Recent Posts
Archives

Archive for the ‘General’ Category

PostHeaderIcon [AWSReInventPartnerSessions2024] Mastering Cloud Security through CNAPP Maturity: A Ten-Phase Iterative Framework

Lecturer

Leor Hasson serves as Director of Cloud Security Advocacy at Tenable, guiding organizations toward unified exposure management across cloud-native environments.

Abstract

This analytical treatment conceptualizes cloud-native application protection platforms (CNAPP) as evolutionary synthesis beyond CSPM, CWPP, CIEM, and DSPM fragmentation. It articulates cloud-specific security challenges—novel attack vectors, expertise scarcity, tool proliferation, collaboration intensity—and programmatic opportunities. A structured ten-phase iterative progression guides advancement from inventory to automated remediation, emphasizing contextual risk prioritization through Tenable One’s hybrid attack path visualization.

Cloud Security Challenges and Programmatic Opportunities

Cloud computing introduces unprecedented attack surfaces, nascent practitioner expertise, overwhelming toolsets, and intensified cross-functional requirements. Yet programmatic access to configurations and logs, combined with delegated responsibility, unlocks automation potential.

CNAPP unifies visibility across workloads, infrastructure, identities, networks, and sensitive data. Tenable integrates AWS, multi-cloud, identity providers, CI/CD pipelines, and third-party systems.

Ten-Phase Iterative Maturity Pathway

The non-linear progression includes:

  1. Asset Inventory – Comprehensive discovery
  2. Contextual Exposure – Risk differentiation (public PII vs. isolated)
  3. Actionable Remediation – Executable fixes

Advanced phases: IAM Least Privilege (over-permission detection), Network Exposure Graphing, Data Classification, Vulnerability-Exploitability Correlation, IaC Scanning (Terraform instantiation risks), Malicious Code Detection, Automated Ticketing/Webhooks.

\# IaC risk example
resource "aws_s3_bucket" "sensitive" {
  bucket = "confidential-data"
  acl    = "public-read"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

Tenable One correlates cloud findings with endpoint vulnerabilities, tracing access keys from developer machines to sensitive data.

Organizational Implications

Contextual prioritization compresses exposure; hybrid visibility prevents lateral movement. Implications include accelerated maturity, resource optimization, and regulatory alignment.

Links:

PostHeaderIcon [DefCon32] Manipulating Shim and Office for Code Injection

The Windows ecosystem harbors hidden attack surfaces, and security researchers Ron Ben-Yizhak and David Shandalov from Deep Instinct unveil a sophisticated technique to exploit them. By manipulating the Application Compatibility Framework (shim) and OfficeClickToRun service, they achieve stealthy code injection and privilege escalation without traditional traces like registry modifications. Their reverse engineering of undocumented APIs and kernel drivers reveals novel methods to subvert system defenses, challenging assumptions about patched vulnerabilities.

Reviving the Shim Attack Surface

Ron introduces the Application Compatibility Framework, designed to ensure legacy software runs on modern Windows systems. The shim infrastructure, managed by a kernel driver, applies runtime fixes to processes. By exploiting undocumented APIs, Ron and David craft a malicious shim that injects code without disk-based evidence, evading detection by endpoint detection and response (EDR) systems. This approach, applied to 64-bit processes, bypasses traditional monitoring, as injection occurs before EDR hooks are established.

Exploiting OfficeClickToRun for Escalation

David details their attack surface research on OfficeClickToRun.exe, a service running as NT AUTHORITY\SYSTEM. By leveraging its undocumented RPC interfaces and Opportunistic Lock (OpLock) mechanisms, they inject a DLL into a high-privilege process, achieving escalation. This method requires specific conditions, which they meticulously engineered, demonstrating the power of combining disparate system components into a cohesive attack vector.

Methodology and Community Collaboration

The duo’s methodology hinges on deep reverse engineering, analyzing shim data structures and AVL tables to manipulate process behavior. They modernize a previously known technique, making it registry-free and elusive. Ron and David share their tools’ source code, inviting the community to refine these attacks and explore additional shim fixes. Their findings highlight the potential for OpLock and shim mechanisms to serve as building blocks for complex, multi-component attacks.

