1Y0-341 availability - Citrix ADC Advanced syllabus - Security Management and Optimization Updated: 2023

A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.

CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.

On October 17, Mandiant revealed that the flaw was abused as a zero-day in limited attacks since late August 2023.

This Monday, Citrix issued a subsequent warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw immediately, as the rate of exploitation has started to pick up.

Today, researchers at Assetnote shared more details about the exploitation method of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure.

The Citrix Bleed flaw

The CVE-2023-4966 Citrix Bleed flaw is an unauthenticated buffer-related vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, network devices used for load balancing, firewall implementation, traffic management, VPN, and user authentication.

By analyzing the unpatched (13.1-48.47) and patched versions (13.1-49.15) of NetScaler, Assetnote found 50 function changes.

Among these functions, the researchers found two ('ns_aaa_oauth_send_openid_config' and 'ns_aaa_oauthrp_send_openid_config') that featured additional bounds checks preceding the generation of a response.

These functions use 'snprintf' to insert the appropriate data into the generated JSON payload for the OpenID configuration. In the pre-patch version, the response is sent immediately without checks.

The vulnerability emerges from the return value of the snprintf function, which can lead to a buffer over-read if exploited.

The patched version ensures that a response will only be sent if snprintf returns a value lower than 0x20000.

Snatching session tokens

Armed with that knowledge, Assetnote's analysts attempted to exploit vulnerable NetScaler endpoints.

During that process, they found that the hostname value used for generating the payload comes from the HTTP Host header, so one does not need administrator rights to access it.

Furthermore, the hostname is inserted into the payload six times. Hence, its exploitation makes it possible to exceed the buffer limit, forcing the endpoint to respond with the buffer's contents and adjacent memory.

"We could clearly see a lot of leaked memory immediately following the JSON payload," explains Assetnote in the report.

"While a lot of it was null bytes, there was some suspicious-looking information in the response."

By exploiting the vulnerability thousands of times for testing, the analysts consistently located a 32-65 byte long hex string that is a session cookie.

Retrieving that cookie makes it possible for attackers to hijack accounts and gain unrestricted access to vulnerable appliances.

Now that a CVE-2023-4966 exploit is publicly available, it is expected that threat actors will increase their targeting of Citrix Netscaler devices to gain initial access to corporate networks.

Threat monitoring service Shadowserver reports spikes of exploitation attempts following the publication of Assetnote's PoC, so the malicious activity has already started.

As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.

Earlier this month another vulnerability was found in Citrix Systems Inc.’s NetScaler and NetGateway product lines. This time around, the Citrix Bleed exploit is a lot more dangerous and harder to snuff out.

In July and August, about 2,000 NetScalers were exploited by a threat actor to get persistent access. NetScaler and NetGateway perform a variety of network security functions, including load balancing, application firewalls and proxy services.

The Citrix Bleed exploit allows attackers to retrieve session cookies to gain unauthorized access. The company announced patches on Oct. 10 for several versions, with the exception of v12.1, which is still vulnerable and considered past its end of life. But then other issues were discovered.

Last week saw further definition of the scope of the problem. Google LLC’s Mandiant research group found another vulnerability that wasn’t fixed with these patches. Other researchers, including Assetnote, found the exploit happening in their telemetry since August and issued a proof-of-concept example. This can be used as a demonstration, as well as a mechanism for network administrators to test their systems. Assetnote had further technical details that show how the exploit works.

Mandiant found instances where the exploit was used to infiltrate the infrastructure of government entities and technology corporations, and the Cybersecurity and Infrastructure Security Agency added the exploit and warnings to federal agencies. Mandiant and Citrix both issued warnings to those that haven’t yet patched their systems to do so as soon as possible. Greynoise, another security researcher, indicated that more than a dozen unique IP addresses were still unpatched as of the weekend, according to data they extracted from their own telemetry.

Session cookie-based attacks have been in the news most recently, because they make it easier for hackers to breech systems without having to find and steal login credentials. They’re also useful because the cookies are designed to persist after any reboots of the equipment, and in some cases the initial patches offered by the vendors don’t take this into account. A similar set of session cookie attacks were behind a series aimed at Cisco Systems Inc. IOS devices earlier in the month.

