Videos to Watch

  • Julien Vehent -

How to Write a Great Research Paper

How to Give a Great Research Talk

Securing DevOps - Youtube channel from Julien Vehent

  • DEF CON 2018
  • Infiltrate
  • CCC
  • CanSecWest

  • BH USA/Asia/EU

  • NDSS
  • LoneStar

  • LocomocoSec

  • POPL

Stephen Magill Principal Scientist, Software Analysis

  • I serve as the CEO of Galois spin-off MuseDev, a startup focused on automatically finding and fixing critical bugs. My research interests focus on static and dynamic program analysis, with a particular emphasis on scalability and tuning analyses for specific software domains. My recent work focuses on security, both software security in the traditional sense and related issues such as privacy. I have also worked on analyses that help programmers build and deploy software updates in high-availability environments.

Black Hat Asia 2017 Halvar Flake - Why we are not building a defendable Internet

BH USA 2006 - Halvar Flake Need New Tools

DEF CON 2006 - NNew Chhallenges Need Changing Tools

RuhrSec 2018: Keynote: Weird machines, exploitability and unexploitability (Halvar Flake)

Preventing Attacks at Scale [I] - Dino Dai Zovi, Capsule8

  • Security hardening for containers, clusters, and operating systems is a very important part of setting up infrastructure and always “Plan A”. The world of “Plan A” defends the importance of making sure your cluster is set up securly. Dino comes from the world of “Plan B” and will focus on detecting when security boundaries have been breached. This is necessary for environments where you don’t have ability to ensure base OS is fully patched, etc.
  • Step into the world of Linux kernel features such as seccomp, eBPF, kprobes and Kubernetes tunable security features and learn how to detect and defend against attacks at scale.
  • Dino Dai Zovi is the Co-Founder and CTO at Capsule8.

BH USA 2002 - Professional Source Code Auditing - Mark Dowd, neel Mehta, Halvar Flake

Halvar Flake: Black Hat EU 2003 - Data Flow Analysis

[AthCon 2012] Exploitation and State Machines

44CON 2013 - A talk about (info-sec) talks - Haroon Meer

  • Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?
  • The conference scene is actually a reasonable proxy for the state of information security as a discipline.. i.e. theres a lot of activity but with questionable results (and dodgy metrics).
  • This talk aims to change (some of) that.

Dino Dai Zovi - Attacker Math 101

An introduction to Category Theory forSoftware Engineers - seems like an awesome intro

Static Detection of Second-Order Vulnerabilities in Web Applications - Usenix 2014 - a sample rewrite catalog of code patterns. (academic)

mpage/plt-study - A path to Programming Language Theory enlightenment

  • Lots of links to great papers and videos

James Koppel - The Best Refactoring You’ve Never Heard Of

  • Really detailed, cool looking talk

A gentle introduction to program analysis

  • Great slide deck from an academic, solid intro looks like, 113 slides

Let’s build a compiler - book

Safe and Efficient, Now -statically assure a wide range of safety properties:

  • never dereferencing a null pointer or taking the head of an empty list;
  • always sanitizing user input;
  • using only in-bounds indices to access (dynamically allocated) arrays of the statically unknown size.
  • Also a bunch of articles on types

The Architecture of Open Source Applications

Introducing the FASTEN project - The core idea behind FASTEN is really simple: instead of analyzing dependencies at the package level, we will analyze them at the call graph level! This will allow us to be super precise when we are tracking dependencies, when we do change impact analysis, when we recommend clients to update packages etc. It will also open the door to new sophisticated applications, e.g. licensing compliance, dependency risk profiling and data-driven API evolution.

Macaroons are Better Than Cookies!

246 Findings From our Smart Contract Audits: An Executive Summary

Microsoft Academic Knowledge Graph - a large RDF data set with over eight billion triples with information about scientific publications and related entities, such as authors, institutions, journals, and fields of study. The data set is based on the Microsoft Academic Graph and licensed under the Open Data Attributions license. Furthermore, we provide entity embeddings for all 210M represented scientific papers.

The A-Z of Programming languages - interviews with programming language creators)

Adventures in Prolog

Magritte: A Language for Pipe-BasedProgramming - masters thesis