Conference:  Black Hat Asia 2023
Authors: Mikhail Shcherbakov
2023-05-11

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype, which may lead to control-flow alteration and unexpected program behavior. Every successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populate Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.
Authors: Andres Aguiar, Anders Eknert
2023-04-21

tldr - powered by Generative AI

The presentation discusses the use of service policies and Argo workflows for Cloud native open source authorization application architecture.
  • The use of service policies and Argo workflows enables Cloud native open source authorization application architecture.
  • Service policies allow for dynamic resolution of authorization checks based on service instances.
  • Argo workflows are used for end-to-end workflows for compiling, testing, and validating authorization changes.
  • The presentation provides an example of using Argo to submit a job to pull down policies and run tests to validate changes.
  • The presentation emphasizes the importance of testing and evolving policies over time.
Authors: David de Torres Huerta, Mirco De Zorzi
2023-04-20

tldr - powered by Generative AI

Defensive Monitoring in Kubernetes Clusters
  • Using metrics from Prometheus to detect anomalies in network traffic and CPU usage
  • Manipulating data from Kubernetes metrics to generate topology diagrams of the cluster
  • Using service-level metrics to create network topology diagrams
  • These techniques can be useful for detecting and investigating security breaches
Authors: Mohit Suman, Zbynek Roubalik
2023-04-20

tldr - powered by Generative AI

The presentation discusses the use of vendor agnostic serverless functions for processing Amsterdam city data. It highlights the benefits of serverless computing and how it can be used across multiple cloud environments. The demo showcases the use of Knative Serving and Eventing building blocks, CNCF Buildpacks, Tekton Pipelines, and Camel-K.
  • Serverless computing is a deployment model that abstracts the way applications are deployed on infrastructure, provides auto-scaling capabilities, and has a simplified development and deployment model.
  • Functions are a programming model that has a certain function signature that needs to be matched to deploy the function.
  • The presentation showcases the use of Knative Serving and Eventing building blocks, CNCF Buildpacks, Tekton Pipelines, and Camel-K for processing Amsterdam city data.
  • Developers can benefit from serverless concepts and still be able to deploy across multiple cloud environments.
  • The demo includes a React application with a Node.js backend that emits CloudEvents and exposes REST APIs.
  • The presentation highlights the benefits of using serverless computing for event-driven applications that scale on demand and consume just the right amount of resources.
  • The demo showcases the use of serverless functions for adding real-time capabilities to applications.
  • The presentation emphasizes the user-friendliness of the solution, with no Dockerfiles or YAML editing required.
  • The presentation includes a live demo of the solution in action.
Authors: Jennifer Strejevitch, Thomas Schuetz, Josh Gavant
2023-04-20

When deploying to Kubernetes we often talk about applications, but wait … What is an application in the cloud native world? Is it a chart, a git repository, or a bundle of manifests? In the first part of this talk, we’ll highlight some application definition formats and their different approaches. But an application is not _just_ its core business logic. What about supporting services like observability, identity, and data stores - are they part of an app? How are they included in an app? An emerging answer to this is developer platforms and platform engineering. We will show you why platforms are the optimal way to enable this and the first steps on how to build one and integrate it with your apps. In this talk, we’ll give you some insights on building developer platforms to deliver cloud-native applications based on the work of the TAG App Delivery GitOps, Operator and Platform Working Groups, and their whitepapers.
Authors: Taylor Dolezal
2023-04-19

tldr - powered by Generative AI

The presentation discusses the latest news and trends in the CNCF End User Ecosystem, with a focus on saving time for end users and empowering organizations to collaborate and share best practices in cloud native technologies.
  • The CNCF End User Program aims to connect and empower organizations to collaborate and share best practices in cloud native technologies through engagement within the CNCF community.
  • The end user newsletter, Wisdom of the Cloud, provides an ecosystem pulse to cut through the noise and save time for end users, with deep technical dives and highlights on people and processes.
  • End users are short on time and have to keep up with the latest developments in cloud native technologies while running their business, which is why the program exists to help save time.
  • The presentation also mentions the CTO Summit Series and a report on the foundations of cloud native maturity, as well as a survey to gather feedback on which projects end users are interested in and how they fit together.
Authors: Cathy Zhang
2022-10-27

tldr - powered by Generative AI

Intel's perspective on open source innovation in cloud computing and their developments in hardware topology aware scheduling and confidential computing technologies to enhance cloud cost, performance, and security. They are also working on innovative solutions to address the challenges of serverless computing.
  • Intel is committed to the success of the open source community and takes a software first approach.
  • Hardware topology aware scheduling can enhance cloud cost, performance, and security by taking the low-level hardware topology into consideration.
  • Confidential computing technologies like SGX and TDX can build a trusted execution environment around the data while it is being processed.
  • Intel is working on innovative solutions to address the challenges of serverless computing, such as cold start latency and auto-scaling speed.
  • Intel has contributed to many open source projects spanning the whole software stack.
  • Intel invites feedback and encourages people to learn more about their work at Intel Boost in the solutions showcase.
Authors: Alexander Jung
2022-10-27

tldr - powered by Generative AI

Unikraft is an open-source library operating system that enables the construction of ultra-lightweight VMs quickly, easily and without time-consuming developer effort. These VM images are tailored to the application itself and have high-performance, low resource usage and a small attack surface. The talk compares Unikraft with existing runtimes for the cloud and demonstrates how it can be used with Kubernetes today.
  • Existing runtimes for the cloud rely on traditional kernel stacks and hypervisors, which negatively impact security and performance.
  • Unikraft is an open-source library operating system that enables the construction of ultra-lightweight VMs quickly, easily and without time-consuming developer effort.
  • Unikraft VM images are tailored to the application itself and have high-performance, low resource usage and a small attack surface.
  • Unikraft can be used with Kubernetes today.
  • Unikraft supports major cloud vendors such as AWS and GCP.
Authors: Ritu Sood, Cathy Zhang
2022-10-26

Deploying, monitoring, and managing complex applications across multiple clusters is a challenging task. A complex application is usually composed of multiple microservices that need to be deployed to different clusters based on criteria such as latency, bandwidth, local context, etc. Some microservices need to be replicated in multiple geo-locations. Some microservices have cross-cluster dependencies. Some of these microservices deployed across different clusters may also need to communicate with each other securely. Furthermore, various infrastructure-related configurations need to be done in order for some microservices to function properly. To reduce the operational cost of deploying and managing these complex applications, automation is a must, and the goal is to achieve zero-touch deployments. In this talk, we'll examine the landscape of available solutions such as KubeEdge, ArgoCD, Karmada, EMCO, etc. and provide an in-depth analysis of each of them.
Conference:  CloudOpen 2022
Authors: Chenxi Li
2022-06-21

HTTP(S) is one of the most popular application protocols. Many well-known applications, such as Kubernetes and TiDB, heavily rely on the HTTP(S) protocol. However, HTTP connections might fail due to various faults, such as network aborts, long delays, or even man-in-the-middle attacks, making services unavailable to users. In such cases, simulating HTTP faults with a chaos engineering tool can be extremely beneficial to ensure the robustness and resilience of the application, particularly distributed ones. In this talk, Chenxi Li will show how to implement HTTPChaos, a chaos engineering mechanism that injects faults into common HTTP applications without any configuration. The theory and Rust implementation of a transparent proxy, the hijack solution for HTTPS services on Kubernetes, and the plugins used to inject the message body according to custom requirements will also be covered.