
[tl;dr sec] #76 - Is Secure Design > Patching? and Supply Chain, Breaking Regexes

An argument for why secure design + threat modeling is higher ROI than patching, making code signing easy, finding regex bugs with regexploit or fuzzing.

Hey there,

I hope you’ve been doing well!

The Little Things

The smell of grinding your own coffee beans. The way your partner’s hair falls on their face as they sleep in on Sunday mornings. The texture of your favorite book’s pages as you turn its creased corners once more.

Some things inspire a sense of inner tranquility, or perhaps a smile that you couldn’t hide even if you wanted to.

One thing I can’t help but laugh at when watching, and I don’t know why, is… Goofy sings Evanescence’s Bring Me to Life.

Wait for it: the chorus surprises and delights.

Sponsor

📢 Nearly half of connected 3rd party apps were installed by end users, not IT teams

Major SaaS applications now host a wide range of 3rd party applications. But it’s not easy for security teams to gain visibility or manage data access to these apps - especially when about half of the apps discovered were installed by end users, not the IT team or the SaaS application owner. While there are a variety of ways for 3rd party apps to connect to cloud services, there are three in particular to focus on from a security perspective.

📜 In this newsletter...

  • AppSec: Finding DoS-able regexes, exploiting ML pickle files

  • Web Security: Finding bugs in regex logic using differential fuzzing

  • Cloud Security: Auto-remediating Internet accessible ports, type checking your Rego policies, generate Terraform from existing infrastructure

  • Container Security: Using kubelet client to attack the cluster, awesome k8s security list

  • Supply Chain: Making code signing of open source software easy, signing container images, how The Update Framework works

  • Opinion: Secure Design + Threat Modeling > Patching: An argument to reduce attack surface, isolate systems, and then worry about patching

  • Augmented Reality: Glasses by Microsoft to enable mixed reality sessions, Facebook's neural wristbands that it definitely won't abuse the data from

  • Misc: InfoSec income questionnaire, record educational tours of your code, college Essays as a Service

AppSec

Regexploit: DoS-able Regular Expressions
Doyensec’s Ben Caller released regexploit, a tool that was able to find regular expression denial of service (ReDoS) vulnerabilities in a number of popular NPM, Python, and Ruby dependencies. Regexploit also has built-in support for extracting regexes from TypeScript, C#, JSON and YAML. Also, the power of secure defaults:

So why didn’t I bother looking for ReDoS in Golang? Go’s regex engine re2 does not backtrack.

Never a dill moment: Exploiting machine learning pickle files
I’ve long been wary of Python’s pickle, and this post by Trail of Bits’ Evan Sultanik et al certainly hasn’t helped me gherkin on my trust issues. In short, many ML models are shared as pickle files and have no tampering checks. They’ve released fickling, a decompiler and static analyzer for pickle files that is safe to run on potentially malicious files, because it symbolically executes the code. Their recommended solution: don’t use pickle, use JSON, CBOR, ProtoBuf, etc. instead.
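A defender-side check for the problem described above, as an added example (not fickling's code and not from the Trail of Bits post): it lists the callables a pickle would import by decoding opcodes with the standard library's `pickletools`, without ever unpickling the file. The allowlist, the sample objects and the function names are assumptions made for this illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist for this example: imports a plain weights file may need.
ALLOWED = {("collections", "OrderedDict")}

def imported_callables(data):
    """Return the (module, name) pairs a pickle would import.

    pickletools.genops only decodes opcodes; nothing in the stream is executed.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # Protocols 0-3 carry the import inline as "module name".
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two most recent strings.
            # Heuristic: assumes they were pushed directly, not read from the memo.
            found.append(tuple(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def unexpected_imports(data):
    """Imports that are not on the allowlist; an empty list means nothing to flag."""
    return [g for g in imported_callables(data) if g not in ALLOWED]

class _Constructed:
    """Constructed sample: loading this object's pickle would call print()."""
    def __reduce__(self):
        return (print, ("constructed sample",))

def constructed_samples():
    """Build one expected and one unexpected pickle; neither is ever loaded."""
    benign = pickle.dumps(OrderedDict(weights=[0.1, 0.2]), protocol=4)
    flagged = pickle.dumps(_Constructed(), protocol=4)
    return benign, flagged

if __name__ == "__main__":
    for label, blob in zip(("benign", "flagged"), constructed_samples()):
        print(label, unexpected_imports(blob))
```

An empty result is not proof that a file is safe; it only shows that no import outside the allowlist appears in the opcode stream.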

Web Security

Finding Issues In Regular Expression Logic Using Differential Fuzzing
Many web apps use regexes to enforce certain security properties, like paths a user should or should not have access to, an allowlist for redirect URL paths, etc. Evan Custodio shows how you can use differential fuzzing to find bugs in these regexes.

As referenced in tl;dr sec 15 and 36, differential fuzzing is a clever idea where you basically compare the outputs of two programs or libraries implementing the same thing, and when their outputs differ you have a bug. In this case, Evan uses Google’s coverage-guided Python fuzzing engine, Atheris (referenced in issue 63).
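The comparison described above, as an added example (not code from Evan Custodio's post): a regex allowlist is checked against a second implementation of the same policy, and every input they disagree on is reported. The `/app/` policy, both regexes and the path alphabet are hypothetical, and a bounded enumeration stands in for Atheris's coverage-guided mutation so the block runs offline.

```python
import itertools
import posixpath
import re

# Hypothetical rule under test: only redirect to paths under /app/.
NAIVE_RE = re.compile(r"^/app/[\w./-]*$")
# Candidate fix: same prefix rule, but "." and ".." segments are rejected.
STRICT_RE = re.compile(r"/app(?:/(?!\.\.?(?:/|\Z))[\w.-]+)*/?")

def naive_allows(path):
    return NAIVE_RE.match(path) is not None

def strict_allows(path):
    return STRICT_RE.fullmatch(path) is not None

def reference_allows(path):
    """Second implementation of the same policy: resolve dot segments the way
    the receiving server would, then compare against the allowed prefix."""
    if not path.startswith("/"):
        return False
    resolved = posixpath.normpath(path)
    return resolved == "/app" or resolved.startswith("/app/")

def generate_paths(max_segments=3):
    """Constructed inputs: every path of 1..max_segments segments drawn from a
    small alphabet (a real fuzzer would mutate inputs guided by coverage)."""
    segments = ["app", "admin", "static", ".", ".."]
    for n in range(1, max_segments + 1):
        for combo in itertools.product(segments, repeat=n):
            yield "/" + "/".join(combo)

def find_bypasses(candidate, reference, inputs):
    """Inputs the regex accepts although the reference policy rejects them."""
    return [p for p in inputs if candidate(p) and not reference(p)]

if __name__ == "__main__":
    paths = list(generate_paths())
    for p in find_bypasses(naive_allows, reference_allows, paths):
        print("naive regex allows, reference denies:", p)
    print("strict regex:", find_bypasses(strict_allows, reference_allows, paths))
```

The harness only reports inputs the regex accepts and the reference rejects; disagreements in the other direction (the strict regex refusing `/app/.`) are overblocking and can be listed the same way by swapping the two arguments.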

Cloud Security

How to auto-remediate internet accessible ports with AWS Config and AWS System Manager
Walkthrough blog post on how to develop an AWS Config custom rule to detect ports that aren’t expected to be open in security groups attached to Amazon EC2 instances, and auto-remediate them by isolating that security group and removing the noncompliant ports.

Type checking your Rego policies with JSON schema in OPA
By Mandana Vaziri, Ansu Varghese, and Torin Sandall: You can now pass a JSON schema to OPA to help it find typos and other bugs in your Rego code.

GoogleCloudPlatform/terraformer
Infra as Code: OK. Infra TO code: 🔥 Terraformer generates tf/json and tfstate from your existing infrastructure, including AWS, GCP, Azure, and more.

Container Security

In this blog post, we are going to look at the Kubernetes agent, kubelet, which is responsible for the creation of the containers inside the nodes and show how it can be exploited remotely to attack the cluster. We will review different misconfigurations of kubelet that have been deployed with default settings as part of a Kubernetes installation and how these misconfigurations could eventually open avenues to the Kubernetes cluster as well as several effective mitigation steps.

magnologan/awesome-k8s-security
A curated list of Awesome Kubernetes Security resources by Magno Logan, covering the basics, official pages, talks and videos, blogs and articles, books, certs, CVEs, slides, trainings, repos, papers, and more.

Supply Chain

Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity
By Google’s Kim Lewandowski and Dan Lorenc: “The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable.”

Cosign — Signed Container Images
By Dan Lorenc: From GitHub: “Container Signing, Verification and Storage in an OCI registry. Cosign aims to make signatures invisible infrastructure.” This post provides a nice overview of cosign. 

The Update Framework and You. Why does it need to be so TUF?
Great overview of The Update Framework (TUF) and its major components by Dan Lorenc. To my knowledge, people generally view TUF as a good option if you want to take securing your software updates to 11.

Opinion: Secure Design + Threat Modeling > Patching

Idle musing: “supply chain” risk is in vogue but too many people seem to have taken it to mean “patching”. For most, secure design + threat modeling is a much much higher ROI than any patching. Reduce attack surface, isolate systems, and then worry about patching.

2/ If you are running any software (jenkins, nginx, citrix, exchange) on prem and exposed to the internet, patching is not going to save you. Get rid of it or move it behind a beyond-corp style authenticating proxy.

3/ Get Cloudfront/ALB to be your external perimeter, and stop running nginx on the edge; then worry about patching nginx. Move jenkins behind auth. and so on.

4/ And then worry about isolation: move jenkins to a different AWS account for isolation! Add monitoring/canary-tokens to detect jenkins compromise.

And then worry about patching jenkins.

5/ For your employees, can the automatically-patched OS and Browser be the only attack surface? If any memory-unsafe language is in your attack surface, then working on changing that is likely a higher ROI than patching that extra attack surface.

6/ I am obviously biased but here’s where web-based SaaS software are a huge win. Opening PDFs inside Dropbox/GDrive means you don’t have to trust them; you can trust the browser sandbox to save you. And each SaaS service is vacuously its own sandbox!

Augmented Reality

What was once science fiction comes ever closer to reality.

Microsoft Mesh powers shared experiences in mixed reality
Architects and engineers could physically walk through a holographic model of a factory floor under construction, remote doctors could advise in an operating room, people around the world could attend a Cirque du Soleil presentation, or you could replace your Zoom fatigue with #holofatigue (which conveniently also connotes your feeling inside after a year of social isolation).

Microsoft Mesh, a new mixed reality platform, will allow geographically distributed teams to meet and collaborate in shared mixed reality sessions where participants appear as digital representations of themselves. Image by Microsoft.


Facebook has offered a glimpse inside its plans for a new augmented reality interface, based on technology from CTRL-Labs, the startup it acquired in 2019. In a video, it shows off wristbands that use electromyography (EMG) to translate subtle neural signals into actions — like typing, swiping, or playing games like an archery simulator. The bands also offer haptic feedback, creating a system that’s more responsive than basic hand tracking options.

Misc

💰 InfoSec Income Questionnaire
Google Sheet with >300 responses from security professionals including their title, IC vs Manager, years of experience, education, location, and total compensation. I love transparency efforts like this, I think it’s super important context for people to have so that they’re more likely to be compensated fairly.

microsoft/codetour
Man, Microsoft’s VSCode extension game is on point 👌 This one “allows you to record and playback guided walkthroughs of your codebases. It’s like a virtual brownbag, or table of contents, that can make it easier to onboard to a new project/feature area, visualize bug reports, or understand the context of a code review/PR change.”

Academic “Ghost-Writing”: The Cheating Scandal No One Will Discuss
Wow. As services that detect plagiarism have gotten better, now there are several Essay as a Service companies that basically connect students with underemployed writers, grad students, and assistant professors to complete the students’ coursework for them. Some students will even outsource all of their work for a class, like online discussions, and even multiple classes over their university career. I wonder what’s going to happen when one day they have to actually, you know, do the work.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint