• tl;dr sec
  • Posts
  • [tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You

[tl;dr sec] #44 - Formal Methods, New Web Security Mechanisms, Have GPT-3 Code for You

Using lightweight formal methods in the real world, new web mitigations for injection vulns and isolation capabilities, GPT-3 is magic.

Hey there,

I hope you've been doing well!

Baking, En Quarantine

Like everyone, I’ve been experimenting with making some new things whilst confined to my spacious one bedroom apartment.

One of the easier sets of experiments has been variations on “mug cakes,” which are essentially putting some flour, sugar, cocoa powder, and whatever else you want into a mug, and then microwaving it. Yup, I’m fancy like that 🧑‍🍳

Here are some things I’ve tried:

  • Oats and peanut butter - pretty good, made it fairly chewy.

  • Chunks of cookie dough inside - delicious buried treasure.

  • Sea salt on top - a nice touch.

  • Whole wheat flour - trick yourself into thinking you’re being healthy.

  • Mochi rice flour - interesting, chewy texture.

  • Closing your eyes and feeling like you’re in Saison - priceless.

Sponsor

📢 Sr. Security Partner @ Netflix

Netflix is looking for an Infrastructure & Systems Security engineer to join the Appsec partnerships team. In this role, you will partner closely with engineering teams building infrastructure solutions for streaming and studio use cases, including Netflix's global CDN and virtual workstations for Netflix's studio.

Feel free to reach out to Astha Singhal on LinkedIn or Twitter with any questions about the role.

You can learn more about how the Netflix partnership team supports dev teams from Scott Behrens and Esha Kanekar’s AppSec Cali 2019 talk, “A​ Pragmatic Approach for Internal Security Partnerships”, which I’ve written a summary of here.

📜 In this newsletter...

🔗 Links:

  • AppSec: Play DEF CON CTF challenges, OWASP project to find secrets checked into version control

  • Web Security: AMA with Burp Suite creator Dafydd Stuttard, bypass CSP via JS in a PNG

  • Towards native security defenses for the web ecosystem: An overview of four new web security mechanisms

  • Cloud Security: Mitigating DDoS attacks on Lambdas, IR in the cloud

  • Container Security: 12 container image scanning best practices, container breakouts

  • Blue Team: Procmon for Linux

  • Politics / Privacy: UK tells Huawei GTFO and mind the gap, Russian spies target COVID-19 research, mishandling COVID-19 and discouraging international students could have long lasting economic impact, have celebs dissuade your conspiracy believing uncle, automation if coming for millions of jobs, a searchable map of surveillance tech deployed by police

  • Explain Why You’re Asking Your Team to Do Something: Ask in a way that's more likely to get buy-in

  • Misc: Dark web price index, strong reject academic memes, a collection of bite-sized nuggests of wisdom, have GPT-3 write your JSX, how McKinsey is making $$$ due to U.S. government's coronafails

📚 PLTalk: Practical Formal Methods with Hillel Wayne

Learn about using formal methods in the Real World (no, not the TV show. Though that would be an awesome spin-off 🤔).

AppSec

./ OOO archive | DEF CON CTF
A live, playable archive of DEF CON CTF challenges by Order of the Overflow.

OWASP Sensitive Enterprise Data Analyzer To Eliminate Disclosure
Integrates with git to scan for secrets being pushed. Interestingly, its regexes appear to overlap with truffleHog’s, but not exactly. Seems like there should be some consolidation in regex-based tools to find secrets, but 🤷

Web Security

Ask me anything, with Burp Suite creator Dafydd Stuttard
Some interesting history about Burp Suite and the founding of Portswigger. Fun facts include: Burp was the first tool Daf ever wrote in Java, he did a PhD in philosophy and thought he might go into academia, and more.

How To Bypass CSP By Hiding JavaScript In A PNG Image
“Using HTML Canvas you can hide any JavaScript code (or an entire library) into a PNG image by converting each source code character into a pixel. The image can then be uploaded onto a trusted website like Twitter or Google (usually whitelisted by CSP) and then loaded as a remote image in a HTML document. Finally, by using the canvas getImageData method, it’s possible to extract the “hidden JavaScript” from the image and execute it.”

