
[tl;dr sec] #50 - Engineering Empathy, Golang Security, Bardcore

Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.

Hey there,

I hope you’ve been doing well!

🥁 Bardcore

Sometimes it feels like 2020 is a continuously increasing crescendo of one trainwreck after another: COVID-19, the economy, wildfires, and (potentially) the upcoming presidential election.

And while that may be mostly true, I came across this small sliver of joy: bardcore (also known as “tavernwave”), which is, to quote Wikipedia: “a 2020 internet phenomenon consisting of medievalised remakes of hit pop songs.” 🤣

One notable bard of our era

I took it upon myself to do this important research for you and listened to a nigh festival of bardcore songs.

Hadst thou need to stoop so low? To send a wagon for thy minstrel and refuse my letters I need no longer write them, though Now thou art somebody whom I used to know

• Sir Gotye

Was this tl;dr sec issue written to bardcore? You bet your lute.

Sponsor

📢 Webinar: Intro to Sqreen (AppSec Management Platform)

Interested in improving your application security? What about protecting your apps against the OWASP top 10? Join us for a live product demo and get an in-depth view of Sqreen's protection capabilities (RASP + In-App WAF), and learn about relevant use cases that will help you scale your AppSec program.

📜 In this newsletter...

🔗 Links:

  • Threat Modeling: Play threat modeling card games remotely + the value of making it a game

  • Golang: Talk on common Golang security bugs, a purposefully vulnerable Golang repo, how to check if a mutex is locked, a dynamic analysis library to find race condition-esque issues

  • AppSec: Finding and exploiting bugs in multiplayer game engines, Electron's App Sandbox and a Slack RCE, configure SSH securely, thinking about security budgets as supply and demand

  • Web Security: A fast HTTP enumerator

  • Cloud Security: Materials for learning about Azure Sentinel and Security Center, a remote shell for ephemeral environments where you don't have SSH

  • Blue Team: MITRE Shield: Active Defense Matrix, an organizational asset and vulnerability management tool

  • Fuzzing: Fuzzing the Linux kernel entry code (transition between userspace and the kernel)

  • Politics / Privacy: Facebook is preparing for Trump to potentially cast doubt on election results, iOS 14 will make it harder to collect data on users, how China surveils the world, an argument why TikTok should be banned

  • Misc: Paul Graham on how to disagree

📚 Engineering Empathy: Adapting Software Engineering Principles and Process to Security

In this Black Hat USA 2020 talk by Camille Mackinnon and Craig Ingram of Salesforce (Heroku), they describe how security teams can leverage ideas and processes from engineering.

Threat Modeling

How to Play Elevation of Privilege and Cornucopia Remotely
Agile Stationery has a website that enables you to “deal out” cards for these threat modeling card games to support people playing remotely. They also list “3 advantages of playing games in cyber security”:

  1. Creativity - Turning it into a game lowers the stakes and provides a safe environment for creative exploration of the security problem.

  2. Depth - Assigning threat models to players helps make use of detailed context known to each player.

  3. The Unexpected - Randomly dealing out threats to players prompts the sharing of tacit knowledge that cannot reliably be located in advance, such as the details of how specific components were programmed and tested.

Golang

Go-ing for an Evening Stroll: Golang Beasts & Where to Find Them
Trail of Bits’ Stefan Edwards and Robert Tonic discuss 4 common classes of Golang vulnerabilities they see during their work and how to fix them: Integers/Numerics, standard library issues, error checking and type assertions, and defer semantics. See this repo for an extended version of the talk + the slides.

trailofbits/not-going-anywhere
A set of vulnerable Golang programs meant to show common vulnerabilities and provide a test bed for users to find, fix, and remediate Golang vulnerabilities. Includes a holistic ecosystem of vulnerabilities using gRPC, Web, and database/sql and a set of focused programs meant to demo common Golang issues.

How to check if a mutex is locked in Go
Although you can Lock() or Unlock() a mutex, you can’t check whether it’s locked. But sometimes you want to assert in a function that a precondition to calling it is that a given mutex is already locked. go-mutexasserts is a library by disconnect3d that provides functions like AssertMutexLocked, which let you do just that.
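To make the precondition idea concrete, here is an added example (not go-mutexasserts' own code, which reads the mutex's internal state) that builds an AssertMutexLocked helper on top of sync.Mutex.TryLock from Go 1.18 and uses it to guard a constructed shared balance:

```go
package main

import (
	"fmt"
	"sync"
)

// MutexLocked reports whether m is held. Added example, not how go-mutexasserts
// does it: it relies on sync.Mutex.TryLock (Go 1.18+); a successful TryLock means
// m was free, so it is released at once. The result is only a momentary snapshot.
func MutexLocked(m *sync.Mutex) bool {
	if m.TryLock() {
		m.Unlock()
		return false
	}
	return true
}

// AssertMutexLocked panics when m is not held; put it at the top of any
// function whose contract is "the caller holds the lock".
func AssertMutexLocked(m *sync.Mutex) {
	if !MutexLocked(m) {
		panic("precondition violated: mutex must be held by the caller")
	}
}

// Constructed shared state: balance must only be touched while mu is held.
var mu sync.Mutex
var balance = 100

// debitLocked requires mu to be held; a forgotten lock becomes a loud panic
// instead of a silent data race on balance.
func debitLocked(n int) {
	AssertMutexLocked(&mu)
	balance -= n
}

// CallsWithoutLock reports whether the assertion fired for a lock-less caller.
func CallsWithoutLock() (panicked bool) {
	defer func() { panicked = recover() != nil }()
	debitLocked(1)
	return false
}

func main() {
	mu.Lock()
	debitLocked(30) // correct use: lock held by the caller
	mu.Unlock()
	fmt.Println(balance, CallsWithoutLock()) // 70 true
}
```

Because the snapshot can be stale the instant it is taken, use MutexLocked only inside assertions, never to decide whether to take the lock.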

trailofbits/on-edge
A dynamic analysis library for detecting certain improper uses of the “Defer, Panic, and Recover” pattern in Golang programs. “OnEdge detects global state changes that occur between (1) the entry point to a function that defers a call to recover and (2) the point at which recover is called. Often, such global state changes are unintentional.”
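The bug class OnEdge targets (and the "defer semantics" class from the Trail of Bits talk above) is easier to see in code. This added example, not OnEdge's implementation, shows a constructed login handler that mutates a global session table before a step that can panic, its fixed counterpart, and a small stand-in for OnEdge's check that snapshots the global state at entry and compares it when recover runs:

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed global state: the session table that login handlers mutate.
var sessions = map[string]string{}

// validateToken is a constructed risky step that panics on a malformed token.
func validateToken(tok string) {
	if tok == "" {
		panic("empty token")
	}
}

// BadLogin shows the pattern OnEdge flags: the global table is changed before
// the step that can panic, so a recovering caller sees an error but the session exists.
func BadLogin(user, tok string) {
	sessions[user] = tok
	validateToken(tok)
}

// GoodLogin validates first and mutates last, so a panic leaves sessions untouched.
func GoodLogin(user, tok string) {
	validateToken(tok)
	sessions[user] = tok
}

// CheckStateOnRecover is a small constructed stand-in for OnEdge's check (not
// its implementation): snapshot the global state at entry, defer a recover, and
// report whether the state changed between entry and the point recover ran.
func CheckStateOnRecover(body func()) (panicked, changed bool) {
	before := map[string]string{}
	for k, v := range sessions {
		before[k] = v
	}
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			changed = !reflect.DeepEqual(before, sessions)
		}
	}()
	body()
	return false, false
}

func main() {
	fmt.Println(CheckStateOnRecover(func() { BadLogin("alice", "") })) // true true
}
```

A result of panicked and changed both true is the unintended partial update OnEdge reports; the fixed handler panics without leaving a half-created session behind.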

AppSec

Finding and Exploiting Bugs in Multiplayer Game Engines
In this DEF CON 2020 talk, Jack Baker provides some background on how to go about exploiting multiplayer game engines and walks through several concrete examples of bugs he’s found in Unreal Engine 4 and Unity3D. (supporting code and PoCs)

The App Sandbox
Slack’s Charlie Hess describes Electron’s “app sandbox” and the attack vectors it aims to prevent. See also this detailed HackerOne submission by Oskars Vegeris in which he describes a 1-click RCE in Slack’s desktop app.

On secure-shell security
An opinionated guide to configuring SSH securely by Kamil Zabielski.

  • Demand side management: you can decrease the demand by adjusting risk appetite (tighten the band of what you classify as critical) or decrease the demand by the wholesale elimination of risk (e.g. remove certain business services, products, vendors, or whole classes of technology).

  • Supply side management: Increase resources (more budget) and increase resource efficiency (see below quote).

Look at the means by which you can increase the supply of capability to meet demand by increasing the leverage of the resources you already have. This could be through scaling processes better, increasing the basic training of all employees, implementing tools / toolkits for people to use, embedding security in opinionated platforms to raise the baseline by reducing the cost of control. This can also include leverage for the security team by automation and orchestration tools and better communication of architecture patterns to reduce the effort needed on design reviews.

Web Security

RedTeamPentesting/monsoon
A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time. For example, run an HTTP GET request for each entry in filenames.txt and hide all responses with status code 403 or 404.

Cloud Security

Become an Azure Sentinel Ninja: The complete level 400 training
16 modules to make you an Azure Sentinel master, by Ofer Shezaf.

Become an Azure Security Center Ninja
A curated list of Azure Security Center resources, by Yuri Diogenes.

TimeToogo/tunshell
A simple and secure method to remote shell into ephemeral environments such as deployment pipelines or serverless functions, by Elliot Levin. Useful when you need quick, ad-hoc remote access to hosts which you may not have SSH access to, or even the ability to install an SSH daemon at all.

Blue Team

MITRE Shield: Active Defense Matrix
Consists of tactics: what the defender is trying to accomplish (e.g. channel, collect, contain, detect, disrupt, facilitate, legitimize, test) and techniques, describing how the defense achieves the tactic.

softrams/bulwark
“An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.”

Fuzzing

Fuzzing the Linux kernel (x86) entry code, Part 1 of 3
By Vegard Nossum: While most Linux kernel fuzzing (e.g. trinity and syzkaller) has historically focused on testing the system calls themselves (and the code reachable through system calls), one thing they don’t test very well is what happens at the actual transition point between userspace and the kernel. This blog post explores how one might go about writing a fuzzer targeting the Linux kernel entry code on x86. See also part 2 and part 3.

Politics / Privacy

Facebook Braces Itself for Trump to Cast Election Results Doubts
Facebook is making contingency plans for if Trump does things like claim he’s won before results are finalized or if he tries to invalidate the results by declaring that the Postal Service lost mail-in ballots or that other groups meddled with the vote. Nothing to see here, it’s totally normal that a company would have to plan for the President potentially casting doubt on democratic processes 😅

Facebook apologizes to users, businesses for Apple’s monstrous efforts to protect its customers’ privacy
iOS 14 will require apps to ask users for permission before Facebook grabs data from their phones.

The CCP’s methods are not that different from what we see in the global advertising industry. But instead of trying to sell a product, the CCP is trying to exert authoritarian control. It’s using capitalism as a vehicle to access data that can help it disrupt democratic processes and create a more favorable global environment for its power.

In China, where the party-state literally says that the purpose of the law is to “strengthen and improve the Party’s leadership,” technology is deployed to extend the political power of the party-state and developed according to that standard. The Party talks about its intent to shape global public opinion in order to protect and expand its own political power. At the same time, Chinese tech companies collect data in support of such efforts. Anyone living in a liberal democracy should be concerned about the ramifications this has for freedoms and privacy.

In China, the foreign equivalents of TikTok and WeChat — video and messaging apps such as YouTube and WhatsApp — have been banned for years. China keeps a closed and censorial internet economy at home while its products enjoy full access to open markets abroad.

Few foreign companies are allowed to reach Chinese citizens with ideas or services, but the world is fully open to China’s online companies.

From China’s perspective, the asymmetry has been a bonanza that has served economic as well as political goals. While China does have great engineers, European nations overrun by American tech companies must be jealous of the thriving tech industry that China has built in the absence of serious foreign competition (aided by the theft of trade secrets).

Misc

Back to the Engineering Empathy talk by Camille Mackinnon and Craig Ingram (Dark Reading overview): here are some parts that stuck out to me.

AppSec Service Level Indicators

Some service level indicators (SLIs) your AppSec team can use include:

  • Last time each team has asked for a security review - If it’s been more than 30 days, perhaps:

    • The devs think they’re not working on anything that has security impact, in which case it might be nice to check in and confirm that you agree, or

    • They could be swamped with other security asks, and you could help them prioritize and answer questions to make fixing issues easier.

  • Last time your threat models have been updated - If it’s been a long time, you should probably revisit a given project, as many new features have likely been added.

  • Pull request failure rates due to automated security tools - If you’re failing too many builds, devs will be angry at you and may try to bypass your systems. If you’re not failing any builds at all, you might want to make sure your checks are actually running.

Remove toil through automation

Toil: manual, repetitive, automatable, reactive, lacks enduring value, grows at least as fast as its source.

Integrate with engineers’ own efforts to automate: see what tools they are using and how to leverage them to automate security work as well.

A concrete example of this at Salesforce includes work by Kinnaird McQuade and others involving Open Policy Agent (OPA): now, when you make an ACL request at Salesforce, many times it’s completely automated through OPA, freeing security engineers from manually reviewing these requests so they can spend more time on higher-leverage things they can do to help engineering.

Salesforce has OPA directly integrated into engineering build systems examining Terraform configs: seeing if any of the configs may be insecure, and warning engineers right there in the CI system that they use. This way, engineers don’t have to log in to yet another security system.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint