Conference:  Defcon 31
Authors: David Leadbeater Open Source Engineer, G-Research

It is 60 years since the first publication of the ASCII standard, something we now very much take for granted. ASCII introduced the Escape character; something we still use but maybe don't think about very much. The terminal is a tool all of us use. It's a way to interact with nearly every modern operating system. Underneath it uses escape codes defined in standards, some of which date back to the 1970s. Like anything which deals with untrusted user input, it has an attack surface. 20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding multiple CVEs in the process. I decided it was time to revisit this class of vulnerability. In this talk I'll look at the history of terminals and then detail the issues I found in half a dozen different terminals. Even Microsoft who historically haven't had strong terminal support didn't escape a CVE. In order to exploit these vulnerabilities they often need to be combined with a vulnerability in something else. I'll cover how to exploit these vulnerabilities in multiple ways. Overall this research found multiple remote code execution vulnerabilities across nearly all platforms and new unique ways to deliver the exploits.

Conference:  Defcon 31
Authors: Michael Stepankin Security Researcher at GitHub

Although X.509 certificates have been here for a while, they have become more popular for client authentication in zero-trust networks in recent years. Mutual TLS, or authentication based on X.509 certificates in general, brings advantages compared to passwords or tokens, but you get increased complexity in return. In this talk, we'll deep dive into some novel attacks on mTLS authentication. We won't bother you with heavy crypto stuff, but instead we'll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation and information leakages. We present some CVEs we found in popular open-source identity servers and ways to exploit them. Finally, we'll explain how these vulnerabilities can be spotted in source code and what the safe code looks like.

Authors: Madhu Akula

tldr - powered by Generative AI

The presentation discusses the importance of understanding technology to solve security problems and the usefulness of the Kubernetes Goat project in learning and practicing Kubernetes security.
  • There is a significant gap in knowledge in the security industry and the modern ecosystem due to the constant emergence of new tools and technologies.
  • Understanding technology is crucial in solving security problems.
  • The maturity model of a tool should be considered from a security point of view.
  • The Kubernetes Goat project is a useful tool for learning and practicing Kubernetes security.
  • The project has fantastic documentation and provides step-by-step guidance on various attack scenarios.
  • The project also has examples of real-world attacks and solutions.
  • The project has received feedback from the community and has a Discord channel for support.

Authors: Rodrigo Campos Catelin, Marga Manterola

What if I told you that there's a bool you can set in your pod yaml that mitigates many CVEs out there? Not just any CVEs, but some HIGH and CRITICAL ones! This feature is coming to Kubernetes, thanks to user namespaces, and we'll tell you all about it. User namespaces are a kernel feature that isolates the user in the container from the one on the host. A process running as root in a container can run as a different (non-root) user on the host. This is a HUGE improvement: if a process escapes the container, the privileges on the host are significantly reduced. Furthermore, some capabilities are void and others are only valid inside the user namespace. Many container workloads that run as root today can benefit from this already: enable user namespaces in their pod yaml and be more secure without additional changes. This talk will explain how to use this feature in your cluster, how it is implemented, the current state of the KEP and future work and challenges in this area.

Authors: Henrik Blixt, Michael Crenshaw

tldr - powered by Generative AI

The presentation discusses the security measures taken by Argo CD, an open-source continuous delivery tool, to address vulnerabilities and improve supply chain security.
  • Argo CD has implemented security measures to address vulnerabilities and improve supply chain security
  • The measures include introducing security advisory drafts, having regular meetings with a special interest group, and improving logging to monitor for potential issues
  • Argo CD has also tightened up supply chain security by introducing SBOMs (software bills of materials) for all components and using cryptographically secure random number generators

Authors: Stefano Chierici, Lorenzo Susini

tldr - powered by Generative AI

The presentation discusses how Falco, an open-source project for runtime security, can be extended to monitor capabilities and detect potential malicious behavior in Kubernetes clusters.
  • Falco is an open-source project for runtime security that has become the de facto standard for Kubernetes security.
  • Capabilities in Kubernetes can create a gray area in security monitoring, and Falco can be extended to monitor capabilities and detect potential malicious behavior.
  • The presenters created two rules using Falco to detect excessive capabilities in new containers and modifications to the release agent file.
  • Falco only monitors runtime security and does not consider configuration changes in the YAML files.
  • Falco can be deployed on Kubernetes using official charts and packages.

Authors: Stefan Prodan, Mitch Connors

tldr - powered by Generative AI

The presentation discusses the challenges of upgrading Istio and proposes a GitOps approach to automate service mesh upgrades.
  • Upgrading Istio is difficult and time-consuming
  • 88% of Istio installations still have known CVEs despite efforts to make upgrades easier
  • The GitOps approach using Flux and Flagger can automate Istio upgrades and improve observability
  • The Helm controller in Flux provides a better experience than the Istio operator
  • Istio upgrades should be treated like any other piece of infrastructure and automated using GitOps

Authors: Andrew Martin

tldr - powered by Generative AI

The presentation discusses threat-driven defense for Kubernetes and provides a guide on how to attack and defend clusters from various vulnerabilities and attacks.
  • Threat modeling and understanding attackers' capabilities is crucial for effective defense
  • Attack trees can help visualize potential attack paths and identify necessary controls
  • Supply chain attacks are a significant threat to Kubernetes security
  • Remote code execution and misconfigured containers are common vulnerabilities to exploit
  • Advanced runtime hardening and workload identity are important for cluster security

Authors: Grant Ongers

tldr - powered by Generative AI

The presentation discusses the importance of scaling application security through education and defines application security as product security. It also highlights the ISO IEC 25010 system and software quality model and the impact of technical debt on quality.
  • Application security is a crucial aspect of cybersecurity that involves building secure software systems.
  • ISO IEC 25010 system and software quality model prioritizes security as an intrinsic quality system.
  • Technical debt can lead to a drop in non-functional qualities, including security.
  • Scaling application security through education is essential to ensure developers are equipped with the necessary skills to identify and address security issues during code review.