Blog
Anatomy and Taxonomy of a Fuzzer
Fuzzing is an increasingly popular method for software and hardware quality assurance. A fuzzer is a program or framework that generates pseudo-random inputs, evaluates them, and measures the success or failure of the evaluations. This may be a greatly oversimplified explanation, but it bears the familiar look and feel of test vector sets and unit test frameworks used by engineers since the advent of computers.
CITL Static Analysis Release
Today CITL is open sourcing our static analysis tooling. In doing so, we hope to share our methods for analyzing binary hardening with a wider audience. Our static analysis tooling ingests binary files (PE/ELF/Mach-O) for multiple architectures (ELF supports: x86, x86-64, arm, arm/thumb, aarch64, mips, ppc) and reports on the hardening of the binary. It supports a range of different hardening techniques via its pluggable analyzer model.
CITL Fuzzer Early Data
CITL’s primary research goal has been to determine whether we can formalize a technique security practitioners use for identifying potentially vulnerable code. We wanted to know if we could automatically detect the patterns that are used for prioritization in a standard security audit. We started with simple questions based on common indicators. For example: “Does using strcpy() more often mean that software will crash more?”
CITL Releasing 7000 defects/vulnerabilities
CITL is making ~7,000 defects/vulns, across 3,243 Ubuntu APT packages, available to package maintainers.
A Case for Improving Security Ergonomics of Compilers
By Sarah Zatko
We published a study a while back showing the failure of the IoT industry to adhere to basic build safety best practices over the past 15 years. In the light of this failure, I wanted to unpack what some of the root causes might be, and make a case for why better usability and transparency for security features in compiler toolchains would help.
Evolution of Android Binary Hardening
How has Google’s Android platform evolved with regards to build safety?
Binary Hardening in IoT products
Last year, the team at CITL looked into the state of binary hardening features in IoT firmware. Since then we’ve added more vendors and refreshed our analytic techniques. This post will catch you up on the latest findings and developments.
A look at home routers, and a surprising bug in Linux/MIPS
We reviewed 28 popular home routers for basic hardening features. None performed well. Oh, and we found a bug in the Linux/MIPS architecture.
Building on research success, CITL grows and focuses on scale
In the past year a lot has happened at CITL.
CITL Status Report
Some people have been asking when they're going to get to see all the great output and data we're generating, so this seemed like a good time to explain where we're at right now.
To Upgrade or not? A look at Office 2016 for OSX
When a new version of a familiar software suite comes out, you have to decide whether or not to upgrade.
Fortify Source: A Deeper Dive into Function Hardening on Linux and OS X
Source fortification is a powerful tool in modern compilers. When enabled, the compiler will inspect the code and attempt to automatically replace risky functions
Revisiting the Linux Score Distribution
A while back, we showed what the score distributions were for base installs of three major platforms.
Software Application Risks on the OSX Continuum
In our previous post about the score histograms for Windows, Linux, and OSX, we promised deeper dives to come.
Score Distributions in OSX, Win10, and Linux
The data we're sharing first is the data from what we refer to as our static analysis. (Fuzzing and dynamic analysis data will be described later).
Our Static Analysis Metrics and Features
If you've seen our post about the score distributions in OSX, Linux, and Windows 10 base installs, your first question is probably about what factors go into computing those scores.
Other Industries that Inspired Us
Evaluating the risk profile of software is a technically complex task, but there are lots of other industries where consumers have to engage in complex decision-making.
CITL's Reception at Black Hat and Defcon
So, first off, thank you! We've been thrilled so far by the media coverage and security community reaction we received.
CITL at Black Hat and Def Con!
The first public talks about CITL, including details about our metrics and preliminary data, will be at this year's Black Hat and Def Con!
The Problem With Standards and Certifications
One of the common misconceptions about our work at CITL is that we’re certifying software products, or in some way asserting that they meet a particular standard.