Top 3 Technical Barriers to Fuzzing

Fuzz testing is an effective technique for uncovering serious defects in software. From the Heartbleed vulnerability in 2014 to the infamous Jeep Cherokee hacking in 2015, fuzz testing is the technique that has made many high-profile discoveries possible. Consistently, fuzzing is proven to be a powerful tool for ensuring the safety, security,..

Uncovering Memory Defects in cereal (CVE-2020-11104 & CVE-2020-11105)

Introduction

Deserialization of untrusted input is a common attack vector, making both the MITRE top-25 most dangerous software errors. Even without an attacker, mistakes in serialization or deserialization decrease the reliability of your code.  

Uncovering vulnerabilities in Cryptographic libraries: Mayhem, Matrixssl, and WolfSSL

Introduction

As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries.

Game Theory: Why System Security Is Like Poker, Not Chess

The 1980s film “Wargames” asked a computer to learn whether global thermonuclear war made sense. In the film, thermonuclear war didn’t make sense, but what if, in real life, preemptive cyberattacks were our best hope for winning? Or better yet, what are the cyberwar scenarios and incentives when peace is the best strategy, just like “Wargames”?..

Mayhem Moves to Production with the Department of Defense

In 2016, Mayhem -- then still a research prototype -- showed that fully autonomous cybersecurity was possible. This was just the first step.

Demystifying a Docker Image

Six months ago ForAllSecure started analyzing Docker images. What does this mean?  Imagine we have a user who wants us to fuzz their application. How do they give it to us?  Do they tar it up? Do they give us access to an environment where it’s running?  Do we integrate into their build pipeline? Applications are an entire ecosystem -- they..

Decipher Security Podcast with ForAllSecure CEO David Brumley

The Decipher Security podcast by Duo Security analyzes the news, explores the impact of the latest risks, and provides informative and educational material for readers intent on understanding how security affects our world. Their mission is to amplify the voices of those who look at security through the prism of how it affects victims, and..

Top Takeaways from the “Knowing the Unfuzzed and Finding Bugs with Coverage Analysis” Webinar

The adoption of fuzzing has resulted in vulnerabilities being found and fixed at scale. Although fuzzing is known for a number of benefits never seen before in other application security testing techniques, advanced users have eventually come across two key questions:

Uncovering OpenWRT remote code execution (CVE-2020-7982)

Introduction

For ForAllSecure, I’ve been focusing on finding bugs in OpenWRT using their Mayhem software. My research on OpenWRT has been a combination of writing custom harnesses, running binaries out of the box without recompilation, and manual inspection of code.

ForAllSecure's Response to COVID-19

COVID-19 is a global pandemic that affects everyone. We all need to work together, and I wanted to share with you some of the things ForAllSecure is doing.
