Archive for the ‘General’ Category

JiaQing Huang, Hao Zheng, and Yue Liu, security researchers at Shanghai Jiao Tong University, explore an uncharted attack surface in VMware’s device virtualization within the VMKernel. Their presentation unveils eight vulnerabilities, three assigned CVEs, discovered through reverse-engineering. JiaQing, Hao, and Yue provide insights into exploiting these flaws, some successfully demonstrated at Tianfu Cup, and discuss their implications for virtual machine security.

Exploring VMware’s VMKernel

JiaQing introduces the VMKernel’s device virtualization, focusing on the virtual machine monitor (vmm) and UserRPC mechanisms that enable communication between the hypervisor and host. Their reverse-engineering, conducted at Shanghai Jiao Tong University, uncovered vulnerabilities in USB and SCSI emulation, revealing a previously unexplored attack surface critical to VMware Workstation and ESXi.

USB System Vulnerabilities

Hao details flaws in the USB system, including the host controller, VUsb middleware, and backend devices. Their analysis identified exploitable issues, such as improper input validation, that could allow attackers to manipulate virtual devices. By exploiting these vulnerabilities, Hao and his team achieved privilege escalation, demonstrating the risks to virtualized environments.

SCSI Emulation Flaws

Yue focuses on the SCSI-related emulation in VMware’s virtual disk system, highlighting differences between Workstation and ESXi. Their discovery of an out-of-bounds write in the unmap command, due to unchecked parameter lengths, caused system crashes. Yue’s analysis underscores design flaws in disk emulation, exposing potential avenues for virtual machine escape.

Mitigating Virtualization Risks

Concluding, JiaQing proposes enhancing sandbox protections and elevating process privileges to prevent exploits. Their work, officially confirmed by VMware, calls for robust mitigation strategies to secure virtual environments. By sharing their findings, JiaQing, Hao, and Yue encourage researchers to explore VMKernel security, strengthening virtualization against emerging threats.

Links:

• Shanghai Jiao Tong University website

Michal Grygarek and Martin Petr, embedded systems security experts at Accenture in Prague, reveal the vulnerabilities of eFuse-based memories used to store sensitive data like encryption keys. Their presentation explores the process of extracting confidential information from these chips using accessible tools, challenging the assumption that eFuse memories are inherently secure. Michal and Martin’s work underscores the need for enhanced protection mechanisms in embedded systems.

Decoding eFuse Vulnerabilities

Martin opens by explaining the role of eFuse memories in securing encryption keys and debugging interfaces. Traditionally considered robust, these memories are susceptible to physical attacks due to their readable properties. Martin details their journey, starting with chip decapsulation using household items like a wet stone, demonstrating that determined attackers can bypass protections without advanced equipment.

Reverse-Engineering Techniques

Michal delves into their methodology, which involved delayering chips to access eFuse data. Using a Scanning Electron Microscope (SEM) rented from a local university, they read encryption keys, breaking the confidentiality of encrypted flash memory. Their approach, supported by Accenture, highlights the ease of extracting sensitive data, as the physical destruction of the chip was not a barrier to recovering firmware.

Implications for Embedded Security

The duo emphasizes the broader implications, noting that eFuse vulnerabilities threaten devices relying on these memories for security. Martin addresses the misconception that delayering is prohibitively complex, showing that basic tools and minimal resources suffice. Their findings, including a giveaway of decapsulated ESP32 chips, encourage hands-on experimentation to understand these risks.

Strengthening Protection Mechanisms

Concluding, Michal advocates for advanced obfuscation techniques and alternative storage solutions to secure sensitive data. Their work, presented at DEF CON 32, calls for vendors to reassess eFuse reliance and implement robust safeguards. By sharing their techniques, Michal and Martin inspire the cybersecurity community to address these overlooked vulnerabilities in embedded systems.

Links:

• Accenture website

Giorgos Anagnostaki and Kostantinos Petropoulos, from IKnowHealth, delivered a concise 15-minute talk at Devoxx Greece 2025, portraying software engineering as a creative process with profound social impact, particularly in healthcare.

Engineering as Art

Anagnostaki likened software engineering to creating art, blending design and problem-solving to build functional systems from scratch. In healthcare, this creativity carries immense responsibility, as their work at IKnowHealth supports radiology departments. Their platform, built for Greece’s national imaging repository, enables precise diagnoses, like detecting cancer or brain tumors, directly impacting patients’ lives. This human connection fuels their motivation, transforming code into life-saving tools.

