[tl;dr sec] #14 - DevSecCon TLV, Slack's Secure Overlay Network, Dangers of Struct Padding
DevSecCon Tel Aviv 2019 talk notes, Slack releases Nebula, AWS instance metadata hardening, OSINT tips, struct padding can leak heap memory, deadlock challenges, formal methods.
After a lovely trip to Israel and the UK for DevSecCon Tel Aviv and London, I’m finally back in the Bay Area, where people are constantly pushing the forefront of what’s possible with technology.
That is, the people who have electricity, because the local energy company hasn’t cut their power due to concerns about fires. You know, normal stuff 😅
Nominated for CTO Universe MVP Award
An article I wrote for TechBeacon (Scale your security with DevSecOps: 4 valuable mindsets and principles) was one of 9 articles selected to be finalists for the 2019 CTO Universe MVP Awards in the DevOps category.
If you want, you can vote for my article here.
📜 In this newsletter...
Cloud Security: free AWS best practice configs, Slack's secure global overlay network, AWS metadata service hardening
Misc Tools: Godbolt compiler explorer, Singularity - a DNS rebinding framework
OSINT: bug bounty tips on discovering attack surface, new version of Amass
Collecting and Searching Information: 2 open source and 1 commercial tool
Programming: hands-on deadlock challenges, practical applications of formal methods
Politics: Google's acquiring your health records, Taiwan's social network that promotes debate
Padding the struct: How a compiler optimization can disclose stack memory
DevSecCon Tel Aviv:
Opening keynote by Elissa Shevinsky, lightweight threat modeling as code, managing secrets, container security stats, and I discuss the current state of DevSecOps and make predictions about where we're headed.
asecure.cloud - A free repository of customizable AWS security configurations and best practices.
Introducing Nebula, the open source global overlay network from Slack
“Securely connect tens of thousands of computers, hosted at multiple cloud service providers in dozens of locations around the globe.” source code
Service provider agnostic
Allows traffic filtering by host identity (not just IP address)
Hosts identify themselves via certificates that encode user-defined attributes (datacenter, role, environment, etc.).
Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
V2 of the EC2 Instance Metadata Service (IMDSv2) released, with several changes to prevent common attacks:
Every request now requires a session, whose secret is obtained via a PUT request to IMDSv2
Calls with the X-Forwarded-For header will be dropped
The PUT response containing the secret token will have its IP packet TTL set to 1, meaning requests from the EC2 instance itself will work, but the response likely can’t make it to an external attacker.
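To make those three rules concrete, here is a small Python model of an IMDSv2 endpoint together with the client flow against it (mint a token with PUT, then present it on GET). This is an added example, not AWS's code and not from the original newsletter: the `SimulatedIMDSv2` and `Response` classes, the `deliver` hop model, the rejection status codes and the sample instance id are assumptions made for the model; only the token path `/latest/api/token`, the two `X-aws-ec2-metadata-token*` headers and the six-hour maximum token lifetime are real IMDSv2 names and limits.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TOKEN_TTL = 21600  # IMDSv2 session tokens live at most six hours


@dataclass
class Response:
    status: int
    body: str = ""
    ip_ttl: int = 64  # IP TTL of the response packet (model value); 1 for token responses


class SimulatedIMDSv2:
    """Toy model of the IMDSv2 rules (hypothetical, not AWS's implementation)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> absolute expiry time
        # Constructed sample metadata; a real instance exposes many more paths.
        self._metadata = {"/latest/meta-data/instance-id": "i-0000000000example"}

    def handle(self, method: str, path: str, headers: dict) -> Response:
        h = {k.lower(): v for k, v in headers.items()}
        # Rule 1: anything that arrived through a proxy is refused outright.
        if "x-forwarded-for" in h:
            return Response(403, "X-Forwarded-For present")
        # Rule 2: a session token is only ever minted by a PUT to the token path.
        if method == "PUT" and path == TOKEN_PATH:
            try:
                ttl = int(h[TTL_HEADER])
            except (KeyError, ValueError):
                return Response(400, "missing or invalid TTL header")
            if not 1 <= ttl <= MAX_TOKEN_TTL:
                return Response(400, "TTL out of range")
            token = secrets.token_urlsafe(32)
            self._sessions[token] = self._clock() + ttl
            # The packet carrying the secret has IP TTL 1: it survives the hop
            # to the instance itself but not a second hop beyond it.
            return Response(200, token, ip_ttl=1)
        # Rule 3: every other request must present an unexpired session token.
        if method != "GET":
            return Response(405)
        expiry = self._sessions.get(h.get(TOKEN_HEADER))
        if expiry is None or expiry <= self._clock():
            return Response(401, "missing or expired session token")
        value = self._metadata.get(path)
        return Response(200, value) if value is not None else Response(404)


def deliver(resp: Response, hops: int):
    """Model of IP TTL: a packet that must cross `hops` routers is lost once TTL reaches 0."""
    return resp if resp.ip_ttl > hops else None


def fetch_instance_id(svc: SimulatedIMDSv2, hops: int = 0):
    """IMDSv2 client flow: mint a token, then use it on the metadata path."""
    minted = deliver(svc.handle("PUT", TOKEN_PATH, {TTL_HEADER: "60"}), hops)
    if minted is None or minted.status != 200:
        return None
    got = svc.handle("GET", "/latest/meta-data/instance-id", {TOKEN_HEADER: minted.body})
    return got.body if got.status == 200 else None


if __name__ == "__main__":
    svc = SimulatedIMDSv2()
    print("bare GET:", svc.handle("GET", "/latest/meta-data/instance-id", {}).status)
    print("from the instance:", fetch_instance_id(svc))
    print("one hop away:", fetch_instance_id(svc, hops=1))
```

The three defensive properties fall out directly: a plain GET (the shape most SSRF bugs can produce) gets a 401 because no session exists, a request that traversed a proxy is refused because of the X-Forwarded-For header, and a token response that would have to cross even one router beyond the instance never arrives. Tokens also expire, so a captured one has a bounded lifetime; the constructor takes an injectable clock so that expiry can be exercised without waiting.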
The Godbolt Compiler Explorer is a nice and easy way to see how C code gets translated to assembly by a number of compilers (linked by Jack Leadford’s post below).
Open-Source Intelligence (OSINT)
OWASP Amass v3.3.0 released, a Go tool that does “in-depth attack surface mapping and asset discovery.”
Supports gathering info from DNS, scraping, certificates, third-party APIs, and web archives.
Future releases will support saving results in Neo4J and any graph database that supports Gremlin (@apachetinkerpop).
Tools for Collecting and Searching Information
Vortimo - “organizes information on webpages that you’ve visited. It records pages you go to, extracts data from it and enrich the data that was extracted. It augments the pages in your browser by allowing you to tag objects as well as decorating objects it deems important.” Chrome extension + server with DB and UI, not open source. (thx Daniel Miessler)
Memex - a fully private browser extension to full-text search your browsing history & bookmarks (open source).
The Deadlock Empire: Slay dragons, master concurrency!
Hands-on multi-threaded programming challenges with a fun theme 🤘
Tweetstorm by Hillel Wayne on the power of formal methods (TLA+). Here are some snippets to give you a flavor; check it out for some neat talk and blog post links:
Google’s secret cache of medical data includes names and full details of millions
Google has a secret “Project Nightingale,” in which they are collecting vast amounts of American healthcare data, unbeknownst to patients. Google is receiving the data from Ascension, the second-largest healthcare provider in the U.S., including patients’ full personal details (name + medical history). This data has not been anonymized and can be accessed by Google staff.
How a social network could save democracy from deadlock
Taiwan has built a platform designed for people from across political divides to express their views. It promotes statements that find support across different groups as well as within them, gamifying finding consensus. Rather than simply letting people vote via an app, the platform gives participants agenda-setting power to not just determine the answer, but also define the question. It doesn’t aim to find a majority of one side over another, but rather achieve consensus across them.
NCC Group consultant Jack Leadford on how GCC may add padding to struct objects, attempting to make your code faster (by causing field accesses to be memory-aligned), but this can lead to disclosing stack memory!
Jack describes two example scenarios where this behavior may be exploited: an RPC server and a kernel driver. Here’s a useful illustration from a blog post by Alexander Popov:
Related: a Linux Security Summit talk Dealing with Uninitialized Memory in the Kernel by Alexander Potapenko of Google.
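A runnable illustration of the padding problem and its two usual fixes, added here and not taken from Jack Leadford's post or Alexander Popov's blog. It uses Python's ctypes, which lays out a structure with the host C compiler's alignment rules, so the same three bytes of padding that GCC inserts between a one-byte and a four-byte field on x86-64 appear here. The `Msg` layout, the 0xAA "stale" bytes standing in for whatever was previously in that memory, and the `<BI` wire format are all constructed for the example.

```python
import ctypes
import struct


class Msg(ctypes.Structure):
    """Mirrors `struct msg { uint8_t kind; uint32_t value; };` with the host C ABI layout."""
    _fields_ = [("kind", ctypes.c_uint8), ("value", ctypes.c_uint32)]


def padding_bytes() -> int:
    """Bytes of the object that are padding rather than fields (3 on x86-64)."""
    return ctypes.sizeof(Msg) - (ctypes.sizeof(ctypes.c_uint8) + ctypes.sizeof(ctypes.c_uint32))


def send_whole_object(stale: bytes) -> bytes:
    """Leaky pattern: assign the fields, then copy sizeof(struct) bytes to the wire.
    `stale` plays the role of whatever the memory held before the struct was placed there."""
    m = Msg.from_buffer_copy(stale[:ctypes.sizeof(Msg)])
    m.kind = 1            # writes byte 0 only
    m.value = 0x11223344  # writes bytes 4..7 only; bytes 1..3 are never touched
    return ctypes.string_at(ctypes.addressof(m), ctypes.sizeof(Msg))


def send_zeroed_object(stale: bytes) -> bytes:
    """Mitigation 1: memset the whole object to zero before populating fields."""
    m = Msg.from_buffer_copy(stale[:ctypes.sizeof(Msg)])
    ctypes.memset(ctypes.addressof(m), 0, ctypes.sizeof(Msg))
    m.kind = 1
    m.value = 0x11223344
    return ctypes.string_at(ctypes.addressof(m), ctypes.sizeof(Msg))


def send_fields(kind: int, value: int) -> bytes:
    """Mitigation 2: serialise field by field in an explicit wire format, so no padding exists."""
    return struct.pack("<BI", kind, value)


def leaked_padding(wire: bytes) -> bytes:
    """The bytes between `kind` and `value` on the wire, i.e. what the padding let through."""
    start = Msg.kind.offset + ctypes.sizeof(ctypes.c_uint8)
    return wire[start:Msg.value.offset]


if __name__ == "__main__":
    stale = b"\xaa" * ctypes.sizeof(Msg)  # constructed leftover memory contents
    print("padding bytes:", padding_bytes())
    print("whole object :", send_whole_object(stale).hex())   # 0xAA bytes ride along
    print("zeroed object:", send_zeroed_object(stale).hex())  # padding is now 00
    print("field by field:", send_fields(1, 0x11223344).hex())  # 5 bytes, nothing extra
```

The first variant is the bug pattern from the post: every field is initialised, yet `sizeof(struct)` bytes leave the process and three of them were never written. Zeroing the object first (or, in the kernel, using a zeroing allocator) closes that gap at the cost of keeping the struct as the wire format; packing fields explicitly removes the padding from the wire altogether and is the more robust choice when the layout is not otherwise fixed.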
⭐️ DevSecCon Tel Aviv 2019 Roundup
I wrote up notes for some of the talks, including my first keynote 😱.
If you want to learn some practical steps to start managing your secrets properly, how to do lightweight, continuous threat modeling, some container security stats and best practices, and my thoughts on the future of DevSecOps and security programs, you can read the full summary here.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!