Assessing and Exploiting BigNum Vulnerabilities
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricacies of BigNum vulnerabilities in cryptography implementations during this 49-minute Black Hat conference talk. Delve into the implications of bugs in multi-precision integer arithmetic and their potential for exploitation in asymmetric cryptographic primitives. Learn about bug patterns, exploitation requirements, and strategies for automated bug hunting. Examine case studies including CVE-2014-3570 in OpenSSL, GMP 5 multiplication bugs, and issues in libgcrypt 1.6.0. Discuss challenges in symbolic execution, alternative property-based bug hunting methods, and fuzzing techniques. Gain insights into assessing and exploiting these vulnerabilities to enhance cryptographic security.
Syllabus
Intro
Outline
Motivation: break crypto, maybe?
Introduction to BigNum Arithmetic
Widely used implementations
Anatomy of CVE-2014-3570
OpenSSL's impact assessment (1/2)
Counterargument
GMP 5 mult bugs
The patch
Bug pattern: carry mispropagation
libgcrypt 1.6.0
Symbolic Execution Challenges
Galois' SAW
Alternative property-based bug hunting
Fuzzing
Conclusions
Bibliography
Taught by
Black Hat
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network