What a roller coaster of a year! Well, outside of our office. Inside, 2017 was excellent.
We published novel research that advanced – among others – the practices of automated bug discovery, symbolic execution, and binary translation. In the process, we improved many foundational tools that an increasing number of security researchers will come to rely on. We scaled up our work on securing smart contracts and established ourselves as a premiere blockchain security firm. Finally, as in years past, we shared what lessons we could and supported others to do the same.
Whether you’re a client, a long-time follower, or a budding security researcher, thank you for your interest and contribution.
Below, find 12 highlights from 2017; each one is a reason to stick around in 2018.
This field really picked up momentum in 2017. If you weren’t paying close attention, the flurry of developments was easy to miss. That’s why we gave a tour of the field’s recent advances at IT Defense, BSidesLisbon, and CyCon.
But ‘unused tools don’t find bugs,’ and many roadblocks still stand in the way of widespread adoption. We’re changing that in the defense industry. We won contracts with Lockheed Martin and the Department of Defense’s DIUx to apply and scale our Cyber Reasoning System.
If you’re wondering about the future role of humans in the secure development lifecycle, we maintain that these tools will always require expert operators.
If you’re on a team developing an automated bug discovery tool, you’ll be happy to know that we ported the CGC’s Challenge Binaries to Windows, macOS, and Linux. Now you have an objective benchmark for evaluating your tool’s performance.
Need something to watch this Friday afternoon? How about Dan Guido speaking on the Smart Fuzzer Revolution? https://t.co/WK2eoXQJms
— Tony Towry (@anthonytowry) August 11, 2017
We open-sourced Manticore, to some applause in the community. Manticore is a highly flexible symbolic execution tool, which we rely on for binary analysis and rapid prototyping of new research techniques.
Parts of Manticore underpinned our symbolic execution capabilities in the Cyber Grand Challenge. Since then, it has been an integral component of our research for DARPA’s LADS (Leveraging the Analog Domain for Security) program.
In only one year after Manticore’s public release, we’ve adapted the tool to amplify the abilities of smart contract auditors and contribute to the security of the Ethereum platform. In December, we explained how we use Manticore for our work on Ethereum Virtual Machine (EVM) bytecode. When applied to Ethereum, symbolic execution can automatically discover functions in a compiled contract, generate transactions to trigger contract states, and check for failure states.
In early 2017, we decided to give McSema a fresh coat of paint. We cleaned up the code, and made it more portable and easier to install. It ran faster. The code it produced was better. But we knew we could push it further.
Since we released McSema four years ago, programs have adopted modern x86 features at an increasing rate, and our lifting goals have expanded to include AArch64, the architecture used by modern smartphones.
So, we made a series of major enhancements. For example, we completely separated the instruction semantics from the control flow recovery and created Remill. McSema is now a client that uses the Remill library for binary lifting. To borrow an analogy, McSema is to Remill as Clang is to LLVM. If you want access to lifting capabilities in your own app, you should use Remill.
The work that the ToB folks are doing with McSema / Remill is *really* cool. Binary -> LLVM IR lifting, compilable back to other archs. https://t.co/oATeOx1XGG
— Nick Mooney (@wellhydrated) January 24, 2018
In response to the surge of interest in Ethereum smart contracts and blockchain technology, we launched new services and created tools that offer verifiable security gains to the community. We adapted Manticore into an industry-leading security tool, and developed a suite of additional tools that help others write more secure smart contracts.
In a short period of time, we’ve become one of the industry’s most trusted providers of audits, tools, and best practices for securing smart contracts and their adjacent technologies. We’ve secured token launches, decentralized apps, and entire blockchain platforms. See our public reports for RSK and DappHub’s Sai.
We focused the year’s final Empire Hacking meetup on how to write secure smart contracts, and how to hack them. Two of the six speakers came from our team. In November, we were the first to finish Zeppelin’s Ethereum CTF, Ethernaut.
We became the first information security company to join the Enterprise Ethereum Alliance (EEA), the world’s largest open source blockchain initiative. As one of the industry’s top smart contract auditors, we’re excited to contribute our unparalleled expertise and unique toolset to the EEA’s working groups.
Following our port of Facebook’s open source endpoint instrumentation and monitoring agent to Windows in 2016, we’ve continued to contribute to osquery’s development and adoption.
We made foundational enhancements that increased the framework’s raw capabilities. Adding auditd-based file integrity monitoring required a redesign from the ground up. As a result, end users get better performance, no fake or broken events, and new file integrity monitoring.
