Newsletter

04.12.2021 | 6 min read

Sandboxing and that Zoom zero-click exploit chain

by Ryan Naraine



Monday blues.

My latest SecurityWeek piece on the economics (and narrow shelf life) of memory corruption mitigations has kickstarted an active discussion on the future of sandboxing as a way to disrupt the economics of software exploitation. It’s a very touchy subject in software engineering and security circles as the industry starts to calculate the decades-long cost of playing cat-and-mouse with not-so-stellar results.

Chris Palmer, a member of Google Chrome’s security team, used an exclamation point in a retort — Long Live Sandboxing! Palmer is an authority on the subject, and his recent Enigma talk on the limits of sandboxing and separate essay on prioritizing memory safety migrations are required reading:

He writes: “In any case, we don’t have to “rewrite everything in Rust” to improve memory unsafety, and we are not lost in a sea of undifferentiated attack surface. There are ways we can prioritize in a somewhat systematic way — we don’t have to fix random things ad hoc.”
Some additional feedback:
  • Recently retired Google security engineer Justin Schuh: “I’m seeing something of a “sandboxing is dead” narrative popping up in light of new real-world attacks and growing interest in memory-safe development approaches (e.g. Rust). This framing seems inherently contradictory to me.”
  • Chris Rohlf: “One thing lost in this larger conversation is sandboxes aren’t exclusively for browsers. They are a very useful construct under the right threat model. Browsers and Android both deal with untrusted computation by default. That environment is as challenging as it gets.”
  • Security industry pioneer Halvar Flake: “One thing to note: The sandbox allowed Chrome to move to “separate processes per origin” models, which greatly mitigated Spectre-style attacks. If you don’t sandbox, you have to rely on your CPU to keep “intra-process-address-space” memory secret in the presence of a powerful JIT. The browser security model, if you mix origins in the same address space, turns any information disclosure into a security flaw (auth cookies etc.)”.
  • Alex Gaynor (from May 2020): “The empirical research supports the proposition that using memory-safe programming languages for these projects would result in a game-changing reduction in total number of vulnerabilities.”
  • Results from Pwn2Own 2021: Exploits for memory safety vulnerabilities continue to dominate.
  • Exploiting mixed binaries (direct PDF): “The attacks explored in this paper do not exploit Rust or Go binaries that depend on some legacy (vulnerable) C/C++ code. In contrast, we explore how Rust/Go compiled code can stand as a vehicle for bypassing hardening in C/C++ code.”

I’m thrilled that the discussion and debate is starting to happen publicly, because we all have a stake in the consequences. However, it would also be nice to hear from some non-Google big-co participation.

I’ve heard heated hallway conversations on the spend/value of some of these stop-gap mitigations (including sandboxing!) and I argue most of those belong in the public sphere.

On to the newsletter…

The most clicked link from last week’s issue was Collin Greene’s six buckets of product security, an essay on shifting bugs further into the “leftward” column and the importance of tracking the outcomes of vulnerabilities. If you enjoyed that, check out this adjoining essay on product security primitives.

Pwn2Own and that Zoom zero-click exploit chain.

Some observations on the Pwn2Own hacking contest marketing campaign:

  • A sobering, gut-check reality: Right now, as I type this, a handful of folks know about a remotely exploitable, zero-click, three-bug code-execution exploit chain affecting the ubiquitous Zoom Messenger software. Details are scarce and, despite sponsoring the hacking contest, Zoom has yet to provide pre-patch mitigation guidance to its hundreds of millions of users around the world. Super lame.
  • Zoom’s massive attack surface is frightening on so many levels, and things like Zoom’s SIP integration present “blood-in-the-water” for attackers looking for entry points. Now that Zoom is an enterprise utility (it is, sadly!), the security of that code base becomes important to all of computing. Is Zoom even sandboxed?
  • Alisa Esage, a talented Russian hacker whose now-defunct company was sanctioned by the U.S. government, was denied a full Pwn2Own victory because the vendor (Parallels Desktop) already knew about the bug. My pal Dragos Ruiu says the rules are the rules and it’s not my place to tell a vendor (ZDI) how to run its marketing campaign but, like Dave Aitel says, “you probably shouldn’t participate in a bug bounty program where the rule is that if they already secretly knew about it, but didn’t patch it, you don’t get paid.”
  • I preferred this take, “If the vendor knows about unpatched 0-days, you should get paid double!”

New pod: Fahmida Rashid, Executive Editor, VentureBeat.

I love interviewing journalists, especially those I admire and respect. Fahmida Rashid is unquestionably one of those, a hard-nosed reporter who came out of a networking/security practitioner background. Fahmida joins the show to talk about her days tinkering with computer networks in college, her decision to pursue a Masters in Journalism and why she’s excited about the intersection of AI/ML and cybersecurity.

[Full Fahmida Rashid conversation available for your earholes here]

Catch the show on Apple, Google, Spotify and Amazon, or wherever you catch your podcasts.

Cloudy with a chance of security.

Important stuff you should already have read.

Tangentially.

Have a great week and reach out with things I should be doing better.

_ryan

P.S. The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.
