Security: Open Source Workshop Speakers

Mike Arpaia

Bio: Mike Arpaia is the CSO and Co-Founder of Kolide and the original creator of osquery, which he created, open-sourced, and widely deployed while working at Facebook. While at Facebook, he then went on to lead the company's intrusion detection efforts, where he was responsible for all infrastructure and network instrumentation. Before his time at Facebook, Mike worked at Etsy, on a custom host intrusion detection product, which he deployed and managed across Etsy's corporate infrastructure. Mike is excited to continue working on open source technologies in the operating system instrumentation and analytics domain, which continues to be a passion area for him.

Title: Building successful open source security software

Abstract: Released in 2014 by Facebook, osquery is an open source operating system instrumentation framework and toolset. In this talk, I will reflect on some of the original motivations for creating osquery and discuss the concepts of openness in the information security industry. As a case-study, I'll break down the attributes of high-quality open source security software by comparing osquery with some of my prior contributions to the open source host instrumentation ecosystem. Finally, I'll share some tips and tricks when it comes to managing an open source project, gleaned from years of managing the most popular open source security software on GitHub.

Félix Cloutier

Bio: Félix received his software engineering degree in École de technologie supérieure in Montréal at the beginning of 2016. Having been a reverse engineering enthusiast for several years, he was convinced to jump into the security world during the CSAW’13 Quals. Fcd started in 2015 as his bachelor’s senior project.

Abstract: There are very few open-source decompilers that target machine code in the wild, and most of them produce dishearteningly poor results. Fcd is a burgeoning decompiler that aims to have decent output out of the box for regular programs and provide enough extension points to complete one-off odd jobs. This talk discusses some challenges of decompiling and shows how fcd can be used and adapted to solve them.

Patrick Hulin

Bio: Patrick Hulin is a technical staff member at MIT Lincoln Laboratory and one of the lead developers of the PANDA, the Platform for Architecture-Neutral Dynamic Analysis. His current research lies primarily in the areas of virtual machine introspection, automated software reverse engineering, dynamic program analysis, and vulnerability understanding. He holds a bachelor’s degree in mathematics from MIT.

Title: Deterministic Differential Debugging: Finding Root Causes with Record and Replay

Abstract: When a developer encounters a bug, they try to understand why it happens and change the code to prevent it from happening again. Unfortunately, programs are stateful, so the immediate cause of a bug (e.g. a segmentation violation) might lead to another cause, which also has to be understood. Following this causal chain backwards in order to find the original error in the program can be difficult and time-consuming, especially in programs whose execution is largely driven by state. Furthermore, traditional debugging tools work forwards, but we want to execute backwards to find a bug's root cause. Fortunately, a well-studied research area, deterministic record and replay, can help us solve these problems. At each step in a bug's causal chain, we can use memory watchpoints and reverse execution to find the piece of code which most recently touched that part of program state. If we have a way of evaluating whether the program’s state is valid at any given point, we can do even better: a binary search over time to pinpoint the code which causes the first corruption. One way to approach this is by using a known-good version of the program and comparing state at any point. This approach can be automated, and I will demonstrate a tool which automatically uses one record-and-replay system to find root causes for bugs in another.

Jamie Levy

Bio: Jamie Levy is a senior researcher and developer. In the past, she worked on various R&D projects and forensic cases at Guidance Software, Inc. Jamie has taught classes in Computer Forensics and Computer Science at Queens College (CUNY) and John Jay College (CUNY). She has an MS in Forensic Computing from John Jay College and is an avid contributor to the open source Computer Forensics community. She is an active core developer on The Volatility Framework. Jamie has authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC) on the topics of memory, network, and malware forensics analysis.

Title: Taking Memory Forensics to the Next Level

Abstract: You've probably heard of the Volatility Framework. Maybe you've learned about it, or you use it on a daily basis. If so, you've probably asked yourself how you could utilize it on an Enterprise scale. As DFIR investigations become more complicated, often spanning several machines, there is a need to employ some mechanisms in the memory forensics realm which are already heavily used in disk forensics. Some of these mechanisms include: whitelisting/blacklisting, indicators of compromise (IOCs), and profiling. This talk will show you how to take memory forensics to the next level.

Jonathan Salwan & Romain Thomas

Bio, Jonathan Salwan: Jonathan Salwan is a security research engineer at Quarkslab focusing on both static and dynamic program analysis, reverse engineering and vulnerability research. He's immersed in the field for the last decade and has developed several tools like the Triton project to help reverse engineers. Since January 2016, he has started a Ph.D around software verification and formal proof where he tries to find a right balance between the academic theory and its practicability into the industrial world.

Bio, Romain Thomas: Romain Thomas is a junior security researcher at Quarkslab. His works focus on code obfuscation and reverse engineering. He previously developed a cross-platform library to manipulate binary formats (PE, ELF, Mach-O).

Title: How Triton can help to reverse virtual machine based software protections

Abstract: Triton is a dynamic binary analysis (DBA) framework. It provides several components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, AST representations of x86 and x86-64 instruction sets semantics, SMT simplification passes, an SMT Solver Interface and, last but not least, Python bindings.

The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include a live demonstration on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution and SMT simplifications.

Andrew Dutcher

Bio: Andrew Dutcher is an undergraduate student working in the computer security lab at the University of California, Santa Barbara. They do research on type inference and binary rewriting and are a core developer on the angr project. Andrew also enjoys CTF, playing on teams Shellphish and 1064CBread (a founding member), and are playing in the CSAW CTF this year on team 1064 Shellphish.

Abstract: Binary analysis is daunting. Several years ago, very few usable tools existed to facilitate it, and the few that did required in-depth knowledge of OCAML or were early-stage research prototypes. Then, the UC Santa Barbara computer security lab released angr, the a next-generation research platform for binary analysis, and made everything even worse.

In all seriousness, angr was designed to offer the power for cutting-edge binary analysis to researchers, students, and enthusiasts an easy-to-use and extremely flexible package. It's been used for automatic vulnerability discovery, automatic vulnerability exploitation, automatic vulnerability patching, binary rewriting, exploit development, exploit stealing, *Cyber Reasoning*, and the solving of many a CTF challenge. Thanks to community involvement, it has grown into an amazing system and is used by academics, security researchers, and hacker punks around the world.

Unfortunately, big systems, written by small teams of overworked graduate students and research interns, have warts. In our case, angr's single biggest issue is documentation, and the philosophy
behind the project, the points of interaction and expansion that angr provides, and the different ways of mitigating complications involved in binary analysis are not forthcoming from the existing docs. In this session, we will try to fill in the gaps. We'll learn about angr's design, angr's flexibility, and angr's failings and the art of addressing them. Coming out of this workshop, you will know enough to Not Panic the next time you need to reach for the angr within you.

Ryan Stortz

Bio: Ryan Stortz is a principal security researcher at Trail of Bits.

Title: Firing Rounds at the Analysis Shooting Gallery

Abstract: DARPA spent hundreds of thousands of my tax dollars creating small C and C++ programs that include exploitable software flaws. We took those programs, ported them to Linux and OS X, and used them as a shooting gallery for static and dynamic analysis tools. Let’s see where each tool excels and where each tool fails.