Photo: Citrix

A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.

The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets in appliances configured as gateways of authentication, authorization, and accounting (AAA) virtual servers.

In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.

A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.

"Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023," says the cybersecurity company.

The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach more accounts.

Security researchers observed CVE-2023-4966 being exploited for access on infrastructure belonging to government organizations and technology companies.

Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators with the following suggestions:

1. Restrict ingress IP addresses if immediate patching isn't feasible.
2. Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions <vServer>.
3. Rotate credentials for identities accessing vulnerable appliances.
4. If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
5. For detected web shells or backdoors, rebuild appliances with the latest clean-source image.
6. If restoring from backup, ensure no backdoors are in the backup configuration.
7. Limit external attack exposure by restricting ingress to trusted IPs.

Also, upgrading the appliances to the following firmware versions should be prioritized:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
• NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NdcPP

This is the second zero-day flaw Citrix fixes in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few of weeks later.

A critical security vulnerability in Citrix NetScaler patched last week is under active attack — and has been since at least August.

Making matters worse, the bug (CVE-2023-4966, CVSS score 9.4), can't be fully remediated by simply applying the patch, Mandiant warns.

To that point, "organizations should ... terminate all active sessions," Mandiant CTO Charles Carmakal explained in a LinkedIn post on the active Citrix exploitation this week. "These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated."

Technically an information-disclosure vulnerability, the flaw allows cyberattackers to hijack existing authenticated sessions and potentially bypass multifactor authentication (MFA). The result is full control over NetScaler environments, which control and manage application delivery within enterprises.

Mandiant has traced attacks exploiting the bug back to late summer, carried out by an unknown threat actor. Carmakal said that the ongoing exploitation appears focused on cyberespionage, with professional services, technology, and government organizations so far in the unknown attackers' sights.

"We anticipate other threat actors with financial motivations will exploit this over time," he added.

That's a likely prediction given that organizations have a poor track record when it comes to mitigating known threats against Citrix gear. For instance, earlier in the month it came to light that legions of attackers are still targeting CVE-2023-3519 (CVSS score of 9.8), a critical pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways that was addressed in July (but exploited as a zero-day for a month before that).

Thousands of credential-theft attacks ensued after the disclosure, cresting in August as patching lagged. As of early October, according to the Shadowserver Foundation, more than 1,300 backdoored NetScaler instances were still appearing in scans.

As far as the latest critical security bug goes, customer-managed Citrix NetScaler ADC and NetScaler Gateway installations are affected; cloud instances are not, as outlined in the Citrix bug advisory, which also includes information about patched versions. Mandiant on Wednesday also offered updated, detailed remediation guidance for CVE-2023-4966.

A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

Repeat: This is not a drill

Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare: “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

He said that as of Saturday, he had found an estimated 20,000 instances of exploited Citrix devices where session tokens had been stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable Netscaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 coming from 135 IP addresses when this post went live on Ars. That’s a 27-fold increase from the five IPs spotted GreyNoise saw five days ago.

The most latest numbers available from security organization Shadowserver showed that there were roughly 5,500 unpatched devices. Beaumont has acknowledged that the estimate is at odds with his estimate of 20,000 compromised devices. It’s not immediately clear what was causing the discrepancy.

The vulnerability is relatively easy for experienced people to exploit. A simple reverse-engineering of the patch Citrix released shows the functions that are vulnerable, and from there, it’s not hard to write code that exploits them. Making attacks even easier, a handful of proof-of-concept exploits are available online.

In a detailed technical analysis, researchers from Assetnote wrote:

We found two functions that stood out ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. Both functions perform a similar operation, they implement the OpenID Connect Discovery endpoint. The functions are both accessible unauthenticated via the /oauth/idp/.well-known/openid-configuration and /oauth/rp/.well-known/openid-configuration endpoints respectively.

Both functions also included the same patch, an additional bounds check before sending the response. This can be seen in the snippets below showing the before and after for ns_aaa_oauth_send_openid_config.

