Applied security research is a major driving force in CENSUS, defining its culture, its services and its approach towards actionable security in the product and enterprise domains. This page presents an overview of the CENSUS laboratory facilities and highlights results from its in-house research efforts.
HARDWARE & RADIO TESTING LABS
CENSUS operates specialized Hardware and Radio Laboratory facilities to evaluate the security posture of electronic devices and their communications. The resident engineers use state-of-the-art equipment to set up and execute experiments that evaluate a product's defenses against a wide range of adversarial scenarios. This process may also include the development of custom hardware and software.
Beyond the realms of Product Security and Vulnerability Research, the lab team is also commonly involved in producing custom apparatus for testing clients' enterprise security controls during Organization Security Testing projects.
You can find more information about the Hardware and Radio Laboratory capabilities and their relation to CENSUS services in our whitepaper.
RESEARCH
At CENSUS we have a strong passion for applied security research. Results from our laboratories that have been cleared for public disclosure, along with related presentation material, are collected and made available here.
Vulnerability Discovery
- Fuzzing
  - Knowledge-based Evolutionary Fuzzing (presentation, Choronzon fuzzer)
  - Efficient Android Fuzzing
  - Fuzzing Android's ART runtime
- Tracing
- Binary Diffing (Efficient Features for Function Matching between Binary Executables)
- Program Instrumentation (With and Without Source Code, Overview for Developers)
- Firmware Assessments (Attacking Qualcomm Hexagon aDSP firmware, Reverse Engineering the Apple iOS Sandbox Kernel Extension, Microchip SDK bugs, ARM toolchain bugs, Android multimedia framework ("libstagefright") bugs)
- Embedded System Emulation (Samsung RKP Hypervisor inspection through QEMU ARM hardware emulation)
- Vulnerabilities discovered in popular software (Advisories)
Exploit Engineering
- Kernel Exploitation (incl. Windows, Linux, MacOS XNU, FreeBSD and OpenSolaris)
- Userland Exploitation (incl. heap exploitation primitives, jemalloc exploitation on FreeBSD libc/NetBSD libc/Android libc/Firefox/VLC, Adobe Flash exploitation)
- Mobile App Exploitation (Remote exploitation of a WhatsApp man-in-the-disk vulnerability)
- Virtualization Exploitation (VMware workstation guest-to-host escape)
Device Exploitation
Penetration Testing
- IDS evasion (Context-keyed Payload Encoding)
- Anti-virus evasion (Metamorphic PE Packing)
- WiFi Phishing (Process automation, Getting the most out of Evil Twin, Lure10 attack against Windows 10 Automatic Association Algorithm, Known Beacons attack)
- Physical Security Testing (Network backdoor planting)
- ICS/SCADA & IoT Security Testing (for Critical Infrastructure)
Proactive Defenses
- Software Hardening (incl. Kernel Exploitation Mitigations)
- Bypassing filters and Web Application Firewalls through automata learning (Lightbulb Framework)
- Examining the value of Android's SafetyNet Attestation as an application integrity security control
Software
Guides and Reports
- Securing the Building Blocks of Embedded Software
- Securing Military Communications (Whitepaper)
- Medical Application Assessment (Case Study)
- Kernel Debugging (FreeBSD)
- Stack canary randomization (Linux)
- Secure Programming in C
- Digital Forensics (with Open Source Tools)
- Rootkit Analysis (Linux Rootkit Case Study)
- Securing infrastructures (with Open Source Tools)
Other Presentations
- IoT Security Assessments (Methodology, Skills and Tools)
- Medical Device Security
- Mobile App Threat Landscape (first presentation, second presentation)
- Side-channel leaks in Mobile Applications
- Secure Mobile App Development Lifecycle
- Enhancing Penetration Testing (through Vulnerability Research)
- Integrating "malicious" technologies/techniques within the SDLC
- Web Application Firewalls
- Privacy Attacks