Blog post by Google security information engineers Artur Janc and Lukas Weichselbaum on new web security mechanisms, specifically around injection vulnerabilities and isolation capabilities.

The root cause of injection vulnerabilities like XSS (and SQL injection, command injection, etc.) is a mixing of code and data. Web apps can separate data from code using two new security features:

  1. Trusted Types “make JavaScript code safe-by-default by restricting risky operations, such as generating HTML or creating scripts, to require a special object – a Trusted Type. The browser will ensure that any use of dangerous DOM functions is allowed only if the right object is provided to the function.” Done properly, this can prevent all DOM-based XSS.

  2. Content Security Policy based on script nonces - the random nonce attribute for loaded scripts ensures that even if an attacker is able to inject scripts on the page, the browser will refuse to execute it, preventing reflected and stored XSS.

These protections can be implemented with the following headers:

Content-Security-Policy: require-trusted-types-for 'script'; report-uri /report
Content-Security-Policy: script-src 'nonce-{randomValue}'; object-src 'none'; base-uri 'none'

New isolation capabilities include:

  1. Fetch Metadata Request Headers - These provide trustworthy info about the source of requests (e.g. same-site, cross-site), whether it’s a navigation or resource request, and more. This allows the web server to apply security policies before processing the request, preventing vulnerabilities like CSRF or web-based info leaks (XS-leaks).

  2. Cross-Origin Opener Policy (COOP) - “By default, the web permits some interactions with browser windows belonging to another application: any site can open a pop-up to your webmail client and send it messages via the postMessage API, navigate it to another URL, or obtain information about its frames.” COOP allows you to lock down your app to prevent such interactions.

For more info, see the Securing Web Apps with Modern Platform Features Google I/O talk: slides, video.

Cloud Security

AWS Lambda Abuse
@luminousmen describes how to minimize the damage of DDoS attacks on your AWS Lambdas.

  • Make sure your code doesn’t hang on bad inputs (e.g. ReDoS or long payloads).

  • Set up billing alerts.

  • You can set concurrency levels on a per-function basis.

  • Using SQS as a broker for your Lambda function lets you batch process multiple events at a time.

  • Use a CDN like CloudFront, or use AWS WAF.

  • For internal apps, require an API key to hit API Gateway.

  • Use the API Gateway usage plans (e.g. “Token Bucket” model).

Incident Response in the Cloud
Ollie Green discusses the IR phases (preparation, identification, triage, investigation, containment, recovery, and lessons learned) and highlights some of the key differences between “traditional” IR and Cloud IR.

Container Security

  1. Bake image scanning into your CI/CD pipelines

  2. Adopt inline scanning to keep control of your privacy (only scan metadata sent to the scanning tool)

  3. Perform image scanning at registries

  4. Leverage Kubernetes admission controllers

  5. Pin your image versions

  6. Scan for OS vulnerabilities

  7. Make use of distroless images

  8. Scan for vulnerabilities in third-party libraries

  9. Optimize layer ordering

  10. Scan for misconfigurations in your Dockerfile

  11. Flag vulnerabilities in services already deployed and running in Kubernetes

Container Breakouts – Part 1: Access to root directory of the Host
First of a series of posts by Jan Harrie on container breakout techniques. Future posts will cover privileged containers and having access to the Docker socket.

I’ve collected links to a few tools that test container environments for common breakout bad practices here.

Blue Team

microsoft/ProcMon-for-Linux
This week in “Things I Never Thought I’d See,” Microsoft releases Process Monitor (Procmon) for Linux, a convenient way for Linux developers to trace the syscall activity on their system.

Politics / Privacy

Coronavirus: Russian spies target Covid-19 vaccine research
As I imagine China is doing as well. The first country to create a vaccine will get a nice PR boost.

America’s Innovation Engine Is Slowing
Between handling COVID-19 poorly and settings policies that discourage international students, the U.S. could be damaging its economy for decades. More than half of American startups that became companies valued at $1 billion include immigrants among their founders and top executives, and international students represent 12 percent public university enrollment but ~28% of total tuition revenue. The problem is that these things compound: smart people go where there are other smart people and opportunities, so if the U.S. stops being that place, it’s quite hard to get it back.

