A small security research group with solid background.     We do research to solve real problems with real solutions.
Hector Ismael

Main Results
Code analysis and exploitation
Offset2lib (bypass ASLR)
• CRTμROP (bypass ASLR)
• Jmp2non-ssp (bypass SSP)

Defensive techniques
RenewSSP
ASLR-NG


Honors & Awards      
IBM Corp. (July, 2016)
Google Inc. (Mar, 2016)
Google Inc. (Sep, 2015)
Google Inc. (Aug, 2015)
Google Inc. (Jul, 2015)
PacketStorm Security (2014)

In the News


Publications

"Abusing LUKS to Hack the System", (DeepSEC, 2016) [URL]

"Exploiting Linux and PaX ASLR's Weaknesses on 32-bit and 64-bit Systems", (Black Hat Asia 2016) [URL]

"On the Effectiveness of Full-ASLR on 64-bit Linux", (DeepSEC, 2014) [URL]

"On the Effectiveness of NX, SSP, RenewSSP, and ASLR against Stack Buffer Overflows", (NCA, 2014) [DOI]

"Emerging trends in ICT security", (Elsevier Inc, 2013) [DOI]

"Preventing brute force attacks against stack canary protection on networking servers", (NCA, 2013) [DOI]

more . . .

Highlights
ASLR-NG: Get the maximum protection for your applications
    ASLR is a widely used and very effective mitigation technique against most memory error bugs. The effectiveness of the ASLR relies on keeping secret the memory layout of the target process. Therefore, the more randomness, the more secure is the process.
    We have designed and implemented (beta) a new ASLR design, which maximizes the entropy and does not jeopardizes the fragmentation.

RenewSSP: Improve the Security of your Servers
    Is a new technique (Patent Pending: US14341118) to augment the effectiveness of the stack smashing protection mechanism which:
  • Eliminates brute force attacks against the canary (SSP).
  • When combined with the ASLR, it has a multiplicative effect.
  • The overhead is negligible, and zero cost during the execution of the application.
  • No need to modify the applications (binary or source).
  • It can be used by just pre-loading a tiny library.


Accepted CVEs
CVE Product Description Vulnerability/Weakness CVSS
v2.0 v3.0
CVE-2016-4484 Cryptsetup(Initrd) Incorrect error handling Not failing securely 7.2 6.8
CVE-2016-3672 Linux kernel Disable ASLR ASLR Weakness 4.6 7.8
CVE-2015-8370 GRUB2 Integer overflow IX Jornadas STIC CCN-CERT 6.9
CVE-2015-1593 Linux Kernel Integer overflow Reduced randomised range 5.0
CVE-2015-1574 Email Android Denial of Service Incorrect headers handling 5.0
CVE-2013-6825 DCMTK Root privilege escalation Drop privileges failed 7.2
CVE-2013-4788 Glibc Weak pointer protection Improper Input Validation 5.1
CVE-2013-6876 s3dvt Root shell (I) Drop privileges failed N.A.
CVE-2014-1226 s3dvt Root shell (II) Drop privileges failed N.A.
CVE-2014-5439 sniffit Root shell Stack buffer overflow N.A.
. . . . . . . . . . . . . . .

Other Security Issues
Product Description Vulnerability/Weakness
Linux kernel Reduced mmap entropy Improper mask manipulation
Glibc Bypass pointer guard Improper Input Validation
Linux Kernel AMD Bulldozer ASLR Reduced randomization
Bash Root shell Drop privileges failed
Bash Crash Improper input handling
Network printer Credentials compromised To be disclosed
Android Infoleak To be disclosed
Background
Dynamic memory
• TLSF
 Virtualisation
• XtratuM hypervisor
• NEXX hypervisor
• STP
Real-Time systems
• RTLinux (historical)

Bachelor Degree Projects
Fernando Vañó :: ROPs for ARM
Pau Sastre :: N-Variant Monitor, impl.
Jordi Chulia :: N-Variant Monitor, eval.


Teaching
Hacking Ético (Tienes que estar dispuesto a aprender)
Ciberseguridad
Student satisfaction: average >9, since 2013. (range: 0..10)

Past Research Projects
Latest projects:

"Trusted Embedded Computing", Ministerio de Industria, Energía y Turismo, ITEA-2, Spain

"System Impact Of Distributed Multicore Systems", ESAproject leaded by Astrium SAS, France

"Securely Partitioning Spacecraft Computing Resources", ESA project leaded by ASTRIUM SAS, France

"Open VEhiculaR SEcurE platform", European Union, FP7.

"Xtratum Microkernel Porting on LEON Target", CNES, France.

more . . .

  Contact us Home