The Radiology Platform

Petropoulos detailed their cloud-based platform on Azure, connecting hospitals and citizens. Hospitals send DICOM imaging files and HL7 diagnosis data via VPN, while citizens access their medical history through a portal, eliminating CDs and printed reports. The system supports remote diagnosis and collaboration, allowing radiologists to share anonymized cases for second opinions, enhancing accuracy and speeding up critical decisions, especially in understaffed regions.

Technical Challenges

The platform handles 2.5 petabytes of imaging data annually from over 100 hospitals, requiring robust storage and fast retrieval. High throughput (up to 600 requests per minute per hospital) demands scalable infrastructure. Front-end challenges include rendering thousands of DICOM images without overloading browsers, while GDPR-compliant security ensures data privacy. Integration with national health systems added complexity, but the platform’s impact—illustrated by Anagnostaki’s personal story of his father’s cancer detection—underscores its value.

Links

• IKnowHealth
• Devoxx Greece

Xiling Gong and Eugene Rodionov, security researchers at Google, delve into the vulnerabilities of Qualcomm’s Adreno GPU, a critical component in Android devices. Their presentation uncovers nine exploitable flaws leading to kernel code execution, demonstrating a novel exploit method that bypasses Android’s CFI and W^X mitigations. Xiling and Eugene’s work highlights the risks in GPU drivers and proposes actionable mitigations to enhance mobile security.

Uncovering Adreno GPU Vulnerabilities

Xiling opens by detailing their analysis of the Adreno GPU kernel module, prevalent in Qualcomm-based devices. Their research identified nine vulnerabilities, including race conditions and integer overflows, exploitable from unprivileged apps. These flaws, discovered through meticulous fuzzing, expose the GPU’s complex attack surface, making it a prime target for local privilege escalation.

Novel Exploit Techniques

Eugene describes their innovative exploit method, leveraging GPU features to achieve arbitrary physical memory read/write. By exploiting a race condition, they achieved kernel code execution with 100% success on a fully patched Android device. This technique bypasses Control-flow Integrity (CFI) and Write XOR Execute (W^X) protections, demonstrating the potency of GPU-based attacks and the need for robust defenses.

Challenges in GPU Security

The duo highlights the difficulties in securing GPU drivers, which are accessible to untrusted code and critical for performance. Xiling notes that Android’s reliance on in-process GPU handling, unlike isolated IPC mechanisms, exacerbates risks. Their fuzzing efforts, tailored for concurrent code, revealed the complexity of reproducing and mitigating these vulnerabilities, underscoring the need for advanced testing.

Proposing Robust Mitigations

Concluding, Eugene suggests moving GPU operations to out-of-process handling and adopting memory-safe languages to reduce vulnerabilities. Their work, published via Google’s Android security research portal, calls for vendor action to limit attack surfaces. By sharing their exploit techniques, Xiling and Eugene inspire the community to strengthen mobile security against evolving threats.

Links:

• Google Android Security website

Eliot Andres, co-founder and CTO of Photoroom, chronicled the odyssey of bespoke vision at DotAI 2024. With nine years honing deep learning for e-commerce elixirs, Andres propelled Photoroom’s ascent—YC S20 alumna serving global galleries. His narrative dissected in-house genesis over off-the-shelf oracles, unveiling diffusion’s dawn-to-dusk: bespoke blueprints, data distillations, compute conquests, and feedback forges yielding thrice-swift sorcery for millions.

Forging Foundations Beyond Borrowed Blueprints

Andres interrogated imitation’s insufficiency: Stable Diffusion’s splendor suits savants, yet falters for Photoroom’s precinct—product portraits purged of props, shadows sculpted sans seams. Off-the-shelf oracles, he observed, ossify on outliers: e-commerce ephemera demands domain devotion.

Thus, genesis from void: custom cascades commencing with chromatic chaos—splashes sans structure—escalating to entity emergence post-thousand-hour tutelage, culminating in crystalline compositions after 40,000 epochs. Andres attributed ascent to architectural autonomy: latent labyrinths laced with proprietary priors, data distilled from decamillions of dealer dossiers—curated for commerce’s cadence.

Compute’s crucible: H100 hordes harnessed in harmonious herds, mitigating mishaps via meticulous monitoring—gradient guardians averting gradients’ ghosts.

Navigating Novelties and Nurturing at Nascent

Andres aired adversities: data’s deluge demands discernment—deduping dross, equilibrating epochs—while scaling summons stability, feedback’s fount from frontline forges finessing flaws. Photoroom’s polity: purveyors as partners, iterating on idiosyncrasies like luminous lapses or artifact anomalies.