Original

iVar3 = snprintf(print_temp_rule,0x20000,
                "{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/ idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\":  \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"toke n\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end _session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_sup ported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_support ed\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr \", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoin t\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
                ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
authv2_json_resp = 1;
iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);

Patched

uVar7 = snprintf(print_temp_rule,0x20000,
                "{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/ idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\":  \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"toke n\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end _session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_sup ported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_support ed\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr \", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoin t\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
                ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
uVar4 = 0x20;
if (uVar7 < 0x20000) {
        authv2_json_resp = 1;
        iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,uVar7);
        ...
}

The function is pretty simple, it generates a JSON payload for the OpenID configuration and uses snprintf to insert the device's hostname at the appropriate locations in the payload. In the original version, the response is sent immediately. In the patched version, the response is only sent if snprintf returns a value less than 0x20000.

The vulnerability occurs because the return value of snprintf is used to determine how many bytes are sent to the client by ns_vpn_send_response. This is a problem because snprintf does not return how many bytes it did write to the buffer, snprintf returns how many bytes it would have written to the buffer if the buffer was big enough.

To exploit this, all we needed to do was figure out how to get the response to exceed the buffer size of 0x20000 bytes. The application would then respond with the completely filled buffer, plus whatever memory immediately followed the print_temp_rule buffer.

‍Exploiting the Endpoint

Initially we thought the endpoint would probably not be exploitable. The only data that was inserted was the hostname, which is something that needed administrator access to configure. Luckily for us, we were wrong and the value inserted into the payload did not come from the configured hostname. It actually came from the HTTP Host header.

We were also fortunate that NetScaler inserts the hostname into the payload six times, as this meant we could hit the buffer limit of 0x20000 bytes without running into issues because either the Host header or the whole request was too long.

We put together the following request and sent it to our NetScaler instance.

GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a <repeated 24812 times>
Connection: close

We received the response shown below with the non-printable characters removed.

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 147441
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-Citrix-Application: Receiver for Web

{"issuer": "https://aaaaa ...<omitted>... aaaaaaaaaaaaaaaaí§¡
ð
í§¡-ª¼tÙÌåDx013.1.48.47à
d98cd79972b2637450836d4009793b100c3a01f2245525d5f4f58455e445a4a42HTTP/1.1 200 OK
Content-Length: @@@@@
Encode:@@@
Cache-control: no-cache
Pragma: no-cache
Content-Type: text/html
Set-Cookie: NSC_AAAC=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;Secure;HttpOnly;Path=/

{"categories":[],"resources":[],"subscriptionsEnabled":false,"username":null}
ð
å
å
PÏÏ
H¡
éÒÏ
eGÁ"RDEFAULT
ò #pack200-gzip
compressdeflategzip
dentity
þÿÿÿÿÿ
©VPN_GLOBALÿÿÿÿÿÿ   è"AAA_PARAMí

We could clearly see a lot of leaked memory immediately following the JSON payload. While a lot of it was null bytes, there was some suspicious looking information in the response.

But Citrix Bleed is still plenty bad. Organizations should consider all Netscaler devices to have been compromised. This means patching any remaining unpatched devices. Then, all credentials should be rotated to ensure any session tokens that might have been leaked are invalidated. Last, organizations should inspect their devices and infrastructure for signs of compromise. Security firm Mandiant has in-depth security guidance here.

A critical vulnerability that hackers have exploited since August, which allows them to bypass multifactor authentication in Citrix networking hardware, has received a patch from the manufacturer. Unfortunately, applying it isn’t enough to protect affected systems.

The vulnerability, tracked as CVE-2023-4966 and carrying a severity rating of 9.8 out of a possible 10, resides in the NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. Stemming from a flaw in a currently unknown function, the information-disclosure vulnerability can be exploited so hackers can intercept encrypted communications passing between devices. The vulnerability can be exploited remotely and with no human action required, even when attackers have no system privileges on a vulnerable system.