Defensive Measures and Future Research

To counter these threats, Ron and David urge developers to monitor early-stage process injections and scrutinize undocumented APIs. They encourage further exploration of shim data structures and AVL table manipulations, which could yield new attack vectors. By open-sourcing their tools, they foster collaborative advancements in offensive security, aiming to strengthen Windows defenses against such stealthy techniques.

Links:

PostHeaderIcon [DefCon32] Sudos and Sudon’ts: Peering Inside Sudo for Windows

In a groundbreaking move, Microsoft introduced Sudo for Windows in February 2024, bringing a Unix-like privilege elevation mechanism to Windows 11 Insider Preview. Michael Torres, a security researcher at Google, delves into the architecture of this novel feature, exploring its implementation, inter-process communication, and potential vulnerabilities. Michael’s analysis, rooted in reverse engineering and Rust’s interaction with Windows APIs, uncovers security flaws that challenge the tool’s robustness. His open-source approach invites the community to scrutinize and enhance Sudo for Windows, ensuring it balances usability with security.

Understanding Sudo for Windows

Michael begins by demystifying Sudo for Windows, a utility designed to allow users to execute commands with elevated permissions directly from a non-elevated console. Unlike its Unix counterpart, it leverages User Account Control (UAC) for elevation and Advanced Local Procedure Call (ALPC) for communication between processes. Available in Windows 11 version 24H2, the tool supports three configurations: running commands in a new window, disabling input in the current window, or inline execution akin to Linux sudo. Michael highlights its open-source nature, hosted on GitHub, which enables researchers to dissect its codebase for potential weaknesses.

Security Implications and Rust Challenges

Delving into the technical intricacies, Michael examines how Sudo for Windows interoperates with Windows APIs through Rust, a language touted for memory safety. However, invoking native Windows APIs requires “unsafe” Rust code, introducing risks of memory corruption vulnerabilities—counterintuitive to Rust’s safety guarantees. He identifies non-critical issues reported to Microsoft’s Security Response Center (MSRC) and one embargoed vulnerability, emphasizing the need for rigorous scrutiny. For bug hunters, Michael advises focusing on unsafe Rust boundaries, where Windows API calls create exploitable seams.

Path Resolution and Process Coordination

Michael explores the path resolution process, critical for handling file and relative path inputs in Sudo for Windows. The tool’s reliance on ALPC for coordinating elevated and non-elevated processes introduces complexity, as it must maintain secure communication across privilege boundaries. Missteps in path handling or process elevation could lead to unintended escalations, a concern Michael flags for further investigation. His analysis underscores the delicate balance between functionality and security in this new feature.

Community Engagement and Future Directions

Encouraging community involvement, Michael praises the open-source release, urging researchers to probe the codebase for additional vulnerabilities. As Sudo for Windows rolls out to mainline Windows 11, its adoption could reshape administrative workflows, but only if security holds. He advocates for responsible bug hunting to prevent malicious exploitation, ensuring the tool delivers on its promise of seamless elevation without compromising system integrity.

Links:

PostHeaderIcon [NDCOslo2024] Get Old, Go Slow, Write Code! – Tobias Modig

In the inexorable march toward maturity within the software realm, where velocity often eclipses wisdom, Tobias Modig, a veteran developer and agile enthusiast, delivers a defiant ode to senescence and serenity. With decades of debugging and deployment under his belt, Tobias dismantles the dread of obsolescence, championing the virtues of deliberate deliberation over frenetic fervor. His manifesto, infused with humor and historical homage, reframes aging as an asset, urging seasoned coders to linger in their craft, cultivating depth that outlasts the dash of youth.

Tobias sets the stage with three audacious aims: extol the merits of maturation, extol the elegance of unhurried execution, and exhort eternal engagement with the keyboard. He concedes the tribulations of tenure—framework flux, fledgling fluency—yet counters with conviction: the elder’s edge lies in equanimity, a measured mastery that millennials might mistake for malaise. Drawing from personal peregrinations, Tobias recounts races against rookies, where haste harvested hazards, while patience polished prowess.

