Seminar on Software Security, Vulnerabilities, and Compiler Optimizations

Registration: https://www.eventbrite.com/e/seminar-on-software-security-vulnerabilities-and-compiler-optimizations-tickets-64498606067

Description

I am pleased to invite you to the first Zeus San Francisco Bay Area Seminar on September 20, 2019.

In the seminar, secure coding expert Robert C. Seacord with NCC Group will lecture on the increasing risk of software vulnerabilities resulting from compiler optimizations. Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This seminar reviews some common optimizations, describes how these can lead to software vulnerabilities, and explains how to avoid these optimizations by writing correct code free undefined behaviors. Additionally, Robert will lecture on secure coding in C and C++. He will describe stack smashing attacks that can be used by attackers to overwrite the return address on the stack and transfer control to arbitrary code. The lecture will examine the behaviors of the program stack that allow these attacks to succeed, and specific exploit techniques including code injection, arc injection, and return-oriented programming.

Following Robert's lecture, Alex G. Lee with Zeus SW Defender, LLC will present a demo of Zeus technology that performs the dynamic re-encryption of code pointers to protect C and C++ software programs from buffer overflow attacks for interception and disclosure of control-flow. Zeus can successfully mitigate real world cyber-attacks reported in real world attacks described in CVEs.

Date/Time: September 20 (Friday), 2019 13:30 – 16:30

Venue: Seaport Conference Center, 459 Seaport Ct, Redwood City, CA 94063

Map: http://www.seaportconferencecenter.com/contact/

Agenda:

1:00 - 1:30 pm: check-in and registration

1:30 - 2:20 pm: Secure coding in C and C++

2:20 - 3:10 pm: Zeus demo

3:10 - 3:30 pm: Coffee Break

3:30 - 4:20 pm: Compiler optimizations

4:20 - 5:00 pm: Q&A and networking

Zeus Details: Patent pending Zeus technology performs the dynamic re-encryption of code pointers to protect software programs written in the C and C++ programming languages from buffer overflow attacks for interception and disclosure of control-flow. Zeus can successfully mitigate real world cyber attacks reported in real world attacks described in CVEs.

As examples, Zeus can block control-flow hijacking caused by a stack buffer overflow vulnerability CVE-2018-18409 in the open source TCPFLOW project (https://github.com/simsong/tcpflow/wiki); CVE-2018-17439 and CVE-2018-15671 of the HDF5 library (https://www.hdfgroup.org/downloads); and CVE-2013-2028 of Nginx web server leaking a return address byte-by-byte (https://www.rapid7.com/db/vulnerabilities/nginx-cve-2013-2028). Zeus injects instructions into programs at compile time programs to harden them against buffer overflows by encrypting and decrypting pointers at runtime. Zeus has low execution time overhead and does not require any additional security features outside of the program. Because Zeus can cover zero-day attacks, Zeus dramatically reduces the risks caused by buffer overflow. Zeus can be implemented in C and C++ Compliers.

Company Details:

NCC Group (https://www.nccgroup.trust/us/) is an information assurance firm headquartered in Manchester, United Kingdom. Its service areas cover software escrow and verification, cyber security consulting and managed services, website performance, software testing and domain services. NCC Group claims over 15,000 clients worldwide.

Zeus SW Defender, LLC (http://www.zeusswdef.com/) is based in Boston, and is operated for Zeus software defender technology development, commercialization, and monetization.

Speaker Details:

Robert Seacord Linkedin Profile: https://www.linkedin.com/in/robertseacord/

Alex G. Lee Linkedin Profile: https://www.linkedin.com/in/alexgeunholee/

Xanadu Cloud Computing Use Case: Protection of PCs from Ransomware

Xanadu Cloud Computing Use Case

Demo: Daeil Foreign Language High School, S. Korea

https://www.youtube.com/watch?v=FQcMrd6Jczw&feature=youtu.be

Xanadu is a key-value NoSQL big data management platform technology that provides fault tolerant ACID property and high throughput/low latency with massive scalability. Xanadu is designed for the heaviest workloads, and supports support concurrent queries without conflict.

