LABS
RESEARCH
At CENSUS we have a strong passion for applied security research. Results from our laboratories that have been cleared for public disclosure, together with related presentation material, are collected and made available here.
Vulnerability Discovery
- Fuzzing
  - Knowledge-based Evolutionary Fuzzing (presentation, Choronzon fuzzer)
  - Efficient Android Fuzzing
  - Fuzzing Android's ART runtime
- Tracing
- Binary Diffing (Efficient Features for Function Matching between Binary Executables)
- Program Instrumentation (With and Without Source Code, Overview for Developers)
- Firmware Assessments (Attacking Qualcomm Hexagon aDSP firmware, Reverse Engineering the Apple iOS Sandbox Kernel Extension, Microchip SDK bugs, ARM toolchain bugs, Android multimedia framework ("libstagefright") bugs)
- Embedded System Emulation (Samsung RKP Hypervisor inspection through QEMU ARM hardware emulation)
- Vulnerabilities discovered in popular software (Advisories)
Exploit Engineering
- Kernel Exploitation (incl. Windows, Linux, MacOS XNU, FreeBSD and OpenSolaris)
- Userland Exploitation (incl. heap exploitation primitives, jemalloc exploitation on FreeBSD libc/NetBSD libc/Android libc/Firefox/VLC, Adobe Flash exploitation)
- Mobile App Exploitation (Remote exploitation of a WhatsApp man-in-the-disk vulnerability)
- Virtualization Exploitation (VMware workstation guest-to-host escape)
- Device Exploitation
Penetration Testing
- IDS evasion (Context-keyed Payload Encoding)
- Anti-virus evasion (Metamorphic PE Packing)
- WiFi Phishing (Process automation, Getting the most out of Evil Twin, Lure10 attack against Windows 10 Automatic Association Algorithm, Known Beacons attack)
- Physical Security Testing (Network backdoor planting)
- ICS/SCADA & IoT Security Testing (for Critical Infrastructure)
Proactive Defenses
- Software Hardening (incl. Kernel Exploitation Mitigations)
- Bypassing filters and Web Application Firewalls through automata learning (Lightbulb Framework)
- Examining the value of Android's SafetyNet Attestation as an application integrity security control
Software
Guides and Reports
- Securing the Building Blocks of Embedded Software
- Securing Military Communications (Whitepaper)
- Medical Application Assessment (Case Study)
- Kernel Debugging (FreeBSD)
- Stack canary randomization (Linux)
- Secure Programming in C
- Digital Forensics (with Open Source Tools)
- Rootkit Analysis (Linux Rootkit Case Study)
- Securing infrastructures (with Open Source Tools)
Other Presentations
- IoT Security Assessments (Methodology, Skills and Tools)
- Medical Device Security
- Mobile App Threat Landscape (first presentation, second presentation)
- Side-channel leaks in Mobile Applications
- Secure Mobile App Development Lifecycle
- Enhancing Penetration Testing (through Vulnerability Research)
- Integrating "malicious" technologies/techniques within the SDLC
- Web Application Firewalls
- Privacy Attacks