Embracing Maturity: The Gifts of Graying Grace

Aging, Tobias asserts, accrues acuity: accumulated anecdotes afford anticipation of anomalies, sparing the squad from snafus. He invokes the Peter Principle’s peril—that of ascending to incompetence—warning against the siren song of supervisory seclusion. Developers, he declares, thrive in trenches, where tactile troubleshooting trumps theoretical tenure. His anecdote: a mid-career pivot to management, marred by monotony, until a return to roots reignited rapture.

Deliberation distinguishes the doyenne: novices navigate novelties nimbly, yet veterans vet viability, averting avoidable adventures. Tobias’s tenet: slowness safeguards sustainability, yielding code that’s not just correct but crafted with care, comprehensible to cohorts centuries hence.

Deliberate Deliberation: The Delights of Dawdling Development

Haste, Tobias laments, harbors hubris: crammed calendars court catastrophe, as unforeseen exigencies eclipse equilibrium. He likens laden ledgers to jammed junctions—a single snag spawns stalemates. His remedy: infuse interstices—unallocated intervals for introspection, ideation, or intercession—transforming tension into tranquility.

This tempo tempers teams: slack spaces spawn serendipity, where neighboring novices nurture under seasoned scrutiny, sans overtime’s overhang. Tobias’s triumph: a project propelled by pauses, where prototypes pondered yielded paradigms that persisted, proving premeditation’s primacy.

Perpetual Pursuit: Coding as Continuum

Tobias’s triad culminates in commitment: code ceaselessly, defying the drift to desks. He bewails the “developer lifecycle”—from coder to curator to custodian—as a cul-de-sac of creativity. His exhortation: evade elevation, or equilibrate it with engagements that endure—pairing, mentoring, moonlighting.

His horizon: harness hoariness as hegemony, letting longevity lead, as the world whirls while wisdom waits.

Links:

PostHeaderIcon [DefCon32] Spies and Bytes: Victory in the Digital Age

Cyber warfare reshapes global security, demanding agility and collaboration. General Paul M. Nakasone, retired U.S. Army and former director of the NSA and U.S. Cyber Command, shares insights from his career defending against nation-state hackers. His narrative, rooted in real-world operations, highlights strategies for securing critical infrastructure and countering sophisticated threats. Now founding director of Vanderbilt University’s Institute for National Security, Paul envisions a future where adaptive cyber strategies and new leadership tackle emerging challenges.

Paul’s experiences, from thwarting cyberattacks to fostering international alliances, underscore the importance of transparency and intelligence sharing. His forward-looking vision emphasizes resilience and interdisciplinary approaches to safeguard the digital frontier.

Defending Against Nation-State Threats

Paul recounts operations against adversaries like China and Russia, where rapid intelligence sharing thwarted attacks on U.S. infrastructure. As NSA director, he prioritized real-time collaboration with allies, disrupting cyber campaigns targeting elections and utilities.

These efforts highlight the need for dynamic defenses, adapting to adversaries’ evolving tactics in a borderless digital battlefield.

Building Resilient Cyber Defenses

At U.S. Cyber Command, Paul oversaw strategies integrating offensive and defensive operations. He describes fortifying critical systems, like power grids, through persistent engagement—proactively disrupting attacker infrastructure. Partnerships with private sectors, including tech giants, amplified these efforts, leveraging collective expertise.

Transparency in operations, he argues, builds trust and deters adversaries, a lesson drawn from high-stakes missions.

The Role of Intelligence and Alliances

International cooperation was central to Paul’s tenure. Alliances with NATO and Five Eyes nations enabled coordinated responses to threats, such as ransomware campaigns. Intelligence-driven operations, blending human and technical sources, provided actionable insights, often preventing attacks before they materialized.

This collaborative model sets a benchmark for future cyber defense, emphasizing shared responsibility.

Shaping the Future of Cybersecurity

At Vanderbilt, Paul aims to cultivate young leaders through the Institute for National Security, launching in October 2025. By integrating AI, cybersecurity, and decision-making, the institute addresses the industry’s age gap, where most professionals are over 50. He invites the DEF CON community to join, fostering innovation through partnerships and open dialogue.

