What a roller coaster of a year! Well, outside of our office. Inside, 2017 was excellent.
We published novel research that advanced – among others – the practices of automated bug discovery, symbolic execution, and binary translation. In the process, we improved many foundational tools that an increasing number of security researchers will come to rely on. We scaled up our work on securing smart contracts and established ourselves as a premiere blockchain security firm. Finally, as in years past, we shared what lessons we could and supported others to do the same.
Whether you’re a client, a long-time follower, or a budding security researcher, thank you for your interest and contribution.
Below, find 12 highlights from 2017; each one is a reason to stick around in 2018.
Automated bug discovery entered the real world
This field really picked up momentum in 2017. If you weren’t paying close attention, the flurry of developments was easy to miss. That’s why we gave a tour of the field’s recent advances at IT Defense, BSidesLisbon, and CyCon.
But ‘unused tools don’t find bugs,’ and many roadblocks still stand in the way of widespread adoption. We’re changing that in the defense industry. We won contracts with Lockheed Martin and the Department of Defense’s DIUx to apply and scale our Cyber Reasoning System.
If you’re wondering about the future role of humans in the secure development lifecycle, we maintain that these tools will always require expert operators.
If you’re on a team developing an automated bug discovery tool, you’ll be happy to know that we ported the CGC’s Challenge Binaries to Windows, macOS, and Linux. Now you have an objective benchmark for evaluating your tool’s performance.
Manticore improved the state of accessible symbolic execution tooling
We open-sourced Manticore, to some applause in the community. Manticore is a highly flexible symbolic execution tool, which we rely on for binary analysis and rapid prototyping of new research techniques.
Parts of Manticore underpinned our symbolic execution capabilities in the Cyber Grand Challenge. Since then, it has been an integral component of our research for DARPA’s LADS (Leveraging the Analog Domain for Security) program.
In only one year after Manticore’s public release, we’ve adapted the tool to amplify the abilities of smart contract auditors and contribute to the security of the Ethereum platform. In December, we explained how we use Manticore for our work on Ethereum Virtual Machine (EVM) bytecode. When applied to Ethereum, symbolic execution can automatically discover functions in a compiled contract, generate transactions to trigger contract states, and check for failure states.
McSema 2.0 brought us closer to treating binaries like source code
In early 2017, we decided to give McSema a fresh coat of paint. We cleaned up the code, and made it more portable and easier to install. It ran faster. The code it produced was better. But we knew we could push it further.
Since we released McSema four years ago, programs have adopted modern x86 features at an increasing rate, and our lifting goals have expanded to include AArch64, the architecture used by modern smartphones.
So, we made a series of major enhancements. For example, we completely separated the instruction semantics from the control flow recovery and created Remill. McSema is now a client that uses the Remill library for binary lifting. To borrow an analogy, McSema is to Remill as Clang is to LLVM. If you want access to lifting capabilities in your own app, you should use Remill.
Ethereum’s foundation firmed up
In response to the surge of interest in Ethereum smart contracts and blockchain technology, we launched new services and created tools that offer verifiable security gains to the community. We adapted Manticore into an industry-leading security tool, and developed a suite of additional tools that help others write more secure smart contracts.
In a short period of time, we’ve become one of the industry’s most trusted providers of audits, tools, and best practices for securing smart contracts and their adjacent technologies. We’ve secured token launches, decentralized apps, and entire blockchain platforms. See our public reports for RSK and DappHub’s Sai.
We focused the year’s final Empire Hacking meetup on how to write secure smart contracts, and hack them. Two of the six speakers came from our team. In November, we were the first to finish Zeppelin’s Ethereum CTF, Ethernaut.
We became the first information security company to join the Enterprise Ethereum Alliance (EEA), the world’s largest open source blockchain initiative. As one of the industry’s top smart contract auditors, we’re excited to contribute our unparalleled expertise and unique toolset to the EEA’s working groups.
osquery expanded its reach and abilities
Following our port of Facebook’s open source endpoint instrumentation and monitoring agent to Windows in 2016, we’ve continued to contribute to osquery’s development and adoption.
We made foundational enhancements that increased the framework’s raw capabilities. Adding auditd-based file integrity monitoring required a redesign from the ground up. As a result, end users get better performance, no fake or broken events, and new file integrity monitoring.
Among numerous other improvements, we showed how osquery can find notable industry issues like the CCleaner malware, and contributed the features needed to detect them. For additions that aren’t native operating system functions, we’ve created a maintained repository of osquery extensions.
In an effort to promote osquery’s long-term success, we shared the experiences, pains and wishes of users at five major tech firms. We hope the findings will help the community to chart a course forward, and help the undecided to determine if and how to deploy osquery in their companies.
iVerify satisfied a fundamental need for iPhone users
We released iVerify, an App-Store-compatible library of the most comprehensive iOS jailbreak checks in the industry. The checks are maintained by our team of experts; some of the world’s foremost authorities in iOS security internals.
App developers deserve to know when their apps are installed on jailbroken phones. However, ineffective jailbreak detection can be worse than no jailbreak detection at all.
iVerify detects jailbreaks on iOS 10 and 11 right now. We’re committed to updating the library as new versions of iOS are released, and as more effective checks capable of finding known and unknown jailbreaks are developed.
Algo brought self-hosted VPN services to the masses
In late 2016, we released our self-hosted personal VPN server. Algo is designed for ease of deployment and security, it relies on only modern protocols and ciphers, it includes only the minimal software you need, and it’s free.
