- tl;dr sec
- Posts
- [tl;dr sec] #198 - Building a Detection as Code Pipeline, NIST on CI/CD Supply Chain Security, Finding Malware with LLMs
[tl;dr sec] #198 - Building a Detection as Code Pipeline, NIST on CI/CD Supply Chain Security, Finding Malware with LLMs
How to build and test a DaC pipeline, new NIST whitepaper on integrating supply chain security measures into CI/CD pipelines, and finding malicious PyPi/npm packages with LLMs
Hey there,
I hope you’ve been doing well!
⏰ Time
Between having a full time job and writing this newsletter, I can get a bit busy 😅
So I’ve been reflecting on how I spend my time, the life I want to lead, and what I want to leave behind.
One metaphor I heard that I liked is that we have ~112 waking hours in a week, and you can imagine each hour like a chip that you get to “spend,” on work, friends, family, etc.
But there’s a finite number of chips and you can only spend each chip once.
I also like this Your Life in Weeks post by Wait But Why.
Or this Bitcoin life advice:
I hope you’re regularly spending time on things and with people you find meaningful ✊
Sponsor
📣 The R&D platform for the next generation of devices
Nearly 95% of smartphones and IoT devices are powered by Arm processors, which is why we built a unique hypervisor, the Corellium Hypervisor for Arm (CHARM), to run virtual Arm devices on Arm servers.
Easily spin up any combination of device, OS, and apps.
Instant root access for iOS and Android, jailbreaks not required.
Use powerful built-in security tools and integrate with your existing developer, security and DevOps tools.
Organizations of all sizes use Corellium to better meet the need for faster R&D and increased security for mobile application development and cyber security testing.
If you need to do mobile emulation for security testing (or other purposes), I’ve had a number of people tell me that Corellium is where it’s at ☝️
Mobile Security
lico-n/ZygiskFrida
A Zygisk module that allows you to inject Frida (a dynamic instrumentation toolkit) gadgets into Android applications in a stealthier way. Gadgets are not embedded into the APK, so integrity and signature checks will pass. It also avoids ptrace detection.
Android Goes All-in on Fuzzing
Google's Hamzeh Zawawy and Jon Bottarini share details on how Google performs fuzzing at scale, documenting their experiences, challenges, and successes in building infrastructure to automate fuzzing across Android. They utilize Clusterfuzz, an open-source continuous fuzzing framework, to run fuzzers continuously on Android devices and emulators.
Katalina: an open-source Android string deobfuscator
Human's Gabriel Cirlig presents Katalina, an open-source tool that executes Android bytecode in a sandboxed VM to deobfuscate strings in malware, making it easier to understand what the malware is doing and write detections.
Sponsor
📣 Are you ready for NIS2 cybersecurity requirements?
Cyber regulation is heating up around the globe. In January of this year, it was announced that the Network and Information Systems (NIS) would get an overhaul. NIS2, the sequel to NIS, expands the initial 2016 regulation to eliminate inconsistency and establish a common set of cybersecurity standards and risk management practices. Learn more about NIS2 and how it may impact you and your organization.
Web Security
fransr/postMessage-tracker
By Frans Rosen: A Chrome Extension designed to track postMessage usage (URL, domain, and stack). It provides both logging capabilities using CORS and visual indicators through an extension icon.
bist-security/cherrybomb
By BLST Security et al: A Rust-based CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them against an OpenAPI file to ensure compliance with OpenAPI Specification (OAS) rules, and running API security tests.
Hacking GTA V RP Servers Using Web Exploitation Techniques
veritas shares an XSS vulnerability impacting a GTA V mod that causes other players to connect to a websocket you can send commands to, such as transferring in-game currency, accessing other player's microphones, or obtaining their clipboard contents.
Cloud Security
XMCyber/XMGoat
By Eng Soon et al: Terraform templates to help you learn about common Azure security issues. Each template is a vulnerable environment with some significant misconfigurations that you can attack and compromise.
Google Cloud Functions are Secure, only if you know how to use them!
By Cybervelia's Theodoros Danos: Basically, if you’re running user-provided code in the same Google Cloud Function runtime environment, a malicious user could read code written by other users. The solution is to use a Google Cloud Function for each user or use GKE.
Container Security
blackberry/Falco-bypasses
By Shay Berkovich: Research on various techniques to bypass the default Falco ruleset, via symlink creation, executable naming, command argument manipulation, and more. KubeCon 2022 slides.
awslabs/k8s-network-policy-migrator
By Sanjeev Ganjihal: A tool for migrating Calico or Cilium custom network policies to Kubernetes native network policies. The tool offers features such as pre-migration checks, policy collection and conversion, and more.
Supply Chain
javixeneize/neo4cyclone
By Banco Santander’s Javier Dominguez: A project that ingests CycloneDX SBOMs into a Neo4J database for visualization purposes.
Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines
37 page initial public draft PDF from NIST on integrating supply chain security measures into CI/CD pipelines, covering risk factors and mitigation measures, CI/CD security goals, securing workflows in CI pipelines, and more.
