My Projects

Ether: Malware Analysis via Hardware Virtualization Extensions

Ether is a malware analysis framework based on a novel application of hardware virtualization extensions such as Intel VT, and it resides completely outside of the target OS environment. Ether is open source, and is distributed as a controller application and a patch set to the Xen hypervisor. At the time of its creation, Ether could successfully and generically unpack numerous packed malware samples. It has been used as the data source for several really cool projects, such as visual malware reverse engineering.

Bitsquatting: DNS Hijacking Without Exploitation

Bitsquatting is a means to leverage bit-errors in computer hardware to hijack DNS queries. My bitsquatting research describes the history of bit-errors, their security implications, actual bitsquatting events, and potential mitigations. To judge how often bit-errors happen in DNS queries, I registered several domains one bit away from a popular domain name (e.g. mic2osoft.com vs. microsoft.com). It turns out that these bitsquat domains receive a substantial amount of traffic (both DNS and HTTP) from computers around the world. Most bit-errors that redirect user traffic actually occur before domain resolution or wire transport -- meaning that neither DNS security technologies (such as DNSSEC) nor transport layer security technologies (such as SSL/TLS) would offer any protection.
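As an added illustration (not code from the bitsquatting research), the following JavaScript enumerates the domain names that sit one bit away from a given registrable label, which is the candidate list a defender would register or monitor for stray traffic. It assumes flips happen only in the second-level label (the TLD is kept fixed) and drops flips that only change letter case, since DNS is case-insensitive.

```javascript
// Added example, not code from the bitsquatting research: enumerate the
// hostnames one bit-flip away from a registrable label, the candidates a
// defender would register or watch for misdirected traffic.

// Characters allowed in a hostname label (lowercase letters, digits, hyphen).
const LABEL_CHARS = /^[a-z0-9-]+$/;

// Hamming distance in bits between two equal-length ASCII strings.
function bitDistance(a, b) {
  if (a.length !== b.length) throw new Error("strings must have equal length");
  let dist = 0;
  for (let i = 0; i < a.length; i++) {
    let x = a.charCodeAt(i) ^ b.charCodeAt(i);
    while (x) { dist += x & 1; x >>= 1; }
  }
  return dist;
}

// All labels that differ from `label` in exactly one bit of one character and
// are still valid hostname labels. Flipping bit 5 (0x20) of a letter only
// changes its case, and DNS is case-insensitive, so those are not new names.
function bitsquatLabels(label) {
  const base = label.toLowerCase();
  const found = new Set();
  for (let i = 0; i < base.length; i++) {
    const code = base.charCodeAt(i);
    for (let bit = 0; bit < 8; bit++) {
      const flippedCode = code ^ (1 << bit);
      if (flippedCode >= 0x80) continue;                       // non-ASCII, never a label char
      const ch = String.fromCharCode(flippedCode).toLowerCase();
      if (ch === base[i]) continue;                            // case-only flip
      const candidate = base.slice(0, i) + ch + base.slice(i + 1);
      if (!LABEL_CHARS.test(candidate)) continue;              // punctuation or control char
      if (candidate.startsWith("-") || candidate.endsWith("-")) continue;
      found.add(candidate);
    }
  }
  return [...found].sort();
}

// Vary the second-level label of a domain and keep its TLD (assumption made
// here: bit-errors inside the TLD are ignored).
function bitsquatDomains(domain) {
  const dot = domain.lastIndexOf(".");
  if (dot < 1) throw new Error("expected label.tld");
  const label = domain.slice(0, dot);
  const tld = domain.slice(dot);
  return bitsquatLabels(label).map((l) => l + tld);
}

// Demo on the domain from the text above.
const neighbours = bitsquatDomains("microsoft.com");
console.log(`${neighbours.length} one-bit neighbours of microsoft.com`);
console.log(neighbours.join("\n"));
```

The mic2osoft.com example from the text appears in the output because 'r' (0x72) and '2' (0x32) differ only in bit 6; the same loop also shows why many flips are harmless, since they land on characters that can never appear in a hostname.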

Binfuzz.js: A Binary Fuzzer in JavaScript

Binfuzz.js is a library for fuzzing structured binary data in JavaScript and was demonstrated at Blackhat Arsenal 2013. Structured binary data is data that can be easily represented by one or more C structures. Binfuzz.js uses the definition of a structure to create instances of the structure with invalid or edge-case values. Supported structure features include nested structures, counted arrays, file offset fields, and length fields. The live example uses Binfuzz.js to generate Windows ICO files (a surprisingly complex format) to stress your browser's icon parsing and display code. Binfuzz.js is MIT licensed, with all code available on GitHub. Slides from the Blackhat Arsenal 2013 demo are also available.
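The structure-driven approach described above, as an added JavaScript example that is not Binfuzz.js itself: a structure is declared as a field list (integers, nested structures, a counted array with its count field, plus length and offset fields), a baseline value is serialized from it, and each mutant drives one integer field to an edge-case value while the rest of the layout stays intact, so the parser under test gets past its framing checks before it meets the bad value. The field layout is the ICO directory header and entry; the baseline values and the edge-case table are constructed for this example.

```javascript
// Added example, not Binfuzz.js: a minimal structure-aware fuzzer. Mutants are
// produced by pushing one integer field at a time to an edge-case value while
// the surrounding structure is left untouched.

const SIZES = { u8: 1, u16: 2, u32: 4 };
// Constructed edge-case table: zero, one, and the sign/overflow boundaries.
const EDGE_CASES = {
  u8:  [0, 1, 0x7f, 0x80, 0xfe, 0xff],
  u16: [0, 1, 0x7fff, 0x8000, 0xfffe, 0xffff],
  u32: [0, 1, 0x7fffffff, 0x80000000, 0xfffffffe, 0xffffffff],
};

// Field kinds: {name, type:'u8'|'u16'|'u32'} little-endian integer;
// {name, type:'struct', fields} nested structure;
// {name, type:'array', countField, fields} counted array of nested structures.
// ICO directory layout: an ICONDIR header followed by ICONDIRENTRY records.
const ICO_ENTRY = [
  { name: 'width', type: 'u8' }, { name: 'height', type: 'u8' },
  { name: 'colorCount', type: 'u8' }, { name: 'reserved', type: 'u8' },
  { name: 'planes', type: 'u16' }, { name: 'bitCount', type: 'u16' },
  { name: 'bytesInRes', type: 'u32' },   // length field: size of the image data
  { name: 'imageOffset', type: 'u32' },  // offset field: file position of the image
];
const ICO_DIRECTORY = [
  { name: 'reserved', type: 'u16' },
  { name: 'type', type: 'u16' },
  { name: 'count', type: 'u16' },        // length field for the counted array
  { name: 'entries', type: 'array', countField: 'count', fields: ICO_ENTRY },
];

// Constructed baseline: one 16x16 32-bpp entry whose image data would start
// right after the 22-byte directory (image bytes themselves are not generated).
const BASELINE = {
  reserved: 0, type: 1, count: 1,
  entries: [{ width: 16, height: 16, colorCount: 0, reserved: 0,
              planes: 1, bitCount: 32, bytesInRes: 1128, imageOffset: 22 }],
};

// Serialize a value tree according to its field list.
function serialize(fields, value) {
  const parts = [];
  for (const f of fields) {
    if (f.type in SIZES) {
      const buf = Buffer.alloc(SIZES[f.type]);
      buf.writeUIntLE(value[f.name] >>> 0, 0, SIZES[f.type]);
      parts.push(buf);
    } else if (f.type === 'struct') {
      parts.push(serialize(f.fields, value[f.name]));
    } else if (f.type === 'array') {
      // Emitted from the actual items, not from the count field, so a mutated
      // count yields the classic count/data mismatch a parser must survive.
      for (const item of value[f.name]) parts.push(serialize(f.fields, item));
    }
  }
  return Buffer.concat(parts);
}

// Every integer field in the value tree, as a key path plus its type.
function integerPaths(fields, value, prefix = []) {
  const out = [];
  for (const f of fields) {
    const path = [...prefix, f.name];
    if (f.type in SIZES) out.push({ path, type: f.type });
    else if (f.type === 'struct') out.push(...integerPaths(f.fields, value[f.name], path));
    else if (f.type === 'array')
      value[f.name].forEach((item, i) => out.push(...integerPaths(f.fields, item, [...path, i])));
  }
  return out;
}

// Deep copy of `obj` with the value at `path` replaced.
function withValue(obj, path, v) {
  const copy = JSON.parse(JSON.stringify(obj));
  let cur = copy;
  for (const key of path.slice(0, -1)) cur = cur[key];
  cur[path[path.length - 1]] = v;
  return copy;
}

// One mutant per (integer field, edge case); each keeps the full layout.
function fuzz(fields, baseline) {
  const mutants = [];
  for (const { path, type } of integerPaths(fields, baseline)) {
    for (const value of EDGE_CASES[type]) {
      mutants.push({ path: path.join('.'), value,
                     bytes: serialize(fields, withValue(baseline, path, value)) });
    }
  }
  return mutants;
}

function fuzzIcoDirectory() { return fuzz(ICO_DIRECTORY, BASELINE); }

console.log(`${fuzzIcoDirectory().length} ICO directory mutants generated`);
```

Every mutant is the same 22 bytes long: the count field can claim 65535 entries while only one follows, and imageOffset can point far past the end of the file, which is exactly the kind of length/offset inconsistency a structure-aware fuzzer is meant to put in front of a parser.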