ESET researchers investigate what could possibly go wrong when you connect your bedroom to the internet of things
The post Sex in the digital era: How secure are smart sex toys? appeared first on WeLiveSecurity
Posted by Jonathan Metzman, Google Open Source Security Team
OSS-Fuzz, Google’s open source fuzzing service, now supports fuzzing applications written in Java and other Java Virtual Machine (JVM) based languages (e.g. Kotlin, Scala, etc.). Open source projects written in JVM based languages can add their project to OSS-Fuzz by following our documentation.
The Google Open Source Security team partnered with Code Intelligence to integrate their Jazzer fuzzer with OSS-Fuzz. Thanks to their integration, open source projects written in JVM-based languages can now use OSS-Fuzz for continuous fuzzing.
OSS-Fuzz has found more than 25,000 bugs in open source projects using fuzzing. We look forward to seeing how this technique can help secure and improve code written in JVM-based languages.
What can Jazzer do?
Jazzer allows users to fuzz code written in JVM-based languages with libFuzzer, as they already can for code written in C/C++. It does this by providing code coverage feedback from JVM bytecode to libFuzzer. Jazzer already supports important libFuzzer features such as:
- FuzzedDataProvider for fuzzing code that doesn’t accept an array of bytes.
- Evaluation of code coverage based on 8-bit edge counters.
- Value profile.
- Minimization of crashing inputs.
The intent for Jazzer is to support all libFuzzer features eventually.
What Does Jazzer Support?
Jazzer supports all languages that compile to JVM bytecode, since instrumentation is done on the bytecode level. This includes:
- Java
- Kotlin
- Scala
- Clojure
Jazzer can also provide coverage feedback from native code that is executed through JNI. This can uncover interesting memory corruption vulnerabilities in memory unsafe native code.
Why Fuzz Java/JVM-based Code?
As discussed in our post on Atheris, fuzzing code written in memory safe languages, such as JVM-based languages, is useful for finding bugs where code behaves incorrectly or crashes. Incorrect behavior can be just as dangerous as memory corruption. For example, Jazzer was used to find CVE-2021-23899 in json-sanitizer which could be exploited for cross-site scripting (XSS). Bugs causing crashes or incorrect exceptions can sometimes be used for denial of service. For example, OSS-Fuzz recently found a denial of service issue that could have been used to take “a major part of the ethereum network offline”.
As discussed in our post on Atheris, fuzzing code written in memory safe languages, such as JVM-based languages, is useful for finding bugs where code behaves incorrectly or crashes. Incorrect behavior can be just as dangerous as memory corruption. For example, Jazzer was used to find CVE-2021-23899 in json-sanitizer which could be exploited for cross-site scripting (XSS). Bugs causing crashes or incorrect exceptions can sometimes be used for denial of service. For example, OSS-Fuzz recently found a denial of service issue that could have been used to take “a major part of the ethereum network offline”.
When fuzzing memory safe code, you can use the same classic approach for fuzzing memory unsafe code: passing mutated input to code and waiting for crashes. Or you can take a more unit test like approach where your fuzzer verifies that the code is behaving correctly (example).
Another way fuzzing can find interesting bugs in JVM-based code is through differential fuzzing. With differential fuzzing, your fuzzer passes mutated input from the fuzzer to multiple library implementations that should have the same functionality. Then it compares the results from each library to find differences.
Check out our documentation to get started. We will explore this more during our OSS-Fuzz talk at FuzzCon Europe.
ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world
The post Exchange servers under siege from at least 10 APT groups appeared first on WeLiveSecurity
What happens when you try to opt out of e-health to avoid issues in the event of a breach?
The post Online health security – when ‘opt out’ isn’t an option appeared first on WeLiveSecurity
One of the fundamental security issues with open source is that it’s difficult to know where the software comes from or how it was built, making it susceptible to supply chain attacks. A few recent examples of this include dependency confusion attack and malicious RubyGems package to steal cryptocurrency.
Today we welcome the announcement of sigstore, a new project in the Linux Foundation that aims to solve this issue by improving software supply chain integrity and verification.
Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine. To address this we need to make it possible to verify the provenance of all software – including open source packages. We talked about the importance of this in our recent Know, Prevent, Fix post.
The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable.
Sigstore is designed with open source maintainers, for open source maintainers. We understand long-term key management is hard, so we’ve taken a unique approach of issuing short-lived certificates based on OpenID Connect grants. Sigstore also stores all activity in Transparency Logs, backed by Trillian so that we can more easily detect compromises and recover from them when they do occur. Key distribution is notoriously difficult, so we’ve designed away the need for them by building a special Root CA just for code signing, which will be made available for free.
We have a working prototype and proof of concepts that we’re excited to share for feedback. Our goal is to make it seamless and easy to sign and verify code:
It has been fun collaborating with the folks from Red Hat and the open source community on this project. Luke Hinds, one of the lead developers on sigstore and Security Engineering Lead at Red Hat says, “I am very excited about sigstore and what this means for improving the security of software supply chains. sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.” We couldn’t agree more.
Mike Malone, the CEO of Smallstep, helped with the overall design of sigstore. He adds, “In less than a generation, open source has grown from a niche community to a critical ecosystem that powers our global economy and institutions of society and culture. We must ensure the security of this ecosystem without undermining the open, decentralized collaboration that makes it work. By building on a clever composition of existing technologies that respect privacy and work at scale, sigstore is the core infrastructure we need to solve this fundamental problem. It’s an ambitious project with potential for global impact. I’m impressed by the rapid progress that’s been made by Google, Red Hat, and Linux Foundation over the past few months, and I’m excited to hear feedback from the broader community.”
While we are happy with the progress that has been made, we know there is still work to be done before this can be widely relied upon. Upcoming plans for sigstore include: hardening the system, adding support for other OpenID Connect providers, updating documentation and responding to community feedback.
Sigstore is in its early days, but we’re really excited about its future. Now is a great time to provide feedback, try out the tooling and get involved with the project as design details are still being refined.
While chats are end-to-end encrypted, their backups are not – this may change soon
The post WhatsApp may soon roll out encrypted chat backups appeared first on WeLiveSecurity
The number of women joining the ranks of cybersecurity practitioners is steadily increasing, but a lot still needs to be done to close the gap
The post Women in cybersecurity: Gender gap narrows but not enough appeared first on WeLiveSecurity
Are you a bull or a bear? If you can’t access your data and money, do your sentiments about the market still matter?
The post Going dark: Service disruptions at stock exchanges and brokerages appeared first on WeLiveSecurity
Four zero-days patched in Microsoft Exchange Server – A tale about an unsophisticated criminal – Web trackers in a password manager app
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity
For over a decade, ESET and the San Diego Police Foundation have been working together to help keep children safe from online threats
The post How ESET’s work on SafetyNet® helps protect children online appeared first on WeLiveSecurity
Easy Contact
253 Main Ave, Passaic NJ 07055Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821
© 2025 ~ All Rights Reserved
Advantage Computer Solutions, Inc