Workshop Information: Finding Vulnerabilities at Ecosystem-Scale

    Title: Finding Vulnerabilities at Ecosystem-Scale

    Instructor: Isaac Evans

    Abstract: r2c is writing and helping others write tools to exploit and eradicate entire vulnerability classes at scale. In this workshop, we'll show how to develop program analysis tools that can be depended on in analysis pipelines and run quickly at massive scale. If you've ever wondered “but surely, no programmer would upload something that does that to NPM”, this is the place to be! Our command line tool for local analyzer development is freely available and publicly documented; we'll show you how to get started and invite you to collaborate with us to build pipelines that use pre-computed intermediary representations that we already have. We'll also show how to use our collaborative triage tools with impact prioritization, which can quickly turn these analysis results into bug-bounty submissions. No program (static/dynamic) analysis background required (though it is helpful!). Motivated developers should be able to make at least one bug bounty submission by the end of the workshop.

    Level: Intermediate

    Pre-Requisites: Basic programming knowledge (what is a function call?), able to run docker hello-world as user, able to write and run small programs, very comfortable with command line interfaces

    Required Materials: Laptop with network access, OSX or Linux available (Windows ok with WSL installed)