In this post, I will introduce fpicker. Fpicker is a Frida-based coverage-guided, mostly in-process, blackbox fuzzing suite. Its most significant feature is the AFL++ proxy mode which enables blackbox in-process fuzzing with AFL++ on platforms supported by Frida. In practice, this means that fpicker enables fuzzing binary-only targets with AFL++ on potentially any system that is supported by Frida. For example, it allows fuzzing a user-space application on the iOS operating system, such as the Bluetooth daemon bluetoothd – which was part of the original motivation to implement fpicker. Continue reading “fpicker: Fuzzing with Frida”
Last week I attended ACM WiSec. Of course, only virtually. The first virtual conference I attended. Coincidentally, it was also the first conference I presented at. While the experience was quite different from a “real” conference, the organizers did a great job to make the experience as good as possible with, for example, a mattermost instance to interact with other conference participants.
In the following, I will list a few talks and papers that I either found very interesting or that generally stood out to me:
On September 14th the final deadline of complying with the new Payment Service Directive PSD2 will be reached. Among other things, this directive will bring quite a few technical challenges for credit institutions. These include new requirements on two-factor authentication and API access for third parties. In this blog post we will give a short overview of what this means for banks from a security perspective and outline a few of the security-related issues based on what we have been observing during recent assessments of such APIs.