Virtually every company today uses firewalls to enforce perimeter
security. However, this security model is problematic because, when
that perimeter is breached, an attacker has relatively easy access to a
company’s privileged intranet. As companies adopt mobile and cloud technologies,
the perimeter is becoming increasingly difficult to enforce. Google
is taking a different approach to network security. We are removing the
requirement for a privileged intranet and moving our corporate applications
to the Internet.
The goal of Google’s BeyondCorp initiative is to improve our security
with regard to how employees and devices access internal applications.
Unlike the conventional perimeter security model, BeyondCorp
doesn’t gate access to services and tools based on a user’s physical location
or the originating network; instead, access policies are based on information
about a device, its state, and its associated user. BeyondCorp considers both
internal networks and external networks to be completely untrusted, and
gates access to applications by dynamically asserting and enforcing levels, or
“tiers,” of access.
We present an overview of how Google transitioned from traditional security infrastructure
to the BeyondCorp model and the challenges we faced and the lessons we learned in the process.
For an architectural discussion of BeyondCorp, see .
Fuzz testing has proven successful in finding
security vulnerabilities in large programs. However, traditional
fuzz testing tools have a well-known common drawback: they
are ineffective if most generated malformed inputs are rejected
early in program execution, especially when target
programs employ checksum mechanisms to verify the integrity
of inputs. In this paper, we present TaintScope, an automatic
fuzzing system using dynamic taint analysis and symbolic
execution techniques, to tackle the above problem. TaintScope
has several novel contributions: 1) TaintScope is the first
checksum-aware fuzzing tool to the best of our knowledge. It
can identify checksum fields in input instances, accurately locate
checksum-based integrity checks by using branch profiling
techniques, and bypass such checks via control flow alteration.
2) TaintScope is a directed fuzzing tool working at the x86 binary
level (on both Linux and Windows). Based on fine-grained
dynamic taint tracing, TaintScope identifies which bytes in a
well-formed input are used in security-sensitive operations (e.g.,
invoking system/library calls) and then focuses on modifying
such bytes. Thus, generated inputs are more likely to trigger
potential vulnerabilities. 3) TaintScope is fully automatic, from
detecting checksums and directed fuzzing to repairing crashed
samples. It can fix checksum values in generated inputs using
combined concrete and symbolic execution techniques.
We evaluate TaintScope on a number of large real-world
applications. Experimental results show that TaintScope can
accurately locate the checksum checks in programs and dramatically
improve the effectiveness of fuzz testing. TaintScope
has already found 27 previously unknown vulnerabilities in
several widely used applications, including Adobe Acrobat,
Google Picasa, Microsoft Paint, and ImageMagick. Most of
these severe vulnerabilities have been confirmed by Secunia
and oCERT, and assigned CVE identifiers (such as CVE-2009-1882
and CVE-2009-2688). Corresponding patches from vendors
have been released or are in progress based on our reports.
Slides from a two-day course on Vanadium: https://vanadium.github.io/
We report the success of a project that Google performed as a proof-of-concept for increasing
confidence in first-instruction integrity across a variety of server and peripheral environments. We
begin by motivating the problem of first-instruction integrity and share the lessons learned from
our proof-of-concept implementation. Our goal in sharing this information is to increase industry
support and engagement for similar designs. Notable features include a vendor-agnostic capability
to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a
wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or
device-specific integrity mechanisms, thereby providing additional defense-in-depth.