OffensiveCon: Field Report on a Zero-Day Machine

What if we could build a machine that eats code on a large scale and outputs accurate information about all the ways in which this program exposes itself to the attacker, fails to be cautious about the input it receives, and leaks information? 

In this presentation we explore a new language which allows us to specify exactly what an attacker can do, which input she/he controls, and where data may leak to her/him. We show how this information, combined with language-neutral formulations of typical vulnerability patterns allow for cross-language identification of many classes of vulnerabilities, including object deserialization vulnerabilities, command injections and cross site scripting. 

To see how the zero-day machine works on your application, sign-up for a free data leakage assessment or free trial now!


Fabian Yamaguchi
Fabian Yamaguchi