jabley + security   726

Erays: Reverse Engineering Ethereum’s Opaque Smart Contracts
Interacting with Ethereum smart contracts can have potentially devastating financial consequences. In light of this, several regulatory bodies have called for a need to audit smart contracts for security and correctness guarantees. Unfortunately, auditing smart contracts that do not have readily available source code can be challenging, and there are currently few tools available that aid in this process. Such contracts remain opaque to auditors. To address this, we present Erays, a reverse engineering tool for smart contracts. Erays takes in smart contracts from the Ethereum blockchain, and produces high-level pseudocode suitable for manual analysis. We show how Erays can be used to provide insight into several contract properties, such as code complexity and code reuse in the ecosystem. We then leverage Erays to link contracts with no previously available source code to public source code, thus reducing the overall opacity in the ecosystem. Finally, we demonstrate how Erays can be used for reverse-engineering in four case studies: high-value multisignature wallets, arbitrage bots, exchange accounts, and finally, a popular smart-contract game, Cryptokitties. We conclude with a discussion regarding the value of reverse engineering in the smart contract ecosystem, and how Erays can be leveraged to address the challenges that lie
infosec  security  filetype:pdf  paper  toread  contracts  ethereum  cryptocurrency  vm  reverse-engineering 
august 2018 by jabley
So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
security  infosec  usability  paper  filetype:pdf  economics  time  risk 
august 2018 by jabley
Man-in-the-Machine: Exploiting Ill-Secured Communication Inside the Computer
Operating systems provide various inter-process communication (IPC) mechanisms. Software applications typically use IPC for communication between frontend and backend components, which run in different processes on the same computer. This paper studies the security of how the IPC mechanisms are used in PC, Mac and Linux software. We describe attacks where a nonprivileged process impersonates the IPC communication endpoints. The attacks are closely related to impersonation and man-in-the-middle attacks on computer networks but take place inside one computer. The vulnerable IPC methods are ones where a server process binds to a name or address and waits for client communication. Our results show that application developers are often unaware of the risks and secure practices in using IPC. We find attacks against several security-critical applications including password managers and hardware tokens, in which another user’s process is able to steal and misuse sensitive data such as the victim’s credentials. The vulnerabilities can be exploited in enterprise environments with centralized access control that gives multiple users remote or local login access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
paper  filetype:pdf  infosec  password-manager  vulnerability  security 
august 2018 by jabley
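The endpoint-impersonation class the abstract describes, shown on one IPC mechanism as an added example (this is not code from the paper, which covers several IPC types across PC, Mac and Linux; here only Unix domain sockets are used). A backend binds a well-known name; a process belonging to another local user can bind that name first if the name lives somewhere anyone can write, and a frontend that connects blindly hands it the secret. The hardened client applies the checks a practitioner would want before sending anything: the socket file and its directory must belong to the expected user and the directory must not be group- or world-writable, and on Linux the kernel is asked for the peer's uid with SO_PEERCRED. All paths, the "shared" and "private" directories and the token are constructed for the demo.

```python
"""Impersonating a named local IPC endpoint, and the checks that defeat it.

Added demonstration; assumes Unix domain sockets and a POSIX host. The
"attacker" here is simulated in the same process, so the SO_PEERCRED check
cannot distinguish it by uid; the directory/ownership policy is what rejects it.
"""
import os
import socket
import stat
import struct
import tempfile
import threading


def serve_once(path, reply=b"ok"):
    """Bind a Unix-domain socket at `path`, accept one client in a thread,
    record what it sent, answer with `reply`. Returns (record, thread)."""
    received = {}
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            received["data"] = conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return received, t


def naive_client(path, secret):
    """Frontend that trusts whoever is listening at the well-known name."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(secret)
        return c.recv(4096)


def endpoint_is_trustworthy(path, expected_uid):
    """Before connecting: the name must be a socket owned by `expected_uid`,
    in a directory owned by that uid that nobody else can write to (otherwise
    another local user could have claimed the name first)."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode) or st.st_uid != expected_uid:
        return False
    d = os.lstat(os.path.dirname(path))
    if d.st_uid != expected_uid or d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def peer_uid(conn):
    """After connecting: ask the kernel who holds the other end
    (Linux SO_PEERCRED). Returns None where the option is unavailable."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def careful_client(path, secret, expected_uid):
    """Frontend that verifies the endpoint before and after connecting.
    Returns the reply, or None if the endpoint is refused."""
    if not endpoint_is_trustworthy(path, expected_uid):
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        uid = peer_uid(c)
        if uid is not None and uid != expected_uid:
            return None
        c.sendall(secret)
        return c.recv(4096)


def demo():
    base = tempfile.mkdtemp()
    # Constructed: a /tmp-like directory any local user can create names in.
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    # Constructed: a directory only the backend's own user can write to.
    private = os.path.join(base, "private")
    os.mkdir(private, 0o700)
    me = os.getuid()
    secret = b"token=hunter2"  # constructed credential

    # Attacker claims the well-known name in the shared directory first.
    attacker_sock = os.path.join(shared, "backend.sock")
    stolen, t1 = serve_once(attacker_sock, reply=b"fake-ok")
    naive_reply = naive_client(attacker_sock, secret)
    t1.join()
    # Hardened client rejects the same name before sending anything.
    careful_shared = careful_client(attacker_sock, secret, me)

    # Legitimate backend in the private directory passes both checks.
    legit_sock = os.path.join(private, "backend.sock")
    got, t2 = serve_once(legit_sock)
    careful_private = careful_client(legit_sock, secret, me)
    t2.join()

    return {
        "leaked_to_attacker": stolen.get("data"),
        "naive_reply": naive_reply,
        "careful_shared": careful_shared,
        "careful_private": careful_private,
        "legit_received": got.get("data"),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership and directory-mode check covers the bind-first race the paper describes; the SO_PEERCRED check is the one that matters on a real multi-user host, where the impersonating process runs under a different uid, and a backend should apply the same check on its side before acting on a client's request.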
How to generate 2TB/s reflection DDoS data flow via a family network
filetype:pdf  security  memcached  udp  network  attack  amplification  paper  infosec  vulnerability 
march 2018 by jabley