Citrix released a patch for the vulnerability last week, along with an advisory that provided few details. On Wednesday, researchers from security firm Mandiant said that the vulnerability has been under active exploitation since August, possibly for espionage against professional services, technology, and government organizations. Mandiant warned that patching the vulnerability wasn’t sufficient to lock down affected networks because any sessions hijacked before the security update would persist afterward.

The company wrote:

Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multi factor authentication or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.

The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.

Mandiant provided security guidance that goes well beyond the advice Citrix provided. Specifically:

• Isolate NetScaler ADC and Gateway appliances for testing and preparation of patch deployment.

Note: If the vulnerable appliances cannot be prioritized for patching, Mandiant recommends that the appliances have ingress IP address restrictions enforced to limit the exposure and attack surface until the necessary patches have been applied.

• Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest firmware versions, which mitigate the vulnerability.

• Post upgrading, terminate all active and persistent sessions (per appliance).

– Connect to the NetScaler appliance using the CLI.

• To terminate all active sessions, run the following command: kill aaa session -all

• To clear persistent sessions across NetScaler load balancers, run the following command (where is the name of the virtual server / appliance): clear lb persistentSessions

• To clear existing ICA sessions, run the following command: kill icaconnection -all

• Credential Rotation

– Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance.

– If there is evidence of suspicious activity or lateral movement within an environment, organizations should prioritize credential rotation for a larger scope of identities if single factor authentication (SFA) remote access is allowed for any resources from the Internet.

• If web shells or backdoors are identified on NetScaler appliances, Mandiant recommends rebuilding the appliances using a clean-source image, including the latest firmware.

Note: If a restoration of an appliance is required using a backup image, the backup configuration should be reviewed to ensure that there is no evidence of backdoors.

• If possible, reduce the external attack exposure and attack surface of NetScaler appliances by restricting ingress access to only trusted or predefined source IP address ranges.

The advice is warranted given the track record from previous exploitation of critical Citrix vulnerabilities. For example, Citrix disclosed and released a patch for a separate 9.8 vulnerability on July 18. Three days later, according to Internet scans by security organization Shadowserver, more than 18,000 instances had yet to apply the critical update.

By then, according to the US Cybersecurity and Infrastructure Security Administration, the vulnerability was already under active exploit. In the subsequent weeks,  Shadowserver and security firms F-Secure and IBM Security Intelligence tracked thousands of exploitations used for credential theft.

What Mandiant’s guidance amounts to is this: If your organization uses either NetScaler ADC or NetScaler Gateway that's on-premises, you should assume it has been hacked and follow the guidance provided. And yes, that includes patching first.

Pediatric Research adheres to Springer Nature’s Data Policy Type 3. This means that a submission to Pediatric Research implies that materials described in the manuscript, including all relevant raw data, will be freely available to any researcher wishing to use them for non-commercial purposes, without breaching participant confidentiality. It also means that a Data Availability Statement (see below for more details) is required by the journal.

Data Policy Details

The journal strongly encourages that all datasets on which the conclusions of the paper rely should be available to readers. We encourage authors to ensure that their datasets are either deposited in publicly available repositories (where available and appropriate) or presented in the main manuscript or additional supporting files whenever possible. Please see Springer Nature’s information on recommended repositories.

General repositories – for all types of research data – such as figshare and Dryad may be used where appropriate.

Where a widely established research community expectation for data archiving in public repositories exists, submission to a community-endorsed, public repository is mandatory*.

Persistent identifiers (such as DOIs and accession numbers) for relevant datasets must be provided in the paper.

*For the following types of data set, submission to a community-endorsed, public repository is mandatory:

Data Availability Statement

As part of the Pediatric Research Data Availability Policies, all original articles must include a Data Availability Statement. Data availability statements should include information on where data supporting the results reported in the article can be found including, where applicable, hyperlinks to publicly archived datasets analysed or generated during the study. By data we mean the minimal dataset that would be necessary to interpret, replicate and build upon the findings reported in the article. We recognise it is not always possible to share research data publicly, for instance when individual privacy could be compromised, and in such instances data availability should still be stated in the manuscript along with any conditions for access.

