Introduction: Have you ever been fuzzing a program and received a crash, only to find the input file was huge? Trying to manually determine which portions of an input file trigger the bug can be an extremely frustrating and time-consuming process. Huge input files can make the triage of bugs much harder. This blog post describes a technique known as delta-debugging which can help you automatically produce an input file that is as small as possible while still triggering the bug in the original input file.
GRIMM has been a longtime advocate of building Connected and Automated Vehicles (CAV) with a security-by-design approach. We advance our automotive and aerospace clients’ cybersecurity posture for all forms of embedded security concerns. For example, for the past several years, GRIMM has been a co-sponsor and staple at the SANS Automotive conference - a one-stop shop for bringing the automotive sector, including manufacturers as well as vendors, and the security industry together to discuss the complexities of securing citizens in commercial and personal vehicles.
At GRIMM, we are always trying out new tools to build our capabilities in vulnerability research. We frequently use fuzzing to search for bugs in applications, but there are some bugs a fuzzer alone would not be able to find. So, we were excited to try out Driller, a tool written by Shellphish. Driller uses symbolic execution to find new parts of the code to fuzz, helping the fuzzer to find bugs that it might not have reached otherwise.
One of the things that is important to us at GRIMM is making sure there is time to experiment, and explore new ways of approaching problems. We want to answer the big questions like “How can we find vulnerabilities that other tools and manual analysis have overlooked?” This is what we are passionate about. So when one of our engineers has an idea for a new fuzzer, we try to make time for them to put their idea to the test.
The eyes of the world were recently focused on PyeongChang, South Korea for the 2018 Winter Olympics. While we watched athletes curl, skate, ski and slide across the frozen South Korean landscape, we at GRIMM had our own South Korean experience!
GRIMM is excited to be named a finalist in the Best Tech Work Culture category for the DC Timmy Awards. These awards, now in their third year, recognize technology work cultures that actively promote technical creativity, innovation, and learning in the DC area and celebrate the organizations that make innovation possible. Vote for GRIMM here! Sponsored by Tech in Motion, the DC-area business community can vote online through September 8th to help choose who represents the best of DC tech.
Heading into the summer hacker conferences can be overwhelming. Demonstrations, panels and talks across multiple events in the same week - DEFCON 25, Black Hat 2017, BSidesLV - combined with all the parties (and meetings) made for an action-packed week! With our social calendar full and our demonstrations in tow, the GRIMM team found itself in the spotlight while showcasing some of the most innovative cybersecurity research and intelligence on connected vehicles, IoT, smart homes, smart grids and ICS security up and down the Vegas Strip.
“Howdy Neighbor” is GRIMM’s Internet of Things (IoT) Capture the Flag (CTF)-like challenge. As smart devices become ubiquitous within the common household, so do threats to these devices. For example, last year, it was reported that researchers could use a smart lightbulb network vulnerability to attack an entire city. Howdy Neighbor is a model smart house that simulates how multiple interactive “smart” home products, including webcams, smoke detectors, power meters, HVAC systems, smart ovens and refrigerators, video game consoles, smart TVs, toasters, coffee makers, locks, and light bulbs (etc.
“3PO” is GRIMM’s mobile car hacking lab. Since nearly every modern car is Internet-connected, you no longer need physical access to break out of, or break into a vehicle. Hackers prove vehicles are not only insecure from a cybersecurity perspective, but because of that, also unsafe. From controlling the steering, accelerating, braking, and communications, this presents an extremely large attack surface. As automotive original equipment manufacturers (OEMs) and their Tier 1 direct suppliers have become more aware of the threat, their need for end-to-end hardware and software vulnerability assessments has grown.
GRIMM is excited to announce that Lisa Wiswell, Principal for Security Consulting, was selected as a Young AFCEA 40 Under 40 winner for 2017. The Young AFCEA 40 Under 40 Award is given to 40 individuals, 40 or under, recognizing their significant contributions in technical STEM fields by providing innovation, thought leadership and support to military and government technology communities. Lisa joined GRIMM’s leadership team earlier this year as a Principal in support of GRIMM’s commercial and government clients.