In this talk, we will show cutting edge research and a tool built to accurately detect vulnerabilities. The tool leverages the standard program execution to detect the full dataflow of vulnerabilities at runtime. It can be used both offensively and defensively. We will show how RAVAGE can be used to detect vulnerabilities, generate exploits, and integrate the newly found exploits into existing exploitation frameworks. In addition to the offensive usage, it can also be used defensively by running existing non-security-related test cases to detect security vulnerabilities.
We will open source RAVAGE as well as design documentation at Black Hat.
Xiaoran is a Product Security Engineer at salesforce.com. He is passionate about security, especially web application security. At work, he does architectural feature review for security, web penetration testing, security training, security automation, etc. In his personal time, he does security research in a variety of topics including exploit writing, malware analysis, vulnerability analysis, and tearing things apart. He has written many useful defensive tools as well. For example, he developed an add-on "Mixed Content Monitor" for Firefox to block and show the insecure resources loaded within https. He also developed "Process Injection Monitor" that does automatic malware analysis and extracts injected code to a binary when a malware process tries to inject itself into other processes. He holds a MS degree in Information Security from Carnegie Mellon University.
Yoel Gluck is a security researcher with 13 years of experience in the industry. He is currently a Researcher and Senior Manager of Product Security at Salesforce.com. Yoel graduated from Bar-Ilan University (Israel) with a B.Sc in Computer Science and Math. Using his experience as a software engineer, he attempts to break applications by analyzing developer design patterns. His research areas include web application, network, virtualization, encryption, and email security. When he's not busy analyzing security risks, he enjoys spending time with his three-year-old daughter. Past research: presented BREACH at Black Hat USA 2013.