Research

The public release of our research tends to broadly influence the direction of the security research community. Our reports and presentations are based on current attack trends, techniques and our own discoveries.

Security Research

  • From One Ivory Tower to the Next [slides]
    • ACM CCS, November 2013, Berlin, Germany
  • MAST: Mobile Application Security Transforms
    • DARPA Cyber Fast Track, March 2013
  • Scalable Graph-theoretical Analysis for Qualitative Program Security Assessment
    • DARPA Cyber Fast Track, December 2012
  • Using Concolic Execution to Measure a Program's Susceptibility to Code-reuse Attacks
    • DARPA Cyber Fast Track, April 2012

Security Strategy

  • Countermeasure 2013 Keynote [slides]
    • Countermeasure, November 2013, Ottawa, Canada
  • EIP Revisited: Exploitation and Defense in 2013 [slides]
    • BruCon, September 2013, Ghent, Belgium
    • DARPA, October 2013, Arlington, VA
    • CIO Global Forum, October 2013, Philadelphia, PA
  • The Mobile Exploit Intelligence Project [3] [2] [1] [podcast] [video] [alt]
    • Blackhat EU, March 2012, Amsterdam, Netherlands
    • SOURCE Boston, April 2012, Boston, MA
    • TechTarget InfoSec Decisions, May 2012, New York, NY
    • AT&T Cyber Security, June 2012, New York, NY
    • ShakaCon, June 2012, Honolulu, HI
    • GFIRST, August 2012, Atlanta, GA
    • CSAW:THREADS, November 2012, Brooklyn, NY
    • BlackBerry Security Summit, June 2013, Waterloo, Canada
    • Performed in collaboration with Mike Arpaia
  • The Exploit Intelligence Project [slides] [alt] [paper] [video] [alt]
    • SOURCE Boston, April 2011, Boston, MA
    • Kaspersky Analyst's Summit, June 2011, Malaga, Spain
    • SummerC0n, June 2011, New York, NY
    • Security Confab, July 2011, Monterey, CA
    • The UNITED Summit, August 2011, San Francisco, CA
  • Attacker Math 101 [slides] [video]
    • Kaspersky Analyst's Summit, June 2011, Malaga, Spain
    • SummerC0n, June 2011, New York, NY
    • SOURCE Boston, April 2011, Boston, MA
  • 0wning the Enterprise [slides]
    • Financial Information Security Decisions, June 2008, New York, NY

Mobile Security

  • A Tale of Mobile Threats [slides] [video]
    • CSAW:THREADS, November 2012, New York, NY
    • OWASP Italy Day 2012, November 2012, Rome, Italy
    • ISSA International Security Conference, October 2012, Anaheim, CA
    • Qualcomm Security Summit, October 2012, San Diego, CA
  • iOS Jailbreak Analysis [slides] [video]
    • CSAW:THREADS, November 2012, New York, NY
    • Blackberry Security Summit, June 2012, Waterloo, Canada
  • iOS Hacker's Update [video]
    • CodenomiCON, August 2012, Las Vegas, US
    • RSA, January 2011, San Francisco, US
    • Performed in collaboration with Charlie Miller
  • iOS 4 Security Evaluation [slides] [paper] [blog]
    • Blackhat USA, August 2011, Las Vegas, NV
    • Hacker Halted, October 2011, Miami, FL

