DESKTOP & SERVER
APPLICATIONS
Our familiarity with modern operating systems allows us to quickly evaluate the security posture of the application and identify issues caused by interdependent components.
-
Linux, Windows, macOS
During review of stand-alone applications and network services, we begin by mapping out the attack surface (IPC/RPC mechanisms, sockets, user-supplied input, etc.) to clearly define the threat model.
With static analysis techniques and dynamic testing/instrumentation we can understand the inner workings of the application even if custom file formats or protocols are used. We build custom tools to exercise the application behavior with our inputs, which ultimately leads to the discovery of security vulnerabilities
For fuzzing, we use internally-built tools and well-known frameworks to facilitate our audits. Stack and heap overflows, format strings, use-after-free, integer overflows, path traversal, and local privileges escalation bugs are just few examples of the vulnerabilities classes uncovered during these assessments.
our research articles
Research is one of our founding principles and we invest in it heavily. All of our researchers have the privilege to use 25% of their time exclusively for self-directed research.
show more publications