[tl;dr sec] #50 - Engineering Empathy, Golang Security, Bardcore
Applying engineering lessons learned to AppSec teams, common Golang bugs, and medieval covers of modern pop songs take the Internet by storm.
I hope you’ve been doing well!
Sometimes it feels like 2020 is a continuously increasing crescendo of one trainwreck after another: COVID-19, the economy, wildfires, and (potentially) the upcoming presidential election.
And while that may be mostly true, I came across this small sliver of joy: bardcore (also known as “tavernwave”), which is, to quote Wikipedia: “a 2020 internet phenomenon consisting of medievalised remakes of hit pop songs.” 🤣
One notable bard of our era
I took it upon myself to do this important research for you and listened to a nigh festival of bardcore songs.
This Take on Me cover is pretty awesome.
And of course: Rick Astley’s Never Gonna Give You Up.
Was this tl;dr sec issue written to bardcore? You bet your lute.
📢 Webinar: Intro to Sqreen (AppSec Management Platform)
Interested in improving your application security? What about protecting your apps against the OWASP top 10? Join us for a live product demo and get an in-depth view of Sqreen's protection capabilities (RASP + In-App WAF), and learn about relevant use cases that will help you scale your AppSec program.
📜 In this newsletter...
Threat Modeling: Play threat modeling card games remotely + the value of making it a game
Golang: Talk on common Golang security bugs, a purposefully vulnerable Golang repo, how to check if a mutex is locked, a dynamic analysis library to find race condition-esque issues
AppSec: Finding and exploiting bugs in multiplayer game engines, Electron's App Sandbox and a Slack RCE, configure SSH securely, thinking about security budgets as supply and demand
Web Security: A fast HTTP enumerator
Cloud Security: Materials for learning about Azure Sentinel and Security Center, a remote shell for ephemeral environments where you don't have SSH
Blue Team: MITRE Shield: Active Defense Matrix, an organizational asset and vulnerability management tool
Fuzzing: Fuzzing the Linux kernel entry code (transition between userspace and the kernel)
Politics / Privacy: Facebook is preparing for Trump to potentially cast doubt on election results, iOS 14 will make it harder to collect data on users, how China surveils the world, an argument why TikTok should be banned
Misc: Paul Graham on how to disagree
📚 Engineering Empathy: Adapting Software Engineering Principles and Process to Security
How to Play Elevation of Privilege and Cornucopia Remotely
Agile Stationery has a website that enables you to “deal out” cards for these threat modeling card games to support people playing remotely. They also list “3 advantages of playing games in cyber security”:
Creativity - Turning it into a game lowers the stakes and provides a safe environment for creative exploration of the security problem.
Depth - Assigning threat models to players helps make use of detailed context known to each player.
The Unexpected - Randomly dealing out threats to players prompts the sharing of tacit knowledge that cannot reliably be located in advance, such as the details of how specific components were programmed and tested.
Go-ing for an Evening Stroll: Golang Beasts & Where to Find Them
Trail of Bits’ Stefan Edwards and Robert Tonic discuss 4 common classes of Golang vulnerabilities they see during their work and how to fix them: integers/numerics, standard library issues, error checking and type assertions, and defer semantics. See this repo for an extended version of the talk + the slides.
A set of vulnerable Golang programs meant to show common vulnerabilities and provide a test bed for users to find, fix, and remediate Golang vulnerabilities. Includes a holistic ecosystem of vulnerabilities using gRPC, Web, and database/sql, and a set of focused programs meant to demo common Golang issues.
How to check if a mutex is locked in Go
Although you can Unlock() a mutex, you can’t check whether it’s locked. But sometimes you want to assert in a function that a precondition to calling it is that a given mutex is already locked. go-mutexasserts is a library by disconnect3d that provides functions like AssertMutexLocked, which let you do just that.
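An added example of the same idea, not the go-mutexasserts code itself: reading sync.Mutex's internal state word from outside the package to enforce a "caller must hold the lock" precondition. It assumes the current runtime layout (an int32 state word first, bit 0 meaning locked), and the Ledger type is constructed for illustration.

```go
package main

import (
	"sync"
	"sync/atomic"
	"unsafe"
)

// Assumption (not from the page): sync.Mutex's first field is an int32 state
// word whose bit 0 means "locked", as the Go runtime has laid it out so far.
const mutexLocked int32 = 1

// MutexLocked reports whether m is currently held by reading its state word.
func MutexLocked(m *sync.Mutex) bool {
	state := (*int32)(unsafe.Pointer(m))
	return atomic.LoadInt32(state)&mutexLocked != 0
}

// AssertMutexLocked panics if m is not held; use it first in "caller must hold the lock" helpers.
func AssertMutexLocked(m *sync.Mutex) {
	if !MutexLocked(m) {
		panic("precondition violated: mutex must be locked by the caller")
	}
}

// Ledger is constructed for illustration: Debit takes the lock, applyLocked assumes it.
type Ledger struct {
	mu      sync.Mutex
	balance int
}

func (l *Ledger) applyLocked(delta int) {
	AssertMutexLocked(&l.mu) // documents and enforces the precondition
	l.balance += delta
}

func (l *Ledger) Debit(n int) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.applyLocked(-n) // correct caller: lock held across the helper
	return l.balance
}

// CallsHelperWithoutLock models the bug the assertion exists to catch and
// reports whether the missing-lock call was detected (it panics, so recover).
func CallsHelperWithoutLock(l *Ledger) (caught bool) {
	defer func() { caught = recover() != nil }()
	l.applyLocked(-1)
	return false
}
```

The check only tells you that the mutex is held by someone, not that the current goroutine holds it, so it catches forgotten locks rather than proving ownership.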
A dynamic analysis library for detecting certain improper uses of the “Defer, Panic, and Recover” pattern in Golang programs. “OnEdge detects global state changes that occur between (1) the entry point to a function that defers a call to recover and (2) the point at which recover is called. Often, such global state changes are unintentional.”
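An added example, not OnEdge's own code, of the condition the quote describes: ProcessLogin mutates a constructed global session table, panics in the middle, and recovers with the table already changed; SafeProcessLogin restores the entry snapshot on recover. The function names and the session table are assumptions for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Constructed global state: a session table expected to stay consistent even if work panics.
var sessions = map[string]string{}

func snapshotSessions() map[string]string {
	c := make(map[string]string, len(sessions))
	for k, v := range sessions { c[k] = v }
	return c
}

// ProcessLogin is the pattern OnEdge looks at: it defers a recover, mutates global
// state, and may panic in between (assumption: recover turns the panic into an error).
// changed is true if sessions differs from its entry value when recover runs: OnEdge's condition.
func ProcessLogin(user string, work func() error) (changed bool, err error) {
	before := snapshotSessions()
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
			changed = !reflect.DeepEqual(before, sessions)
		}
	}()
	sessions[user] = "pending" // global mutation before the risky work
	if e := work(); e != nil {
		panic(e) // unwinds to the deferred recover above
	}
	sessions[user] = "active"
	return false, nil
}

// SafeProcessLogin is the fixed form: on recover it restores the entry snapshot,
// so a panic cannot leave a half-written "pending" entry behind.
func SafeProcessLogin(user string, work func() error) (err error) {
	before := snapshotSessions()
	defer func() {
		if r := recover(); r != nil {
			sessions = before // undo every change made since entry
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	sessions[user] = "pending"
	if e := work(); e != nil { panic(e) }
	sessions[user] = "active"
	return nil
}
```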
Finding and Exploiting Bugs in Multiplayer Game Engines
In this DEF CON 2020 talk, Jack Baker provides some background on how to go about exploiting multiplayer game engines and walks through several concrete examples of bugs he’s found in Unreal Engine 4 and Unity3D. (supporting code and PoCs)
The App Sandbox
Slack’s Charlie Hess describes Electron’s “app sandbox” and the attack vectors it aims to prevent. See also this detailed HackerOne submission by Oskars Vegeris in which he describes a 1-click RCE in Slack’s desktop app.
Demand side management: you can decrease the demand by adjusting risk appetite (tighten the band of what you classify as critical) or decrease the demand by the wholesale elimination of risk (e.g. remove certain business services, products, vendors, or whole classes of technology).
Supply side management: Increase resources (more budget) and increase resource efficiency (see below quote).
A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time, e.g. run an HTTP GET request for each entry in filenames.txt and hide all responses with the status code 403 or 404.
Become an Azure Sentinel Ninja: The complete level 400 training
16 modules to make you an Azure Sentinel master, by Ofer Shezaf.
A simple and secure method to remote shell into ephemeral environments such as deployment pipelines or serverless functions, by Elliot Levin. Useful when you need quick, ad-hoc remote access to hosts which you may not have SSH access to, or even the ability to install an SSH daemon at all.
MITRE Shield: Active Defense Matrix
Consists of tactics: what the defender is trying to accomplish (e.g. channel, collect, contain, detect, disrupt, facilitate, legitimize, test) and techniques, describing how the defense achieves the tactic.
“An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.”
Fuzzing the Linux kernel (x86) entry code, Part 1 of 3
By Vegard Nossum: While most Linux kernel fuzzing (e.g. trinity and syzkaller) has historically focused on testing the system calls themselves (and the code reachable through system calls), one thing they don’t test very well is what happens at the actual transition point between userspace and the kernel. This blog post explores how one might go about writing a fuzzer targeting the Linux kernel entry code on x86. See also part 2 and part 3.
Politics / Privacy
Facebook Braces Itself for Trump to Cast Election Results Doubts
Facebook is making contingency plans for if Trump does things like claim he’s won before results are finalized or if he tries to invalidate the results by declaring that the Postal Service lost mail-in ballots or that other groups meddled with the vote. Nothing to see here, it’s totally normal that a company would have to plan for the President potentially casting doubt on democratic processes 😅
Facebook apologizes to users, businesses for Apple’s monstrous efforts to protect its customers’ privacy
iOS 14 will require apps to ask users for permission before Facebook grabs data from their phones.
In this Black Hat USA 2020 talk by Camille Mackinnon and Craig Ingram of Salesforce (Heroku), they describe how security teams can leverage ideas and processes from engineering. (Dark Reading overview)
Here are some parts that stuck out to me.
AppSec Service Level Indicators
Some service level indicators (SLIs) your AppSec team can use include:
Last time each team has asked for a security review - If it’s been more than 30 days, perhaps:
The devs think they’re not working on anything that has a security impact, in which case it might be nice to check in and confirm that you agree, or
They could be swamped with other security asks, and you could help them prioritize and answer questions to make fixing issues easier.
Last time your threat models have been updated - If it’s been a long time, you should probably revisit a given project, as many new features have likely been added.
Pull request failure rates due to automated security tools - If you’re failing too many builds, devs will be angry at you and may try to bypass your systems. If you’re not failing any builds at all, you might want to make sure your checks are actually running.
Remove toil through automation
Integrate with engineers’ own efforts to automate: see what tools they are using and how to leverage them to automate security work as well.
A concrete example of this at Salesforce includes work by Kinnaird McQuade and others involving Open Policy Agent (OPA): now, when you do an ACL request at Salesforce, many times it’s completely automated through OPA, freeing up security engineers from manually reviewing these requests, so they can spend more time on higher leverage things they can do to help engineering.
Salesforce has OPA directly integrated into engineering build systems examining Terraform configs: seeing if any of the configs may be insecure, and warning engineers right there in the CI system that they use. This way, engineers don’t have to log in to yet another security system.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!