Deployment’s decree: distillation’s dual dance—LCM’s leapfrog lessons compressing cascades to sprints—and TensorRT’s transmutations, fusing fluxions for fleet-footed fruition, doubling dispatch sans diminishment.

FR 2030’s fellowship fuels forthcoming: grander guardians, verisimilar visions—velocity unyielding. Andres beckoned bibliophiles to GitHub’s groves: datasets as doorways, teams as talismans—collaborative conquests crowning communal code.

In tableau, Andres toasted tandemry: machine learning’s mosaic, indivisible from ingenuity’s impetus—Photoroom’s pantheon, propelling pixels to panoramas.

Links:

• Photoroom Website
• Eliot Andres on LinkedIn

Prototype pollution is one of those vulnerabilities that many developers have heard about, but few fully understand—or guard against. It’s sneaky, dangerous, and more common than you’d think, especially in JavaScript and Node.js applications.

This post breaks down what prototype pollution is, how it can be exploited, how to detect it, and most importantly, how to fix it.

What Is Prototype Pollution?

In JavaScript, all objects inherit from Object.prototype by default. If an attacker can modify that prototype via user input, they can change how every object behaves.

This is called prototype pollution, and it can:

• Alter default behavior of native objects
• Lead to privilege escalation
• Break app logic in subtle ways
• Enable denial-of-service (DoS) or even remote code execution in some cases

Real-World Exploit Example

const payload = JSON.parse('{ "__proto__": { "isAdmin": true } }');
Object.assign({}, payload);

console.log({}.isAdmin); // → true 

Now, any object in your app believes it’s an admin. That’s the essence of prototype pollution.

How to Detect It

✅ Static Code Analysis

• ESLint
  • Use plugins like eslint-plugin-security or eslint-plugin-no-prototype-builtins
• Semgrep
  • Detect unsafe merges with custom rules

Dependency Scanning

• npm audit, yarn audit, or tools like Snyk, OWASP Dependency-Check
• Many past CVEs (e.g., Lodash < 4.17.12) were related to prototype pollution

Manual Testing

Try injecting:

{ "__proto__": { "injected": true } }

Then check if unexpected object properties appear in your app.

️ How to Fix It

1. Sanitize Inputs

Never allow user input to include dangerous keys:

• __proto__
• constructor
• prototype

2. Avoid Deep Merge with Untrusted Data

Use libraries that enforce safe merges:

• deepmerge with safe mode
• Lodash >= 4.17.12

3. Write Safe Merge Logic

function safeMerge(target, source) {
  for (let key in source) {
    if (!['__proto__', 'constructor', 'prototype'].includes(key)) {
      target[key] = source[key];
    }
  }
  return target;
}

4. Use Secure Parsers

• secure-json-parse
• @hapi/hoek

TL;DR

‍ Final Thoughts

Prototype pollution isn’t just a theoretical risk. It has appeared in real-world vulnerabilities in major libraries and frameworks.

If your app uses JavaScript—on the frontend or backend—you need to be aware of it.

Share this post if you work with JavaScript.
️ Found something similar in your project? Let’s talk.

#JavaScript #Security #PrototypePollution #NodeJS #WebSecurity #DevSecOps #SoftwareEngineering

Kent C. Dodds, in his dynamic 22-minute talk at Devoxx Greece 2025, explored how Model Context Protocols (MCPs) enable AI assistants to interact with applications, envisioning a future where users have their own “Jarvis” from Iron Man.

The Vision of Jarvis

Dodds opened with a clip from Iron Man, showcasing Jarvis performing tasks like compiling databases, generating UI, and creating flight plans. He posed a question: why don’t we have such assistants today? Current technologies, like Google Assistant or Siri, fall short due to limited integrations. Dodds argued that MCPs, a standard protocol supported by Anthropic, OpenAI, and Google, bridge this gap by enabling AI to communicate with diverse services, from Slack to local government platforms, transforming user interaction.

MCP Architecture

MCPs sit between the host application (e.g., ChatGPT, Claude) and service tools, allowing seamless communication. Dodds explained that LLMs generate tokens but rely on host applications to execute actions. MCP servers, managed by service providers, connect to tools, enabling users to install them like apps. In a demo, Dodds showed an MCP server for his website, allowing an AI to search blog posts and subscribe users to newsletters, though client-side issues hindered reliability, highlighting the need for improved user experiences.

Challenges and Future

The primary challenge is the poor client experience for installing MCP servers, currently requiring manual JSON configuration. Dodds predicted a marketplace or auto-discovery system to streamline this, likening MCPs to the internet’s impact. Security concerns, similar to early browsers, need addressing, but Dodds sees AI hosts as the new browsers, promising a future where personalized AI assistants handle complex tasks effortlessly.

Links

• Kent C. Dodds’ Website
• Model Context Protocol GitHub
• Devoxx Greece

Reusing Rust Code in Web Applications

WebAssembly (WASM) has emerged as a transformative technology for reusing backend code in web applications, offering portability and performance across platforms. At OxidizeConf2024, Georg Semmler and Jonas Klein from Giga Infosystems presented a compelling case study on leveraging Rust and WebAssembly to enhance a geological subsurface modeling system. Their project, developed for a German federal agency, involved reusing computationally intensive Rust code for generating virtual boreholes in both backend systems and a 3D web viewer, showcasing WebAssembly’s potential to bridge backend and frontend development.

The GST system, comprising a Rust-based backend, a TypeScript-based web application, and a desktop client, manages large geological models with millions of triangles. Georg and Jonas explained how the virtual borehole feature, which calculates intersections between a cylindrical probe and subsurface layers, was initially implemented in Rust for the backend. By compiling this code to WebAssembly, they enabled the same functionality in the web viewer, allowing users to validate models against real-world data in real time, a critical requirement for geological analysis.

Implementing WebAssembly Workflows

The implementation process involved several key steps, which Georg detailed with clarity. The team used the wasm32 target to compile Rust code into WebAssembly binaries, leveraging Rust’s robust tooling, including Cargo and wasm-bindgen. This library facilitated seamless integration with JavaScript, enabling type-safe communication between the Rust code and the web application. To avoid blocking the main thread, the team employed web workers and Comlink, a library that simplifies worker communication, alongside shared array buffers to minimize data copying.

Performance comparisons underscored WebAssembly’s advantages. For a small model with 300,000 triangles, the Rust-WebAssembly implementation computed intersections in 7 milliseconds, compared to 100 milliseconds for an unoptimized TypeScript version. For larger models, the performance gap widened, with WebAssembly significantly outperforming TypeScript due to its native execution speed. However, Jonas noted challenges, such as WebAssembly’s 2GB memory limit, which required careful optimization of data structures to handle large geometries.

Real-World Impact and Future Directions

The adoption of WebAssembly in the GST system has profound implications for geological applications, particularly in public communication and geothermal energy exploration. Jonas highlighted use cases like visualizing radioactive waste disposal sites and assessing subsurface potential, which benefit from the system’s ability to handle complex 3D models. The team’s success in reusing Rust code across platforms demonstrates WebAssembly’s potential to streamline development, reduce duplication, and enhance performance.

Looking forward, Georg and Jonas plan to optimize memory usage further and explore additional WebAssembly use cases, such as integrating game logic for interactive visualizations. Their work underscores the importance of community collaboration, with contributions to open-source WebAssembly tools enhancing the ecosystem. By sharing their approach, they inspire developers to leverage Rust and WebAssembly for efficient, reusable code in data-intensive applications.

Links:

• Giga Infosystems company website

Alexander Rubin and Martin Rakhmanov, security engineers at Amazon Web Services’ RDS Red Team, present a groundbreaking MySQL honeypot designed to counterattack malicious actors. Leveraging vulnerabilities CVE-2023-21980 and CVE-2024-21096, their “Atomic Honeypot” exploits attackers’ systems, uncovering new attack vectors. Alexander and Martin demonstrate how this active defense mechanism turns the tables on adversaries targeting database servers.

Designing an Active Defense Honeypot

Alexander introduces the Atomic Honeypot, a high-interaction MySQL server that mimics legitimate databases to attract bots. Unlike passive honeypots, this system exploits vulnerabilities in MySQL’s client programs (CVE-2023-21980) and mysqldump utility (CVE-2024-21096), enabling remote code execution on attackers’ systems. Their approach, detailed at DEF CON 32, uses a chain of three vulnerabilities, including an arbitrary file read, to analyze and counterattack malicious code.

Exploiting Attacker Systems

Martin explains the technical mechanics, focusing on the MySQL protocol’s server-initiated nature, which allows their honeypot to manipulate client connections. By crafting a rogue server, they executed command injections, downloading attackers’ Python scripts designed for brute-forcing passwords and data exfiltration. This enabled Alexander and Martin to study attacker behavior, uncovering two novel MySQL attack vectors.

Ethical and Practical Implications

The duo addresses the ethical considerations of active defense, emphasizing responsible use to avoid collateral damage. Their honeypot, which requires no specialized tools and can be set up with a vulnerable MySQL instance, empowers researchers to replicate their findings. However, Martin notes that Oracle’s recent patches may limit the window for experimentation, urging swift action by the community.

Future of Defensive Security

Concluding, Alexander advocates for integrating active defense into cybersecurity strategies, highlighting the honeypot’s ability to provide actionable intelligence. Their work, supported by AWS, inspires researchers to explore innovative countermeasures, strengthening database security against relentless bot attacks. By sharing their exploit chain, Alexander and Martin pave the way for proactive defense mechanisms.

Links:

• Alexander Rubin on LinkedIn
• Amazon Web Services website
• Atomic Honeypot website

Unlocking the Power of Apache Parquet: A Modern Standard for Data Efficiency

In today’s digital ecosystem, where data volume, velocity, and variety continue to rise, the choice of file format can dramatically impact performance, scalability, and cost. Whether you are an architect designing a cloud-native data platform or a developer managing analytics pipelines, Apache Parquet stands out as a foundational technology you should understand — and probably already rely on.

This article explores what Parquet is, why it matters, and how to work with it in practice — including real examples in Python, Java, Node.js, and Bash for converting and uploading files to Amazon S3.

What Is Apache Parquet?

Apache Parquet is a high-performance, open-source file format designed for efficient columnar data storage. Originally developed by Twitter and Cloudera and now an Apache Software Foundation project, Parquet is purpose-built for use with distributed data processing frameworks like Apache Spark, Hive, Impala, and Drill.

Unlike row-based formats such as CSV or JSON, Parquet organizes data by columns rather than rows. This enables powerful compression, faster retrieval of selected fields, and dramatic performance improvements for analytical queries.

Why Choose Parquet?

✅ Columnar Format = Faster Queries

Because Parquet stores values from the same column together, analytical engines can skip irrelevant data and process only what’s required — reducing I/O and boosting speed.

Compression and Storage Efficiency

Parquet achieves better compression ratios than row-based formats, thanks to the similarity of values in each column. This translates directly into reduced cloud storage costs.

Schema Evolution

Parquet supports schema evolution, enabling your datasets to grow gracefully. New fields can be added over time without breaking existing consumers.

Interoperability

The format is compatible across multiple ecosystems and languages, including Python (Pandas, PyArrow), Java (Spark, Hadoop), and even browser-based analytics tools.

☁️ Using Parquet with Amazon S3

One of the most common modern use cases for Parquet is in conjunction with Amazon S3, where it powers data lakes, ETL pipelines, and serverless analytics via services like Amazon Athena and Redshift Spectrum.

Here’s how you can write Parquet files and upload them to S3 in different environments:

From CSV to Parquet in Practice

Python Example

import pandas as pd

# Load CSV data
df = pd.read_csv("input.csv")

# Save as Parquet
df.to_parquet("output.parquet", engine="pyarrow")

To upload to S3:

import boto3

s3 = boto3.client("s3")
s3.upload_file("output.parquet", "your-bucket", "data/output.parquet")

Node.js Example

Install the required libraries:

npm install aws-sdk

Upload file to S3:

const AWS = require('aws-sdk');
const fs = require('fs');

const s3 = new AWS.S3();
const fileContent = fs.readFileSync('output.parquet');

const params = {
    Bucket: 'your-bucket',
    Key: 'data/output.parquet',
    Body: fileContent
};

s3.upload(params, (err, data) => {
    if (err) throw err;
    console.log(`File uploaded successfully at ${data.Location}`);
});

☕ Java with Apache Spark and AWS SDK

In your pom.xml, include:

<dependency>
    <groupId>org.apache.parquet</groupId>
    <artifactId>parquet-hadoop</artifactId>
    <version>1.12.2</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-s3</artifactId>
    <version>1.12.470</version>
</dependency>

Spark conversion:

Dataset<Row> df = spark.read().option("header", "true").csv("input.csv");
df.write().parquet("output.parquet");

Upload to S3:

AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withRegion("us-west-2")
    .withCredentials(new AWSStaticCredentialsProvider(
        new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY")))
    .build();

s3.putObject("your-bucket", "data/output.parquet", new File("output.parquet"));

Bash with AWS CLI

aws s3 cp output.parquet s3://your-bucket/data/output.parquet

Final Thoughts

Apache Parquet has quietly become a cornerstone of the modern data stack. It powers everything from ad hoc analytics to petabyte-scale data lakes, bringing consistency and efficiency to how we store and retrieve data.

Whether you are migrating legacy pipelines, designing new AI workloads, or simply optimizing your storage bills — understanding and adopting Parquet can unlock meaningful benefits.

When used in combination with cloud platforms like AWS, the performance, scalability, and cost-efficiency of Parquet-based workflows are hard to beat.