The Cost of Complexity: Different Vulnerabilities While Implementing the Same RFC

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 12:30 p.m. (40 minutes)

Our presentation discusses a simple question: what is the security cost of complexity and ambiguity, measured in terms of vulnerable implementations?

To explore this question, we analyzed a very specific part of multiple TCP/IP stacks: their implementation of RFC 1035, sub-chapter 4.1.4, titled "Message Compression". This part of the specification is less than 500 words long and is not as complex as its name might suggest. However, as it turns out, it is quite tricky to implement.

Our research shows that these few lines of specification, which may be solving a problem that no longer exists, were implemented in multiple different ways, with different interpretations, and interestingly with similar vulnerabilities in several stacks. In total, including our own vulnerabilities and those previously reported, we will discuss over 15 stacks with vulnerable implementations of this feature.

We will describe how exploits for these vulnerabilities can be detected using common and not too complex rules, and talk about what this means for vulnerability research, e.g., whether this approach could be used to discover close variants of vulnerabilities that exist across codebases.
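As an added illustration of why sub-chapter 4.1.4 is tricky, the decoder below parses a compressed DNS name while enforcing the checks a defender expects. It is example code written for this page, not code from the talk or from any of the stacks it analyzes; the sample messages are constructed, and the pointer-hop cap (MAX_POINTERS) is an assumed guard rather than an RFC value. It demonstrates that the RFC's "pointer to a prior occurrence" rule alone does not rule out loops, because a backward pointer can land inside a label whose data extends past the pointer, so a visited set or hop cap is still required. The conditions it rejects (forward or self pointers, reserved label types, labels running past the message, names over 255 octets, pointer loops) are the same malformed-message properties a simple detection rule would flag.

```python
"""Defensive decoder for RFC 1035 section 4.1.4 "Message Compression".

Added example, not code from the talk or from any analyzed TCP/IP stack.
All sample messages below are constructed for this demonstration.
"""
from typing import List, Optional, Set, Tuple

MAX_NAME_LEN = 255   # RFC 1035 2.3.4: whole-name limit in octets
MAX_POINTERS = 32    # assumed hop cap; an extra guard on top of the visited set


class DnsNameError(ValueError):
    """Raised when a name violates the RFC or the message bounds."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name starting at `offset`.

    Returns (name, offset_after_name). The returned offset is just past the
    terminating zero label, or just past the first pointer if one was followed,
    because a pointer ends the in-line part of the name.
    """
    labels: List[str] = []
    total_len = 0
    pos = offset
    end_pos: Optional[int] = None   # where the caller resumes; set once
    hops = 0
    visited: Set[int] = set()       # pointer targets already followed

    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        kind = length & 0xC0
        if kind == 0xC0:                       # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end_pos is None:
                end_pos = pos + 2
            # The RFC only allows pointers to a *prior* occurrence, so a
            # forward or self pointer is always malformed.
            if target >= pos:
                raise DnsNameError(f"forward or self pointer to {target} at {pos}")
            # A backward pointer can still land inside label data that spans
            # past this pointer, which re-enters the same bytes: detect loops.
            if target in visited:
                raise DnsNameError("pointer loop")
            visited.add(target)
            hops += 1
            if hops > MAX_POINTERS:
                raise DnsNameError("too many compression pointers")
            pos = target
            continue
        if kind != 0:                          # 01xxxxxx / 10xxxxxx: reserved
            raise DnsNameError(f"reserved label type 0x{kind:02x} at {pos}")
        # kind == 0 also implies length <= 63, the RFC's per-label maximum
        if length == 0:                        # root label: end of name
            if end_pos is None:
                end_pos = pos + 1
            break
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        total_len += length + 1
        if total_len > MAX_NAME_LEN:
            raise DnsNameError("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", end_pos


def decode_or_error(msg: bytes, offset: int):
    """Convenience wrapper: ('ok', name, end) or ('error', reason, None)."""
    try:
        name, end = read_name(msg, offset)
        return ("ok", name, end)
    except DnsNameError as exc:
        return ("error", str(exc), None)


# Constructed samples (raw name sections only, no DNS header).
SAMPLE_OK = b"\x03www\x07example\x03com\x00\x04mail\xc0\x04"   # mail -> offset 4
SAMPLE_FORWARD = b"\xc0\x02\x03foo\x00"                        # pointer ahead of itself
SAMPLE_TRUNC = b"\x05abc"                                      # label longer than message
SAMPLE_TOO_LONG = (b"\x3f" + b"a" * 63) * 4 + b"\x00"           # 4 x 64 octets > 255
# Loop built only from backward pointers: 9 -> 3 -> 0, then the 8-octet label
# at 0 runs to 9, whose pointer goes back to 3 again.
SAMPLE_LOOP = b"\x08ab\xc0\x00efgh\xc0\x03"

if __name__ == "__main__":
    for label, msg, off in [("ok", SAMPLE_OK, 17), ("forward", SAMPLE_FORWARD, 0),
                            ("trunc", SAMPLE_TRUNC, 0), ("too-long", SAMPLE_TOO_LONG, 0),
                            ("loop", SAMPLE_LOOP, 9)]:
        print(label, decode_or_error(msg, off))
```

The loop sample is the interesting one: every pointer in it points strictly backwards, so an implementation that relies on the "prior occurrence" wording alone never terminates, while the visited set (or, failing that, the 255-octet total) stops it.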

Presenters:

  • Shlomi Oberman - CEO, JSOF
    Shlomi Oberman is an experienced security researcher and leader with over a decade of experience in security research and product security. In the past few years, his interest has been helping secure software, both while it is being written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and has many years of experience in the private sector working with companies who are leaders in their field. He has spoken internationally and his research has been presented at industry conferences such as Black Hat and DEF CON, as well as other conferences. He is also an experienced teacher, training researchers and engineers in embedded exploitation and secure coding, as well as an organizer of local community cyber-security events. Shlomi has the unique advantage of a broad technical understanding of the security field as well as deep knowledge of an attacker's mindset, which is extremely useful when securing software. Prior to founding JSOF, Shlomi worked as an independent consultant, where he advised and performed R&D for many leading companies.
  • Daniel dos Santos - Security Researcher, Forescout Technologies
    Daniel dos Santos holds a PhD in computer science from the University of Trento, Italy, has published over 30 journal and conference papers on cybersecurity and has spoken at conferences such as Black Hat Europe. He has experience in software development, security testing, and research. He is now a Research Manager at Forescout Technologies, leading a vulnerability and threat research team, as well as collaborating on the research and development of innovative features for network security monitoring.