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
Pinning your GitHub Action to a full commit SHA doesn't mean you're going to run the same code. Palo Alto's Yaron Avital outlines a number of ways this could be the case, for example, if the Action uses a Docker container that isn't pinned, a composite Action that lets you run bash or other Actions, a JavaScript Action that downloads an external script and doesn't verify the checksum, etc.
Yaron calls these Actions "unpinnable," and finds 32% of the 1,000 top starred actions on the GitHub Marketplace to be unpinnable.
Fuzzing
google/fuzzing
By Max Moroz et al: A repository from Google hosting tutorials, examples, discussions, research proposals, and other resources related to fuzzing.
Blue Team
From soup to nuts: Building a Detection-as-Code pipeline
David French explains the process of designing and implementing a Detection-as-Code (DAC) pipeline, using Terraform, Sumo Logic, and Tines.
Part 2 includes explanations and code for creating CI/CD workflows to test the DAC pipeline, handling alert payloads with Tines, testing detections, validating the alert pipeline, and concluding with a practical use case of detecting & responding to suspicious Okta behavior.
Politics / Privacy
Personal Privacy & Security for CISOs
If you want to embrace your paranoia and take your personal (and family) security and privacy posture to 11, Caleb Sima has the deep dive for you.
Chrome extensions can steal plaintext passwords from websites
Honestly, this seems like a “works as intended” situation. The Google Chrome Manifest V3 for extensions does not introduce a security boundary between extensions and web pages, so a browser extension that can read the DOM of a page can potentially steal sensitive info like passwords.
The University of Wisconsin-Madison researchers found ~17,300 extensions in the Chrome Web Store (12.5%) have the needed permissions, and 190 extensions are already directly accessing password fields. I sure hope those are password managers 😅
The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
If you have a credit card, a credit bureau likely has a lot of info about you. Hackers are selling access to that info (birth date, current and prior addresses, SSN, phone number) for $15 in Telegram groups, obtaining it via third-party services the credit bureaus have sold the data to, by posing as a private investigator, from data leaks, etc. Frustratingly, there’s little you can do about it, there just needs to be credit bureau reform.
Machine Learning + Security
Using LLMs to reverse JavaScript variable name minification
Jesse Luoto writes about how to reverse minified JavaScript using LLMs like ChatGPT and llama2 while keeping the code semantically intact.
Unminify and prettify the code.
Ask the LLM to describe the intent and a better name for variables.
Use Babel to do the renaming, which can effectively rename a JavaScript variable within its scope by operating on the code's Abstract Syntax Tree (AST), preserving how the code works.
LLM-assisted Malware Review: AI and Humans Join Forces to Combat Malware
Endor Labs’ Henrik Plate describes some experiments they performed that suggest that LLM-based malware reviews can complement, but not yet substitute for human reviews.
1800 artifacts from PyPi and npm → 34 flagged as malware, 19/34 true positives.
Signals like in the Backstabber’s Knife Collection used.
“False-positives are predominantly due to incomplete and syntactically incorrect code snippets, which commonly happens if the prompt’s length restriction prevents us from uploading an entire file.”
“GPT can be tricked with help of several simple techniques to change an assessment from malicious to benign, e.g., by using innocent function names, including comments that indicate benign functionality or through inclusion of string literals.”
Reviewing Malware with LLMs: OpenAI vs. Vertex AI
Follow-up post in which Henrik makes several improvements and also tests Google’s Vertex AI.
Analysis Improvements
The removal of comments in suspicious code snippets (using Pygments) reduced exposure to prompt injection.
Asked for 0-9 risk score instead of binary classification.
Increased the context size, which also benefits from comment removals.
>90% of the time the two models rated within 1 point of the same score.
GPT-4 outperforms the other models for non-obfuscated code - better risk ratings and source code explanations.
Machine Learning
Quicklinks
Can LLMs learn from a single example? Some initial results from fine-tuning an LLM on multiple-choice science exam questions.
smol-podcaster - Your autonomous podcast production intern.
PromptTools - Free, open source tools for testing and experimenting with prompts. Evaluate prompts using code and notebooks.
oobabooga/text-generation-webui - A Gradio web UI for LLMs, supports many model backends.
A few lists of… lists of LLM-based Agents 😅
opstower-ai/llm-opstower
Ask questions about your AWS resources and perform calculations on CloudWatch metrics from the command line.
BarbAIrians at the Gate: The Financial Opportunity of AI
a16z’s Alex Rampell argues that AI may enable more private equity-style takeovers, where one company acquires another and makes it vastly more profitable using AI.
Misc
The Beginner's Guide to Cybersecurity
Francis Odum provides a nice intro and overview of the various cybersecurity vendors. Also, he’s running a bootcamp starting next week!
CyberSecurityUP/awesome-flipperzero2
By Joas A Santos: A compilation of contents about Flipper Zero.
Gian’s Thoughts after watching Oppenheimer
“What are we even doing A/B testing button colors and making React behave when 80 years ago the pinnacle of technology was splitting atoms and ending world wars. 80 years ago a bunch of nerds in the middle of the desert turned academic papers into a war-ending device. Today we struggle making escalators work reliably.”
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!
Cheers,
Clint
@clintgibler