|
Security tools
|
| ■ |
NEW!
Skipfish is a ridiculously fast and sleek
active web application security scanner. It is capable of reaching over 2000 requests per second and detecting tricky problems such
as stored XSS, blind SQL injection, or XSRF flaws
[Slashdot].
|
| ■ |
Ratproxy is a passive security testing proxy that observes user interactions with JavaScript-rich
web applications, and automatically annotates them with security-relevant information
[Slashdot]. A small companion bookmarklet, unlocker,
is also available.
|
| ■ |
Tmin is a small, simple, and
convenient fuzzing crash case minimizer. Unlike delta, it does not require the data format to be tokenized and
then re-serialized, and integrates with typical fuzzing scenarios rather well.
|
| ■ |
Bunny is an experimental C code fuzzer that automatically injects closed-loop instrumentation
into tested programs at compile time to optimize execution flow coverage, and bail out early on dead-end fuzzing strategies. The performance impact is
very modest, and the tool works in a plug-and-play fashion even with large codebases.
|
| ■ |
Stompy is a fairly advanced entropy verifier for session cookies, XSRF tokens, OTPs, and other random data. It
goes well beyond FIPS-140-2, performing n-dimensional spectral testing as well.
|
| ■ |
P0f is a 100% passive OS fingerprinter capable of identifying endpoint operating systems in observed communications,
detecting NAT, connection sharing, and so forth. It is integrated with
OpenBSD,
amavisd,
milter, etc. Some useful companion articles:
"Nmap's Silent Partner",
"Dynamic Honeypots".
|
| ■ |
Fl0p is a passive, layer 7 flow fingerprinter that does not look at packet payloads, only at their
relative sizes, direction, and timing. It can be used to peek into encrypted tunnels, automatically telling interactive typing from batch
operations, GETs from POSTs, successful from failed login attempts, and much more. You can also check out some sample signatures, or
check out a related blog post.
|
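The passive, payload-free fingerprinting described above can be illustrated with a small classifier. This is an added example, not fl0p's code or its signature format: the three flows are constructed by hand (a keystroke-at-a-time SSH session, an upload of MSS-sized segments, and a short request followed by a large reply), and the thresholds in classify() are assumptions chosen to separate these three shapes, not values taken from the tool.

```python
from statistics import median, pstdev

# Constructed sample flows, not captures. Each packet is (seconds since flow start,
# direction, TCP payload bytes); "c" is client->server, "s" is server->client.
TYPING = [(0.00, "c", 52), (0.01, "s", 52), (0.31, "c", 52), (0.32, "s", 52),
          (0.78, "c", 52), (0.79, "s", 52), (1.40, "c", 52), (1.41, "s", 68),
          (1.95, "c", 52), (1.96, "s", 52), (2.10, "c", 52), (2.11, "s", 420)]
UPLOAD = [(0.000, "c", 1448), (0.001, "c", 1448), (0.002, "c", 1448), (0.003, "c", 1448),
          (0.004, "s", 0), (0.005, "c", 1448), (0.006, "c", 1448), (0.007, "c", 1448),
          (0.008, "s", 0), (0.009, "c", 1448), (0.010, "c", 900), (0.012, "s", 0)]
FETCH = [(0.000, "c", 310), (0.020, "s", 1448), (0.021, "s", 1448), (0.022, "s", 1448),
         (0.023, "s", 1448), (0.024, "c", 0), (0.025, "s", 1448), (0.026, "s", 1448),
         (0.027, "s", 700), (0.028, "c", 0)]


def flow_features(packets):
    """Metadata-only features: sizes, direction and timing. Payload bytes are never read,
    which is why the same logic works on an encrypted tunnel."""
    client = [p for p in packets if p[1] == "c" and p[2] > 0]   # drop pure ACKs
    server = [p for p in packets if p[1] == "s" and p[2] > 0]
    client_bytes = sum(p[2] for p in client)
    server_bytes = sum(p[2] for p in server)
    gaps = [b[0] - a[0] for a, b in zip(client, client[1:])]   # inter-packet delay, client side
    return {
        "client_packets": len(client),
        "client_median_size": median(p[2] for p in client) if client else 0,
        "client_gap_median": median(gaps) if gaps else 0.0,
        "client_gap_spread": pstdev(gaps) if len(gaps) > 1 else 0.0,
        "server_bytes": server_bytes,
        "upload_ratio": client_bytes / max(1, client_bytes + server_bytes),
    }


def classify(packets):
    """Assumed thresholds: keystroke-sized segments at human pace -> interactive;
    MSS-sized client segments with only ACKs coming back -> bulk upload;
    tiny request, large reply -> request/response (GET-like)."""
    f = flow_features(packets)
    if f["client_packets"] >= 3 and f["client_median_size"] < 128 and f["client_gap_median"] > 0.1:
        return "interactive"
    if f["client_median_size"] >= 1000 and f["upload_ratio"] > 0.9:
        return "bulk-upload"
    if f["server_bytes"] > 0 and f["upload_ratio"] < 0.2:
        return "request-response"
    return "unknown"           # too little data, or a shape no rule covers


if __name__ == "__main__":
    for name, flow in ("TYPING", TYPING), ("UPLOAD", UPLOAD), ("FETCH", FETCH):
        print(name, classify(flow), flow_features(flow))
```

The gap spread is computed but deliberately not used by any rule: on real traffic it is the feature that separates a human typing (irregular gaps) from a script driving the same protocol at a fixed interval, and a second rule keyed on it is the natural next step.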
| ■ |
Memfetch is a simple utility to dump all memory of a running process, either immediately or when a fault
condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers - and a
convenient way to grab "screenshots" from many types of text-based interactive utilities.
|
| ■ |
0trace is a traceroute tool that can be run within an existing, open TCP connection - therefore bypassing some
types of stateful packet filters with ease. You probably want to use Jagger's improved version or
Jon Oberheide's Python port, though.
|
| ■ |
Various small fuzzers - these may be of interest to some readers:
ref_fuzz for DOM bindings - crashed every browser on the market;
mangleme for HTML and image parsing routines - ditto, also won me
this spiffy title
[Slashdot];
DOM Checker for validating SOP rules - found several UXSS bugs;
Canvas fuzzer - crashed every browser that supports <canvas>; or
transition fuzzer - exposed fun bugs in MSIE.
|
| ■ |
Tools of historical interest - these programs are ancient, and may no
longer work, or be broken in other ways:
Fenris - a cool annotating runtime tracer;
fakebust - a step-by-step malware analyzer;
2c2 - deniable file encryption;
snowdrop - watermarking for C code and text files;
bugger - a fuzzer that tweaks client state instead of the exchanged data;
netsed - string replacement proxy;
therev - document change history spider;
uc - unix socket netcat;
uptime - uptime changer;
poink - nosuid TCP ping;
ld-expl - world's best exploit; or
afx - a simple fuzzing framework.
|
|
|
Security writings
|
| ■ |
NEW!
My blog is an up-to-date source for industry-themed rants that would otherwise never see the
light of day. Some of my posts occasionally get re-published at ZDnet, and then - no idea why - by
Slashdot.
|
| ■ |
Browser Security Handbook is probably the first reasonably comprehensive attempt to
examine and enumerate the security-relevant properties of modern browsers
[Slashdot]. It is about 60 pages long - and I am using the material collected
as a part of this project for my upcoming book.
|
| ■ |
"Silence on the Wire" is my 2005 book: an illustrated guide through some of the more challenging and subtle problems in
information security (there is no talk of buffer overflows and cross-site scripting, to be sure). French, German, Italian, Polish, Chinese, and Russian
translations are available.
|
| ■ |
Cracking safes with thermal imaging is a goofy experiment in using thermal cameras to read latent keypad patterns in
real-world settings [Hack-a-Day,
Schneier].
|
| ■ |
"Strike that out..." is a quirky after-hours project that amounted to spidering microsoft.com for change tracking data still
embedded in the published Word documents. The findings are rather amusing, and demonstrate how tricky it is to get this functionality under control,
even when dealing with your own products [Slashdot].
|
| ■ |
TCP/IP ISN research (and a 2002 followup) is a detailed study of 3-dimensional attractor
reconstruction as a method of attacking PRNGs used by TCP/IP stacks. These papers are widely cited in various literature, and inspired related work
by Dan Kaminsky and Joe Stewart
[Slashdot 1, Slashdot 2].
A chapter of SotW is dedicated to these problems.
|
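The delayed-coordinate ("attractor") view used in the ISN papers is the same test that applies to the session cookies and XSRF tokens Stompy is meant for, so one added example serves both entries. This is not the papers' code nor Stompy's: it embeds the first differences of a 32-bit sequence as 3-D points and scores how often the next step can be guessed from the nearest earlier point. The two generators are constructed stand-ins: a clock-like ISN with small jitter, and a seeded PRNG standing in for full-width random output (seeded only so the numbers are reproducible; a real check would feed in values observed on the wire).

```python
import random

M = 1 << 32   # 32-bit space shared by TCP ISNs and many token counters


def deltas(values):
    """First differences modulo 2**32, the quantity the ISN papers plot."""
    return [(b - a) % M for a, b in zip(values, values[1:])]


def embed(d, dim=3):
    """Delayed-coordinate embedding: point i is (d[i], d[i+1], ..., d[i+dim-1])."""
    return [tuple(d[i:i + dim]) for i in range(len(d) - dim + 1)]


def predictability(values, dim=3, tolerance=4096):
    """Fraction of steps whose next delta is guessed within +-tolerance.

    For each point, take the closest earlier point in delta space and predict that
    the delta which followed it repeats. Random data scores near zero; a generator
    whose deltas sit on a low-dimensional structure is guessed most of the time."""
    d = deltas(values)
    pts = embed(d, dim)
    hits = tries = 0
    for i in range(1, len(pts) - 1):              # pts[i] is followed by d[i + dim]
        cur = pts[i]
        j = min(range(i), key=lambda k: sum((a - b) ** 2 for a, b in zip(pts[k], cur)))
        predicted, actual = d[j + dim], d[i + dim]
        err = abs(predicted - actual)
        err = min(err, M - err)                   # distance on the 32-bit circle
        hits += err <= tolerance
        tries += 1
    return hits / tries if tries else 0.0


def token_values(tokens):
    """Hex session tokens -> integers in the same space (longer tokens are truncated)."""
    return [int(t, 16) % M for t in tokens]


def weak_isn(n, seed=1):
    """Constructed stand-in for an old clock-driven ISN: +64000 per step plus jitter."""
    rng = random.Random(seed)
    x, out = rng.getrandbits(32), []
    for _ in range(n):
        x = (x + 64000 + rng.randrange(1024)) % M
        out.append(x)
    return out


def strong_isn(n, seed=1):
    """Constructed stand-in for a full-width random ISN (seeded PRNG, reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    print("clock+jitter:", predictability(weak_isn(400)))
    print("random:      ", predictability(strong_isn(400)))
```

The nearest-neighbour search is O(n^2) and is kept that way for readability; a few hundred samples is enough to see the difference, and that is about the number of sequential connection attempts a probe would make anyway.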
| ■ |
IP fragmentation flaw: as it turns out, the way IP fragmentation interacts with TCP checksums permits attackers to blindly
spoof portions of TCP/IP packets without the need to guess sequence numbers. There are some mitigating factors, but it's an interesting design glitch.
A more general discussion of this problem can be, again, found in SotW.
|
| ■ |
Delivering signals for fun and profit is a 2001 paper describing a class of race condition vulnerabilities triggered by
asynchronous signal delivery to privileged applications (both locally and over the network). The problem plagued most of the software back then
(Sendmail included), and isn't quite sorted out today.
|
| ■ |
The absence of fd-based unlink() causes an interesting range of /tmp-related issues on most unix systems, as explored
in this 2002 paper. While several complex designs can be employed to work around this flaw, most implementations remain vulnerable to this day.
|
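The race the 2002 paper is about can be reproduced in a few lines, along with the fd-relative fix that later arrived as unlinkat(2) and is exposed in Python as os.unlink(name, dir_fd=...). This is an added example, not code from the paper: a cleaner is asked to delete work/secret, and between its look at the directory and its unlink() call an attacker swaps "work" for a symlink to a decoy directory standing in for /etc or a home directory. The directory and file names are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def open_dir(path):
    """Open a directory, refusing a symlink in the final path component."""
    return os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def race_demo(relative):
    """Run the symlink swap against a path-based (relative=False) or
    fd-relative (relative=True) unlink. Returns whether the decoy's file survived
    and whether the junk the cleaner was asked to remove is actually gone."""
    base = tempfile.mkdtemp()
    work, decoy = os.path.join(base, "work"), os.path.join(base, "decoy")
    os.mkdir(work)
    os.mkdir(decoy)
    junk, victim = os.path.join(work, "secret"), os.path.join(decoy, "secret")
    with open(junk, "w") as f:
        f.write("temporary junk\n")
    with open(victim, "w") as f:
        f.write("important data\n")
    dfd = None
    try:
        if relative:
            dfd = open_dir(work)                  # cleaner pins the real directory here

        # --- attacker wins the race: the path 'work' now leads somewhere else ---
        os.rename(work, work + ".moved")
        os.symlink(decoy, work)

        # --- cleaner carries on and deletes 'secret' ---
        if relative:
            os.unlink("secret", dir_fd=dfd)       # unlinkat(dfd, "secret", 0): swap is harmless
        else:
            os.unlink(os.path.join(work, "secret"))   # path resolves through the new symlink

        return {
            "victim_survived": os.path.exists(victim),
            "junk_removed": not os.path.exists(os.path.join(work + ".moved", "secret")),
        }
    finally:
        if dfd is not None:
            os.close(dfd)
        shutil.rmtree(base)


if __name__ == "__main__":
    print("path-based:  ", race_demo(relative=False))
    print("fd-relative: ", race_demo(relative=True))
```

Holding the directory fd only helps if every later operation is performed relative to it; building a fresh path string from the directory name for the unlink() call reintroduces the race, which is exactly the limitation the passage describes.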
| ■ |
Recent vulnerabilities - I generally do not post individual vulnerability notes here; you can use
SecurityFocus, PacketStorm, or
Google, if you are interested in looking up a good subset of them. Here's some Slashdot
coverage of random high-profile bugs in recent years, though, for your amusement:
link 1,
link 2,
link 3,
link 4,
link 5,
link 6.
|
| ■ |
Writings of historical interest - assorted stuff that seems grossly outdated or inadequate by today's
standards, but happens to be signed with my name:
network-based parasitic storage;
Museum of Broken Packets;
Rise of the robots;
"I don't think I really love you" (+ unicorns).
|
|
|
Robots and CNC
|
| ■ |
NEW!
Guerrilla guide to CNC machining and resin casting - this is my epic, two volume, 60,000 word account of
everything I learned in the past 5 years when it comes to hobbyist CNC work. The guide is of interest to about five people in the world, but hey
[Makezine].
|
| ■ |
NEW!
Tinybot mkIII is my current robot project - painstakingly machined, cast, and assembled from scratch. It is probably
one of the most practically useful designs I have created so far
[Makezine].
|
| ■ |
Geiger-Mueller mood lamp: prepare for doomsday in style! This lamp combines a high-voltage Russian military surplus
radiation detector with soothing LED array color transitions; just what your living room might need.
|
| ■ |
Simple 2.5D photography - this page documents an interesting experiment in laser-assisted scene acquisition for
computational photography purposes [Makezine].
|
| ■ |
NEW!
Shannon's Ultimate Machine - why not! My own take on the well-known theme: a machine that exists only to shut itself
off.
|
| ■ |
Perpetual robot works - just a confusing photo gallery of various prototypes and designs I experimented with.
|
| ■ |
Paper of historical interest: you can check out my old $50 robot building guide,
documenting my very first take on a mobile robot (somewhere in 2001) - photo.
The landscape has changed so significantly that following this advice makes little or no sense, though.
|
|
|
Photography and other diversions
|
| ■ |
Yes, I do photography. I started somewhere in 2001 (long before it seemed to be a mandatory occupation for all the
information security people ;-) - and the hobby sort of continues to this day. I progressed through a black-and-white and color darkroom, but am now
simply shooting digital. Of topical interest, you can also have a peek at QE2 cruise photos and fishtank outtakes.
|
| ■ |
Pointless pursuits:
I have a long history of ridiculous but amusing projects, including:
The Wreck of Steamer Stella - poetry as an interpreted language;
eProvisia - a laughable company that duped several mainstream media outlets and industry experts
[ZDnet, Slashdot,
Ars Technica];
Catty - a Google-based chatbot;
blog generator - a Catty-based blogging entity;
evil finder - a handy proving tool [Fark];
and lost souls, a page logging outlandish search referrers in real time.
|
| ■ |
Other people:
I have a kid, a wife, and several other pages to link to:
taviso,
scarybeasts,
asirap,
secret lives of numbers,
20q,
counter-script.
|
| ■ |
Projects of historical interest:
Argante,
culture shock,
who runs the alphabet,
assembler hell,
DIX,
text-based JPEG viewer,
and other assorted stuff in
this directory.
|
|