Conference:  Defcon 31
Authors: Dr. Bramwell Brizendine Assistant Professor at University of Alabama in Huntsville, Jake Hince, Max 'Libra' Kersten
2023-08-01

Shellcode is omnipresent, seen or unseen. Yet tooling to analyze shellcode is lacking. We present the cutting-edge SHAREM framework to analyze enigmatic shellcode. SHAREM can emulate shellcode, identifying 20,000 WinAPI functions and 99% of Windows syscalls. In some shellcode, some APIs may never be reached due to the wrong environment, but SHAREM has a new solution: complete code coverage preserves the CPU register context and memory at each change in control flow. Once the shellcode ends, it restarts, restoring memory and context, ensuring all functionality is reached and identifying all APIs. Encoded shellcode may be puzzling at times. SHAREM is a game-changer, as it presents emulated shellcode in its decoded form in a disassembler. IDA Pro and Ghidra can produce disassembly of shellcode that is of poor quality. However, SHAREM uniquely can ingest emulation data, resulting in virtually flawless disassembly. While SHAREM has its own custom disassembler, we are also releasing a Ghidra plugin, so SHAREM's enhanced disassembly can enhance what is in Ghidra. Only SHAREM identifies APIs in disassembly, and this also can be brought to Ghidra. We will also see how SHAREM can be used by aspiring shellcode authors to enhance their own work, and we will examine advanced shellcode specimens in SHAREM.

Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations, for which he did his dissertation on Jump-Oriented Programming, a hitherto seldom-studied and poorly understood subset of code-reuse attacks.
Authors: Ben Hirschberg
2023-04-20

tldr - powered by Generative AI

The presentation discusses an innovative approach to securing Kubernetes clusters using behavior analysis during continuous integration testing and generating native policies based on behavior. The focus is on leveraging continuous behavioral analysis to replace tedious manual policy definitions and the importance of native policies to enforce security policies directly within Kubernetes without relying on third-party tools.
  • Continuous behavioral analysis can replace manual policy definitions
  • Native policies allow for direct enforcement of security policies within Kubernetes
  • Hands-on practices for implementing this approach are covered
  • The presentation emphasizes the importance of leveraging innovative approaches to security in Kubernetes clusters
Authors: Micah Hausler, Robert Clark
2021-10-15

tldr - powered by Generative AI

The presentation discusses the importance of staying up-to-date with Kubernetes vulnerabilities and the need to consider environmental scoring when assessing their severity.
  • Canonical sources for vulnerability information may not always be up-to-date
  • Staying on an up-to-date version of Kubernetes is crucial for security
  • Environmental scoring can change the severity of a vulnerability based on how it's deployed
  • Rescoring vulnerabilities is important to understand which ones to escalate
  • The number of unique CVEs has consistently decreased over the last few years
Authors: Morgan McLean, Jaana Dogan
2021-10-14

tldr - powered by Generative AI

OpenTelemetry provides correlations between different types of data that can be used to improve service operations and responses to outages.
  • OpenTelemetry captures distributed traces, metrics, logs, and resource metadata
  • Correlating this information is crucial for understanding failures in highly distributed systems
  • OpenTelemetry allows for correlations between language runtime traces and network events
  • Correlations can provide general production insights and improve development velocity