The 11th USENIX Workshop on Offensive Technologies (WOOT17) took place the last two days in Vancouver. Some colleagues and I had the chance to attend and enjoy the presentations of all accepted papers of this rather small, single-track co-located USENIX event. Unfortunately, the talks have not been recorded. However, all the papers should be available on the website. It’s worth taking a look at all of the papers, but these are some presentations that we’ve enjoyed: Continue reading “11th USENIX Workshop on Offensive Technologies (WOOT17)”Continue reading
Last month the annual USENIX Security Symposium with its co-located workshops (WOOT, CSET, FOCI, ASE, and HotSec) was held in Austin, Texas. The program of the conference together with the published papers can be found here and information on the workshops can be found here.
The research topics were quite diverse and included subjects such as low-level attacks, cryptographic attacks, and vehicle attacks. To give you an impression on the research that has been presented at the conference, let us discuss some of the talks in the following:Continue reading
Recently I had the pleasure to attend the 24th USENIX Security Symposium and its co-located Workshop on Offensive Technologies (WOOT) in Washington, D.C. The workshop has received quite some attention this year, 57 submissions of which 19 have been accepted, so that the organizers decided to double its length from one to two days. Continue reading “24th USENIX Security Symposium & WOOT Workshop”Continue reading
Truncating TLS Connections to Violate Beliefs in Web Applications
Ben Smyth and Alfredo Pironti, INRIA Paris-Rocquencourt
This presentation was also given at BlackHat some weeks ago. It outlines a very interesting class of attacks against web applications abusing the TLS specification which states that “failure to properly close a connection no longer requires that a session not be resumed […] to conform with widespread implementation practice”. This characteristic enables new attack vectors on shared systems where certain outgoing (TLS encrypted) packets can be dropped in order to prevent applications from e.g. correctly finishing transaction (such as log out procedures) or even modifying the request bodies by dropping the last parts.Continue reading