Links:

PostHeaderIcon [DevoxxBE2024] AI and Code Quality: Building a Synergy with Human Intelligence by Arthur Magne

In a session at Devoxx Belgium 2024, Arthur Magne, CPO and co-founder of Packmind, explored how AI can enhance code quality when guided by human expertise. Addressing the rapid rise of AI-generated code through tools like GitHub Copilot, Arthur highlighted the risks of amplifying poor practices and the importance of aligning AI outputs with team standards. His talk showcased Packmind’s approach to integrating AI with human-defined best practices, enabling teams to maintain high-quality, maintainable code while leveraging AI’s potential to accelerate learning and enforce standards.

The Double-Edged Sword of AI in Software Development

Arthur opened with Marc Andreessen’s 2011 phrase, “Software is eating the world,” updating it to reflect AI’s current dominance in code generation. Tools like GitHub Copilot and Codium produce vast amounts of code, but their outputs reflect the quality of their training data—often outdated or flawed, as noted by Veracode’s Chris Wysopal. A 2024 Uplevel study found 41% more bugs in AI-assisted code among 800 developers, and GitLab’s 2023 report showed a 100% increase in code churn since AI’s rise in 2022, indicating potential technical debt. Arthur argued that while AI boosts individual productivity (88% of developers feel faster, per GitHub), team-level benefits are limited without proper guidance, as code reviews and bug fixes offset time savings.

The Role of Human Guidance in AI-Driven Development

AI lacks context about team-specific practices, such as security, accessibility, or architecture preferences, leading to generic or suboptimal code. Arthur emphasized the need for human guidance to steer AI outputs. By explicitly defining best practices—covering frameworks like Spring, security protocols, or testing strategies—teams can ensure AI generates code aligned with their standards. However, outdated documentation, like neglected Confluence pages, can mislead AI, amplifying hidden issues. Arthur advocated for a critical human-in-the-loop approach, where developers validate AI suggestions and integrate company context to produce high-quality, maintainable code.

Packmind’s Solution: AI as a Technical Coach

Packmind, a tool developed over four years, acts as an IDE and browser extension for platforms like GitHub and GitLab, enabling teams to define and share best practices. Arthur demonstrated how Packmind identifies practices during code reviews, such as preferring flatMap over for loops with concatenation in TypeScript or Java for performance. Developers can flag negative examples (e.g., inefficient loops) or positive ones (e.g., standardized loggers) and create structured practice descriptions with AI assistance, including “what,” “why,” and “how to fix” sections. These practices are validated through team discussions or communities of practice, ensuring consensus before enforcement. Packmind’s AI suggests improvements, generates guidelines, and integrates with tools like GitHub Copilot to produce code adhering to team standards.

Enforcing Standards and Upskilling Teams

Once validated, practices are enforced via Packmind’s IDE extension, which flags violations and suggests fixes tailored to team conventions, akin to a customized SonarQube. For example, a team preferring TestNG over JUnit can configure AI to generate compliant test cases. Arthur highlighted Packmind’s role in upskilling, allowing junior developers to propose practices and learn from team feedback. AI-driven practice reviews, conducted biweekly or monthly, foster collaboration and spread expertise across organizations. Studies cited by Arthur suggest that teams using AI without understanding underlying practices struggle to maintain code post-project, underscoring the need for AI to augment, not replace, human expertise.

Balancing Productivity and Long-Term Quality

Quoting Kent Beck, Arthur noted that AI automates 80% of repetitive tasks, freeing developers to focus on high-value expertise. Packmind’s process ensures AI amplifies team knowledge rather than generic patterns, reducing code review overhead and technical debt. By pushing validated practices to tools like GitHub Copilot, teams achieve consistent, high-quality code. Arthur concluded by stressing the importance of explicit standards and critical evaluation to harness AI’s potential, inviting attendees to discuss further at Packmind’s booth. His talk underscored a synergy where AI accelerates development while human intelligence ensures lasting quality.

Links:

PostHeaderIcon [DefCon32] Redefining V2G: How to Use Your Vehicle as a Game Controller

Modern vehicles, intricate networks of computers on wheels, offer more than mobility—they can become game controllers. Timm Lauser and Jannis Hamborg, researchers from P3 Group, present Vehicle-to-Game (V2G), a Python-based project that transforms cars into Bluetooth gamepads. By leveraging the CAN bus or OBD2 port, V2G maps vehicle inputs like steering or pedals to game controls, blending automotive hacking with playful innovation.

