RESEARCH

At CENSUS we have a strong passion about applied security research. Results from our laboratories, cleared for public disclosure, and related presentation material are collected and made available here.

Vulnerability Discovery

• Fuzzing
  • Knowledge-based Evolutionary Fuzzing (presentation, Choronzon fuzzer)
  • Efficient Android Fuzzing
  • Fuzzing Android's ART runtime
• Tracing
  • Using DTrace on OSX
  • Inspecting unbound memory overflows with SystemTap
• Binary Diffing (Efficient Features for Function Matching between Binary Executables)
• Program Instrumentation (With and Without Source Code, Overview for Developers)
• Firmware Assessments (Attacking Qualcomm Hexagon aDSP firmware, Reverse Engineering the Apple iOS Sandbox Kernel Extension, Microchip SDK bugs, ARM toolchain bugs, Android multimedia framework ("libstagefright") bugs)
• Embedded System Emulation (Samsung RKP Hypervisor inspection through QEMU ARM hardware emulation)
• Vulnerabilities discovered in popular software (Advisories)

Exploit Engineering

• Kernel Exploitation (incl. Windows, Linux, MacOS XNU, FreeBSD and OpenSolaris)
• Userland Exploitation (incl. heap exploitation primitives, jemalloc exploitation on FreeBSD libc/NetBSD libc/Android libc/Firefox/vlc, Adobe Flash exploitation)
• Mobile App Exploitation (Remote exploitation of a WhatsApp man-in-the-disk vulnerability)
• Virtualization Exploitation (VMware workstation guest-to-host escape)

Device Exploitation

• Airport POS exploitation
• Fitness Equipment exploitation

Penetration Testing

• IDS evasion (Context-keyed Payload Encoding)
• Anti-virus evasion (Metamorphic PE Packing)
• WiFi Phishing (Process automation, Getting the most out of Evil Twin, Lure10 attack against Windows 10 Automatic Association Algorithm, Known Beacons attack)
• Physical Security Testing (Network backdoor planting)
• ICS/SCADA & IoT Security Testing (for Critical Infrastructure)

Proactive Defenses

• Software Hardening (incl. Kernel Exploitation Mitigations)
• Bypassing filters and Web Application Firewalls through automata learning (Lightbulb Framework)
• Examining the value of Android's SafetyNet Attestation as an application integrity security control

Software

• Published software

Guides and Reports

• Securing the Building Blocks of Embedded Software
• Securing Military Communications (Whitepaper)
• Medical Application Assessment (Case Study)
• Kernel Debugging (FreeBSD)
• Stack canary randomization (Linux)
• Secure Programming in C
• Digital Forensics (with Open Source Tools)
• Rootkit Analysis (Linux Rootkit Case Study)
• Securing infrastructures (with Open Source Tools)

Other Presentations

• IoT Security Assessments (Methodology, Skills and Tools)
• Medical Device Security
• Mobile App Threat Landscape (first presentation, second presentation)
• Side-channel leaks in Mobile Applications
• Secure Mobile App Development Lifecycle
• Enhancing Penetration Testing (through Vulnerability Research)
• Integrating "malicious" technologies/techniques within the SDLC
• Web Application Firewalls
• Privacy Attacks