Exploitation

  • Stale Pointers are the New Black [slides] [paper]
    • Blackhat DC, January 2011, Washington DC
    • CanSecWest, March 2011, Vancouver, Canada
    • Performed on behalf of Zynamics and in collaboration with Giovanni Gola
  • Everybody Be Cool, this is a ROPpery [slides] [paper] [video]
    • Blackhat USA, August 2010, Las Vegas, NV
    • Microsoft Bluehat, November 2010, Redmond, WA
    • Performed on behalf of Zynamics and in collaboration with Tim Kornau and Ralf-Philipp Weinmann
  • Practical Return-Oriented Exploitation [slides] [video]
    • RSA, March 2010, San Francisco, CA
    • SOURCE Boston, April 2010, Boston, MA
    • RECon, July 2010, Montreal, Canada
    • Blackhat USA, August 2010, Las Vegas, NV
  • Bypassing Memory Protections: The Future of Exploitation [slides]
    • USENIX Security, August 2009, Montreal
    • MIT, February 2010, Cambridge, MA
  • Mac OS Xploitation [slides]
    • SOURCE Boston, March 2009, Boston, MA
  • Bypassing browser memory protections in Windows Vista [slides] [paper] [code]
    • SyScan, July 2008, Singapore
    • BlackHat USA, August 2008, Las Vegas, NV
    • ToorCon, September 2008, San Diego, CA
    • BA-Con, October 2008, Buenos Aires, Argentina
    • This work was performed in collaboration with Mark Dowd
  • Heap Feng Shui in JavaScript [slides] [paper] [code]
    • BlackHat Europe, March 2007, Amsterdam, Netherlands
    • SyScan, July 2007, Singapore
    • BlackHat USA, August 2007, Las Vegas, NV

Exploit Payloads

  • Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone [slides]
    • Blackhat USA, August 2009, Las Vegas, NV
    • This work was performed on behalf of Zynamics and in collaboration with Charlie Miller
  • Post Exploitation Techniques on OS X and iPhone [slides]
    • EUSecWest, June 2009, Amsterdam, Netherlands
    • This work was performed on behalf of Zynamics
  • Fun and Games with OS X and iPhone Payloads [slides] [paper] [video]
    • Blackhat EU, April 2009, Amsterdam, Netherlands
    • This work was performed on behalf of Zynamics and in collaboration with Charlie Miller
  • Let Your Mach-O Fly [slides] [paper] [video]
    • Blackhat DC, January 2009, Washington DC

Vulnerability Discovery

  • A Sandbox Odyssey [slides]
    • iSEC Open Forum NYC, October 2011, New York, NY
    • Infiltrate, January 2012, Miami, FL
    • Blackhat EU, March 2012, Amsterdam, Netherlands
  • 0-Knowledge Fuzzing [slides] [paper]
    • Blackhat DC, January 2010, Washington DC
    • US-CERT Vulnerability Discovery Workshop, February 2010, Pittsburgh, PA
    • Blackhat EU, April 2010, Barcelona, Spain
    • This work was performed on behalf of Zynamics
  • Blackbox Reversing of Cross-Site Scripting Filters [slides] [video] [code]
    • RECon, June 2008, Montreal, Canada
    • ekoparty, October 2008, Buenos Aires, Argentina

Rootkits

  • Advanced Mac OS X Rootkits [paper] [code]
    • Blackhat USA, July 2009, Las Vegas, NV
  • Hardware Virtualization Rootkits [slides]
    • BlackHat USA, August 2006, Las Vegas, NV
    • Microsoft BlueHat, October 2006, Redmond, WA
    • This work was performed on behalf of Matasano Security

Security Education

  • So you want to train an army of ninjas... [slides]
    • SOURCE Boston, March 2009, Boston, MA

Wireless

  • Attacking Automatic Wireless Network Selection [slides] [paper]
    • PacSec.JP 2004, November 2004, Tokyo, Japan
    • Microsoft BlueHat 2005, Redmond, WA
    • CanSecWest/core05, May 2005, Vancouver, Canada
    • IEEE Information Assurance Workshop, June 2005, West Point, NY
    • This work was performed in collaboration with Shane Macaulay

Cryptography

  • Analyzing the MD5 Collision in Flame [slides] [blog]
    • SummerC0n, June 2012, New York, NY
  • Breaking the Security Myths of Extended Validation SSL Certificates [slides] [paper]
    • CanSecWest, March 2009, Vancouver
    • BlackHat USA, August 2009, Las Vegas
    • This work was performed in collaboration with Mike Zusman
  • MD5 Considered Harmful Today: Creating a Rogue CA Certificate [slides] [paper]
    • 25th CCC, December 2008, Berlin, Germany
    • CRYPTO 2009, Santa Barbara, California (Best Paper Award)