
[tl;dr sec] #9 - Autonomous Bug Reporting, HTTP Desync Attacks, & Censorship

Fuzzing is finding security bugs faster than CVEs can be issued, HTTP desync attacks advance, China's censorship power is felt around the world.

Hey there,

I hope you've been doing well!

Just links this time, no summary, as I've been busy prepping for a ShellCon talk this weekend on building simple but useful lightweight static analyses using open source tools.

🔗 Links

Google has been working on a new sanitizer, the Kernel Concurrency Sanitizer (KCSAN). "In their testing just last month, in two days they found over 300 unique data race conditions within the mainline (Linux) kernel." Whoa. 🔥

A bash script that documents and walks through using pretty much every git command.

Duo Labs released Journal, their tool for centralizing research notes and publishing articles. Journal is composed of a Hugo (Golang static site generator) template and a CLI tool that can create/publish posts and convert Jupyter notebooks and R markdown for easy inclusion.

Excellent Twitter thread of advice by Phil Venables: "When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving."

Autonomy and the Death of CVEs?

Opinion piece by David Brumley arguing that the manual process of reporting bugs (CVEs) doesn't scale to modern autonomous bug finding (e.g. fuzzing). Here's the fundamental challenge:

  • Tools like Google's ClusterFuzz find thousands of bugs a year.

  • Many of these bugs are security-relevant. Based on Chrome and oss-fuzz data, that's hundreds of security bugs discovered per year.

  • There is no way to automatically report and index these bugs; it takes manual work to file a CVE and for the database to be updated, so many of these security bugs never get a CVE!

  • Yet we depend on indexes like the MITRE CVE database to tell us whether we’re running known vulnerable software.

  • Proposed solution:

    • Add structure to CVE and CWE databases that is machine parsable.

    • Create a system where autonomous systems can report bugs that other autonomous systems can consume. Lower fidelity than a human-verified system (potential FPs/FNs), but it would help us move faster.

HTTP desync attacks continue

James Kettle of Portswigger has continued his awesome research into HTTP desync attacks, which was originally presented at Black Hat USA 2019.

  • You can read his bug bounty report to New Relic ("This is a pretty dope bug.")

  • The Black Hat video isn't live yet, but it looks like he gave a similar talk at BSides Manchester.

  • FYI: If you're not familiar with his work yet, James Kettle is a web app pen testing wizard, and anything he puts out is worth reviewing.

James Mickens gets tenure

James Mickens' Harvard tenure announcement is as hilarious as the articles he writes and talks he gives.

For one example, from the abstract of his Usenix 2018 keynote "Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?":

Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization.

...

At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks.

A new contender in asset inventory security start-ups

Tanya Janca, a globetrotting frequent speaker, recently left a cloud security role at Microsoft to do a start-up, which she just announced: Security Sidekick, "real-time web app inventory and vulnerability discovery."

It'll be interesting to see how her company differentiates, as asset inventory seems to be a hot/crowded area right now (e.g. one of the things Jupiter One seems to do, as mentioned in tl;dr sec #8).

The Chinese censorship machine is broader than you realize

The continued protests in Hong Kong are showing how powerful the Chinese government's censorship powers are outside of their borders. (Some good additional thoughts by Stratechery.)

Let's review an incomplete list of examples:

1. The Houston Rockets general manager posted a pro-Hong Kong democracy tweet, various Chinese companies were upset, then the NBA went into damage control mode.

2. Apple has removed the Taiwan flag emoji for Chinese iPhones and all mainland China iCloud users will have their data stored by a data firm started by the Chinese government.

3. Video games

Blizzard suspends a professional Hearthstone player for Hong Kong comments.

A Twitter thread with some interesting context from a video game industry veteran:

Chinese game companies have grown huge not just because of market size, but because the government subsidizes them. They get free land, free offices, and huge infusions of cash.

I’ve seen firsthand the corruption of Chinese gaming companies, and I was removed from a company I founded (after Blizzard) for refusing to take a 2 million dollar kickback bribe to take an investment from China.

Chinese companies tried to ruin my career with planted press stories. Money is often paid for favorable press in China and some of that money flows here to the US as well.

4. Finally, the screen industry

Hollywood is already inserting or cutting scenes to make Chinese censors happy.

  • Dalian Wanda, China's largest commercial property company and movie theater operator, is actively acquiring U.S. cinema assets.

  • In 2012, Wanda bought AMC Entertainment, the second largest U.S. movie theater chain. This year, AMC is buying Carmike Cinemas, which would form the largest movie theater chain in the country.

  • Wanda bought Legendary Entertainment (production company behind The Dark Knight Trilogy) and is interested in Lionsgate (The Hunger Games). When they acquired Legendary, they called it, "China's largest cross-border cultural acquisition to date."

  • Wanda's founder and chairman is a former Communist deputy and the company has received at least $1.1 billion in government subsidies.

  • "The control of both production and distribution channels allows him to censor movies in their development stage and after release. In theory, he could prevent his movie theaters from playing films unapproved by the Communist Party."

South Park has been wiped from the Chinese-accessible Internet due to their "Band in China" episode that criticizes how American media adjusts content to accommodate Chinese censorship rules.

  • Trolling tweet from the South Park creators: "Like the NBA, we welcome the Chinese censors into our homes and into our hearts. We too love money more than freedom and democracy." Oh snap!

To summarize, the Chinese government is already:

  • Influencing one of the biggest video game companies (Blizzard).

  • Making an NBA team manager apologize for acknowledging widespread protests that are currently happening.

  • Getting Apple, one of the biggest and most profitable tech companies, to censor emoji and give the Chinese government control over user data.

  • Getting major Hollywood films to add, remove, or change scenes to please the censors, while a Chinese media company actively acquires U.S. cinemas and film production companies and openly acknowledges this is about extending China's soft power abroad. 😅

Today it's Hong Kong, tomorrow it's...?

Mo money mo problems

What Really Happens When You Become an Overnight Millionaire? is a fascinating article about Peter Rahal, who bootstrapped RxBar out of his mom's kitchen, took no funding, then sold it for $600 million.

Rahal prides himself on struggle and says that’s how he built RxBar into a breakout success. Yet now he exists in a rich person’s wonderland, where workers appear and disappear on some imperceptible schedule to clean the pool or fix the elevator.

Having won that impossible prize most entrepreneurs only dream of, Rahal is faced with a new reality: Who is he now that he is actually living out the fantasy?

Though Rahal says he’s incredibly grateful for everything he has, he’s trying to figure out bigger ways to reintroduce struggle to his life — like starting another company where he stands to lose a lot.

“Humans’ natural tendency is to remove pain, and we’ve come to a point where we’ve done it so well I find myself seeking uncomfortability,” Rahal says.

People spend a lot of time dreaming about "making it," but rarely ask, "How will my life change once I've 'made it'?"

To be honest, at least for me, having hundreds of millions of dollars would probably be more stressful than it's worth.

A few million would be OK though, as that'd get me a small studio in SF (with a bad view and no in-unit laundry) ;-)

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint