With CYBERUK In Practice fast approaching, I wanted to paint a picture of what you can expect from Track 1, Vulnerabilities and Bug Hunting.
“Vulnerability” is a bit of a loaded term. It’s used to refer not only to the software vulnerabilities discovered by researchers across the world, but also the vulnerability of people, systems, organisations and even countries. This track is focused squarely on the discovery of software vulnerabilities.
We decided against stacking the track full of vulnerability discoveries, as much as some would have loved that! Instead, we’ve focused sessions on many different aspects of vulnerability discovery including crowdsourcing, web apps, and automated bug hunting at scale. We’re covering many aspects of the subject, but always with a hands-on feel.
And don’t worry, there will of course be plenty of presentations that do talk about vulnerabilities which have been discovered (and patched). This includes MWR’s Georgi and Rob, hot from their recent pwn2own efforts at CanSecWEST. They’ll be presenting on some of their Android vulnerability hunting. This pairs nicely with work done in academia by Sean Heelan on how to automate some of the challenges of heap exploitation.
Crowdsourcing is becoming increasingly popular, so we’ve chosen to devote two sessions to this. The first, with Katie Moussouris and myself, will talk about vulnerability handling. Then comes a real highlight of the track – a panel session bringing together several pillars of the crowdsourcing world for what will be a fascinating (and no doubt fruity) debate about the pros, cons and methodologies used for crowdsourcing.
It obviously wouldn’t be a complete agenda if we didn’t discuss web vulnerabilities. So we’ve put together a “Top 10” picture of the web, which will be presented by NCC Group’s Chris Anley. This will be followed swiftly by some of the efforts the NCSC are making to improve the web posture of UK Government.
We are covering a range of vulnerability discoveries highlighting the fact that ‘all-the-things’ have vulnerabilities, from web apps (with Chris McMahon Stone from Birmingham University) to routers (Daniel Cater from Context IS). And of course, no track on bug hunting would be complete without looking at some cute vulnerabilities on a core OS like Windows, so we have James Forshaw from Google taking care of that. This last presentation highlights that even the most mature software will still exhibit vulnerabilities.
Security conferences often focus on vulnerabilities and fail to look at improving the landscape. Although a lot of this will be covered by Track 2, Mitigations, we wanted to paint some positive outlooks in Track 1 as well. So, the penultimate session will show two areas where things are looking up. We have Microsoft presenting some excellent work they’ve been doing, hunting vulnerabilities at scale followed by a look at a relatively new programming language, RUST, which has been a topic of research for us at the NCSC.
The last session of day two should keep people interested with a batch of quick-fire presentations. These contain some extra highlights which I won’t spoil, other than to say that one of the presenters will be a non-human IoT device!
I welcome people to this track. Don’t be scared off by the chilli ratings, but please be warned…some of these talks are hot! To find out more about the track please see the latest agenda.
Technical Director for Vulnerability Research
Source: National Cyber Security Centre