The Internet Portal for Casino Security

We are dedicated to stressing the limits of your product by conducting innovative security assessments.

Services
Top-Down Analysis:

Top-down analysis starts from a high-level overview of the target technology and drills down to details once our team suspects specific weaknesses. With this approach, we first gather and analyze documentation and all available design materials for the target technology and any related technologies. This might include design specifications, protocol specifications, white papers or formal descriptions of underlying cryptosystems.

From such documentation, we identify both theoretical problems in the target technology’s design and known problems in its related technologies. We then look at the technology in more detail to confirm or deny the existence of the theoretical bugs.


Zero Knowledge Approach:

When the source code is not available, our team must take a different approach. If the software is relatively small or simple, reverse engineering might work.

To find bugs using the reverse engineering approach, two things are crucial: software debugging and disassembly. Debugging entails actively monitoring the software’s execution to understand its functions and how it carries them out. Software developers regularly use this technique to find and fix software bugs (security-related or not) when a program misbehaves or when a bug manifests itself during program execution, but they’ve detected no problems with the source code.

We apply the same idea. The team selects program inputs and follows their execution paths, thereby gaining an understanding of each input’s progression and identifying security bugs. The team can change inputs to force the program into other execution paths that might yield new findings. However, it’s impossible to debug a program and follow every possible execution path.

Success also depends on the target software’s complexity and size; disassembling a large application or major chunks of an OS might be too resource intensive.


Definitions are taken from:
Bug Hunting: The Seven Ways of the Security Samurai, Iván Arce, Core Security Technologies

  
Latest Advisory
9 October 2002
REALTIME GAMING www.casino-on-net.com
 
All logos and trademarks in this site are property of their respective owner. All the rest are © Copyright GamblingSecurity 2002.