Timm and Jannis, driven by curiosity about vehicle networks, developed V2G to run on laptops or Raspberry Pi Zero WH, requiring reverse-engineering of CAN messages or UDS diagnostics. Their work, accessible via a public GitHub repository, invites enthusiasts to explore car interfaces while highlighting the accessibility of automotive security research.

Understanding Vehicle Networks

Timm explains vehicle architectures, where CAN buses and diagnostic ports like OBD2 facilitate communication between ECUs. V2G intercepts signals from components like the steering wheel or accelerator, translating them into gamepad inputs. This requires understanding proprietary CAN messages, often unique to each vehicle model.

Their Volkswagen ID.3 demo showcases real-time mapping of driving inputs to game controls, illustrating the project’s practicality.

Building the V2G Framework

Jannis details V2G’s implementation, using Python to interface with CAN buses via affordable hardware. The framework supports Bluetooth gamepad emulation, allowing cars to control games like racing simulators. Reverse-engineering CAN signals, though labor-intensive, is achievable with tools like CAN-utils, making V2G adaptable to various vehicles.

The open-source release encourages community contributions, with QR codes linking to the repository for further development.

Creative Applications and Challenges

Beyond gaming, V2G sparks interest in automotive interfaces, such as heads-up display integration. Timm and Jannis explore connecting to in-car screens via adapters, though cost remains a barrier. Flight simulator mapping, suggested by an audience member, highlights V2G’s versatility for unconventional inputs.

Challenges include model-specific CAN protocols and hardware costs, but the project lowers barriers for hobbyists and researchers.

Implications for Automotive Security

While playful, V2G underscores the accessibility of vehicle networks, a double-edged sword for security. Exposed interfaces like OBD2 ports are potential attack vectors, urging manufacturers to secure diagnostic communications. Timm and Jannis advocate responsible exploration, fostering learning without compromising safety.

Links:

PostHeaderIcon [DevoxxGR2025] Optimized Kubernetes Scaling with Karpenter

Alex König, an AWS expert, delivered a 39-minute talk at Devoxx Greece 2025, exploring how Karpenter enhances Kubernetes cluster autoscaling for speed, cost-efficiency, and availability.

Karpenter’s Dynamic Autoscaling

König introduced Karpenter as an open-source, Kubernetes-native autoscaling solution, contrasting it with the traditional Cluster Autoscaler. Unlike the latter, which relies on uniform node groups (e.g., nodes with four CPUs and 16GB RAM), Karpenter uses the EC2 Fleet API to dynamically provision nodes tailored to workload needs. For instance, if a pod requires one CPU, Karpenter allocates a node with minimal excess capacity, avoiding resource waste. This right-sizing, combined with groupless scaling, enables faster and more cost-effective scaling, especially in dynamic environments.

Ensuring Availability with Constraints

König addressed availability challenges reported by users, emphasizing Kubernetes-native scheduling constraints to mitigate disruptions. Topology spread constraints distribute pods across availability zones, reducing the risk of downtime if a node fails. Pod disruption budgets, affinity/anti-affinity rules, and priority classes further ensure critical workloads are scheduled appropriately. For stateful workloads using EBS, König recommended setting the volume binding mode to “wait for first consumer” to avoid pod-volume mismatches across zones, preventing crashes and ensuring reliability.

Integrating with KEDA for Application Scaling

For advanced scaling, König highlighted combining Karpenter with KEDA for event-driven, application-specific scaling. KEDA scales pods based on metrics like Kafka topic sizes or SQS queues, beyond CPU/memory. Karpenter then provisions nodes for pending pods, enabling seamless scaling for workloads like flash sales. König outlined a four-step migration from Cluster Autoscaler to Karpenter, emphasizing its simplicity and open-source documentation.

