Azimuth consultants have long been active participants in the security community. Some of our larger contributions include a comprehensive book on software security assessment, and a supporting blog and website focused on software security.


The Art of Software Security Assessment - Mark Dowd, John McDonald, and Justin Schuh (November 2006)


This is a 1200 page Addison-Wesley Professional book focusing on software security assessment. It teaches the reader how to audit applications across a wide range of technologies and platforms. The book's primary focus is on utilizing manual source code review to find security flaws, and it reinforces this skill through the use of extensive examples drawn from real-world code. 


This book was published by Addison-Wesley Professional.




The Art of Software Security Assessment Blog - Mark Dowd, John McDonald, and Justin Schuh (2006 - 2009)



This website was created to support our book, and provide a platform for the authors to publish additional material. There are several original articles published here, including security research, coding challenges, example vulnerable code, and a collection of resources and links for each chapter in the book. 


This website was created by Mark Dowd and John McDonald of Azimuth Security, and Justin Schuh of Google.





Azimuth consultants have authored a few notable whitepapers on security research topics

Heap Cache Exploitation - John McDonald (July 2009)


This paper discusses several innovative exploitation techniques for the Windows XP and Windows 2003 operating systems. It specifically focuses on an undocumented part of the heap implementation named the heap cache, which is responsible for large block allocations. 

This work was performed on behalf of IBM ISS X-Force.


Application Specific Attacks: Leveraging the ActionScript Virtual Machine - Mark Dowd (April 2008)


This paper discusses the exploitation of a specific flaw uncovered in Adobe Flash. Specifically, it explores a technique that incorporates the ActionScript Virtual Machine (AVM) to reliably exploit a memory corruption flaw that would otherwise be difficult to leverage with traditional techniques.

 This work was performed on behalf of IBM ISS X-Force.






In addition to our whitepapers, Azimuth consultants regularly speak at a variety of industry conferences. This section contains the research papers and slides from these speeches.

Smashing The Atom (Extraordinary String-based Attacks) - Tarjei Mandt (Recon 2012)


This presentation introduces a mini bug-class affecting the Windows Kernel. It specifically focuses on the types of problems that can occur when unprivileged users are able to access and manipulate the Windows atom table in unexpected ways. Several real-world examples are presented in this talk that shows these attacks in action.

Slides (PPT)

Attacking Interoperability - Mark Dowd, Ryan Smith, David Dewey (BlackHat Vegas 2009)


This presentation discusses several unique classes of vulnerabilities specific to interoperability layers within complex applications, with particular focus on contemporary web browsers. The speech covers object retention, type confusion, and transitive trust. This speech included disclosure of several vulnerabilities, including the much-publicizedInternet Explorer killbit bypass.

This work was performed on behalf of IBM ISS X-Force.

Slides (PPT)      Paper (PDF)

Attacking Interoperability - Mark Dowd (HITB Malaysia 2009)


This presentation covered a lot of the same material as the Black Hat Las Vegas 2009 presentation, but it had several additions regarding automatic enumeration of the attack surface. 

This work was performed on behalf of IBM ISS X-Force.

Slides (PPT)


Practical Windows Heap Exploitation - John McDonald, Chris Valasek (BlackHat Las Vegas 2009)


This speech focuses on heap exploitation techniques specific to the Windows XP and Windows 2003 operating systems. Several methodologies are discussed for creating favorable memory layout patterns and manipulating heap data structures in order to create robust exploits for heap memory-corruption vulnerabilities. Many of the techniques covered build on well-documented prior heap research, with a healthy mix of original content that treads new ground. 

This work was performed on behalf of IBM ISS X-Force.

Slides (PPT)      Paper (PDF)


How To Impress Girls with Browser Memory Protection Bypasses - Mark Dowd, Alex Sotirov (BlackHat Vegas 2008)


This presentation focused on several techniques that could be utilized within web browsers to bypass the memory protection features incorporated in to Windows Vista. Several innovative new techniques were introduced - including stack spraying, Java RWX allocations, and statically-located .NET user controls. 

This work was performed on behalf of IBM ISS X-Force.

Slides (PDF)      Paper (PDF)


Media Frenzy: Attacking the Windows Media Framework - Mark Dowd, John McDonald (CanSecWest Vancouver 2008)


This speech focuses on the security exposure of the DirectShow framework present on Windows operating systems. Here, we explore how codecs (also known as DirectShow filters) are registered on the system, what attack surface each codec exposes, and how to enumerate the codecs on a given system. From there, we discuss the types of vulnerabilities commonly found in such codecs and give several real-world examples. 

This work was performed on behalf of IBM ISS X-Force.

Slides (PPT)