"Trustworthy Whole-System Provenance for the Linux Kernel" - usenix.org/system/files/confer

> .. We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems. We demonstrate that LPM creates a trusted provenance-aware execution environment, collecting complete whole-system provenance while imposing as little as 2.7% performance overhead on normal system operation...

Regarding "How Ledger Hacked an HSM" - cryptosense.com/blog/how-ledge - I have doubts about the significance of this if they are correct in speculating that this is associated with SafeNet's recent Sentinel advisory. Sentinel is SafeNet's software licensing/DRM thingy... quite separate to their actual HSM business... but maybe I'm missing something

"Understanding Real-World Concurrency Bugs in Go" - songlh.github.io/paper/go-stud

"..we perform the first systematic study on concurrency bugs in real Go programs. We studied six popular Go software including Docker, Kubernetes, and gRPC. We analyzed 171 concurrency bugs in total, with more than half of them caused by non-traditional, Go-specific problems. ... we also studied their fixes, performed experiments to reproduce them, and evaluated them with two publicly-available Go bug detectors.

"Sibyl - A Miasm2 based function divination" - github.com/cea-sec/Sibyl

"In reverse engineer work.. Tools have been developed to automate.. Some are based on CFG.. signature (Bindiff), others on magic constants (FindCrypt) or enhanced pattern matching (FLIRT). Sibyl is one of these tools, dynamic analysis oriented and based on Miasm2 (github.com/cea-sec/miasm). The idea is to identify functions from their side effects. That way, identification is independent of the used implementation."

"Assessing Unikernel Security" - nccgroup.trust/globalassets/ou

"We surveyed two major unikernels, Rumprun and IncludeOS .. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown ..

Finally replaced the cracked screen in my phone and its almost completely inoperable charge port. Took me a couple of hours... it's the 3rd screen. I try to make phones last a few years...

Anyway my laptop screen also died

I just can't have devices, they all fail

Honestly the scrum guide reads like some kind of cult

It assumes the Product Owner knows best, and everyone Shall Respect the Product Owner

Clearly then the single most impactful thing you can do for an organization's security program isn't tools or training, it's to ensure product owners understand their security goals and how to achieve them when faced with the various dysfunctions unique to their environment

.. I know this is obvious/boring, but there's others who should know better on birdsite & it wasn't always obvious to me: the front of my career was a mix of small/large orgs but always in small teams, often as the lone coder, personally accountable but always empowered

Maybe I'm just unlucky, but scrumgile seems to create pathological 1-way relationships w/product owners & devs who cope via learned helplessness, desensitized to issues they could fix if only owners would put them on the backlog

.. there's a staggering amount of hubris among hackers who've never built stuff. Including myself as an engineer: I didn't "get" how dominant the shape of an org, its people systems, feedback loops (or lack thereof), commercial settings etc were until I spent a few years exposed to management/inter-BU/customer things on larger teams.

In a fight between a smug infosec rockstar vs 87 sprints under a tunnel-visioned SCRUMlord, yrs of 0% slack time & career-driven-development, I know who I'd bet on

Training, tools, even competent engineers are no match for perverse incentives. Infosec is still quick to bash engineers based on flaws in products & assume they don't "get" offense. I too once thought the fix belonged with engineers, maybe training, but let me tell you something: top ~10-20% of devs I've worked with already know how to attack their product, know enough to be training their peers, & given ~months to re-train would easily make better offsec hackers than most that spent ~years..

@cynicalsecurity @csirac2 I have to admit that I only skimmed it during lunch. To be read in full after work.

If you want a more in-depth history of SAT/SMT there is this paper:

h/t Dr. Heidy Khlaaf (@HeidyKhlaaf on birdsite)

"Why don't people use formal methods?" - I really enjoy Hillel Wayne making some of this stuff more accessible to "blue collar" programmers like me

The history on the SMT stuff seems a bit off but otherwise a good writeup on the matter I think

By the time you have your first million lines of code there's easily 100+ person-years invested, surely we can spend a few months mapping this out. I don't know how everyone else feels so great leaning into such massive projects, regardless of language it's in, when the systems engineering/analysis required to meaningfully support such complexity appears to be totally absent from the core development process. I wish this wasn't so hard to sell to people

This year my hobby will be building things to extract data from, analyze and visualize complex software (statically & runtime) to more quickly grok ridiculous codebases comprising complex systems I'm dealing with. Each layer has various independent security controls/confinement that don't always sit very well on the next. Want to more efficiently identify critical/trusted parts, or even just survey what components there are, to reveal actual (rather than communicated) structure. Lots of GraphDBs

"A survey on formal specification and verification of separation kernels" - arxiv.org/pdf/1508.07066.pdf

"... This paper presents an overview of formal specification and verification of separation kernels. We first present the background including the concept of separation kernel and the comparisons among different kernels. Then, we survey the state of the art on this topic since 2000. Finally, we summarize research work by detailed comparison and discussion."

A bunch of the niftiest people are making k07cw/Cult of the Cyber Witch, a new hacker zine complete with regex crossword, and you should definitely check it out kultofthecyberw.itch.io/kult-o

BSidesCBR CFP is open! docs.google.com/forms/d/e/1FAI

This year I helped directly invite folks to submit, which resulted in some very interesting talks from people who wouldn't have otherwise submitted. But... struggling a bit with strategy on how to approach different networks this time

Does anyone know of research into heuristically detecting compression bombs, using something like entropy profiles or compression ratios?
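One cheap first-pass heuristic along the lines asked about above, as an added example that is not part of the original post: screen a zip archive's central-directory metadata for members whose declared uncompressed/compressed ratio is implausibly high, without extracting anything. The threshold and total-size cap are assumed values chosen for the demo, and the sample archives are constructed inline.

```python
import io
import os
import zipfile

# Assumed threshold: deflate tops out near 1032:1, so legitimate data rarely
# exceeds ~100:1 across a whole member. Tune for your own corpus.
MAX_RATIO = 100.0
# Assumed cap on total declared uncompressed bytes across the archive.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024


def inspect_zip(data: bytes):
    """Return (suspicious, findings) using only central-directory metadata.

    Nothing is inflated, so the archive cannot blow up on disk here. Caveat:
    declared sizes are attacker-controlled, so this is a screen, not a proof;
    any later extraction still needs a hard byte budget on the output stream.
    """
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            # Guard against division by zero on empty members.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append((info.filename, round(ratio, 1)))
    if total > MAX_TOTAL_UNCOMPRESSED:
        findings.append(("<total declared size>", total))
    return (len(findings) > 0, findings)


def build_sample(payload: bytes, name: str = "member.txt") -> bytes:
    """Constructed in-memory archive for the demo, not a real-world file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: 4 MiB of zeros compresses at roughly 1000:1 and trips
# the ratio check; 64 KiB of random bytes stays near 1:1 and passes.
ZERO_ARCHIVE = build_sample(b"\0" * (4 * 1024 * 1024))
RANDOM_ARCHIVE = build_sample(os.urandom(64 * 1024))

if __name__ == "__main__":
    print("zeros :", inspect_zip(ZERO_ARCHIVE))
    print("random:", inspect_zip(RANDOM_ARCHIVE))
```

Nested archives and formats with no per-member size fields (raw gzip streams, for instance) need a different check, typically a counted inflate with an output budget.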

I wonder if it's possible to estimate the person-hrs that go into a paper; or estimate total $$$ invested in literature analysing the security of a piece of security-critical software.

The answer is obviously no, unless they cite specific grants

Want to say something about technical debt behind otherwise shiny-looking projects which have had little or no analysis/verification/correctness efforts applied within or outside the project

This should be a quality metric when choosing dependencies

I can't process this Supermicro story yet bloomberg.com/news/features/20

Cue "we told you so!" brigade.. been agonizing over supply-chain issues for years, but that doesn't make this easier for me to process

Timing of "apple kicking SM from their DCs over BMC security issues" rumours ages ago; nasdaq delisting... if this is BS, that's amazing propaganda effort that I also can't process