Among numerous other improvements, we showed how osquery can find notable industry issues like the CCleaner malware, and contributed the features needed to detect them. For additions that aren’t native operating system functions, we’ve created a maintained repository of osquery extensions.
In an effort to promote osquery’s long-term success, we shared the experiences, pains and wishes of users at five major tech firms. We hope the findings will help the community to chart a course forward, and help the undecided to determine if and how to deploy osquery in their companies.
I've known @dguido and the @trailofbits crew for a long time and I absolutely love this blog series that they're doing on the @osquery community. I can't wait to read the rest of their articles! https://t.co/JcYlcZuMZ8
— Mike Arpaia (@mikearpaia) November 9, 2017
We released iVerify, an App-Store-compatible library of the most comprehensive iOS jailbreak checks in the industry. The checks are maintained by our team of experts, some of the world’s foremost authorities in iOS security internals.
App developers deserve to know when their apps are installed on jailbroken phones. However, ineffective jailbreak detection can be worse than no jailbreak detection at all.
iVerify detects jailbreaks on iOS 10 and 11 right now. We’re committed to updating the library as new versions of iOS are released, and as more effective checks capable of finding known and unknown jailbreaks are developed.
In late 2016, we released Algo, our self-hosted personal VPN server. Algo is designed for ease of deployment and security: it relies only on modern protocols and ciphers, it includes only the minimal software you need, and it’s free.
Then, in 2017, interest in protecting one’s online activity exploded. We can’t bring ourselves to thank the FCC for relaxing ISP commercialization rules, but we are glad that more people are putting more thought into their digital privacy.
And yes, we are very grateful to:
We’ll continue to work aggressively toward simplifying and automating Algo’s installation so those who lack the technical expertise to build and maintain their own VPNs aren’t left exposed.
Following our discussions of Control Flow Integrity (CFI) and Control Flow Guard (CFG), we shared our attempt to compare clang’s implementation of CFI against Visual Studio’s Control Flow Guard by applying both to osquery. Instead of a direct comparison, we generated a case study of how seemingly small tradeoffs in security mitigations have serious implications for usability. Our discussion shows developers how to use these mitigations and includes sample programs that showcase the bugs they mitigate.
A wonderful blog post relating to the ease-of-use / security trade off: https://t.co/gzSNNHn6eG
— Chris Valasek (@nudehaberdasher) February 23, 2017
Months later, when Microsoft was caught on the wrong end of a ‘tradeoff’ with serious implications for its users, we applied AppJailLauncher-rs to Windows Defender on the software giant’s behalf. The result, Flying Sandbox Monster, is the industry’s first sandboxed anti-virus scanner for Windows. We described the process and results of creating the tool, as well as its Rust-based framework to contain untrustworthy apps in AppContainers.
Someone finally sandboxed Windows Defender, and well, it's not Microsoft ¯\_(ツ)_/¯ https://t.co/mO1q0s90tP
— Harvester (@Harvesterify) August 2, 2017
Combining Control Flow Integrity with sandboxing makes for an incredible challenge for attackers. Unfortunately, these mitigations are also a challenge for developers to use! In creating the above materials, we lowered the learning curve for the community.
We think that Vector35’s versatile reversing platform doesn’t get the respect it deserves. We worked to help others understand Binary Ninja’s capabilities by:
The next generation. We care about giving younger people opportunities to learn and develop skills in the industry, so we continued our sponsorship of capture the flag competitions like UIUC CTF, HSCTF, and CSAW. We contributed both financial support and unique challenges.
The InfoSec community. We want to share our research with a larger audience and help others gain access to it, so we sponsored conferences like GreHack, Infiltrate, and ISSISP. We provided both financial support and workshops on new techniques and Manticore.
The Truth. We care about getting accurate information out there, so we’re always happy to sponsor the industry’s best podcast host: Patrick Gray at Risky Business. We appreciate his cutting commentary on industry news. Listen to our interviews in episodes #449 and #474 on exploit mitigations and security engineering, respectively.
As in years past, when we come across something that would improve the state of security, and it isn’t covered under an NDA, we share it. To that end, we:
This has been another wonderful year for our team. We expanded our numbers. We went to Infiltrate in Miami and Whistler for company retreats. Josselin earned his PhD. We tacked on more NOP certifications, and hosted some wonderful interns.
Well done, everyone!
This year, we will continue to publish more of our research, advance our commitment to our open source projects, and share more of the tools we’ve developed in-house. Look for more soon about: