jabley + infosec   143

Erays: Reverse Engineering Ethereum’s Opaque Smart Contracts
Interacting with Ethereum smart contracts can have potentially
devastating financial consequences. In light of
this, several regulatory bodies have called for a need to
audit smart contracts for security and correctness guarantees.
Unfortunately, auditing smart contracts that do
not have readily available source code can be challenging,
and there are currently few tools available that aid in
this process. Such contracts remain opaque to auditors.
To address this, we present Erays, a reverse engineering
tool for smart contracts. Erays takes in a smart contract
from the Ethereum blockchain, and produces high-level
pseudocode suitable for manual analysis. We show how
Erays can be used to provide insight into several contract
properties, such as code complexity and code reuse in
the ecosystem. We then leverage Erays to link contracts
with no previously available source code to public source
code, thus reducing the overall opacity in the ecosystem.
Finally, we demonstrate how Erays can be used for
reverse-engineering in four case studies: high-value multisignature
wallets, arbitrage bots, exchange accounts, and
finally, a popular smart-contract game, Cryptokitties. We
conclude with a discussion regarding the value of reverse
engineering in the smart contract ecosystem, and how
Erays can be leveraged to address the challenges that lie
infosec  security  filetype:pdf  paper  toread  contracts  ethereum  cryptocurrency  vm  reverse-engineering 
august 2018 by jabley
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
It is often suggested that users are hopelessly lazy and
unmotivated on security questions. They choose weak
passwords, ignore security warnings, and are oblivious
to certificate errors. We argue that users’ rejection
of the security advice they receive is entirely rational
from an economic perspective. The advice offers to
shield them from the direct costs of attacks, but burdens
them with far greater indirect costs in the form of effort.
Looking at various examples of security advice we find
that the advice is complex and growing, but the benefit
is largely speculative or moot. For example, much of the
advice concerning passwords is outdated and does little
to address actual threats, and fully 100% of certificate
error warnings appear to be false positives. Further, if
users spent even a minute a day reading URLs to avoid
phishing, the cost (in terms of user time) would be two
orders of magnitude greater than all phishing losses.
Thus we find that most security advice simply offers a
poor cost-benefit tradeoff to users and is rejected. Security
advice is a daily burden, applied to the whole
population, while an upper bound on the benefit is the
harm suffered by the fraction that become victims annually.
When that fraction is small, designing security
advice that is beneficial is very hard. For example, it
makes little sense to burden all users with a daily task
to spare 0.01% of them a modest annual pain.
security  infosec  usability  paper  filetype:pdf  economics  time  risk 
august 2018 by jabley
Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer
Operating systems provide various inter-process communication
(IPC) mechanisms. Software applications typically
use IPC for communication between frontend and
backend components, which run in different processes
on the same computer. This paper studies the security
of how the IPC mechanisms are used in PC, Mac and
Linux software. We describe attacks where a nonprivileged
process impersonates the IPC communication endpoints.
The attacks are closely related to impersonation
and man-in-the-middle attacks on computer networks but
take place inside one computer. The vulnerable IPC
methods are ones where a server process binds to a name
or address and waits for client communication. Our results
show that application developers are often unaware
of the risks and secure practices in using IPC. We find attacks
against several security-critical applications including
password managers and hardware tokens, in which
another user’s process is able to steal and misuse sensitive
data such as the victim’s credentials. The vulnerabilities
can be exploited in enterprise environments with
centralized access control that gives multiple users remote
or local login access to the same host. Computers
with guest accounts and shared computers at home are
similarly vulnerable.
paper  filetype:pdf  infosec  password-manager  vulnerability  security 
august 2018 by jabley
How to generate 2TB/s reflection DDoS data flow via a family network
filetype:pdf  security  memcached  udp  network  attack  amplification  paper  infosec  vulnerability 
march 2018 by jabley
Browser Security White Paper
This white paper provides a technical comparison of the security features and attack surface of Google
Chrome, Microsoft Edge, and Internet Explorer. We aim to identify which browser provides the highest level
of security in common enterprise usage scenarios, and show how differences in design and implementation
of various security technologies in modern web browsers might affect their security.
Comparisons are done using a qualitative approach since many issues regarding browser security cannot
easily be quantified. We focus on the weaknesses of different mitigations and hardening features and take
an attacker’s point of view. This should give the reader an impression about how easy or hard it is to attack
a certain browser.
The analysis has been sponsored by Google. X41 D-Sec GmbH accepted this sponsorship on the condition
that Google would not interfere with our testing methodology or control the content of our paper. We
are aware that we could unconsciously be biased to produce results favorable to our sponsor, and have
attempted to eliminate this by being as transparent as possible about our decision-making processes and
testing methodologies.
browser  edge  chrome  ie  web  security  paper  infosec  filetype:pdf 
september 2017 by jabley