The True True Truth
Jon Oliver got John Cena, Catherine O’Hara, Billy Porter, Paul Rudd, and Alex Trebek to record short messages that you can show to your friends or relatives who believe in conspiracy theories, that encourages them to think critically about the info they encounter, without talking down to them. See also Jon Oliver’s episode on coronavirus conspiracy theories.

More automation is coming, what are we going to do about it?We are sprinting towards a future where certain classes of jobs, currently employing millions of people are just not going to exist. And few people are sounding the alarm, other than perhaps Andrew Yang. You can’t just “bring back coal” or “break up big tech.” People are costly, and businesses are incentivized to cut costs.

EFF: Atlas of Surveillance
A searchable map of surveillance tech deployed by police including body camears, drones, automated license plate readers, Ring partnerships, facial recognition, cell-site simulators, predictive policing, and more. Data was crowdsource gathered from volunteers and OSINT over ~2 years.

When people know why they’re being asked to do something, they’re much more likely to do it.

So next time you’re preparing to deliver an important message to your team, make sure you’re clear on the “why” behind it. Start by asking yourself a few “what” questions, such as: What are the stakes? What will the future look like if we get this done? Next, figure out how to clearly articulate your reasoning. Think about what action you’re asking your team to take, and then follow it with a clear, well-practiced explanation.

For example: We need to improve our hiring practices, because our current process isn’t attracting a diverse enough pool of candidates.

And be prepared to answer follow-up questions and explain the process that led to the decision. You’ll be more persuasive if you share ideas that you considered, explored, tested, and then abandoned. This level of transparency will keep your team motivated to pursue the task at hand.

Misc

Dark Web Price Index 2020
The Privacy Affairs team scanned dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products. Some interesting stats on prices for credit card data / online banking logins, payment processing services like PayPal, forged documents, social media accounts, malware, and DDoS attacks.

Strong Reject
Apparently there’s this meme floating around academia on getting rough peer review. If you’ve also spent time in academia, you’ll probably get a laugh.

“Concepts” by Daniel Miessler
Bite-sized nuggets of wisdom from books, articles, and more covering topics ranging from psychology, to philosophy, reasoning, and more. A super dense and quick way to get exposed to a bunch of interesting ideas.

🔥 Describe the Layout You Want -> Autogenerate with GPT-3Impressive demo by Sharif Shameem of entering text like “a button that looks like a watermelon” or “a button for every color of the rainbow” and it generates JSX code that does it. And here’s a video of him describing and then generating the Google home page.

How McKinsey Is Making $100 Million (and Counting) Advising on the Government’s Bumbling Coronavirus Response
Welp, good thing the U.S. coronavirus response is going so well 😅 Here are some fun snippets:

  • In April, McKinsey was penalized for refusing to comply with a General Services Administration audit. The firm went over the head of a contracting officer and found a GSA supervisor who was willing to accommodate them and improperly inflated contract prices.

  • “The firm effectively sells data it obtains from one government project to other agencies. McKinsey generally retains in its central databases anonymized work product from its engagements, so future consulting teams can get a head start on similar projects.” If the government did the work, they would share it with state and city governments for free.

A single junior consultant — typically a recent college or business school graduate — runs clients $67,500 per week, or $3.5 million annually. For $160,000 per week, you get two consultants, the second one mid-level.

☝️ Security consultants be like 😭😭

I stumbled across this Twitch stream (PLTalk) by Jean Yang and Hongyi Hu on making academic-y programming languages research more accessible.

This sort of thing is my jam - listen to some smart people discuss technical topics in approachable ways, covering ideas, tools, and techniques that’ll expand your knowledge of what’s out there and possible 🤘

This week they were joined by guest Hillel Wayne, where they discussed using formal methods in the real world.

I wrote a summary of the ~1.5 hour video that includes points from the discussion, code snippets from Hillel’s live demo, and links to some neat academic papers and related tools.

Also check out this great summary by Leslie Lamport of the paper: Use of Formal Methods at Amazon Web Services.

Or read Jean’s comparison of high fashion to programming languages research; and yes, the metaphor fits (and thus sits)!

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them

🙏

Thanks for reading!

Cheers,

Clint