
Thursday, August 22, 2019

Seminar on Software Security, Vulnerabilities, and Compiler Optimizations



Description
I am pleased to invite you to the first Zeus San Francisco Bay Area Seminar on September 20, 2019.

In the seminar, secure coding expert Robert C. Seacord with NCC Group will lecture on the increasing risk of software vulnerabilities resulting from compiler optimizations. Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations interfere with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This seminar reviews some common optimizations, describes how these can lead to software vulnerabilities, and explains how to avoid these optimizations by writing correct code free of undefined behaviors. Additionally, Robert will lecture on secure coding in C and C++. He will describe stack smashing attacks that can be used by attackers to overwrite the return address on the stack and transfer control to arbitrary code. The lecture will examine the behaviors of the program stack that allow these attacks to succeed, and specific exploit techniques including code injection, arc injection, and return-oriented programming.
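To illustrate the abstract's point about optimizations that rely on undefined behavior, the following added example (not taken from the lecture or from this page) puts two overflow checks that a compiler is allowed to delete next to forms that stay within defined behavior. All function names and the 16-byte `packet` buffer are constructed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Flawed: signed overflow is undefined behavior, so a compiler may assume
 * a + b never wraps and fold this test to "return 0" when it can show b > 0. */
int add_overflows_flawed(int a, int b) {
    return b > 0 && a + b < a;
}

/* Correct: compare against the limits before adding, so no overflow occurs. */
int add_overflows(int a, int b) {
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* Flawed: forming buf + len beyond one-past-the-end of the object is
 * undefined, so the wraparound test below may be removed by the optimizer. */
int fits_flawed(const char *buf, const char *end, size_t len) {
    if (buf + len < buf)
        return 0;
    return buf + len <= end;
}

/* Correct: compare the length with the space that remains; no pointer is
 * ever computed outside the buffer. Requires buf <= end in the same object. */
int fits(const char *buf, const char *end, size_t len) {
    return len <= (size_t)(end - buf);
}

/* Constructed 16-byte buffer so the checks can be exercised stand-alone. */
static char packet[16];

int packet_fits(size_t len) {
    return fits(packet, packet + sizeof packet, len);
}

int main(void) {
    /* Exit status 0 means every well-defined check gave the expected answer. */
    return !(add_overflows(INT_MAX, 1) && !add_overflows(1, 2) &&
             packet_fits(16) && !packet_fits(17) && !packet_fits(SIZE_MAX));
}
```

Whether a given compiler actually removes the flawed checks depends on its version and optimization level, which is why the corrected forms avoid the undefined operation altogether.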

Following Robert's lecture, Alex G. Lee with Zeus SW Defender, LLC will present a demo of Zeus technology, which performs dynamic re-encryption of code pointers to protect C and C++ software programs from buffer overflow attacks that intercept or disclose control flow. Zeus can successfully mitigate real-world attacks described in CVEs.

Date/Time: September 20 (Friday), 2019 13:30 – 16:30

Venue: Seaport Conference Center, 459 Seaport Ct, Redwood City, CA 94063


Agenda:

1:00 - 1:30 pm: check-in and registration

1:30 - 2:20 pm: Secure coding in C and C++

2:20 - 3:10 pm: Zeus demo

3:10 - 3:30 pm: Coffee Break

3:30 - 4:20 pm: Compiler optimizations

4:20 - 5:00 pm: Q&A and networking

Zeus Details: Patent pending Zeus technology performs dynamic re-encryption of code pointers to protect software programs written in the C and C++ programming languages from buffer overflow attacks that intercept or disclose control flow. Zeus can successfully mitigate real-world attacks described in CVEs.

As examples, Zeus can block control-flow hijacking caused by a stack buffer overflow vulnerability CVE-2018-18409 in the open source TCPFLOW project (https://github.com/simsong/tcpflow/wiki); CVE-2018-17439 and CVE-2018-15671 of the HDF5 library (https://www.hdfgroup.org/downloads); and CVE-2013-2028 of Nginx web server leaking a return address byte-by-byte (https://www.rapid7.com/db/vulnerabilities/nginx-cve-2013-2028). Zeus injects instructions into programs at compile time to harden them against buffer overflows by encrypting and decrypting pointers at runtime. Zeus has low execution time overhead and does not require any additional security features outside of the program. Because Zeus can cover zero-day attacks, Zeus dramatically reduces the risks caused by buffer overflow. Zeus can be implemented in C and C++ compilers.

Company Details:

NCC Group (https://www.nccgroup.trust/us/) is an information assurance firm headquartered in Manchester, United Kingdom. Its service areas cover software escrow and verification, cyber security consulting and managed services, website performance, software testing and domain services. NCC Group claims over 15,000 clients worldwide.

Zeus SW Defender, LLC (http://www.zeusswdef.com/) is based in Boston, and is operated for Zeus software defender technology development, commercialization, and monetization.

Speaker Details:

Robert Seacord Linkedin Profile: https://www.linkedin.com/in/robertseacord/

Alex G. Lee Linkedin Profile: https://www.linkedin.com/in/alexgeunholee/

Thursday, December 27, 2018

How To Protect Software From Cyber Security Attacks?



Zeus Software Defender technology can defend against attacks exploiting software vulnerabilities which are serious threats to software for cyber/IT systems and applications.

BOSTON, December 27, 2018 /Press Release/ -- Zeus SW Defender, LLC (http://www.zeusswdef.com) has announced the Zeus Software Defender Technology (“Zeus”) for protecting software programs from potential cyber security attacks by hardening the software programs.

Among the many aspects of cyber security, protecting software has become a key issue as deployments of embedded software systems, such as in IoT (Internet of Things) devices, drones, and autonomous vehicles, increase exponentially. Software vulnerabilities exist in all types of software. A well-known software vulnerability is the buffer overflow, which occurs when a software program attempts to write data into a memory buffer beyond its boundary. Attackers exploit buffer overflows to intercept the control flow of software programs or to disclose information critical to security. In particular, attackers employ a buffer overflow to overwrite a pointer, i.e. a memory location that contains the address of an instruction which the processor will jump to and execute during program execution. To leak information, attackers overwrite a specific memory location and check whether a crash occurs. If it does not, the written bits are what was already at that location.

Patent pending Zeus technology performs dynamic re-encryption of code pointers to protect software programs written in the C/C++ programming languages from buffer overflow attacks that intercept or disclose control flow. As examples, Zeus can block control-flow hijacking caused by a stack buffer overflow vulnerability CVE-2018-18409 of the open source tcpflow (https://github.com/simsong/tcpflow/wiki); CVE-2018-17439 and CVE-2018-15671 of the data management software HDF5 (https://www.hdfgroup.org/downloads); and CVE-2013-2028 of Nginx web server leaking a return address byte-by-byte (https://www.rapid7.com/db/vulnerabilities/nginx-cve-2013-2028). Zeus injects code fragments into programs at compile time so that the programs harden themselves by encryption and re-encryption at runtime. Zeus has low overhead in execution time and does not require any additional security features outside of the program. Since Zeus can cover zero-day attacks, Zeus dramatically reduces the risks caused by buffer overflow. Zeus can be implemented into C/C++ compilers.
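The general idea of keeping code pointers encrypted in memory and re-encrypting them at runtime can be sketched as follows. This is a generic added illustration, not Zeus's code: the page does not describe its cipher or key handling, so XOR with a constructed key stands in for the cipher, and `handler_t`, `ptr_encrypt`, `ptr_decrypt` and `rekey` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }

/* Constructed key; a real scheme would draw it from a random source. */
static uintptr_t key = (uintptr_t)0x9e3779b97f4a7c15ULL;

/* XOR stands in for the cipher: only the encoded value is kept in memory. */
static uintptr_t ptr_encrypt(handler_t f) { return (uintptr_t)f ^ key; }
static handler_t ptr_decrypt(uintptr_t c) { return (handler_t)(c ^ key); }

/* Re-encryption: decode every slot under the old key, change the key and
 * re-encode, so values read out earlier no longer decode correctly. */
static void rekey(uintptr_t *slots, size_t n) {
    uintptr_t next = key * (uintptr_t)6364136223846793005ULL
                   + (uintptr_t)1442695040888963407ULL;
    for (size_t i = 0; i < n; i++)
        slots[i] = (slots[i] ^ key) ^ next;
    key = next;
}

/* 1 when the stored value differs from the address yet still calls through. */
int roundtrip_ok(void) {
    uintptr_t slot = ptr_encrypt(double_it);
    return slot != (uintptr_t)double_it && ptr_decrypt(slot)(21) == 42;
}

/* 1 when a copy taken before rekeying is stale while the live slot works. */
int stale_after_rekey(void) {
    uintptr_t slot = ptr_encrypt(double_it);
    uintptr_t leaked = slot;
    rekey(&slot, 1);
    return ptr_decrypt(slot) == double_it && ptr_decrypt(leaked) != double_it;
}

/* 1 when an unencoded address placed in a slot decodes to something else. */
int raw_address_misdecodes(void) {
    uintptr_t slot = (uintptr_t)double_it;
    return ptr_decrypt(slot) != double_it;
}

int main(void) {
    return !(roundtrip_ok() && stale_after_rekey() && raw_address_misdecodes());
}
```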

For more information regarding Zeus, please contact
Alex G. Lee, PhD, Esq., CLP
Managing Partner
Zeus SW Defender, LLC
alexglee@zeussfdef.com

Zeus SW Defender, LLC is based in Boston, and is operated for Zeus Software Defender technology and related intellectual property development, commercialization, and monetization.

SOURCE Zeus SW Defender, LLC
