Registration: https://www.eventbrite.com/e/seminar-on-software-security-vulnerabilities-and-compiler-optimizations-tickets-64498606067
Description
I am pleased to invite you to the
first Zeus San Francisco Bay Area Seminar on September 20, 2019.
In the seminar, secure coding
expert Robert C. Seacord with NCC Group will lecture on the increasing risk of
software vulnerabilities resulting from compiler optimizations. Increasingly,
compiler writers are taking advantage of undefined behaviors in the C and C++
programming languages to improve optimizations. Frequently, these optimizations
are interfering with the ability of developers to perform cause-effect analysis
on their source code, that is, analyzing the dependence of downstream results
on prior results. Consequently, these optimizations are eliminating causality
in software and are increasing the probability of software faults, defects, and
vulnerabilities. This seminar reviews some common optimizations, describes how
these can lead to software vulnerabilities, and explains how to avoid these
optimizations by writing correct code free of undefined behaviors. Additionally,
Robert will lecture on secure coding in C and C++. He will describe stack
smashing attacks that can be used by attackers to overwrite the return address
on the stack and transfer control to arbitrary code. The lecture will examine
the behaviors of the program stack that allow these attacks to succeed, and
specific exploit techniques including code injection, arc injection, and return-oriented
programming.
Following Robert's lecture, Alex G.
Lee with Zeus SW Defender, LLC will present a demo of Zeus technology that
performs the dynamic re-encryption of code pointers to protect C and C++
software programs from buffer overflow attacks aimed at interception and disclosure
of control flow. Zeus can successfully mitigate real-world cyber-attacks
described in CVEs.
Date/Time: September 20 (Friday),
2019 13:30 – 16:30
Venue: Seaport Conference Center,
459 Seaport Ct, Redwood City, CA 94063
Agenda:
1:00 - 1:30 pm: Check-in and registration
1:30 - 2:20 pm: Secure coding in C and C++
2:20 - 3:10 pm: Zeus demo
3:10 - 3:30 pm: Coffee break
3:30 - 4:20 pm: Compiler optimizations
4:20 - 5:00 pm: Q&A and networking
Zeus Details: Patent pending Zeus
technology performs the dynamic re-encryption of code pointers to protect
software programs written in the C and C++ programming languages from buffer
overflow attacks aimed at interception and disclosure of control flow. Zeus can
successfully mitigate real-world cyber-attacks described in CVEs.
As examples, Zeus can block
control-flow hijacking caused by a stack buffer overflow vulnerability
CVE-2018-18409 in the open source TCPFLOW project (https://github.com/simsong/tcpflow/wiki);
CVE-2018-17439 and CVE-2018-15671 of the HDF5 library (https://www.hdfgroup.org/downloads);
and CVE-2013-2028 of Nginx web server leaking a return address byte-by-byte (https://www.rapid7.com/db/vulnerabilities/nginx-cve-2013-2028).
Zeus injects instructions into programs at compile time to harden them
against buffer overflows by encrypting and decrypting pointers at runtime. Zeus
has low execution time overhead and does not require any additional security features
outside of the program. Because Zeus can cover zero-day attacks, Zeus
dramatically reduces the risks caused by buffer overflow. Zeus can be
implemented in C and C++ compilers.
Company Details:
NCC Group (https://www.nccgroup.trust/us/) is an
information assurance firm headquartered in Manchester, United Kingdom. Its
service areas cover software escrow and verification, cyber security consulting
and managed services, website performance, software testing and domain
services. NCC Group claims over 15,000 clients worldwide.
Zeus SW Defender, LLC (http://www.zeusswdef.com/) is based in
Boston, and is operated for Zeus software defender technology development,
commercialization, and monetization.
Speaker Details:
Robert Seacord LinkedIn Profile: https://www.linkedin.com/in/robertseacord/
Alex G. Lee LinkedIn Profile: https://www.linkedin.com/in/alexgeunholee/