Whitepaper – Project Triforce: Run AFL On Everything (2017)

Six years ago, NCC Group researchers Tim Newsham and Jesse Hertz released TriforceAFL - an extension of the American Fuzzy Lop (AFL) fuzzer which supports full-system fuzzing using QEMU - but unfortunately the associated whitepaper for this work was never published. Today, we’re releasing it for the curious reader and historical archives alike. While fuzzing … Continue reading Whitepaper – Project Triforce: Run AFL On Everything (2017)

Whitepaper – Practical Attacks on Machine Learning Systems

This paper collects a set of notes and research projects conducted by NCC Group on the topic of the security of Machine Learning (ML) systems. The objective is to provide some industry perspective to the academic community, while collating helpful references for security practitioners, to enable more effective security auditing and security-focused code review of ML systems. Details of specific practical attacks and common security problems are described. Some general background information on the broader subject of ML is also included, mostly for context, to ensure that explanations of attack scenarios are clear, and some notes on frameworks and development processes are provided.

Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities

By Aleksandar Kircanski and Terence Tarvis A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during the first decade of Bitcoin’s … Continue reading Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities

Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone

Editor's note: This work was also presented at ACM CCS 2019. Written by Keegan Ryan Trusted Execution Environments (TEEs) such as ARM TrustZone are in widespread usein both mobile and embedded devices, and they are used to protect sensitive secretswhile often sharing the same computational hardware as untrusted code. Althoughthere has been limited research in … Continue reading Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone

Whitepaper: Recognizing and Preventing TOCTOU

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. Recognizing and Preventing TOCTOU Whitepaper 03 Mar 2015 - Christopher Hacking Time-Of-Check-to-Time-Of-Use (TOCTOU) vulnerabilities have been known for decades, but are still frequently discovered in modern code. This diverse … Continue reading Whitepaper: Recognizing and Preventing TOCTOU

Whitepaper: CA Alternative

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. CA Alternative Whitepapers 11 Feb 2015 - Braden Hollembaek Academic co-authors Adam Bates, Joe Pletcher, Tyler Nichols, Dave Tian and iSEC engineer Braden Hollembaek had a pair of interesting … Continue reading Whitepaper: CA Alternative

Whitepaper: Perfect Forward Security

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. Perfect Forward Security Whitepaper 04 Sep 2014 - Pratik Guha Sarkar Encrypted communication channels were created so nobody could read confidential communications - this means not only during the … Continue reading Whitepaper: Perfect Forward Security

White Paper: Cryptopocalypse Reference Paper

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. Cryptopocalypse Reference Paper 20 Mar 2014 - Javed Samuel Alex Stamos, Tom Ritter and Javed Samuel presented “Preparing for the Cryptopocalypse” at Black Hat 2013, looking into the latest … Continue reading White Paper: Cryptopocalypse Reference Paper

White Paper: Login Service Security

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity, and can be downloaded below. Login Service Security 17 Dec 2013 - Rachel Engel Web application login services are deceptively simple to develop, leading application developers to repeat the mistakes of the past. Learning … Continue reading White Paper: Login Service Security