Data Availability statements can take one of the following forms (or a combination of more than one if required for multiple datasets):

1. The datasets generated during and/or analysed during the current study are available in the [NAME] repository, [PERSISTENT WEB LINK TO DATASETS].
2. The datasets generated during and/or analysed during the current study are not publicly available due [REASON WHY DATA ARE NOT PUBLIC] but are available from the corresponding author on reasonable request.
3. The datasets generated during and/or analysed during the current study are available from the corresponding author on reasonable request.
4. Data sharing not applicable to this article as no datasets were generated or analysed during the current study.
5. All data generated or analysed during this study are included in this published article [and its supplementary information files].
6. The data that support the findings of this study are available from [third party name] but restrictions apply to the availability of these data, which were used under license for the current study, and so are not publicly available. Data are however available from the authors upon reasonable request and with permission of [third party name].

Photo: Topology Optimization and Tailored Fiber Placement used to stiffen an aerospace wing bulkhead. Optimization generates a 15% stiffness increase at 44% weight savings for the bulkhead back panel, compared to quasi-isotropic composite laminates.

Composite Optimization Capability

UDRI offers a suite of in-house tools for design of composite structures and devices. These algorithms attempt to minimize a user-defined objective, while considering any relevant design constraints. Both gradient-based and genetic algorithm optimizations are available, and are tightly coupled with UDRI analysis and manufacturing capability. This allows UDRI to go from problem definition, to an optimized and validated design, to a fabricated composite structure. The result is lighter, stiffer structures and the potential for subsystem integration through multifunctional materials.

Optimization for Tailored Fiber Placement (TFP) Composites

A gradient-based optimization algorithm provides optimal topology and fiber alignment for Tailored Fiber Placement composites. The algorithm generates minimum-compliance designs for single or multiple load cases, greatly expanding attainable design space when compared to quasi-isotropic composite laminates. Optimization output provides options for selective reinforcement of traditional thin-walled structures, or for fully dense replacements of traditionally manufactured parts.

Figure 1. Optimization trade of a TFP-optimized panel vs. a unidirectional panel.

Figure 2. Fully dense panel, 2x as stiff as a unidirectional panel of the same weight. Manufactured using ICOMAT FibreSteer.

Optimization using process variables

Using material characterization techniques, UDRI develops a continuous, differentiable model for a controllable manufacturing process, such as variation in fiber alignment as a function of print speed. This model then feeds the gradient-based optimization in order to determine the best structure. Including the process model in the design significantly reduces post-processing design time and design-to-part defects.

Figure 3. Seifert, David Ryan, Andrew Abbott, and Jeffery Baur. "Topology and alignment optimization of additively manufactured, fiber-reinforced composites." Structural and Multidisciplinary Optimization 63.6 (2021): 2673-2683.

Multifunctional Topology Optimization

UDRI offers multiphysics design using in-house FEM and sensitivity algorithms. Currently supporting electrostatics and piezoresistive mechanics and objectives, with capability for thermal and aeroelastic physics in progress. The algorithm is able to balance load carrying capability with the secondary function to arrive at a suite of optimal topologies for a given range of performance targets.

Figure 4. Seifert, Ryan, Mayuresh Patil, and Gary Seidel. "Topology optimization of self-sensing nanocomposite structures with designed boundary conditions." Smart Materials and Structures 28.7 (2019): 074006.

Genetic Optimization of Composite Damage Specimens

Using UDRI’s BSAM composite damage FEM software, a NSGA-II genetic algorithm performs shape optimization to tailor a tensile specimen for a targeted failure mode. This removes the need for the complicated test fixtures typically required to characterize many composite damage modes.

Figure 5. Geise, Luke, et al. "Harnessing shape optimization techniques to develop novel methods to determine shear properties in PMCs." Computational Materials Science 200 (2021): 110782.

Figure 6. BSAM analysis confirms that the optimized design experiences shear failure in the target area.

Scott Huelskamp
Senior Composites Engineer
Phone: 937-229-3045
Email: Scott.Huelskamp@udri.udayton.edu

Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8