
[tl;dr sec] #130 - Project Zero on 0day Trends, ThinkstScapes, How Do You Actually Find Bugs?

Maddie Stone on 2021 0day trends, Thinkst's excellent research round-up, Mark Dowd OffensiveCon keynote on security research

Hey there,

I hope you’ve been doing well!

In Recent News

Welp…

Unrelatedly, shout-out to the management consultants out there 👏

Sponsor

📢 5 Features you need in an automated security platform

There are so many compliance platforms on the market, yet not all are created equal. As the leader in compliance automation, we know exactly what features to look for when choosing an automated platform. We've compiled a list of the biggest differentiators to check for, and we explain how each feature works in order to make your job more efficient as you go through the compliance process. Check out our guide to the five must-haves in an automated security platform.

📜 In this newsletter...

  • Conferences: OffensiveCon keynote on how to find bugs, Insomni'hack 2022 presentations

  • SSH: A smart SSH bastion host for Linux usable with any SSH client, a memory-safe SSH server built in Go with secure defaults

  • AppSec: DataDog Security Labs' PoCs, cURL but for gRPC, 6 principles for pragmatic start-up security

  • Cloud Security: Mitigating the top 10 GCP security threats, GCP asset inventory, Lambda that converts any document format that LibreOffice can import, CLI that uses Okta IdP via SAML for temporary AWS creds, Prowler Pro, a decade of AWS Marketplace

  • OPA: Audit your GitHub data using Rego, vet resources at deploy time using OPA + AWS CloudFormation Hook

  • Container Security: Gaining visibility via a security-focused service mesh

  • Misc: Easier and faster jq, make your Slack Google-searchable, keyboard shortcuts, license plates from around the world

  • The More You Know, The More You Know You Don’t Know: Google Project Zero on 2021 0day trends

  • ThinkstScapes Quarterly: 2022 Q1: Great round-up of security research by Thinkst

  • Twitter: Permanent chronic pain vs acute pain

Conferences

OffensiveCon22: How Do You Actually Find Bugs?
Great keynote by Mark Dowd, author of The Art of Software Security Assessment, in which he shares his mindset and tips as a long time vulnerability researcher.

Dealing with frustration and new information constructively is a key differentiator to success.

The more you’re curious about how a technology works, or how an algorithm achieves its goal, the less monotonous code review is.

The attack surface is the vulnerability; finding a bug there is just a detail.

Insomni’hack 2022 YouTube Playlist
Has some interesting offensive and defensive talks.

SSH

warp-tech/warpgate
A smart SSH bastion host for Linux that can be used with any SSH client, by Eugeny.

Introducing Caddy-SSH
By Mohammed Al Sahaf: A general-purpose, extensible, modular, memory-safe SSH server built in Go with safe, modern, and secure defaults.

AppSec

DataDog/security-labs-pocs
Information, exploits, and scripts from Datadog Security Labs, by DataDog’s Christophe Tafani-Dereeper and Andrew Krug. Currently has PoCs for the Dirty Pipe container breakout, Spring4Shell, and the JWT Null Signature Vulnerability.

fullstorydev/grpcurl
Like cURL, but for gRPC: a CLI tool for interacting with gRPC servers, by FullStory. You can also browse the schema for gRPC services, either by querying a server that supports server reflection, by reading proto source files, or by loading in compiled “protoset” files.

Vanta’s 6 principles for pragmatic startup security
Vanta’s Rob Picard describes practical, high value areas that are useful to focus on at a start-up.

Cloud Security

Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
NCC Group’s Viktor Gazdag outlines some of the recommendations of the latest CIS GCP benchmark, to which he contributed. Topics: resource segregation, IAM, network security, cloud storage, compute engine, cloud SQL, and logging and monitoring.

Where’s my stuff on GCP?
Google’s Nick Brandaleone shares how easy it is to use GCP’s Cloud Asset Inventory functionality to search for all of your GCP resources globally: $ gcloud asset search-all-resources.

javidlakha/unofunction
An AWS Lambda function that converts any document format that LibreOffice can import to any document format that LibreOffice can export, by Javid Lakha.

