[tl;dr sec] #133 - Hunting Evasive Vulnerabilities, eBPF, Fuzzing
James Kettle on finding subtle bugs and bug classes, eBPF-related tools and backdoors, fuzzing Golang, malware, and getting higher coverage.
I hope you’ve been doing well!
This week I’m in Costa Rica at an offsite with r2c’s Security Research team + friends!
It’s actually the first time we’ve ever all met in person, with people flying in from all over the U.S., France, Belgium, and Russia.
We’ve been having a blast: getting to know each other better, having meetings at the pool, going ziplining, and fending off more biodiversity than most of us are accustomed to.
Staying at a large Airbnb basically surrounded by jungle is humbling: you realize that it is in fact ants* that own this territory, and you’re just a visitor.
*As well as the 5 inch spider we found in the common area, the bat that flew into the house, and countless other inch+ insects.
📢 Cloud SIEM Best Practices Guide: Learn how to apply Datadog Cloud SIEM best practices
Datadog Cloud SIEM, a part of the Datadog Cloud Security Platform, provides robust threat detection for dynamic, cloud-scale environments.
With Cloud SIEM, you can analyze operational and security logs in real time—regardless of their volume—while utilizing curated, out-of-the-box integrations and rules to detect threats.
In this guide, learn how to collect and leverage logs from popular technologies to monitor and secure your systems. Additionally, explore how to use authentication logs to detect common security threats.
Read Datadog's Cloud SIEM best practices guide to learn more.
📜 In this newsletter...
AppSec: Tool to probe for Java deserialization gadgets blind, the power of customizable, open source static analysis
Mobile Security: Flutter reverse engineering framework
Web Security: Hunting evasive vulnerabilities, mitmproxy to OpenAPI 3.0 specs
Cloud Security: Building a data perimeter on AWS, security reference architecture for a serverless app, complete AWS security maturity model
eBPF: Chinese eBPF backdoor, nmap for pids, tool to build, run and distribute eBPF programs using OCI images, Linux eBPF backdoor over TCP, flow-based IDS, using machine learning in eBPF
Supply Chain: Keyless git signing using Sigstore, how to sign Lambda function code built with GitHub Actions
Fuzzing: Getting higher observed fuzzing coverage, fuzzing ClamAV with real malware samples, fuzzing Golang
Politics / Privacy: How to disable ad ID tracking on iOS and Android, ICE uses data brokers to bypass surveillance restrictions
Misc: Avril Lavigne parody about Bitcoin
Productivity tools Katie Paxton-Fear uses every day: List of some useful tools
Tool by Bishop Fox’s Jake Miller that helps you exploit Java deserialization bugs when none of the ysoserial payloads work and you need to debug or build a gadget chain totally blind. It probes endpoints that consume Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Flutter reverse engineering framework by @Impact_I that uses a patched version of the Flutter library, already compiled and ready for app repacking. The library’s snapshot deserialization process has been modified so you can perform dynamic analysis conveniently.
Hunting evasive vulnerabilities
Nullcon Berlin keynote by Portswigger’s James Kettle picks out evasive vulnerabilities found across a decade of web security research, exploring what factors hid both individual bugs and entire attack classes - and what gave them away. He extracts both specific techniques and broad principles that you can apply to find other overlooked flaws, as well as what doesn’t work, as he’s learnt quite a bit about that too.
See also James’ excellent So you want to be a web security researcher?.
Automatically convert mitmproxy captures to OpenAPI 3.0 specifications. Basically you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
Building a Data Perimeter on AWS
An AWS whitepaper on best practices and available services for creating a perimeter around your identities, resources, and networks in AWS. See also this blog post by Ilya Epshteyn.
Security reference architecture for a serverless application
Salesforce’s Anunay Bhatt walks through the security controls you can apply to a demo serverless application, including authentication, authorization, infra least privilege, network security, code security, data protection, and logging.
By Kris Nóva: Like nmap but for pids. xpid lets a user “investigate” process details on a Linux system, for example: investigate a specific pid, find all container processes on a system, find all processes in the same namespace as a given pid, find all processes running with eBPF programs, etc.
By solo.io: Get eBPF programs running from the cloud to the kernel in 1 line of Bash. BumbleBee helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components - automatically exposing your data as metrics or logs.
Linux eBPF backdoor over TCP by Kris Nóva. Remote code execution over TCP (SSH, Nginx, Kubernetes, etc.), network gateway bypass (bad checksums, TCP reset), self-obfuscation at runtime (eBPF process hiding).
A flow-based IDS using Machine Learning in eBPF
Academic paper: “We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF.”
Fuzzing ClamAV with real malware samples
“tl;dr: Fuzzing ClamAV using real malware samples results in 10 bugs discovered including one buffer overflow and three DoS vulnerabilities.” See also their multiple posts on fuzzing game map parsers and network fuzzing with AFL.
Go Fuzz Testing - The Basics
Fuzzbuzz’s Everest Munro-Zeisberger walks through fuzzing a simple Golang function, and in Advanced Go Fuzzing Techniques discusses fuzzing with assertions, round-trip fuzzing, and differential fuzzing.
Politics / Privacy
How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now
Walkthrough by the EFF on revoking tracker access to your ad ID on Android and iOS as well as the history of ad identifiers and why they matter.
📢 6 Best Practices for Kubernetes Audit Logging
Running Kubernetes is challenging and complex. Learn how to set up Kubernetes audit logging to troubleshoot your deployment in this guide from Teleport.
Lil Bubble - Liquidated
This week on “Things I Didn’t Expect to See but I Suppose are not Surprising” (TIDEtSbISanS), is this “Complicated” by Avril Lavigne parody about Bitcoin 🤣
Plan - The best organization app - a planner + multiple TODO lists.
Obsidian - For note-taking.
Notion - For dashboard-style setups.
XMind - For mind maps.
GoodNotes - iPad note-taking.
LiquidText - Where she stores all PDFs and notes on books/whitepapers/blogs.
Speechify - Reads PDFs to you.
Feedly - RSS reader.
Fantastical - Best Calendar app that integrates with many different calendars, handles natural language event descriptions (“Sunday 4pm at…”).
Calendly - For scheduling.
Discord - Social.
OneDrive - Storage.
DarkReader - Makes websites dark mode.
Grammarly - Writing and grammar help.
Dragon - Dictation (speech -> text).
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!