I feel like finding good information on types of vulnerabilities affecting different technologies has become much harder. Regardless of what you look for, the first few pages are vendor blogs with copy/pasted fragments of handwavy explanations compiled by marketing departments.

I don't like CVSS scores. That's not how you talk about art.

Yay! Our proposal for BSides Cape Town was accepted! David Baker Effendi and I will be speaking about the real-world challenges of automatically extracting gadget chains for Java deserialization vulnerabilities.

BSides Cape Town is excited to announce our next speaker! Speaker: David Baker Effendi / Fabian Yamaguchi Title: Forging Chains: The Java Blacksmith Track and timing to follow! Follow them on X: David Baker Effendi / Fabian Yamaguchi Tickets on Sale Now! quicket.co.za/events/216929-…

I will be giving a keynote talk entitled "Everything is (still) broken - looking back on 20 years of hacking" at threatcon.co.za in the "Securing the Network" session. I have a feeling this will be therapeutic for me and traumatic for the audience.

Here are the slides of this morning's talk "Everything is (still) broken - looking back at 20 years of hacking." whirlylabs.com/pdf/threat2023… - don't take it too serious, I know I don't.

3013e3f8f222328e4ef3bb75f940124d43c6b6a4276f2e3265c22612f872c1f9 (SHA256 - amusing bug in a web framework).

We presented the first iteration of our work on mining Java deserialization gadgets at BSides Cape Town. This includes exploit chains against ZK framework and Groovy. Slides are available at whirlylabs.com/pdf/bsides2023… - recording will follow.

The cat's out of the bag! The sha256 sums we tweeted coming up to the event were the PoC exploits we presented at BSides Cape Town. We only had so much time, and so many more gadgets to show, but we're confident we made our point - don't use `readObject`!

Articles worth reading discovered last week: 🗞 whirlylabs.com/pdf/bsides2023… 🗞 portswigger.net/research/blind… 🗞 cwiki.apache.org/confluence/plu… 🗞 github.blog/2023-12-06-cue… 🗞 synacktiv.com/sites/default/… 🗞 pathonproject.com/zb/?c7abeb823e… #PentesterLabWeekly

Forging Chains: The Java Blacksmith by Fabian Yamaguchi & David Baker Effendi youtube.com/watch?v=8qo0ZG…

One of the two Test of Time awards is „Modeling and Discovering Vulnerabilities with Code Property Graphs“ (sec.cs.tu-bs.de/pubs/2014-ieee…) - pretty cool paper with lots of impact. Congratulations Fabian Yamaguchi, Konrad Rieck 🌈, Daniel Arp and Nico Golde 🎉

Amazing! Thank you for this award, it is a great honor. Thank you also to my co-authors and friends Daniel Arp Konrad Rieck 🌈 and Nico Golde!

Today, Felix is presenting our SoK paper on target selection for directed fuzzing at AsiaCCS. We analyzed 9 common selection methods on 1600 crashes, and guess what: simple software metrics still outperform all others. LLMs come in second only😲 mlsec.org/docs/2024c-asi…

And, Jonas is presenting our work on differential testing of JSON parsers at AsiaCCS. We introduce a new testing approach and apply it to 22 parsers. We find countless discrepancies🤷‍♂️. Key result: Ask two JSON parsers, and you'll get three opinions. mlsec.org/docs/2024b-asi…

Finally, we're presenting our paper on pre-trained embeddings for binary code analysis at AsiaCCS! We evaluated recent embeddings for assembly code. Surprisingly, they mostly didn't improve performance😢Pre-training is cool but not always necessary. mlsec.org/docs/2024a-asi…

Concerning Crowdstrike, the big question on my mind is not what the concrete bug was but rather how a bug that prevents the machine from booting made it through automated testing. Was it a corner case? Then why were so many installations affected?

I think a big problem in the security industry is how much compliance matters compared to security. If it was about security, a lot of the big products would not sell.

I don't think it matters whether it's a null pointer deref or a buffer over-read. What matters is that it blue screens and still makes it through testing, which suggest that QA at the smoke test level was not performed.

𝐁𝐒𝐢𝐝𝐞𝐬 𝐂𝐚𝐩𝐞 𝐓𝐨𝐰𝐧 is proud to announce WHIRLYLABS as one of our SILVER Sponsors this year! whirlylabs.com - "Educate & Automate" Grab your tickets today: linktr.ee/bsidescpt