Then, in 2017, interest in protecting one’s online activity exploded. We can’t bring ourselves to thank the FCC for relaxing ISP commercialization rules, but we are glad that more people are putting more thought into their digital privacy.
And yes, we are very grateful to:
- The 70 Github contributors who racked up 704 contributions to Algo’s core.
- Motherboard for its endorsement.
- The many users who’ve recommended it to their followers.
- The organizations that referenced or promoted Algo, including: Github, Radical Networks, Stonybrook University, DC Legal Hackers, Georgian Partners podcast, and the VUC livecast.
We’ll continue to work aggressively toward simplifying and automating Algo’s installation so those who lack the technical expertise to build and maintain their own VPNs aren’t left exposed.
Learn & Share
Helped the industry deploy new exploit mitigations
Following our discussions of Control Flow Integrity (CFI) and Control Flow Guard (CFG), we shared our attempt to compare clang’s implementation of CFI against Visual Studio’s Control Flow Guard by applying both to osquery. Instead of a direct comparison, we generated a case study of how seemingly small tradeoffs in security mitigations have serious implications for usability. Our discussion shows developers how to use these mitigations and includes sample programs that showcase the bugs they mitigate.
Months later, when Microsoft was caught on the wrong end of a ‘tradeoff’ with serious implications for its users, we applied AppJailLauncher-rs to Windows Defender on the software giant’s behalf. The result, Flying Sandbox Monster, is the industry’s first sandboxed anti-virus scanner for Windows. We described the process and results of creating the tool, as well as its Rust-based framework to contain untrustworthy apps in AppContainers.
Combining Control Flow Integrity with sandboxing makes for an incredible challenge for attackers. Unfortunately, they’re also a challenge for developers to use! In creating the above materials, we lowered the learning curve for the community.
Shone a spotlight on Binary Ninja
We think that Vector35’s versatile reversing platform doesn’t get the respect it deserves. We worked to help others understand Binary Ninja’s capabilities by:
- Describing the fundamentals of Binary Ninja’s Low Level IL, and how the Python API can be used to interact with it.
- Demonstrating how to easily develop platform-agnostic tools harnessing the power of Binary Ninja’s LLIL and its dataflow analysis.
- Explaining how we analyzed this year’s DEF CON CTF challenges with our own Binary Ninja processor module, now available for anyone interested in trying out the challenges.
- Sharing at Infiltrate and Summercon how Binary Ninja makes program analysis more accessible and useful.
Sponsored the causes that matter to us
The next generation. We care about giving younger people opportunities to learn and develop skills in the industry, so we continued our sponsorship of capture the flag competitions like UIUC CTF, HSCTF, and CSAW. We contributed both financial support and unique challenges.
The InfoSec community. We want to share our research with a larger audience and help others gain access to it, so we sponsored conferences like GreHack, Infiltrate, and ISSISP. We provided both financial support and workshops on new techniques and Manticore.
The Truth. We care about getting accurate information out there, so we’re always happy to sponsor the industry’s best podcast host: Patrick Gray at Risky Business. We appreciate his cutting commentary on industry news. Listen to our interviews in episodes #449 and #474 on exploit mitigations and security engineering, respectively.
Advanced the public’s understanding of security
As in years past, when we come across something that would improve the state of security, and it isn’t covered under an NDA, we share it. To that end, we:
- Published a brand new archive of all of our public presentations.
- Contributed our expertise to policy makers for publications such as Too Connected to Fail and Zero Days, Thousands of Nights.
- Gave talks at O’Reilly Security, GreHack, and NYC Python on symbolic execution research and Manticore.
- Shared our experiences pushing the limits of program analysis research in Joy of Pwning, The spirit of the 90’s is still alive in Brooklyn, and Be a binary rockstar.
- Put our weight behind Ethereum, starting with automated bug finding for the blockchain at EkoParty.
- Contextualized the recent advances in automated bug finding at IT Defense.
Grew as a team
This has been another wonderful year for our team. We expanded our numbers. We went to Infiltrate in Miami and Whistler for company retreats. Josselin earned his PhD. We tacked on more NOP certifications, and hosted some wonderful interns.
Well done, everyone!
More in store for 2018
This year, we will continue to publish more of our research, advance our commitment to our open source projects, and share more of the tools we’ve developed in-house. Look for more soon about:
- DIUx – The Department of Defense’s experimental innovation unit DIUx recently awarded us a seven-figure contract to take our Cyber Reasoning System (CRS) to the next level as part of project Voltron.
- Blockchain – As this area becomes a larger part of our business, expect to see more of our discoveries about the security of smart contracts, the security implications of the Solidity language and the Ethereum Virtual Machine.
- Open source support – We are taking new projects under our wing (Google Santa, Google Omaha, and more), in addition to the major contributions we have in the works for osquery.
- iVerify – We plan to release a standalone version that allows anyone to check whether their phone has been jailbroken. The service is intended for high-risk users like journalists and activists operating in high threat environments.
- Algo – We’ll be making it easier to use for those who don’t want to use a terminal.
- Accessible tooling – We’ll make advanced tools and technologies available to greater numbers of software engineers with new releases of DeepState, Manticore, and fcd-remill.
- And finally, Operation Waking Shark – Keep an eye out for these team fleeces at an upcoming Empire Hacking.