchi, Konrad Rieck 🌈, Daniel Arp and Nico Golde 🎉

Konrad Rieck 🌈 (@mlsec) 's Twitter Profile Photo

Today, Felix is presenting our SoK paper on target selection for directed fuzzing at AsiaCCS. We analyzed 9 common selection methods on 1600 crashes, and guess what: simple software metrics still outperform all others. LLMs come in second only😲 mlsec.org/docs/2024c-asi…

Konrad Rieck 🌈 (@mlsec) 's Twitter Profile Photo

And, Jonas is presenting our work on differential testing of JSON parsers at AsiaCCS. We introduce a new testing approach and apply it to 22 parsers. We find countless discrepancies🤷‍♂️. Key result: Ask two JSON parsers, and you'll get three opinions. mlsec.org/docs/2024b-asi…

Konrad Rieck 🌈 (@mlsec) 's Twitter Profile Photo

Finally, we're presenting our paper on pre-trained embeddings for binary code analysis at AsiaCCS! We evaluated recent embeddings for assembly code. Surprisingly, they mostly didn't improve performance 😢 Pre-training is cool but not always necessary. mlsec.org/docs/2024a-asi…

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

Concerning Crowdstrike, the big question on my mind is not what the concrete bug was but rather how a bug that prevents the machine from booting made it through automated testing. Was it a corner case? Then why were so many installations affected?

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

I think a big problem in the security industry is how much compliance matters compared to security. If it was about security, a lot of the big products would not sell.

Fabian Yamaguchi (@fabsx00) 's Twitter Profile Photo

I don't think it matters whether it's a null pointer deref or a buffer over-read. What matters is that it blue screens and still makes it through testing, which suggests that QA at the smoke test level was not performed.

BSides Cape Town (@bsidescapetown) 's Twitter Profile Photo

𝐁𝐒𝐢𝐝𝐞𝐬 𝐂𝐚𝐩𝐞 𝐓𝐨𝐰𝐧 is proud to announce WHIRLYLABS as one of our SILVER Sponsors this year! whirlylabs.com - "Educate & Automate" Grab your tickets today: linktr.ee/bsidescpt
