[tl;dr sec] #14 - DevSecCon TLV, Slack’s Secure Overlay Network, Dangers of Struct Padding

6 minute read

Hi there,

After a lovely trip to Israel and the UK for DevSecCon Tel Aviv and London, I’m finally back in the Bay Area, where people are constantly pushing the forefront of what’s possible with technology.

That is, the people who have electricity, because the local energy company hasn’t cut their power due to concerns about fires. You know, normal stuff 😅

Nominated for CTO Universe MVP Award

An article I wrote for TechBeacon (Scale your security with DevSecOps: 4 valuable mindsets and principles) was one of 9 articles selected to be finalists for the 2019 CTO Universe MVP Awards in the DevOps category.

If you want, you can vote for my article here.

📜 In this newsletter...

Links:
  • Cloud Security: free AWS best practice configs, Slack's secure global overlay network, AWS metadata service hardening
  • Misc Tools: Godbolt compiler explorer, Singularity - a DNS rebinding framework
  • OSINT: bug bounty tips on discovering attack surface, new version of Amass
  • Collecting and Searching Information: 2 open source and 1 commercial tool
  • Programming: hands-on deadlock challenges, practical applications of formal methods
  • Politics: Google's acquiring your health records, Taiwan's social network that promotes debate
  • Padding the struct: How a compiler optimization can disclose stack memory

DevSecCon Tel Aviv:

Opening keynote by Elissa Shevinsky, lightweight threat modeling as code, managing secrets, container security stats, and I discuss the current state of DevSecOps and make predictions about where we're headed.

Cloud Security

asecure.cloud - A free repository of customizable AWS security configurations and best practices.

Introducing Nebula, the open source global overlay network from Slack
“Securely connect tens of thousands of computers, hosted at multiple cloud service providers in dozens of locations around the globe.” source code

  • Service provider agnostic
  • Allows traffic filtering by host identity (not just IP address)
  • Hosts identify themselves via certificates that encode user-defined attributes (datacenter, role, environment, etc.).

Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
V2 of the EC2 Instance Metadata Service (IMDSv2) released, with several changes to prevent common attacks:

  • Every request now requires a session, whose secret is obtained via a PUT request to IMDSv2
  • Calls with the X-Forwarded-For header will be dropped
  • The PUT response containing the secret token will have its IP packet TTL set to 1, meaning requests from the EC2 instance itself will work, but the response likely can’t make it to an external attacker.

Misc Tools

The Godbolt Compiler Explorer is a nice and easy way to see how C code gets translated to assembly by a number of compilers (linked by Jack Leadford’s post below).

Godbolt Compiler Explorer

Singularity - the current state of the art in DNS rebinding by Gerald Doussot and Roger Meyer. I’m calling it out again because their DEF CON 2019 talk is now live on Youtube.

Open-Source Intelligence (OSINT)

Hussein Daher:

When discovering subdomains/domains/assets owned by a company, use the Google Analytics ID to expand your attack surface. The ID is in the HTML code. Reverse search then: https://site-overview.com/website-report-search/analytics-account-id/ID

Gwendal Le Coguic:

We always talk about methodology to find subdomains, but what about domains first? If you want to enlarge your scope, I use http://crunchbase.com, http://whoisology.com, http://securitytrails.com, http://gandi.net to find more domains owned by a company

OWASP Amass v3.3.0 released, a Go tool that does “in-depth attack surface mapping and asset discovery.”

  • Supports gathering info from DNS, scraping, certificates, third-party APIs, and web archives.
  • Future releases will support saving results in Neo4J and any graph databases that supports Gremlin (@apachetinkerpop).

Tools for Collecting and Searching Information

Vortimo - “organizes information on webpages that you’ve visited. It records pages you go to, extracts data from it and enrich the data that was extracted. It augments the pages in your browser by allowing you to tag objects as well as decorating objects it deems important.” Chrome extension + server with DB and UI, not open source. (thx Daniel Miessler)

Memex - a fully private browser extension to full-text search your browsing history & bookmarks (open source).

organice - an implementation of Org mode built for mobile and desktop browsers. Open source, uses React, can use Dropbox, Google Drive, and WebDAV as backends.

Programming

The Deadlock Empire: Slay dragons, master concurrency!
Hands-on multi-threaded programming challenges with a fun theme 🤘

Tweetstorm by Hillel Wayne on the power of formal methods (TLA+). Here are some snippets to give you a flavor, check it out for some neat talk and blog post links:

TLA+ is a language for “debuggable designs”. It lets you design your system and find bugs in the design itself, not the code. In terms of expressive power, TLA+ is as high above Python as Python is above x86 Assembly.

My first time using TLA+ for work was for a tricky business domain problem, involving lots of edge cases and unreliable vendor APIs. The code was 3000+ lines of Ruby. The spec? 60 lines of TLA+. It found two critical bugs.

This was a battle-tested production system. It had been thoroughly unit-tested, integration-tested, code reviewed, and monitored. We’d spent a year fighting fires and fixing bugs. Months of work on stability.

Politics

Google’s secret cache of medical data includes names and full details of millions
Google has a secret “Project Nightingale,” in which they are collecting vast amounts of American healthcare data, unbeknownst to patients. Google is receiving the data from Ascension, the second-largest healthcare provider in the U.S., including patients’ full personal details (name + medical history). This data has not been anonymized and can be accessed by Google staff.

How a social network could save democracy from deadlock
Taiwan has built a platform designed for people from across political divides to express their views. It promotes statements that find support across different groups as well as within them, gamifying finding consensus. Rather than simply letting people vote via an app, the platform gives participants agenda-setting power to not just determine the answer, but also define the question. It doesn’t aim to find a majority of one side over another, but rather achieve consensus across them.

“People compete to bring up the most nuanced statements that can win most people across,” Tang told me.

“They spend far more time discovering their commonalities rather than going down a rabbit hole on a particular issue.”

Padding the struct: How a compiler optimization can disclose stack memory

NCC Group consultant Jack Leadford on how GCC may add padding to struct objects, attempting to make your code faster (by causing field accesses to be memory-aligned), but this can lead to disclosing stack memory!

Jack describes two example scenarios where this behavior may be exploited: an RPC server and a kernel driver. Here’s a useful illustration from a blog post by Alexander Popov:

Kernel Memory Leak

Related: a Linux Security Summit talk Dealing with Uninitialized Memory in the Kernel by Alexander Potapenko of Google.

⭐ DevSecCon Tel Aviv 2019 Roundup

I wrote up notes for some of the talks, including my first keynote 😱.

If you want to learn some practical steps to start managing your secrets properly, how to do lightweight, continuous threat modeling, some container security stats and best practices, and my thoughts on the future of DevSecOps and security programs, you can read the full summary here.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint
@clintgibler @programanalysis