Niko Schmidt, Marco Bartoli, Fabian Yamaguchi

Field Report on a Zero-Day Machine

Abstract

Make no mistake, security is about finding and exploiting vulnerabilities, and not the ones everyone already knows about. The dream of the presenters is to build a machine that eats code on a large scale and outputs accurate information about all the ways in which a program exposes itself to the attacker, fails to be cautious about the input it receives, and leaks information. This is not something you create in a year, nor in five, and while you do it, you continuously remember that what you are trying to do is impossible in general. This does not mean, though, that it will not work remarkably well in practice.

This presentation is our first field report on this journey. In an iterative process, we identified which input this machine truly requires from the outside, and what it can do by itself. Pushing static data-flow tracking well beyond what is publicly available to date, we report on what it can do for you automatically, and where it still requires help. We proceed to present a new language, similar to a firewall configuration, which allows one to specify exactly what an attacker can do, which input she/he controls, and where data may leak to her/him. We show how this information, combined with language-neutral formulations of typical vulnerability patterns, allows for cross-language identification of many classes of vulnerabilities, including object deserialization vulnerabilities, command injections and cross-site scripting. We will illustrate these capabilities with real, previously unknown vulnerabilities.
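To make the idea in the abstract concrete, here is a small added illustration (not the presenters' tool and not ShiftLeft's code) of the three ingredients it names: a firewall-style policy that says which calls the attacker controls, which calls sanitize, and which calls are dangerous sinks; language-neutral vulnerability patterns stated over those tags; and per-language bindings that map concrete APIs onto the tags, so the same taint propagation flags a command injection, a cross-site scripting flow and an unsafe deserialization in a Java-shaped and a Python-shaped handler alike. The IR, the policy, the binding tables (including the API names in them) and the two sample programs are all constructed for this example.

```python
"""Toy source/sink data-flow analysis over a language-neutral IR.

Added illustration, not ShiftLeft's code. The IR, policy, bindings and
sample programs below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    """One straight-line IR statement: dst = fn(args); dst is None if unused."""
    dst: Optional[str]
    fn: str
    args: tuple


# Firewall-style policy over language-neutral tags (constructed).
HAZARDS = {"exec", "html", "deser"}          # what attacker data could still do
POLICY = {
    "sources": {"http.param"},                # attacker controls the result
    "sanitizers": {"shell.escape": {"exec"}}, # removes the listed hazards
    "sinks": {"os.exec": "exec", "http.write": "html",
              "object.deserialize": "deser"},
}
# Language-neutral vulnerability patterns: sink hazard -> vulnerability class.
PATTERNS = {"exec": "command injection", "html": "cross-site scripting",
            "deser": "object deserialization"}

# Per-language bindings from concrete APIs to neutral tags (constructed,
# hypothetical names; only the tags matter to the analysis).
BINDINGS = {
    "java": {"HttpServletRequest.getParameter": "http.param",
             "Runtime.exec": "os.exec", "PrintWriter.print": "http.write",
             "ObjectInputStream.readObject": "object.deserialize",
             "ShellEscape.escape": "shell.escape"},
    "python": {"flask.request.args.get": "http.param",
               "subprocess.run": "os.exec", "flask.make_response": "http.write",
               "pickle.loads": "object.deserialize", "shlex.quote": "shell.escape"},
}


def analyze(program, language):
    """Forward taint propagation; returns (line, vulnerability class, callee)."""
    binding = BINDINGS[language]
    taint = {}        # variable -> set of hazards still live on it
    findings = []
    for line_no, stmt in enumerate(program, 1):
        tag = binding.get(stmt.fn, stmt.fn)   # unbound calls keep their own name
        incoming = set().union(*(taint.get(a, set()) for a in stmt.args))
        if tag in POLICY["sources"]:
            result = set(HAZARDS)             # fresh attacker-controlled value
        elif tag in POLICY["sanitizers"]:
            result = incoming - POLICY["sanitizers"][tag]
        else:
            result = incoming                 # unmodelled calls propagate taint
        if tag in POLICY["sinks"]:
            hazard = POLICY["sinks"][tag]
            if hazard in incoming:
                findings.append((line_no, PATTERNS[hazard], stmt.fn))
        if stmt.dst is not None:
            taint[stmt.dst] = result
    return findings


# Constructed sample handlers. Line 3 is the sanitized call that must not fire.
JAVA_HANDLER = (
    Call("host", "HttpServletRequest.getParameter", ("req", "name")),
    Call("quoted", "ShellEscape.escape", ("host",)),
    Call("out", "Runtime.exec", ("quoted",)),
    Call(None, "Runtime.exec", ("host",)),
    Call(None, "PrintWriter.print", ("host",)),
    Call("stream", "ByteArrayInputStream.new", ("host",)),
    Call("obj", "ObjectInputStream.readObject", ("stream",)),
)
PYTHON_HANDLER = (
    Call("host", "flask.request.args.get", ("name",)),
    Call("quoted", "shlex.quote", ("host",)),
    Call("out", "subprocess.run", ("quoted",)),
    Call(None, "subprocess.run", ("host",)),
    Call(None, "flask.make_response", ("host",)),
)

if __name__ == "__main__":
    for lang, prog in (("java", JAVA_HANDLER), ("python", PYTHON_HANDLER)):
        for line, kind, callee in analyze(prog, lang):
            print(f"{lang}: line {line}: {kind} via {callee}")
```

The point of the split is that the policy and the patterns never mention a concrete API: adding a language means adding a binding table, and tightening what the attacker is assumed to control means editing the policy, not the analysis. The sanitizer entry shows why hazards are tracked as a set rather than a boolean: escaping for the shell removes the `exec` hazard but leaves the value unsafe to echo into HTML.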


BIO

Niko is a security researcher at ShiftLeft, where he applies bleeding-edge graph technologies to find bugs. In his prior positions, Niko worked for several companies as a penetration tester and security consultant; before that, he worked on binary exploitation as a research assistant at several universities. He enjoys playing CTF (co-founder of the ALLES! CTF team) and malware analysis.

Marco is a security enthusiast who started to dive into computer science at a very young age. Starting in the web application security world, he is now more focused on memory corruption bugs. He used to play CTF for (https://jbzteam.github.io/), but now his spare time goes into struggling to get a BSc in Computer Science while working. He previously worked as a penetration tester, but now his mission is to build a 0day machine with his colleagues at ShiftLeft. CVE-2017-0712: https://source.android.com/security/bulletin/2017-08-01

Fabian 'fabs' Yamaguchi currently works on automatic code analysis and vulnerability discovery at ShiftLeft, where he leads the research team. He has over 10 years of experience in the security domain, including work as a security consultant and vulnerability researcher for Recurity Labs GmbH. He has identified previously unknown vulnerabilities in popular system components and applications such as the Microsoft Windows kernel, the Linux kernel, the Squid proxy server, and the VLC media player. Fabian is a frequent speaker at major industry conferences such as Black Hat USA, DEF CON, First, and CCC and renowned academic security conferences such as ACSAC, Security and Privacy, and CCS. He holds a master’s degree in computer engineering from Technical University Berlin and a PhD in computer science from the University of Goettingen.