Links

PostHeaderIcon [DefCon32] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls

Email addresses, seemingly mundane, harbor complexities that can unravel security controls. Gareth Heyes, a security researcher at PortSwigger, exposes how arcane RFC standards governing email parsing enable attackers to bypass access controls. By crafting RFC-compliant email addresses, Gareth demonstrates spoofing domains, accessing internal systems, and executing blind CSS injection. His toolkit, integrated with Burp Suite, automates these attacks, revealing vulnerabilities in applications and libraries.

Gareth’s exploration, rooted in parser discrepancies, shows how seemingly valid emails can route to unintended destinations, undermining Zero Trust architectures. His methodology and open-source tools empower researchers to probe email-handling systems, urging developers to fortify defenses against these subtle yet potent attacks.

The Chaos of Email RFCs

Gareth begins with the convoluted RFCs defining email syntax, which allow exotic encodings like Unicode overflows and encoded words. These standards, often misunderstood, lead to parser inconsistencies. For example, an email ending in @example.com might route elsewhere due to mishandled Unicode or Punycode, breaking domain-based authorization.

Case studies illustrate real-world exploits, including bypassing employee-only registrations and accessing internal systems by exploiting parser flaws.

Exploiting Parser Discrepancies

Using tools like Hackverter and Turbo Intruder, Gareth automates the generation of malicious email addresses. His Punycode fuzzer, for instance, substitutes placeholders with random characters, uncovering exploitable parser behaviors. A notable exploit involved GitHub’s handling of null characters, found via Turbo Intruder, leading to unauthorized access.

These techniques transform harmless inputs into payloads that misroute emails or inject CSS, compromising application security.

Defensive Strategies

Gareth advocates filtering encoded words and verifying email addresses before use, even from trusted SSO providers. Relying solely on domains for authorization is perilous, as demonstrated by his exploits. Regular expression sanitization and strict validation can mitigate risks, ensuring emails route as intended.

He references influential blog posts by researchers like Pep Villa, emphasizing community knowledge-sharing to bolster defenses.

Tools and Future Research

Gareth’s toolkit, including a Burp Suite wordlist and a vulnerable Joomla Docker instance, enables researchers to replicate his attacks. A Web Security Academy CTF further hones skills in email splitting. He encourages exploring additional parser vulnerabilities, such as those in mailer libraries, to uncover new attack vectors.

Links:

PostHeaderIcon [GoogleIO2024] Under the Hood with Google AI: Exploring Research, Impact, and Future Horizons

Delving into AI’s foundational elements, Jeff Dean, James Manyika, and Koray Kavukcuoglu, moderated by Laurie Segall, discussed Google’s trajectory. Their dialogue traced historical shifts, current breakthroughs, and societal implications, offering profound perspectives on technology’s evolution.

Tracing AI’s Evolution and Key Milestones

Jeff recounted AI’s journey from rule-based systems to machine learning, highlighting neural networks’ resurgence around 2010 due to computational advances. Early applications at Google, like spelling corrections, paved the way for vision, speech, and language tasks. Koray noted hardware investments’ role in enabling generative methods, transforming content creation across fields.

James emphasized AI’s multiplier effect, reshaping sciences like biology and software development. The panel agreed that multimodal, long-context models like Gemini represent culminations of algorithmic and infrastructural progress, allowing generalization to novel challenges.

Addressing Societal Impacts and Ethical Considerations

James stressed AI’s mirror to humanity, prompting grapples with bias, fairness, and values—issues societies must collectively resolve. Koray advocated responsible deployment, integrating safety from inception through techniques like watermarking and red-teaming. Jeff highlighted balancing innovation with safeguards, ensuring models align with human intent while mitigating harms.

Discussions touched on global accessibility, with efforts to support underrepresented languages and equitable benefits. The leaders underscored collaborative approaches, involving diverse stakeholders to navigate complexities.

Envisioning AI’s Future Applications and Challenges

Koray envisioned AI accelerating healthcare, solving diseases efficiently worldwide. Jeff foresaw enhancements across human endeavors, from education to scientific discovery, if pursued thoughtfully. James hoped AI fosters better humanity, aiding complex problem-solving.

Challenges include advancing agentic systems for multi-step reasoning, improving evaluation beyond benchmarks, and ensuring inclusivity. The panel expressed optimism, viewing AI as an amplifier for positive change when guided responsibly.

Links: