"Trustworthy Whole-System Provenance for the Linux Kernel" - https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-bates.pdf
> .. We present Linux Provenance Modules (LPM), the first general framework for the development of provenance-aware systems. We demonstrate that LPM creates a trusted provenance-aware execution environment, collecting complete whole-system provenance while imposing as little as 2.7% performance overhead on normal system operation...
Regarding "How Ledger Hacked an HSM" - https://cryptosense.com/blog/how-ledger-hacked-an-hsm/ - I have doubts about the significance of this if they are correct in speculating that this is associated with SafeNet's recent Sentinel advisory. Sentinel is SafeNet's software licensing/DRM thingy... quite separate to their actual HSM business... but maybe I'm missing something
"Understanding Real-World Concurrency Bugs in Go" - https://songlh.github.io/paper/go-study.pdf
"..we perform the first systematic study on concurrency bugs in real Go programs. We studied six popular Go software including Docker, Kubernetes, and gRPC. We analyzed 171 concurrency bugs in total, with more than half of them caused by non-traditional, Go-specific problems. ... we also studied their fixes, performed experiments to reproduce them, and evaluated them with two publicly-available Go bug detectors."
"Sibyl - A Miasm2 based function divination" - https://github.com/cea-sec/Sibyl
"In reverse engineer work.. Tools have been developed to automate.. Some are based on CFG.. signature (Bindiff), others on magic constants (FindCrypt) or enhanced pattern matching (FLIRT). Sibyl is one of these tools, dynamic analysis oriented and based on Miasm2 (https://github.com/cea-sec/miasm). The idea is to identify functions from their side effects. That way, identification is independent of the used implementation."
"Assessing Unikernel Security" - https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2019/ncc_group-assessing_unikernel_security.pdf
"We surveyed two major unikernels, Rumprun and IncludeOS .. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application's source and binary are unknown .."
Honestly the scrum guide reads like some kind of cult
It assumes the Product Owner knows best, and everyone Shall Respect the Product Owner
Clearly then the single most impactful thing you can do for an organization's security program isn't tools or training, it's to ensure product owners understand their security goals and how to achieve them when faced with the various dysfunctions unique to their environment
.. I know this is obvious/boring, but there are others who should know better on birdsite & it wasn't always obvious to me: the front of my career was a mix of small/large orgs but always in small teams, often as the lone coder, personally accountable but always empowered
Maybe I'm just unlucky, but scrumgile seems to create pathological 1-way relationships w/product owners & devs who cope via learned helplessness, desensitized to issues they could fix if only owners would put them on the backlog
.. there's a staggering amount of hubris among hackers who've never built stuff. Including myself as an engineer: I didn't "get" how dominant the shape of an org, its people systems, feedback loops (or lack thereof), commercial settings etc were until I spent a few years exposed to management/inter-BU/customer things on larger teams.
In a fight between a smug infosec rockstar vs 87 sprints under a tunnel-visioned SCRUMlord, yrs of 0% slack time & career-driven-development, I know who I'd bet on
Training, tools, even competent engineers are no match for perverse incentives. Infosec is still quick to bash engineers based on flaws in products & assume they don't "get" offense. I too once thought the fix belonged with engineers, maybe training, but let me tell you something: top ~10-20% of devs I've worked with already know how to attack their product, know enough to be training their peers, & given ~months to re-train would easily make better offsec hackers than most that spent ~years..
If you want a more in-depth history of SAT/SMT there is this paper:
h/t Dr. Heidy Khlaaf (@HeidyKhlaaf on birdsite)
"Why don't people use formal methods?" - I really enjoy Hillel Wayne making some of this stuff more accessible to "blue collar" programmers like me
The history on the SMT stuff seems a bit off but otherwise a good writeup on the matter I think
By the time you have your first million lines of code there's easily 100+ person-years invested, surely we can spend a few months mapping this out. I don't know how everyone else feels so great leaning into such massive projects, regardless of language it's in, when the systems engineering/analysis required to meaningfully support such complexity appears to be totally absent from the core development process. I wish this wasn't so hard to sell to people
This year my hobby will be building things to extract data from, analyze and visualize complex software (statically & runtime) to more quickly grok ridiculous codebases comprising complex systems I'm dealing with. Each layer has various independent security controls/confinement that don't always sit very well on the next. Want to more efficiently identify critical/trusted parts, or even just survey what components there are, to reveal actual (rather than communicated) structure. Lots of GraphDBs
"A survey on formal specification and verification of separation kernels" - https://arxiv.org/pdf/1508.07066.pdf
"... This paper presents an overview of formal specification and verification of separation kernels. We first present the background including the concept of separation kernel and the comparisons among different kernels. Then, we survey the state of the art on this topic since 2000. Finally, we summarize research work by detailed comparison and discussion."
A bunch of the niftiest people are making k07cw/Cult of the Cyber Witch, a new hacker zine complete with regex crossword, and you should definitely check it out https://kultofthecyberw.itch.io/kult-of-the-cyber-witch-issue-1
This year I helped directly invite folks to submit, which resulted in some very interesting talks from people who wouldn't have otherwise submitted. But... struggling a bit with strategy on how to approach different networks this time
I wonder if it's possible to estimate the person-hrs that go into a paper; or estimate the total $$$ invested in literature analysing the security of a piece of security-critical software.
The answer is obviously no, unless they cite specific grants
Want to say something about technical debt behind otherwise shiny-looking projects which have had little or no analysis/verification/correctness efforts applied within or outside the project
This should be a quality metric when choosing dependencies
I can't process this Supermicro story yet https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Cue the "we told you so!" brigade.. been agonizing over supply-chain issues for years, but that doesn't make this easier for me to process
Timing of "apple kicking SM from their DCs over BMC security issues" rumours ages ago; nasdaq delisting... if this is BS, that's amazing propaganda effort that I also can't process
Electronics & infosec enthusiast trying to build defendable things. Usually with Linux, embedded or web things. @BSidesCBR helper. I @MakeHackVoid