Xanadu can be exploited for the back-end storage technology that allows remote client computers can access data and computing/application resources via the standard iSCSI network protocol. With iSCSI supported natively by any operating system, Xanadu makes it easy to securely store and access data from any machine on the network. Xanadu also can be used for providing services that allow remote computer systems to “boot” from a stored system drive image. With diskless units on users’ desks and all data (including the operating system disk) remains in the secure cloud servers, administrators are free to deploy diskless PCs to the desktop with their inherent advantages of higher data security, quicker disaster recovery, smaller office footprint and better energy consumption.

In-built deduplication functionality of Xanadu enable saving of cloud data storage resources a lot. For example, Xanadu can store thousands of 25GB basic Windows 7 disk images in only a few hundred gigabytes of actual storage. Xanadu, therefore, enables a simple and highly efficient means to centrally manage cloud data storage, particularly for standardised PC installations that need to be booted almost identically in many places. Time stamping functionality of Xanadu also offers an efficient snapshot capability that enables users to “reset” their stores to a previous saved “good” state. Especially, this resetting capability will be a good solution for proving protection of client PCs from malwares including notorious Ransomwares.

Xanadu for Protection of PCs from Ransomware.

https://www.youtube.com/watch?v=lB3-mfupjNo&feature=youtu.be

Contact: Alex G. Lee (alexglee@xanadubigdata.com)

IoT (Internet of Things) Security

Source: ComputerScienceZone.org

Security and the Internet of Things

The Internet of Things includes both traditional electronics and everyday “things” embedded with sensors, computing, and networking capabilities.

Coffee Makers
Thermostats
Refrigerators
Cars
Even Cows: wireless sensors tell farmers when cows get sick or pregnant, transmitting 200 MB per cow a year

Even now the Internet of things is all around us:

Connected homes:
Smart thermostats
Smart Appliances
HVAC systems
Security
Smart Lighting
Entertainment Systems
Risks: Intrusion of privacy, risk to your physical home

Wearables:
Fitness bands
Smart Watches
Smart Glasses
Action Cameras
Risks: Financial Information, Location

Industrial Internet:
Real-time analytics
Factory automation
Robotics
Supply Chain Efficiency
Risks: Financial Information, trade secrets

Connected Cities:
Smart Meter Technology
Smart Traffic Lights
Smart Parking Meters
Electric Vehicle Parking
Real-time analytics
Risks: Safety, Financial Information, Location

Connected Cars:
Safety
Vehicle Diagnostics
Information and Navigation
Fleet Management
Risks: Safety, location

The Internet of things is growing faster than our ability to secure it:

4.9 billion connected “things” will be in use by 2015
Almost one for every man, woman, and child on Earth
And 25 billion by 2020
2.5 per estimated population of 2020[2]

Currently, people living in large urban environments are surrounded by thousands of trackable objects at every moment.

Leaving an increasing digital trail offering new forms of cyber security risks…

By the end of 2011 20 typical households generated more Internet traffic than the entire Internet in 2008.[3] With 1 billion more Internet users today than in 2011.[6] (2011 2.2 billion Internet users, today 3 billion+)

Large Cyber security Breaches by Year:
(breaches with over 30,000 records stolen)[4]

2015: 5 so far…
2014: 20
2013: 27
2012: 20
2011: 36
2010: 20
2009: 14
2008: 16
2007: 14
2006: 5
2005: 4
2004: 1

With several data breaches much larger than the rest.
And some information is particularly sought after.

Cyber security professionals, and detailed cyber security plans within new businesses are necessary.
74% growth in cyber security jobs in the last 6 years[7] Nearly twice the rate of other IT jobs

Growing Threats:

Many cyber attackers are hardened veterans with more experience than the IT professionals meant to defend against attacks
Organizations defending against disruptive threats are outdated. Threats today are “campaigns” aiming at disrupting entire business sectors in many-waved attacks.

The barrier of entry in tech has never been lower, leaving many new organizations to later grapple with unsatisfactory security.

Because isn’t a secure future just a lot more fun?

Citations:

• http://www.gartner.com/newsroom/id/2905717
• http://www.marketwatch.com/story/global-suicide-2020-we-cant-feed-10-billion-2012-02-14
• http://share.cisco.com/internet-of-things.html
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• http://www.goldmansachs.com/our-thinking/outlook/iot-infographic.html
• http://www.internetworldstats.com/emarketing.htm
• http://www.umuc.edu/cybersecurity/careers/
• http://news.dice.com/2015/02/16/10-reasons-need-cybersecurity-plan/