Nike-Inc/gimme-aws-creds
A CLI that utilizes an Okta IdP via SAML to acquire temporary AWS credentials via AWS STS.

Putting the Pro in Prowler
Toni de la Fuente, the creator of Prowler, will now be working on Prowler Pro, which makes it easy to deploy in multiple AWS cloud accounts, and offers centralized, automated reporting with configurable dashboards. It’s always nice to see open source tools getting more development, and the creators of them being rewarded.

Related meme by Naomi Buckwalter:

A decade of innovating with AWS Marketplace
An interesting history and overview of AWS Marketplace, which aims to make it easy to buy and deploy software from vendors into your AWS environment, like Snowflake, Databricks, Palo Alto Networks, and more.

OPA

reposaur/reposaur
Audit your GitHub data using custom policies written in Rego. Generate reports, perform auditing and more.

The OPA AWS CloudFormation Hook
Styra’s Anders Eknert describes using the new AWS CloudFormation Hook feature to allow custom code (in this case OPA) to intercept a resource on its way to deployment and verify its properties against policy at provisioning time.

Container Security

Gaining Visibility Within Container Clusters
Palo Alto Networks’ Nathaniel Quist describes how using a security-focused service mesh can help you with runtime and network traffic monitoring and visibility in Kubernetes clusters. Here’s an example architecture:

Sponsor

📢 Eliminate noise and prioritize the vulnerabilities that really matter with Risk Spotlight

Is your team drowning in container vulnerability noise? Are you spending a lot of time figuring out where to focus resources on and still missing risky vulnerabilities? You are not alone. Read this blog to learn how fast and easy you can find, focus and fix vulnerabilities that pose a real risk.

Misc

Introducing zq: an Easier (and Faster) Alternative to jq
By Brim Data. I haven’t played with it yet, but zq’s syntax seems a bit more intuitive than jq’s.

Linen: Make your Slack community Google-searchable
“Linen syncs your Slack threads to an SEO friendly website that allows your community to discover you through search engines and reduces the number of repeat questions.”

Use The Keyboard
A collection of keyboard shortcuts for Mac apps, Windows programs, and websites.

License Plates Of The World
See license plates from all around the world.

The More You Know, The More You Know You Don’t Know

Google Project Zero’s Maddie Stone presents Project Zero’s annual review of 0days used in-the-wild in 2021.

  • 58 in-the-wild 0-days detected and disclosed, the most ever recorded since Project Zero began tracking in mid-2014.

    • They believe this increased number is due to better detection, not more being used.

  • 39, or 67%, were memory corruption.

  • Attacker methodology hasn’t actually had to change much: they’re having success using the same bug patterns and exploitation techniques and going after the same attack surfaces.

With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty “meh” or standard.

While the sample size is small (3), it’s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation… The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices.

Outstanding questions include:

Are we seeing the same bug patterns because that’s what we know how to detect?

ThinkstScapes Quarterly: 2022 Q1

Another great round-up of security research by Thinkst Canary, covering:

  • Low-level, but high-privilege bug hunting

  • Confidential computing for the masses

  • Machine learning is here to help, or not

  • Nifty sundries

One that stuck out to me is “Why No One Pwned Synology at Pwn2Own and Tianfu Cup in 2021” (slides) by Eugene Lim and Loke Hui Yi, in which they reflected on how Synology held up as targets at two IoT-focused exploitation contests.

…they identified three consistently-deployed defensive coding practices that prevented exploitation:

1. Declarative flows for authentication and authorisation

2. Hardened library functions that were integrated into bundled open-source components

3. and finally a minimisation of duplicate code.

The researchers did note that there were vulnerabilities present, but they either were broken by other security practices or restricted to authenticated users. Synology not only developed and enforced the usage of safer alternatives to commonly-misused memory manipulation functions, but carried those alternatives into open-source components on the platform. This prevented bugs in a well-known open-source server or library from automatically resulting in code execution on the Synology device. The consistent usage of the same validation functions both on the frontend and backend components prevented discrepancies from opening differentials that could be exploited later.

Twitter

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint