SlideShare a Scribd company logo

Where is my silver bullet?!

Ivan Novikov
Ivan Novikov

In the past two years, companies all over the world spent $157 billion on information security products. For comparison, the total expenses of the state government of New York amounted to $150.7 billion in 2016. Just for our amusement, let's imagine a silver bullet with a cost comparable to information security expenses. It would weigh 302.5 tons since silver costs $515.70 per kilogram (actual price on the day this article was written)! Therefore, it is either a really heavy bullet the size of a 10-story building, or it isn't made of silver. I could continue hypothesizing about potential raw materials for such a bullet, but I'd rather discuss the reasons behind such a state of affairs. In short, it is unclear what needs to be protected and from what. I will elaborate on these two problems below.

Technology
1 of 18
Download to read offline
Where is my silver bullet?! Or how to bypass any intrusion detection system RUCTF 2017
@d0znpp BIO ● Bug bounty ● SSRF bible https://goo.gl/AQiZt8 ● Wallarm CEO ● Twitter, Medium, Facebook, Telegram: @d0znpp
“Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016” 2015 $75 B 2016 $81.6 B This bullet definitely costs more than $156.6 B It’s not a silver… Or the weight is about 269’400 tons
One simple question
How it works?
Why? Two important things since the 30s No documentation (because of the Apple and UX) ● Try to find documentation for Chrome :) ● How to understand that it’s the bug but not a backdoor Closed source software (because of the Intel et al.) ● What’s does “Intel inside” really mean?
Layer cake How many layers do you know? I spent last 10 year for the security and don't sure that know about all of them
Do you know this guy?
Chomsky hierarchy ● Turing machine ● Linear bounded automaton (LBA) ● LL parser ● Regular expression
Parsers. Grammars. Interpreters. Layers. Products AV is a good example here. ● Binary program (ASM) ● Signature (regular expression) The same as ● IPS ● IDS ● WAF ● XXX
What should we detect? ● What is a vulnerability? ● Taxonomy/classification! ● Is it a bug or a backdoor? ● Can there be one thing malicious in one case and completely normal in another
Classification issues ● CWE. Complicated hierarchy. Overlaps and intersections. ● OWASP. Something strange. ● WASC. Too old and non-formal.
Computer science
Information security
Make it science! Dear students! The world needs your help. It is necessary to describe what a vulnerability is in terms of Turing machines or other formal models. Do this before you work for someone and these studies will become a private patents!
Thanks! Follow me: @d0znpp Twitter, Medium, Facebook, Telegram, Snapchat

Recommended

ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...Santhosh Tuppad
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptxssuser152aeb
 
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)Ömer Çıtak
 
Phishing101
Phishing101Phishing101
Phishing101Bitdefender
 
What is Social Influence Marketing?
What is Social Influence Marketing?What is Social Influence Marketing?
What is Social Influence Marketing?Farnaz Fanaian
 
Privacy and Security in Online Social Media : Misinformation on Social Media
Privacy and Security in Online Social Media : Misinformation on Social MediaPrivacy and Security in Online Social Media : Misinformation on Social Media
Privacy and Security in Online Social Media : Misinformation on Social MediaIIIT Hyderabad
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Ömer Çıtak
 
How to hack. Cyprus meetup
How to hack. Cyprus meetupHow to hack. Cyprus meetup
How to hack. Cyprus meetupIvan Novikov
 

Recommended

ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...Santhosh Tuppad
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptxssuser152aeb
 
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)
Bir Şeyi Hacklemek (DEU ACM Bilişim Günleri 2016)Ömer Çıtak
 
Phishing101
Phishing101Phishing101
Phishing101Bitdefender
 
What is Social Influence Marketing?
What is Social Influence Marketing?What is Social Influence Marketing?
What is Social Influence Marketing?Farnaz Fanaian
 
Privacy and Security in Online Social Media : Misinformation on Social Media
Privacy and Security in Online Social Media : Misinformation on Social MediaPrivacy and Security in Online Social Media : Misinformation on Social Media
Privacy and Security in Online Social Media : Misinformation on Social MediaIIIT Hyderabad
 
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016
Web Çatı Şablonlarının Güvenliği (SSTI) - Özgür Web Günleri 2016Ömer Çıtak
 
How to hack. Cyprus meetup
How to hack. Cyprus meetupHow to hack. Cyprus meetup
How to hack. Cyprus meetupIvan Novikov
 
Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017Richard Seymour
 
Machine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you winMachine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you winRoger Chen
 
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)Nick Malcolm
 
DEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansDEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansFelipe Prado
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)PROIDEA
 
Future of Search and Links - The iGaming Summit Malta #sigma2014
Future of Search and Links - The iGaming Summit Malta #sigma2014Future of Search and Links - The iGaming Summit Malta #sigma2014
Future of Search and Links - The iGaming Summit Malta #sigma2014Jan-Willem Bobbink - Freelance SEO Consultant
 
Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
IT in 2017
IT in 2017IT in 2017
IT in 2017Dhaval Anjaria
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextSteve Poole
 
How do you get started in AI?
How do you get started in AI?How do you get started in AI?
How do you get started in AI?Gordon Haff
 
IoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect InformationIoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect InformationChristopher Mohritz
 
Data Scientist's Daily Life
Data Scientist's Daily LifeData Scientist's Daily Life
Data Scientist's Daily LifeBryan Yang
 
OpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internetOpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internettkisason
 
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projectsSecure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projectsRob Dudley
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Perfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywherePerfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywhere10x Nation
 
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...Bishop Fox
 
OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 

More Related Content

Similar to Where is my silver bullet?!

Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017Richard Seymour
 
Machine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you winMachine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you winRoger Chen
 
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)Nick Malcolm
 
DEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansDEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansFelipe Prado
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)PROIDEA
 
Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextSteve Poole
 
How do you get started in AI?
How do you get started in AI?How do you get started in AI?
How do you get started in AI?Gordon Haff
 
IoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect InformationIoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect InformationChristopher Mohritz
 
Data Scientist's Daily Life
Data Scientist's Daily LifeData Scientist's Daily Life
Data Scientist's Daily LifeBryan Yang
 
OpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internetOpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internettkisason
 
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projectsSecure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projectsRob Dudley
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?SahilRao25
 
Perfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywherePerfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywhere10x Nation
 
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...Bishop Fox
 

Similar to Where is my silver bullet?! (20)

Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017Safety Bot Guaranteed -- Shmoocon 2017
Safety Bot Guaranteed -- Shmoocon 2017
 
Machine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you winMachine intelligence to free human intelligence: How automation helps you win
Machine intelligence to free human intelligence: How automation helps you win
 
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover)
 
DEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansDEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humans
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
 
Future of Search and Links - The iGaming Summit Malta #sigma2014
Future of Search and Links - The iGaming Summit Malta #sigma2014Future of Search and Links - The iGaming Summit Malta #sigma2014
Future of Search and Links - The iGaming Summit Malta #sigma2014
 
Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017
 
IT in 2017
IT in 2017IT in 2017
IT in 2017
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn NextGIDS-2023 A New Hope for 2023? What Developers Must Learn Next
GIDS-2023 A New Hope for 2023? What Developers Must Learn Next
 
How do you get started in AI?
How do you get started in AI?How do you get started in AI?
How do you get started in AI?
 
IoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect InformationIoT: Entering an Era of Perfect Information
IoT: Entering an Era of Perfect Information
 
Data Scientist's Daily Life
Data Scientist's Daily LifeData Scientist's Daily Life
Data Scientist's Daily Life
 
OpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internetOpenFest 2012 : Leveraging the public internet
OpenFest 2012 : Leveraging the public internet
 
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projectsSecure All Teh Things - Add 2 factor authentication to your own CFML projects
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
 
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
AI and Machine Learning In Cybersecurity | A Saviour or Enemy?
 
Perfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywherePerfect Information - How IoT empowers you to know anything, anytime, anywhere
Perfect Information - How IoT empowers you to know anything, anytime, anywhere
 
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
InfoSec World 2013 – W4 – Using Google to Find Vulnerabilities in Your IT Env...
 

More from Ivan Novikov

OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)Ivan Novikov
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attackDistributed computing in browsers as client side attack
Distributed computing in browsers as client side attackIvan Novikov
 
Yandex rewards. ONsec experience
Yandex rewards. ONsec experienceYandex rewards. ONsec experience
Yandex rewards. ONsec experienceIvan Novikov
 

More from Ivan Novikov (6)

OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)OpenSSL rands (fork-safe)
OpenSSL rands (fork-safe)
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attackDistributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
 
Yandex rewards. ONsec experience
Yandex rewards. ONsec experienceYandex rewards. ONsec experience
Yandex rewards. ONsec experience
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Where is my silver bullet?!

  • 1. Where is my silver bullet?! Or how to bypass any intrusion detection system RUCTF 2017
  • 2. @d0znpp BIO ● Bug bounty ● SSRF bible https://goo.gl/AQiZt8 ● Wallarm CEO ● Twitter, Medium, Facebook, Telegram: @d0znpp
  • 3.
  • 4. “Gartner Says Worldwide Information Security Spending Will Grow 7.9 Percent to Reach $81.6 Billion in 2016” 2015 $75 B 2016 $81.6 B This bullet definitely costs more than $156.6 B It’s not a silver… Or the weight is about 269’400 tons
  • 7. Why? Two important things since the 30s No documentation (because of the Apple and UX) ● Try to find documentation for Chrome :) ● How to understand that it’s the bug but not a backdoor Closed source software (because of the Intel et al.) ● What’s does “Intel inside” really mean?
  • 8. Layer cake How many layers do you know? I spent last 10 year for the security and don't sure that know about all of them
  • 10. Chomsky hierarchy ● Turing machine ● Linear bounded automaton (LBA) ● LL parser ● Regular expression
  • 11. Parsers. Grammars. Interpreters. Layers. Products AV is a good example here. ● Binary program (ASM) ● Signature (regular expression) The same as ● IPS ● IDS ● WAF ● XXX
  • 12. What should we detect? ● What is a vulnerability? ● Taxonomy/classification! ● Is it a bug or a backdoor? ● Can there be one thing malicious in one case and completely normal in another
  • 13. Classification issues ● CWE. Complicated hierarchy. Overlaps and intersections. ● OWASP. Something strange. ● WASC. Too old and non-formal.
  • 14.
  • 17. Make it science! Dear students! The world needs your help. It is necessary to describe what a vulnerability is in terms of Turing machines or other formal models. Do this before you work for someone and these studies will become a private patents!
  • 18. Thanks! Follow me: @d0znpp Twitter, Medium, Facebook, Telegram, Snapchat