NorthSec 2021

Addison Amiri

Addison Amiri got his start in security in the mid-2000’s when he read about how easy it was to break WEP. From there, he’s meandered the world of security, through academia and industry, eventually entering the world of professional security consulting. Along the way, he’s had the opportunity to be simultaneously amazed at how well computers work and terrified that our lives now rely on them. These days he’s traveling the world and making the most of the cyberpunk dystopia.


What is your title?

Security Consultant

What is your company/affiliation(s)?

Shibuya Industries


Sessions

05-20
17:10
40min
Vulnerability research
Ivica Stipovic, Jeff Dileo, Addison Amiri, Yuan Stevens, Stephanie Tran, Florian Martin-Bariteau, Pedro Ribeiro, Rayna Stamboliyska

Q&A and discussion for the malware block, hosted and moderated by Rayna Stamboliyska. Questions will be gathered from the audience during the four prior talks.

Vulnerability research
Main stream
05-20
16:00
30min
dRuby Security Internals
Addison Amiri, Jeff Dileo

dRuby is a "distributed object system" built into Ruby that is generally known
to be insecure, but which has never been properly audited... until now. In this
talk, we will discuss how dRuby works, where its insecurities lie, and how it
is much more insecure than previously understood to be — which is a feat,
considering that dRuby already provides code execution as a service.

This talk will focus on a discussion of the dRuby API, its
internals, and its underlying wire protocol, covering the security issues
inherent in each along the way. As part of the this, we will also demonstrate
several novel exploitation techniques that can be used against both dRuby
servers and clients, the latter of which have not been known to be vulnerable
until now. Following this, we will discuss some of our work to harden dRuby
against each of the issues we identified. We will then close our talk by
covering our work to exploit the exploits used to compromise dRuby-based
services for some very ironic honeypotting.

Vulnerability research
Main stream