
[tl;dr sec] #39 - Evidence Based Security, Web Security, and Program Analysis


tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

(You can also read this issue on our blog.)

Hey there,

I hope you've been doing well!

Upcoming CFPs

Conference: June 27-28, 2020. Call for papers | Call for trainers

LASCON: CFP deadline June 30th, conference will be October 29-30. Call for papers | Call for trainers

CFP deadline: July 20th, conference will be November 9-12. Call for papers | Call for trainers (already closed on March 30th).

Sponsor

📢 Sr. Cloud Security Engineer @ Netflix

Netflix is looking for a Sr. Cloud Security Engineer to lead our charter on identifying and auto remediating suspicious activities in AWS. Come join us to be part of a team that strives to securely operate one of the largest AWS deployments.

Netflix’s cloud security team does some pretty cool work 👍

📜 In this newsletter...

🔗 Links:

  • AppSec: OWASP's component analysis page, Madhu Akula's talks, trainings, slides, and more

  • Web Security: Understanding web security in Firefox, NodeJSScan v4, InQL Scanner v2, NahamCon2020 slides, the dangers of browsers' copy and paste APIs

  • Cloud Security: Cloud pen test cheatsheets, denial of wallet attacks, S3 find and forget, AWS' managed artifact repository service

  • Container Security: GKE kubelet TLS bootstrap privilege escalation, Kubernetes Goat, Starboard Octant plugin

  • Blue Team: Open source project to speed up the creation of security vulnerability reports, walkthrough of deobfuscating a trojan's initial stager, study on how fast unsecured databases are attacked

  • Red Team: A survey of recent iOS kernel exploits, PE parsing and defeating AV/EDR API hooking, find known exploits for a Windows target given its build number, a speculative execution attack that works across cores, hashcat v6

  • Politics / Privacy: Facebook paid a third-party for a Tails 0day and gave it to the FBI to catch a child predator, digital security advice for journalists covering protests, many officers' personal info leaked online, China is forcibly repatriating dissidents and activists living in other countries, a former CIA officer on U.S. police culture

  • Misc: Machine learning field guide, jq playground, interview with Marc Andreessen, graph database of related academic papers, Command & Conquer source code released, the best code is no code

  • Program Analysis: Facebook built a model that can translate code between C++, Java, and Python, a workshop on the state of the art in program analysis, AWS paper on integrating formal verification into the development of the AWS C Common Library

📚 The Need for Evidence Based Security

Chris Frenz on the importance of empirically measuring the effectiveness of your security controls.

🔗 Links

AppSec

OWASP: Component Analysis
OWASP’s page on third-party dependency security. Includes an overview of the problem space and a list of tools at the bottom. H/T Julian Berton

Talks, Workshops, Trainings, Slides, Videos, Book Content
Madhu Akula released a fair amount of content on his site, covering topics like cloud native infrastructure security, container security, and more.

Web Security

Understanding Web Security Checks in Firefox (Part 1)
By Mozilla’s Christoph Kerschbaumer and Frederik Braun: “This is the first part of a blog post series that will allow you to understand how Firefox implements Web Security fundamentals, like the Same-Origin Policy. This first post of the series covers the architectural design, terminology, and introduces core interfaces that our implementation of the Same-Origin Policy relies on.”

ajinabraham/nodejsscan
Ajin Abraham released v4 of NodeJSScan, the premier open source static analysis tool for Node.js apps.

InQL Scanner v2 is out!
Major update for Doyensec’s GraphQL testing tool: syntax highlighting and code completion, an embedded GraphiQL server, “Send to GraphiQL” from Burp, and a tabbed editor with multi-query and variables support.

NahamCon2020 Slides
I definitely recommend checking out Jason Haddix’s The Bug Hunter’s Methodology v4 Recon slides. Jason consistently gives some of my favorite talks in security: info-packed, actionable, with tons of supporting links. They’re a great way to quickly get up to speed about the latest and best tools in a space. Louis Nyffenegger also gave a nicely detailed talk: JWT: jku x5u attacking json web tokens.

The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers
Michał Bentkowski: Browsers expose an API that lets you set arbitrary clipboard content from JavaScript. An attacker could use this functionality to store an XSS payload in a victim’s clipboard, potentially exploiting another site the victim tries to paste text into that has a WYSIWYG editor. Browser vendors try to protect users from these attacks by sanitizing content on pasting. This post explains 4 security issues in browsers and 5 vulnerabilities in rich editors that earned Michał $30,000.

Cloud Security

CloudPentestCheatsheets
Quick command examples and notes for each major cloud platform, by Beau Bullock.

Denial of Wallet Attacks on AWS
Scott Piper describes an attack where the goal is not to bring a site down (e.g. DDoS), but rather to run up a large server bill. He recommends setting up a billing alert for when your estimated charges exceed a threshold. You can use Service Quotas to limit activity. The post lists a number of other interesting attacks and recommended mitigations.

Amazon S3 Find and Forget
“A solution to handle data erasure requests from data lakes stored on Amazon S3, for example, pursuant to GDPR”.

Software Package Management with AWS CodeArtifact
“A fully managed artifact repository service to help securely store and share the software packages used in development, build, and deployment processes.” Currently supports Maven and Gradle (Java), npm and yarn (JavaScript), and pip and twine (Python), with more to come.

Container Security

Introduction to GKE Kubelet TLS Bootstrap Privilege Escalation
By Rhino Security’s Jack Ganbold: “We will exploit Kubernetes’s kubelet with TLS Bootstrapping to gain cluster admin access in the GKE cluster.”

Kubernetes Goat
An intentionally vulnerable Kubernetes cluster for learning and practicing, by Madhu Akula.

Starboard Octant Plugin
“An Octant (Kubernetes workload visualizer) plugin for Starboard (a K8s-native security tool kit by Aqua Security) which provides visibility into vulnerability assessment reports for Kubernetes workloads stored as custom security resources.”

Blue Team

VULNRΞPO
“VULNRΞPO is a free open source project designed to speed up the creation of IT Security vulnerability reports. Complete templates of issues, AES encryption, Nessus/Burp/OpenVAS issues import, Jira export, TXT/HTML/PDF report, attachments, automatic changelog and statistics, vulnerability assessment, vulnerability management, secure issues sharing.”

[Zero2Auto] – Initial Stagers - From one Email to a Trojan
“This week we have discussed deobfuscating initial stagers and how to unpack their executable payloads. And what I’ve decided to do, to practice this week’s lesson, is to find actual malware on any.run and unpack its entire initial stage.”

Unsecured databases attacked 18 times per day by hackers
Researchers set up an Elasticsearch honeypot and studied what happened. It was first attacked 8.5 hours after being deployed and was attacked twice within one minute of being indexed by Shodan. Three dozen attacks occurred before it was indexed by search engines, indicating that attackers are proactively scanning for targets. In total, 175 attacks were observed over 11 days.

Red Team

A survey of recent iOS kernel exploits
By Google Project Zero’s Brandon Azad: “This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.”

PE Parsing and Defeating AV/EDR API Hooks in C++
“This post covers several topics, like system calls, user-mode vs. kernel-mode, and Windows architecture.”

Patch Checker
By deadjakk: “Enter a list of installed KBs and select your build number to see if the system is patched against known public Windows privilege escalation exploits.” (source)

CROSSTalk
“For the first time, we show that speculative execution enables attackers to leak sensitive information also across cores on many Intel CPUs, bypassing all the existing intra-core mitigations against prior speculative (or transient) execution attacks such as Spectre, Meltdown, etc.”

hashcat v6.0.0
The password cracking tool has added 51 new hash mode algorithms and a number of other improvements.

Politics / Privacy

Facebook Helped the FBI Hack a Child Predator
A serial online harasser of young women was so adept at covering his digital tracks that Facebook worked with a third-party company to develop a 0day for the privacy-focused operating system Tails, supposedly costing six figures. The FBI used this 0day to unmask the man’s real IP address, which led to his arrest. “Hernandez was so notorious within Facebook that employees considered him the worst criminal to ever use the platform, two former employees told Motherboard.”

Reflections
Not infrequently, I include articles in tl;dr sec that are critical of Facebook. I’m not a fan of their track record on user privacy, and I think that by optimizing for engagement, like Youtube and Twitter, Facebook has contributed to the polarization in America. That said, I happen to know that Facebook has a team of highly talented people dedicated to finding abusers on its platform. This team is not required by law, is purely a cost center to Facebook, but is trying to do the Right Thing: protecting people who are vulnerable. And I respect that.

Report: Officers’ personal information leaked online
“Multiple high-ranking police officials in a number of cities, including Washington, Atlanta, Boston and New York have had their personal information shared on social media, including their home addresses, email addresses and phone numbers. At least one of the police commissioners was targeted for his alleged support of the use of tear gas to disperse protests.”

“It is not illegal to post the personal information of law enforcement officers online, though many social media companies specifically prohibit its sharing as part of their terms of service.” 

The Disappeared
“Beijing’s policy of forcibly repatriating people it considers Chinese nationals — some of whom are in fact citizens of other countries — appears to be accelerating. Powerful businessmen, ex-Chinese Communist Party officials, dissidents, and activists have all been targeted as part of what Western intelligence officials say appears to be a large-scale campaign.”

We need to change our mind-set about what it means to ‘police’ in America.

Our war on crime is producing the same fragile, anti-resilient communities in which an inevitable spark produces inevitable conflagration.

At the CIA, I worked in failed states where there was a shortage of everything but weapons and strife. We are replicating our failures abroad here at home.

Misc

jq Playground
Play with the command-line JSON processor jq in your browser, with a helpful cheat sheet at the bottom.

The Observer Effect: Marc Andreessen
Interview with Marc Andreessen about productivity, the value of open time/delegation, goals and systems, process, outcomes, and bets, books, on learning and viewpoints, improvement and motivation, and his recent ‘build’ essay.

🔥 Connected Papers: Explore connected papers in a visual graph
Super cool graph mapping of academic papers, linked by citations. Example use cases: getting a visual overview of a new academic field, keeping up with recent papers in your field, and discovering relevant prior and derivative works. H/T Caleb Fenton for the link.

The best code is no code
“Remember, the value you provide is to solve the problem you are faced with (the outcome), not to write code. Custom code has value, but comes with costs. It needs to be deployed, maintained and upgraded. It has bugs. It requires a developer to change.” It also has opportunity costs: you’re not building something else that might be more urgent or important. Keep focus on solving the business problem and be aware that custom code isn’t always the right answer.

Program Analysis

My heart is filled with joy that there were enough links this week to justify giving program analysis its own section 😍 

Facebook’s TransCoder AI converts code from one programming language into another
Facebook has built a “neural transcompiler” that can convert code between C++, Java, and Python. It uses unsupervised learning, was trained on 2.8 million open source repos from GitHub, and targets translation at the function level. “And while it wasn’t perfect — TransCoder failed to account for certain variable types during generation, for example — it outperformed frameworks that rewrite rules manually built using expert knowledge.” (paper)

Related: OpenAI demoed a model that uses English-language comments to generate entire functions, and researchers at Rice University created Bayou, which can write its own programs by associating “intents” behind publicly available code.

Workshop on the State Of the Art in Program Analysis
A 7 hour recording of this workshop with academics and industry. Includes some papers as well as tool talks. See here for the full program. If you’ve been looking for a new show to #quaranbinge with your partner, give it a try 😉 (You won’t believe the results in the third paper, what a twist! 😱)

How to integrate formal proofs into software development
“On AWS’ Automated Reasoning team, we’ve piloted several projects on integrating formal verification into the software development process. Some involve verification at the protocol level; some involve generating code directly from a verified specification; and some involve verification at the code level itself.” They discuss their methodology during development work on the AWS C Common Library, an open-source repository of functions used by several other AWS libraries, including widely used AWS SDKs.

Their upcoming ICSE paper includes 6 key components:

  1. Function specification in the same language as the code - in this case, C.

    • “We have found that ease of adoption more than makes up for the loss of expressivity.”

  2. Declarative function specification - the verification team provides a library of functions that enables developers to write such declarative specifications in a familiar imperative language.

  3. Code-embedded specifications - Function preconditions and postconditions are specified inline (see below).

  4. A proof model that uses a familiar “unit test” syntax - Except that, rather than a sequence of concrete inputs, the user specifies a range of possible inputs. This can then automatically be converted into the type of mathematical expression that automated provers are designed to evaluate.

  5. Bug repair - They’ve found that one of the most effective means of selling developers on the utility of formal verification is for the verification team to not only identify bugs but provide code patches for them.

  6. Continuous integration - New code is scanned on checkin to provide developers with immediate feedback.

Using our methodology, one full-time verification engineer and two interns, working together with the development team, were able to specify and verify (with some assumptions) 171 entry points (points in the program where the user can input data) over nine key modules of the library.
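To make points 1 through 4 concrete, here is a small added example written for this summary (it is not code from the AWS C Common Library or from the ICSE paper): a bounded byte buffer whose preconditions and postconditions are written in C right beside the implementation, with a proof harness in unit-test shape that describes a range of inputs instead of one concrete input. The struct, function and macro names (byte_buf, byte_buf_append, PRECONDITION, POSTCONDITION, ASSUME, append_twice) are this example's own assumptions; the only CBMC-specific pieces are __CPROVER_assume and the nondet_ naming convention, and the harness falls back to a single sample value so it also runs under an ordinary C compiler.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Contracts are written in C itself (point 1): a precondition or
 * postcondition is a boolean expression that the prover must establish
 * for every input, and that an ordinary build checks at runtime.
 * These macro names are this example's own, not the library's. */
#define PRECONDITION(cond) assert(cond)
#define POSTCONDITION(cond) assert(cond)

#define MAX_BUFFER_SIZE 16 /* bound that keeps the proof finite */

struct byte_buf {
    uint8_t *buffer;
    size_t len;      /* bytes in use */
    size_t capacity; /* bytes allocated */
};

/* Declarative validity predicate (point 2): one reusable C function that
 * states what a well-formed buffer is, usable in contracts and harnesses. */
bool byte_buf_is_valid(const struct byte_buf *buf) {
    return buf != NULL
        && buf->len <= buf->capacity
        && (buf->capacity == 0 || buf->buffer != NULL);
}

/* Append src_len bytes; returns 0 on success, -1 if the buffer is too
 * small. The contract sits inline with the implementation (point 3). */
int byte_buf_append(struct byte_buf *buf, const uint8_t *src, size_t src_len) {
    PRECONDITION(byte_buf_is_valid(buf));
    PRECONDITION(src != NULL || src_len == 0);

    /* Compare against the remaining room; len + src_len could wrap around. */
    if (src_len > buf->capacity - buf->len) {
        POSTCONDITION(byte_buf_is_valid(buf));
        return -1;
    }
    if (src_len > 0) {
        memcpy(buf->buffer + buf->len, src, src_len);
    }
    buf->len += src_len;

    POSTCONDITION(byte_buf_is_valid(buf));
    return 0;
}

/* Under CBMC, nondet_* functions yield an arbitrary value and
 * __CPROVER_assume restricts the input range. With an ordinary compiler
 * the same harness runs on one concrete point of that range. */
#ifdef __CPROVER
size_t nondet_size_t(void);
#define ASSUME(cond) __CPROVER_assume(cond)
#else
static size_t nondet_size_t(void) { return 3; } /* constructed sample value */
#define ASSUME(cond) assert(cond)
#endif

/* Proof harness in unit-test shape (point 4): it describes the whole
 * range of inputs the contract must hold for, not a single input. */
void byte_buf_append_harness(void) {
    uint8_t storage[MAX_BUFFER_SIZE] = {0};
    uint8_t src[MAX_BUFFER_SIZE] = {0};
    struct byte_buf buf = { storage, nondet_size_t(), MAX_BUFFER_SIZE };
    size_t src_len = nondet_size_t();
    ASSUME(buf.len <= buf.capacity); /* establish the precondition */
    ASSUME(src_len <= MAX_BUFFER_SIZE);
    size_t old_len = buf.len;

    int rc = byte_buf_append(&buf, src, src_len);

    /* Properties that must hold for every input in the range. */
    assert(byte_buf_is_valid(&buf));
    assert(rc == 0 ? buf.len == old_len + src_len : buf.len == old_len);
}

/* Concrete helper for a plain test run: append `first` then `second`
 * bytes into a buffer of `capacity` bytes. Returns the second append's
 * result, -1 if either append is rejected, or -2 if a size exceeds the
 * proof bound. */
int append_twice(size_t capacity, size_t first, size_t second) {
    uint8_t storage[MAX_BUFFER_SIZE] = {0};
    uint8_t src[MAX_BUFFER_SIZE] = {0};
    struct byte_buf buf = { storage, 0, capacity };
    if (capacity > MAX_BUFFER_SIZE || first > MAX_BUFFER_SIZE || second > MAX_BUFFER_SIZE) {
        return -2;
    }
    if (byte_buf_append(&buf, src, first) != 0) {
        return -1;
    }
    return byte_buf_append(&buf, src, second);
}

int main(void) {
    byte_buf_append_harness();
    return append_twice(16, 10, 7) == -1 ? 0 : 1;
}
```

Compiled normally, the harness is just a unit test with one sample input; run through CBMC, nondet_size_t() stands for every value the assumptions allow, so the assertions become the obligations the prover must discharge across the whole input range, which is the shift from concrete testing to proof that point 4 describes.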

📚 The Need for Evidence Based Security

Compliance needs to be viewed as a minimum baseline and not an end goal, as shooting for compliance alone is like shooting for a D grade in a class. Sure, you may pass, but you are not really doing a great job.

As security professionals we need to begin to develop ways to empirically measure what controls work to protect our environment against a given threat and what do not. Even for controls that are proven effective, we need to empirically establish that the controls were deployed properly and to an adequate level.

Sure, having that new high end next-gen AV package is great, but has it ever been tested in your environment to see what threats may be able to bypass it? For the threats that can bypass it, how effective are the other layers of controls in your environment to mitigate (e.g. network segmentation) or detect (e.g. a DNS sinkhole) the threat of a now compromised endpoint? Do you know how fast your staff can detect, mitigate, and otherwise respond to an incident? If you can’t concretely answer some of these questions, how do you really know how secure your environment truly is?

When your pen test or attack simulation succeeds in achieving some objective via a specific exploit, consider the broader implications, as there may be other efforts that are a better use of resources than just patching that exploit. For example, the vulnerable system may currently be used as a trivial pivot point to access critical internal resources. By making pivoting from this system harder, you are net reducing more risk, as there will always be new exploits.

Once controls are added or modified, repeat the testing and empirically determine how well the newly implemented or modified controls actually work by comparing the before and after testing metrics.

Even threats already tested against should be periodically retested for as well, as changes which can negatively impact security can often be introduced into an environment over time.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint