
Details

Join us on Thursday, April 9th for the first Talkin' Security event of April 2020.

=====

ATTENTION!
Online meeting details below

Meeting link: https://cisco.webex.com/cisco/j.php?MTID=m8e7eb0278b486f426056e239fc13207f

Meeting number (access code): 209 158 883

Meeting password: m8Wem37uMqv (68936378 from phones)

=====

AGENDA

6:45 - 7:00pm: Introduction

7:00 - 8:00pm: Isaac Evans - Detect complex code patterns using semantic grep.

Speaker Bio: Isaac Evans is the leader of r2c, a startup working on giving security tools directly to developers. Previously, he conducted research into binary exploitation bypasses for techniques like control-flow integrity and novel hardware defenses on new architectures like RISC-V as a researcher at the US Defense Department under an SFS program and at MIT Lincoln Laboratory. Isaac received his BS/MS degrees in EECS from MIT. Other interests include next-generation programming languages, secure-by-design frameworks, software-defined radio, and the intersection of cryptography and public policy.

Summary of the Talk: We’ll discuss a program analysis tool we’re developing called sgrep. It's a multilingual semantic tool for writing security and correctness queries on source code (for Python, Java, Go, C, and JS) with a simple “grep-like” interface. The original author, Yoann Padioleau, worked on sgrep’s predecessor, Coccinelle (http://coccinelle.lip6.fr/), for Linux kernel refactoring, and later developed sgrep while at Facebook. He’s now full-time with us at r2c (https://r2c.dev/).

sgrep is the query system underpinning Bento (https://bento.dev/), a free open-source program analysis toolkit that finds bugs using custom analysis we’ve written and OSS code checks. Bento is ideal for security researchers, product security engineers, and developers who want to find complex code patterns without extensive knowledge of ASTs or advanced program analysis concepts.

For example, find subprocess calls with shell=True in Python using the query:
subprocess.open(..., shell=True)
This will even find snippets like:
import subprocess as s
s.open(f'rm {args}', shell=True)

Or find hardcoded credentials using the query:
boto3.client(..., aws_secret_access_key="...", aws_access_key_id="...")
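To make the "semantic" part of the first query concrete, here is an added illustration (not sgrep code, and not from r2c): a small Python script that uses the standard ast module to resolve import aliases, so that a call like s.open(..., shell=True) is still reported even though the text "subprocess" never appears on that line. The sample source is constructed for the demonstration.

```python
import ast

# Constructed sample input: the aliased snippet from the talk description,
# a "from" import, and a safe call that must not be reported.
SAMPLE = '''
import subprocess as s
from subprocess import Popen
s.open(f'rm {args}', shell=True)
s.run(["ls", "-l"])
Popen(cmd, shell=True)
'''

def find_shell_true(source, module="subprocess"):
    """Return (line, 'module.callee') for every call into `module`
    that passes shell=True, regardless of how the module was imported."""
    tree = ast.parse(source)
    aliases = set()   # local names bound to the module itself (import subprocess as s)
    funcs = {}        # local name -> attribute name (from subprocess import Popen)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == module:
                    aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for a in node.names:
                funcs[a.asname or a.name] = a.name
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        callee = None
        # alias.attr(...)  e.g. s.open(...)
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in aliases:
            callee = f.attr
        # bare name imported from the module  e.g. Popen(...)
        elif isinstance(f, ast.Name) and f.id in funcs:
            callee = funcs[f.id]
        if callee is None:
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                hits.append((node.lineno, f"{module}.{callee}"))
    return hits

if __name__ == "__main__":
    for line, name in find_shell_true(SAMPLE):
        print(f"line {line}: {name}(..., shell=True)")
```

A plain text grep for "subprocess" would miss line 4 of the sample entirely; the alias table is what lets the matcher see s.open as subprocess.open.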
