
Subject: Research

Vulnerability IDs, Fast and Slow

• CERT/CC Blog
Allen Householder

The CERT/CC Vulnerability Analysis team has been engaged in a number of community-based efforts surrounding Coordinated Vulnerability Disclosure lately. I've written previously about our involvement in the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities. Today I'll highlight our ongoing work in the Forum for Incident Response and Security Teams (FIRST). We are currently active in two vulnerability-related working groups within the FIRST organization: the Vulnerability Coordination SIG (recently merged with the NTIA Multiparty Disclosure working group),...

Domain Blacklist Ecosystem - A Case Study

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now and the 2015 Verizon Data Breach Investigations Report has corroborated our general results. We get a lot of questions about which list is which and if we can recommend a list. We won't reveal which is which generally, but in this blog post we'll make a...

Blacklist Ecosystem Analysis

• CERT/CC Blog
Jonathan Spring

Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper telling you everything you wanted to know about blacklists. Turns out, that did not save the Internet on its own. We're extending that analysis with more blacklist ecosystem analysis this year....

What's Different About Vulnerability Analysis and Discovery in Emerging Networked Systems?

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. In my previous post, I introduced our recent work in surveying vulnerability discovery for emerging networked systems (ENS). In this post, I continue with our findings from this effort and look at the differences between ENS and traditional computing in the context of vulnerability discovery, analysis, and disclosure....

Domain Name Parking

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected." First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense location to a domain when it is not in use to keep it ready for "live"...

Vulnerability Discovery for Emerging Networked Systems

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. I want to introduce some recent work we're undertaking to look at vulnerability discovery for emerging networked systems (including cyberphysical systems like home automation, networked cars, industrial control systems and the like). In this post I cover the background and motivation for this work, our approach, and some preliminary findings. In future posts I will cover additional results from this effort....

Domain Blocking: The Problem of a Googol of Domains

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down: why e-crime pays (domains are so cheap it almost always pays) and comparisons among blacklists (they are largely disjoint, calling into question comprehensiveness)....

Why Cybersecurity Is Not Like the Immune System

• CERT/CC Blog
Jonathan Spring

The idea of a cyber-immune system sometimes circulates through the community. It seems that such proposals either do not properly frame how the immune system works, how good computer security would work, or both. I'm going to try to put both of those in context in order to make clear why cybersecurity is not like the immune system, but why it would be nice if it were....

Analyzing Routing Tables

• CERT/CC Blog
Timur Snoke

Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs), which uniquely identify networks on the Internet. To coordinate traffic between ASNs, the Border Gateway Protocol (BGP) advertises available routing paths that network traffic could take to access other IP addresses. BGP tables select and...

Attaching the Rocket to the Chainsaw - Behind the Scenes of BFF and FOE's Crash Recycler

• CERT/CC Blog
Allen Householder

Hi folks, Allen Householder here. As Will Dormann's earlier post mentioned, we have recently released the CERT Basic Fuzzing Framework (BFF) v2.7 and the CERT Failure Observation Engine (FOE) v2.1. To me, one of the most interesting additions was the crash recycling feature. In this post, I will take a closer look at this feature and explain why I think it's so interesting....

Mining Ubuntu for Interesting Fuzz Targets

• CERT/CC Blog
Jonathan Foote

Hello, Jonathan Foote here. In this post I'll explain how to use information from databases in stock Ubuntu systems to gather the parameters needed to perform corpus distillation (gathering of seed inputs) and fuzzing against the installed default file type handlers in Ubuntu Desktop 12.04. This technique applies to most modern versions of Ubuntu....

Domains That Are Typos of Other Domains

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes. Users would commonly mistype the domain they are going to, and some of the less scrupulous domain owners could take...
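
The post's example is the single fat-finger typo foogle.com. The following is an added illustration (not code from the post or from CERT/CC) of how a defender enumerates typo candidates for a name they want to watch. It goes beyond the post's one case by also generating omissions, transpositions and repeated characters. The keyboard map is an approximate US QWERTY layout, and the input is assumed to be a two-label domain such as example.com; public-suffix handling (co.uk and friends) is deliberately left out.

```python
"""Generate candidate typo domains for a target name.

Added illustration, not CERT/CC code. The keyboard map is an approximate US
QWERTY layout and the input is assumed to be a two-label name such as
example.com (no public-suffix handling).
"""

# Approximate US QWERTY layout. Rows are staggered, so "adjacent" below means
# the same column plus one column either side in the neighbouring rows.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def build_adjacency():
    """Map each letter to the set of keys physically next to it."""
    adjacent = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, key in enumerate(row):
            neighbours = set()
            for dr in (-1, 0, 1):
                if not 0 <= r + dr < len(QWERTY_ROWS):
                    continue
                other = QWERTY_ROWS[r + dr]
                for dc in (-1, 0, 1):
                    if dr == 0 and dc == 0:
                        continue
                    if 0 <= c + dc < len(other):
                        neighbours.add(other[c + dc])
            adjacent[key] = neighbours
    return adjacent


ADJACENT = build_adjacency()


def adjacency_typos(label):
    """Fat-finger typos: one character replaced by a neighbouring key (foogle)."""
    return {label[:i] + n + label[i + 1:]
            for i, ch in enumerate(label) for n in ADJACENT.get(ch, ())}


def omission_typos(label):
    """One character dropped (gogle); never produce an empty label."""
    if len(label) < 2:
        return set()
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition_typos(label):
    """Two adjacent characters swapped (ogogle)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def repetition_typos(label):
    """One character doubled (ggoogle)."""
    return {label[:i] + ch + label[i:] for i, ch in enumerate(label)}


TYPO_CLASSES = (adjacency_typos, omission_typos, transposition_typos, repetition_typos)


def typo_domains(domain):
    """Return the sorted candidate typo domains for a two-label domain."""
    label, tld = domain.lower().rsplit(".", 1)
    candidates = set()
    for generate in TYPO_CLASSES:
        candidates |= generate(label)
    # Swapping the "oo" in google reproduces the original; drop such cases.
    candidates.discard(label)
    return sorted(f"{candidate}.{tld}" for candidate in candidates)


if __name__ == "__main__":
    for name in typo_domains("google.com"):
        print(name)
```

The candidate list is what you would feed to a WHOIS or passive-DNS lookup to see which typos are actually registered; the post's question is whether those registrations are malicious, which the generator alone cannot tell you.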

Watching Domains That Change DNS Servers Frequently

• CERT/CC Blog
Leigh Metcalf

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently....

Forking and Joining Python Coroutines to Collect Coverage Data

• CERT/CC Blog
Jonathan Foote

In this post I'll explain how to expand on David Beazley's cobroadcast pattern by adding a join capability that can bring multiple forked coroutine paths back together. I'll apply this technique to create a modular Python script that uses gcov, readelf, and other common unix command line utilities to gather code coverage information for an application that is being tested. Along the way I'll use ImageMagick under Ubuntu 12.04 as a running example....
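
The fork/join shape the post describes, as an added illustration rather than the post's own script: a Beazley-style cobroadcast fans each item out to several coroutine paths, and a join coroutine collects one result per path before emitting them together. The per-file coverage records are constructed here in place of parsed gcov output, and the two branch functions are stand-ins for whatever analysis each forked path would do.

```python
"""Fork/join over Beazley-style coroutines.

Added illustration, not the code from the original post. The records below are
constructed stand-ins for parsed gcov output.
"""
from functools import wraps


def coroutine(func):
    """Create the generator and advance it to its first yield so .send() works."""
    @wraps(func)
    def start(*args, **kwargs):
        cr = func(*args, **kwargs)
        next(cr)
        return cr
    return start


@coroutine
def cobroadcast(targets):
    """Fork: each item is handed to every downstream coroutine, in list order."""
    while True:
        item = (yield)
        for target in targets:
            target.send(item)


@coroutine
def transform(fn, target):
    """One forked path: apply fn to the item and pass the result on."""
    while True:
        item = (yield)
        target.send(fn(item))


@coroutine
def cojoin(branch_count, target):
    """Join: wait for one result from each forked path, then emit them as a tuple.

    This relies on the fork being synchronous: cobroadcast finishes sending to
    branch 0 (which pushes its result here) before it sends to branch 1, so the
    results arrive in branch order and a fixed-size buffer is enough.
    """
    buffered = []
    while True:
        buffered.append((yield))
        if len(buffered) == branch_count:
            target.send(tuple(buffered))
            buffered = []


@coroutine
def sink(results):
    """Terminal coroutine: collect whatever reaches the end of the pipeline."""
    while True:
        results.append((yield))


# Constructed per-file coverage records standing in for parsed gcov output.
SAMPLE_RECORDS = [
    {"file": "magick/blob.c", "executed": 37, "total": 50},
    {"file": "coders/png.c", "executed": 12, "total": 80},
]


def run_pipeline(records, low_threshold=0.5):
    """Fork each record into two paths and join their results per record."""
    results = []
    joined = cojoin(2, sink(results))
    pipeline = cobroadcast([
        # Path 0: (file, fraction of lines executed).
        transform(lambda r: (r["file"], round(r["executed"] / r["total"], 2)), joined),
        # Path 1: a flag for files whose coverage is below the threshold.
        transform(lambda r: "low" if r["executed"] / r["total"] < low_threshold else "ok",
                  joined),
    ])
    for record in records:
        pipeline.send(record)
    return results


if __name__ == "__main__":
    for entry in run_pipeline(SAMPLE_RECORDS):
        print(entry)
```

Because every send() call completes before the next one starts, the join never has to match results by key; if a branch were made asynchronous or could drop items, the join would need to tag results with the originating record instead of counting arrivals.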

CERT Linux Triage Tools 1.0 Released

• CERT/CC Blog
Jonathan Foote

As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called "exploitable" that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works....

CNAME flux

• CERT/CC Blog
Jonathan Spring

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name....

Study of Malicious Domain Names: TLD Distribution

• CERT/CC Blog
Chad Dougherty

Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes: Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this initial research are very telling as to the true state of security on the internet....

Release of Dranzer ActiveX Fuzzing Tool

• CERT/CC Blog
Will Dormann

Hi, it's Will. As previously mentioned, we have been investigating and discovering ActiveX vulnerabilities over the past few years. Today we released the Dranzer tool that we have developed to test ActiveX controls. We've been using the Dranzer ActiveX fuzz testing tool for over three years, and we've found a large number of vulnerabilities with it. I've tagged a few of the US-CERT Vulnerability notes with the "Dranzer" keyword to show the sort of vulnerabilities...

Windows Installer Application Resiliency

• CERT/CC Blog
Will Dormann

Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of the steps taken to mitigate a vulnerability....
