Assessing and Exploiting BigNum Vulnerabilities
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricacies of BigNum vulnerabilities in cryptography implementations during this 49-minute Black Hat conference talk. Delve into the implications of bugs in multi-precision integer arithmetic and their potential for exploitation in asymmetric cryptographic primitives. Learn about bug patterns, exploitation requirements, and strategies for automated bug hunting. Examine case studies including CVE-2014-3570 in OpenSSL, GMP 5 multiplication bugs, and issues in libgcrypt 1.6.0. Discuss challenges in symbolic execution, alternative property-based bug hunting methods, and fuzzing techniques. Gain insights into assessing and exploiting these vulnerabilities to enhance cryptographic security.
Syllabus
Intro
Outline
Motivation: break crypto, maybe?
Introduction to BigNum Arithmetic
Widely used implementations
Anatomy of CVE-2014-3570
OpenSSL's impact assessment (1/2)
Counterargument
GMP 5 mult bugs
The patch
Bug pattern: carry mispropagation
libgcrypt 1.6.0
Symbolic Execution Challenges
Galois' SAW
Alternative property-based bug hunting
Fuzzing
Conclusions
Bibliography
Taught by
Black Hat
Related Courses
Formal Software VerificationUniversity System of Maryland via edX Software Analysis & Testing
Georgia Institute of Technology via Udacity Computer Systems Security
Massachusetts Institute of Technology via MIT OpenCourseWare Reverse Engineering 3201: Symbolic Analysis
OpenSecurityTraining2 via Independent angr: Binary Analysis Framework - Demonstration and Analysis
New York University (NYU) via YouTube