Project backlog

04 Feb 2013

I have a lot of ideas for things I want to work on, but I'm hoping I can get some feedback from the readers of this blog to prioritize these ideas and where I should focus my efforts. Here are the things I have been meaning to do:

Work on IceBuddha

I really want to get IceBuddha to a point where I can convince Didier Stevens to use IceBuddha as part of his PDF training at HITB Amsterdam. Continueing on IceBuddha means getting it to parse PDF files, and eventually other file types, lots of GUI features, providing hex editing capabilities, ability to run IceBuddha parse scripts via the command-line without the browser, and many other things.

Software to whitelist Windows

It really bothers me that there are no good white-listing options for Windows. This is a big task and involves the following:

  • Step 1: Produce tool to hash all executables, and incorporate AnalyzePESig. This hash list will then be fed into Windows Software Restriction Policy (SRP). At this stage, you can lock down a system, but doing updates will be problematic.
  • Step 2: Write driver to identify anytime a process starts or loads a DLL, and checks this against the hash list, so we no longer have to use SRP. This also would allow for "audit" modes to see what files would be executed instead of enforcing the policy all at once. I could also provide nicer pop-ups to the user when a new unknown file wants to be executed, and be able to turn the service off more easily during updates, or automatically add files to white-list when their certs are good. I will also likely use BLAKE2 for the hashing algorithm because for this use case, it is ideal.
  • Step 3 (optional): Depending on the speed step 2 runs at, and how much I want to cheat (ex. don't bother re-hashing the file if the modification time stamp has not changed), I may want to write a filter driver to watch file writes and do cache invalidation on my list of known good files. This would also allow me to track for the user "File X was updated by process Y".
  • Step 4: Once I have a list of known good files, I can write a server component, so that an agent on these clients could call in and provide the list of files that the system has and has white-listed. If you have enough systems calling in, and they additionally provide information like the version number of the file, and what updated/created the file, you can do something like Secunia PSI to inform the user they have out-dated software. The basic concept here is that if you have 100 clients calling in, and 10 clients say they are using Adobe X, and the other 90 are using an earlier version of Adobe, then assume Adobe X is the latest and inform those other 90. Also, can check for updates periodically. Additionally, business could use this client/server setup to identify all the software running in a network, which is what a lot of white-listing products tend to focus on as one of their selling points (such as bit9).
This concept could actually make me money (hurray!) because I would release the client side stuff as GPL, and the server side would be a service I could charge for or software to sell to businesses. The open-source client side stuff would be very useful for the home-user (and free), but if you want to integrate this with domain controllers and make me do boring coding, then I would want to charge money. This would also be the starting point for my Security as a Service company that one day I dream of eventually doing, and I should probably write a post on what the company would be doing.

Post on securing Windows

The main component of this will be how to use AmbushIPS, with a check-list of other steps to take (browser plug-ins, emet, encryption, etc.), which could ultimately become an application that locks it all down for you. Also, I should probably do something for locking down other OS's (Ubuntu and OSX). For example, most people probably aren't aware that Chrome on Ubuntu is a couple of versions behind.

Post about online advertisers

I have a strong knowledge of how online advertising works and the dangers involved with that (generic problems, in case my old employer just freaked out). This post would expose that. This would be in the spirit of the work done by Mozilla's Collusion project, and Vincent Diaz's (Kaspersky Lab) talk from VB2012 "I´m not a number, I´m a free man"

Asymmetric defenses on Windows

This would be a combination of my posts Hurdles for a beginner to exploit a simple vulnerability on modern Windows and DEP (Data Execution Prevention) explanation by example applied to every protection offered by EMET and other protections possible (such as sandboxing). The goal would be to take a simple application and show an exploit for it, then show how various defenses could have mitigated it, and provide real-world references to where this same vulnerability was used to exploit a real application and again how those defenses would have stopped it. This post is motivated both by my desire to understand these better (I learned a lot in that DEP post), and also by the post on Leave security to security code. Or: Stop fixing bugs to make your software secure!. It also draws inspiration from A Bug Hunter's Diary.


I spent some time without Internet for a while, and it was horrible. However, in my boredom, I started writing short stories to keep busy. I'm a horrible fiction writer, but my plots are awesome, because I think about current technology and capabilities and just let my mind run with it, and sometimes how "If this one thing was different, what would the effect of that be?" which is really how I look at computer security in general because I think "If this thing was no longer a problem, what would the other problems be?" Or "If this thing didn't work like it should, what affect would that have? What can detect that breaking and what other protections could back it up?" One of my plots involved a guy that finds flaws in financial software, such as the tools that let people do automated trading. This software identifies certain conditions (prices of a stock, volume of trades, or maybe twitter references to a company) and then makes stock trades. This software really exists, but in my story the character discovered that when certain conditions occurred in the world, the software would react in a way that he could predict, control, and profit from, and it was the perfect crime. I then thought "Why am I writing fiction, I should make this reality!" So that's another idea, or I could just write the story instead of hiding from the SEC, but I also think the story would be more fun if I actually found some of these flaws so I could reference them, and some flaws in some other software out there, like forensics software (actual arbitrary execution exploits, not boring stego tricks).

Let me know your opinion!

I don't have commenting ability on this blog, but I do read and respond to emails. My email is 0xdabbad00 .at. or I'm @0xdabbad00 on twitter.