Posts

Showing posts from May, 2018

GRIMM’s New Michigan Cybersecurity Research Lab

GRIMM has been a longtime advocate of building Connected and Automated Vehicles (CAV) with a security-by-design approach. We advance our automotive and aerospace clients’ cybersecurity posture for all forms of embedded security concerns. For example, for the past several years, GRIMM has been a co-sponsor and staple at the SANS Automotive conference - a one-stop shop for bringing the automotive sector, including manufacturers as well as vendors, and the security industry together to discuss the complexities of securing citizens in commercial and personal vehicles. Hacking automobiles is not new, but as vehicles become more and more connected, and reliant on transferring digital information, the attack surface has grown tremendously, putting citizens’ privacy and potentially safety at risk. Bad guys no longer need physical access to your car to control the steering, acceleration, braking, or communications of your own vehicle. Th

Guided Fuzzing with Driller

At GRIMM, we are always trying out new tools to build our capabilities in vulnerability research. We frequently use fuzzing to search for bugs in applications, but there are some bugs a fuzzer alone would not be able to find. So, we were excited to try out Driller, a tool written by Shellphish. Driller uses symbolic execution to find new parts of the code to fuzz, helping the fuzzer to find bugs that it might not have reached otherwise. We found it a little tricky to get up and running, but it did succeed in helping a stuck fuzzer to make progress, so it seems like a potentially valuable tool. In this post, we’ll show how we installed AFL and Driller on Linux, and discuss our experiences using and troubleshooting it.

How Does Driller Work?

Fuzzing is an extremely useful technique for discovering software bugs that can cause crashes, which often lead to vulnerabilities. A fuzzer provides randomly-generated inputs to a target program, attempting to fin