A small security research group with solid background.     We do research to solve real problems with real solutions.
Hector Ismael

Main Results
Code analysis and exploitation
Offset2lib (bypass ASLR)
• CRTμROP (bypass ASLR)
• Jmp2non-ssp (bypass SSP)

Defensive techniques
RenewSSP
ASLR-NG


Honors & Awards      
Google Inc. (Mar, 2016)
Google Inc. (Sep, 2015)
Google Inc. (Aug, 2015)
Google Inc. (Jul, 2015)
PacketStorm Security (2014)

In the News


Publications
"On the Effectiveness of Full-ASLR on 64-bit Linux", (DeepSEC, 2014) [DOI]

"On the Effectiveness of NX, SSP, RenewSSP, and ASLR against Stack Buffer Overflows", (NCA, 2014) [DOI]

"Emerging trends in ICT security", (Elsevier Inc, 2013) [DOI]

"Preventing brute force attacks against stack canary protection on networking servers", (NCA, 2013) [DOI]

more . . .

Highlights
ASLR-NG: Address Space Layout Randomization Next-Generation
    ASLR is a widely used and very effective mitigation technique against most memory error bugs. The effectiveness of the ASLR relies on keeping secret the memory layout of the target process. Therefore, the more randomness, the more secure is the process.
    We have designed and implemented (beta) a new ASLR design, which maximizes the entropy and does not jeopardizes the fragmentation.

RenewSSP: Improved Stack Smashing Protector (SSP)
    Is a new technique (Patent Pending: US14341118) to augment the effectiveness of the stack smashing protection mechanism which:
  • Eliminates brute force attacks against the canary.
  • When combined with the ASLR, it has a multiplicative effect.
  • The overhead is negligible, and zero cost during the execution of the application.
  • No need to modify the applications (binary or source).
  • It can be used by just pre-loading a tiny library.


Accepted CVEs
CVE Product Description Vulnerability/WeaknessCVSS
CVE-2016-3672 Linux kernel Disable ASLR ASLR Weakness N.A.
CVE-2015-8370 GRUB2 Integer Overflow IX Jornadas STIC CCN-CERT 6.9
CVE-20XX-XXXX Linux Kernel Reduced mmap entropy Improper mask manipulation N.A.
CVE-2015-1593 Linux Kernel Integer overflow Reduced randomised range 5.0
CVE-2015-1574 Email Android Denial of Service Incorrect headers handling 5.0
CVE-2013-6825 DCMTK Root privilege escalation Drop privileges failed 7.2
CVE-2013-4788 glibc Weak pointer protection Improper Input Validation 5.1
CVE-2013-6876 s3dvt Root shell (I) Drop privileges failed N.A.
CVE-2014-1226 s3dvt Root shell (II) Drop privileges failed N.A.
CVE-2014-5439 sniffit Root shell Stack buffer overflow N.A.
. . . . . . . . . . . . . . .

Other Security Issues
Product Description Vulnerability/Weakness
glibc Bypass pointer guard Improper Input Validation
Linux AMD Bulldozer ASLR Reduced randomization
Bash Root shell Drop privileges failed
Bash Crash Improper input handling
Network printer Credentials compromised To be disclosed
Android Infoleak To be disclosed
Background
Dynamic memory
• TLSF
 Virtualisation
• XtratuM hypervisor
• NEXX hypervisor
• STP
Real-Time systems
• RTLinux (historical)

Bachelor Degree Projects
Fernando Vañó :: ROPs for ARM
Pau Sastre :: N-Variant Monitor, impl.
Jordi Chulia :: N-Variant Monitor, eval.

Research Projects
Latest projects:

"Trusted Embedded Computing", Ministerio de Industria, Energía y Turismo, ITEA-2, Spain

"System Impact Of Distributed Multicore Systems", ESAproject leaded by Astrium SAS, France

"Securely Partitioning Spacecraft Computing Resources", ESA project leaded by ASTRIUM SAS, France

"Open VEhiculaR SEcurE platform", European Union, FP7.

"Xtratum Microkernel Porting on LEON Target", CNES, France.

more . . .

  Contact us Home