Home Author
Author

Denis Makrushin

Denis is the Director of Security and Test Technology Center at Huawei, where he leads the team of top-talented experts focused on enabling innovation in trustworthiness for core products and services.

Blog

Contribution to Linux kernel: patch to fix fuzzing process with nyx-fuzz and VMware

by Denis Makrushin
written by Denis Makrushin

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.5

With the latest Linux kernel, the fuzzing process will be easier not only for our team. Thanks to Denis Valeev, who discovered, prepared, and contributed the patch to kernel v.5.16.5.

The discovered bug breaks nyx-fuzz (also included in AFL++ code base) that uses VMware backdoor as an alternative way for hypercall from guest user-mode. With this bug, a hypercall is interpreted as a GP and leads to process termination. Bug occurs on GP triggered by VMware backdoor when eax value is unaligned. eax alignment check should not be applied to non-SVM instructions because it leads to incorrect omission of the instructions emulation. The solution is to apply alignment check only to SVM instructions.

0 comment
FacebookTwitterPinterestLinkedinRedditTelegramEmail
Research

Attack Surface Analysis and Monitoring using Open-Source Intelligence

by Denis Makrushin
written by Denis Makrushin

The paper introduces the case study for attack surface analysis and monitoring with practical application of open-source intelligence (OSINT) methods. The case is based on the perimeters of healthcare organizations and aims to introduce the threat landscape of healthcare industry as well as methods to collect information about entry points and assets on network perimeter. Techniques and tools in this paper are not limited by organization type and can be applied for different network assets to prepare initial information during first stage of penetration testing and red team operations.

Continue Reading
0 comment
FacebookTwitterPinterestLinkedinRedditTelegramEmail
Blog

Prototype Pollution in “Top 10 Web Hacking Techniques of 2021” nomination

by Denis Makrushin
written by Denis Makrushin
0 comment
FacebookTwitterPinterestLinkedinRedditTelegramEmail
Blog

Application Security Course: Open Lectures

by Denis Makrushin
written by Denis Makrushin

https://t.me/bhhub/635

Designed the “Application Security Fundamentals” course for Information Security students of my alma mater, I’m giving back and together with my friends from industry cultivate the design thinking of next generation alumni: shift the mindset from problem discovery to solution architecture. 

Three years after launching, to increase the impact of this course, we made our lectures open to every Russian-speaking student. Just register yourself using the link from the first comment and wait for the announcement of open lecture tomorrow.

The photo illustrates how a typical class looks like – somewhere with laptop. Grab your device, headset and join!

0 comment
FacebookTwitterPinterestLinkedinRedditTelegramEmail
Research

Security Audit Logging in Microservice-Based Systems: Survey of Architecture Patterns

by Denis Makrushin
written by Denis Makrushin

https://www.researchgate.net/publication/350364503_Security_Audit_Logging_in_Microservice-Based_Systems_Survey_of_Architecture_Patterns

Service-oriented architecture increases technical abilities of attacker to move laterally and maintain multiple pivot points inside of compromised environment. Microservice-based infrastructure brings more challenges for security architects related to internal event visibility and monitoring.

The research paper published by Alexander Barabanov in “Cybersecurity Issues” provides helpful resources to application and product security architects, software, and operation engineers on existing architecture patterns to implement trustworthy logging and audit process in microservice-based environments. We performed threat modeling for typical architecture pattern of logging system, defined threat mitigation strategy, and, as a result, provided bunch of high-level security requirements for audit logging system.

0 comment
FacebookTwitterPinterestLinkedinRedditTelegramEmail
Load More Posts