Young hacker smiling

Zero false positives

Expert intelligence + effective automation

Photo by KP Bodenstein on Unsplash:

Fool the machine

Trick neural network classifiers

Artificial Neural Networks (ANNs) are certainly a wondrous achievement. They solve classification and other learning tasks with great accuracy. However, they are not flawless and might misclassify certain inputs. No problem, some error is expected. But what if you could give it two inputs that are virtually the same, and …

Toasting Marshmallow. Photo by hcmorr on Unsplash:

Roasting Kerberos

Attacking a DC using kerberoast

Kerberos is a protocol developed by the MIT used to authenticate network services, is built using secret key cryptography and using a trusted third party server (named Authentication Server). This protocol authenticates users and services using tickets, when a client wants to log in it authenticates with the...

Git. Photo by Yancy Min on Unsplash:

Big Code

Learning from open source

In our Machine Learning (ML) for secure code series the mantra has always been the same: to figure out how to leverage the power of ML to detect security vulnerabilities in source code, regardless of the technique, be it deep learning, graph mining, natural language processing, or anomaly detection. In …

Photo by Andres Urena on Unsplash. Credits:

Natural code

Natural language processing for code security

Our return to the Machine Learning (ML) for secure code series is a bit of a digression, but one too interesting to resist. At the same time, it is not, since the Natural Language Processing (NLP) field is also part of what, at least today, is considered to be Artificial …

Binary machine learning. Credits:

Binary learning

Learning to exploit binaries

While our main focus, as stated previously, is to apply machine learning (ML) techniques to the discovery of vulnerabilities in source code, that is, a white-box approach to ML-guided hacking, we’ve come across an interesting approach called VDiscover, which is radically different in the following sense: Works on …

Depiction of a deep neural network. Credits:

Deep Hacking

Deep learning for vulnerability discovery

If we have learned anything so far in our quest to understand how machine learning (ML) can be used to detect vulnerabilities in source code, it’s that what matters the most in this process are the different representations of source code which are later fed to the actual ML …

Chucky the actual serial killer doll

The anomaly serial killer doll

Hunting missing checks with anomaly detection

In our previous article we focused on taint-style vulnerabilites, i.e., those that are essentially due to the lack of input sanitization which allows tainted, user-controlled data to reach sensitive functions. Some of these arise due to missing checks in code, such as: failure to check authentication, authorization...

Screen showing source code

Exploiting code graphs

Mining graph representations for vulnerabilities

As we have seen in our previous revision article, probably the most interesting and successful approach to automated vulnerability detection is the pattern-based approach. Since we expect to extract meaningful patterns from the code, we also need a "comprehensive and feature-rich representation"[1] of it. Other...

greek statue with small angels.

Asymmetric DoS, slow HTTP attack

The story of David and Goliath

Have you ever heard the story of David and Goliath? David, a young boy, goes out to confront a giant, named Goliath. David is the underdog in this fight and is expected to lose. But, everyone underestimates David and his prowess with a slingshot. When David ultimately kills Goliath, he …

Can machines learn to hack?

Machine-learning to hack

Machine learning for vulnerability discovery

To date the most important security vulnerabilities have been found via laborius code auditing. Also, this is the only way vulnerabilities can be found and fixed during development. However, as software production rates increase, so does the need for a reliable, automated method for checking or classifiying this code in …

Vulnerability disclosure

Vulnerability disclosure ecosystem

Responsible vulnerability disclosure

An information security vulnerability is a flaw or a weakness in a system or application that a malicious attacker could exploit, and could result in a compromise of the confidentiality, integrity or availability of both software and hardware systems. We, as Security Testers (or pentesters, white hat hackers), every day …

Release the beast

Release the BEAST!

Understanding the BEAST

The Browser Exploit Attack on SSL/TLS (B.E.A.S.T), - bet you thougth it was a rampage hack that launched nukes - it is a practical attack demonstrated by Thai Duong and Julian Rizzo at ekoparty in 2011. That was the lamest introduction ever, it’s not because the …

Service status - Terms of Use