35C3 - The Layman's Guide to Zero-Day Engineering
https://media.ccc.de/v/35c3-9979-the_layman_s_guide_to_zero-day_engineering
A demystification of the exploit development lifecycle
There's a certain allure to zero-day exploits. At the apex of the security industry, these elusive technologies are engineered by a persistent few to open doors of software systems that were never meant to exist. We go behind-the-scenes to provide an inside look at the zero-day development lifecycle, breaking common misconceptions regarding this increasingly difficult tradecraft.
In this talk, we will discuss the engineering process behind a zero-day that was used to exploit Apple Safari at PWN2OWN 2018. Rather than placing an intense focus on the technical challenges required to weaponize this particular chain of vulnerabilities, we reflect on this experience as a case-study of the analytical approach we employ to attack unfamiliar software targets. In addition to these methods, we will contrast how this process differs from CTF/Wargame challenges, highlighting the path one can take to graduate from casual enthusiast to security professional.
Markus Gaasedelen Amy (itszn)
https://fahrplan.events.ccc.de/congress/2018/Fahrplan/events/9979.html
Видео 35C3 - The Layman's Guide to Zero-Day Engineering канала media.ccc.de
A demystification of the exploit development lifecycle
There's a certain allure to zero-day exploits. At the apex of the security industry, these elusive technologies are engineered by a persistent few to open doors of software systems that were never meant to exist. We go behind-the-scenes to provide an inside look at the zero-day development lifecycle, breaking common misconceptions regarding this increasingly difficult tradecraft.
In this talk, we will discuss the engineering process behind a zero-day that was used to exploit Apple Safari at PWN2OWN 2018. Rather than placing an intense focus on the technical challenges required to weaponize this particular chain of vulnerabilities, we reflect on this experience as a case-study of the analytical approach we employ to attack unfamiliar software targets. In addition to these methods, we will contrast how this process differs from CTF/Wargame challenges, highlighting the path one can take to graduate from casual enthusiast to security professional.
Markus Gaasedelen Amy (itszn)
https://fahrplan.events.ccc.de/congress/2018/Fahrplan/events/9979.html
Видео 35C3 - The Layman's Guide to Zero-Day Engineering канала media.ccc.de
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
ShellShock & Kernel Exploits - TryHackMe! 0dayAuditing system calls for command injection vulnerabilities using Ghidra's PCode35C3 - The Ghost in the Machine35C3 - From Zero to Zero DayHow to find Zero Day exploitsAll Creatures WelcomeZeroLogon Exploit - Abusing CVE-2020-1472 (Way Too Easy!)35C3 - wallet.failJavaScript Engines: The Good Parts™ - Mathias Bynens & Benedikt Meurer - JSConf EU 2018Fuzzing with AFL - by Michael Macnair (Workshop)Finding Zero-days With GithubOmer Yair - Exploiting Windows Exploit Mitigation for ROP Exploits - DEF CON 27 ConferenceLet’s build a JavaScript Engine in Rust by Jason Williams | JSConf EU 201935C3 - The Mars Rover On-board Computer35C3 - What The Fax?!35C3 - MemsadFranziska Hinkelmann: JavaScript engines - how do they even? | JSConf EULearn2Learn: V8 ExploitationDEF CON 26 - Sanat Sharma - House of Roman a Leakless Heap Fengshui to Achieve RCE on PIE Binaries