Automatic Discovery of Evasion Vulnerabilities Using Targeted Protocol Fuzzing

Presented at Black Hat Europe 2017, Dec. 6, 2017, 11:45 a.m. (60 minutes)

Network protocol normalization and reassembly are the basis of traffic inspection performed by NGFW and IPS devices. Even common network protocols are complex, with multiple possible interpretations for the same traffic sequence. We present a novel method for automated discovery of errors in traffic normalization by targeted protocol stack fuzzing. These errors can be used by attackers to evade detection and bypass security devices. We will demonstrate the techniques against up-to-date security devices and show that many security devices still have basic evasion vulnerabilities. The tools used will be publicly available after this presentation.


Presenters:

  • Olli-Pekka Niemi - Director of Research, Forcepoint
    Olli-Pekka Niemi has been working with internet security since 1996. He started his career with two hats, penetration tester and sysadmin. In December 2000, he joined a Finnish security company called Stonesoft and founded an IPS development project. Ever since, he has been developing intrusion prevention systems and firewalls. Currently Mr. Niemi works at Forcepoint, where he is director of research, focusing on security research, emerging threats and new technologies. Mr. Niemi has given presentations at numerous security conferences such as T2, DeepSec, Positive Hack Days, 44con, B-Sides LV, SIGCOMM and Black Hat.
  • Antti Levomäki - Research Scientist, Forcepoint
    Antti Levomäki is a Research Scientist at Forcepoint, where his work focuses on researching network evasion techniques and writing testing tools. He holds a Master of Computer Science degree from the University of Helsinki, and has spoken at a number of security conferences including Black Hat USA and T2. In his free time he writes fuzzers and breaks things.
