June 30th, 2008 by kowsik
IPSes are just fun, aren’t they? Bunch of high-speed pattern matchers with built-in protocol decodes. Well, I built one a while back and got tired after 5 years. There’re only so many signatures you can have in a product before you run out of DFA/NFA space and you have to resort to turning off less important ones (i.e., *ahem* low severity) for the sake of performance. Interestingly enough, performance and security are at cross-roads. The more secure you are, the slower you run. Just the way things work, I suppose.
Posted in IPS
May 23rd, 2008 by kowsik
If you’ve gone through my CanSecWest slides, I talk a lot about Fields and how they are the fundamental units of protocols (network or file formats). The linkage information between the Fields and across messages is a pretty powerful way to infer the cyclomatic complexity of the code that parses these messages. When generating test cases (fuzzing being one kind), we can leverage these structural and semantic linkages to generate systematic constraint violations that ultimately exercise the various branches taken in the parser.
Posted in Mutations, Research
March 28th, 2008 by kowsik
Sitting at the airport in Vancouver on my way back home. It’s going to be good to go back to sunny California. It’s pretty gloomy out here with occasional rain and snow. But anyways, I had a blast at the conference and thanks to Dragos and Yuriko (and I’m sure countless others that I don’t know about) for organizing this. It was also good to meet people that I’ve exchanged emails with.
Posted in Talk
March 24th, 2008 by kowsik
XDR, as specified in rfc-4506, forms the underpinnings of Mount, NFS, NFS4 and a host of other protocols. Broadly all of this can be grouped under Sun RPC for implementing Remote Procedure Calls.
The XDR is truly an IDL (Interface Definition Language) for a Sun RPC service. On most *nix operating systems you will find a set of .x files located in:
/usr/include/rpcsvc/
that specify how to talk to these services.
Posted in Ruby, Tools
March 18th, 2008 by David Helder
The Mu Security Research Team released advisory “MU-200803-01” today. Details: MU-200803-01
Posted in Advisories
February 14th, 2008 by Adam Bozanich
The Mu Security Research Team released advisory “MU-200802-01” today. Details: MU-200802-01
Posted in Advisories
January 23rd, 2008 by kowsik
CHSM is a pretty nifty way to model finite state machines in Java or C++. It uses a DSL (Domain Specific Language) with embedded code blocks which is then compiled into the actual source. This FSM in Ruby is an attempt to model something very similar as a DSL.
Posted in Ruby, Tools
December 4th, 2007 by kowsik
The universal TUN/TAP drivers have been shipping with the Linux kernel for a while now. vtun builds on this to set up point-to-point tunnels that essentially encapsulate Ethernet frames over a TCP connection. Here’s the Ruby code to set up a tap interface so we can start receiving raw Ethernet frames that are being written to this interface.
Posted in Ruby, Tools
November 18th, 2007 by kowsik
Take a number and think of all the possible ways you can encode it. Make up some new rules because you feel like it. Oh wait, maybe you should throw in some custom encoding because it feels right. That pretty much sums up the 50 ways you can encode numbers in Packed Encoding Rules.
Posted in Rants
November 14th, 2007 by kowsik
Every now and then you look back and think about all the time you spent working on something that was so pointlessly convoluted and intentionally perverse, you wonder what’s wrong with the world. You heard me kvetch about ASN. Well, it’s another incarnation of the same beast, except it’s PER. It, BTW, stands for Perverse Encoding Rules. The true 50-ways-to-encode-your-lover.
Posted in Rants