Summary

Top Articles:

  • Enhancing Automated Configuration Security Capabilities with OpenAI Grant Funding
  • RISC-V Memory Hot Plugging To Be Introduced With Linux 6.11
  • New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant
  • New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant
  • NVIDIA's Open-Source Kernel Driver & Maturing Wayland Support Were Great In 2023
  • X.Org Server & XWayland Updated Due To Two Decade-Old Security Vulnerabilities
  • Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux
  • Linux 6.1 Hardening Retpolines With Ensuring An INT3 After Every Unconditional Jump
  • VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack - Phoronix
  • Linus Torvalds Switches To AMD Ryzen Threadripper After 15 Years Of Intel Systems - Phoronix

Enhancing Automated Configuration Security Capabilities with OpenAI Grant Funding

Published: 2024-07-05 17:02:17

Popularity: None

Author: Written byCoGuardShare post

🤖: "secured config"

Introduction

In an era where software systems are increasingly complex and interconnected, the risks associated with misconfigurations have never been more significant. CoGuard, with the support of OpenAI's Cybersecurity Grant, is pioneering advancements in software configuration security. These developments ensure that our security solution evolves as rapidly as the technologies it aims to protect. 

Automating Security to Mitigate Configuration Risks 

The research funded by the OpenAI Cybersecurity Grant has allowed us to expand and enhance our rules set significantly. The automated creation of configuration security rules not only minimizes human error—a major cause of security breaches—but also ensures that configurations are precise and optimized for security and compliance. This automated approach addresses potential vulnerabilities in the configuration of software applications that have lacked specific security scanning rules, thereby maintaining a pro-active defense against evolving threats while supporting the adoption of new technologies by development teams.

Key Advancements in Automation

The grant has enabled an extraction pipeline, automating the derivation of security-relevant configuration parameters and rules from available software documentation and manuals. This ensures a comprehensive analysis and adherence to the latest security standards, significantly reducing human error and effort in rule maintenance.

‍

Expanding and Streamlining Our Security Rule Set 

“By leveraging OpenAI’s capabilities, we’ve automated configuration rules extraction," noted Albert Heinle, CTO of CoGuard. "This extension has broadened our scanning capabilities to include previously complex software in terms of different configuration parameters or niche software projects."

The automatic expansion of the configuration rules engine enables CoGuard to scale its protection capabilities alongside client growth and the adoption of emerging technologies without compromising security or performance. This initiative not only enhances security but also boosts operational efficiency by freeing up IT resources for strategic initiatives rather than manual rule management tasks.

Learn More about the Research

For a deeper dive into our research and the specific findings of our latest project, we invite you to read our detailed research report available on GitHub: CoGuard's OpenAI Cybersecurity Grant funded research.

Looking to the Future

 As organizations continue to adopt additional software technologies, the need for adaptable and extensible configuration security measures grows. Our ongoing work with OpenAI to extend and refine our rulesets is just the beginning. We are committed to continuous improvement to ensure our customers' infrastructures remain secure and compliant in an ever-changing technological landscape.

Product Roadmap for Custom Configuration Rules

At CoGuard, we are committed to enhancing our configuration security capabilities to support a wide range of software applications. Our roadmap for the next quarter focuses on expanding our service to include custom configuration rules for the following key software platforms:

As we progress with our roadmap, we invite our customers, stakeholders and those interested in securing software infrastructure to engage with us in the development process. Feedback and insights from actual deployment scenarios are invaluable and help us refine our rules to better meet real-world demands. 

Get Started with CoGuard

Self-Service Scan 

Begin securing your environment immediately by installing our command-line tool. Use the following commands to install CoGuard-cli and start a read-only scan of your AWS/GCP/Azure configurations:

```
pip install coguard-cli
coguard scan aws
```

Assisted Setup 

Prefer a guided setup? Contact us, and our team will work with you to establish the necessary access permissions and discuss the findings from your configuration scan in detail. This personalized approach ensures that you fully understand the applications running on your cloud infrastructure.

Schedule a call with us to explore how CoGuard can help identify vulnerabilities and misconfigurations in your deployed applications.

‍

...more

RISC-V Memory Hot Plugging To Be Introduced With Linux 6.11

Published: 2024-07-01 03:07:24

Popularity: None

Author: Written by

🤖: "Plug in"

The RISC-V kernel port with Linux 6.11 is introducing the ability to handle memory hot plugging/unplugging.

...more

New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Published: 2024-02-14 03:39:38

Popularity: None

Author: Written by

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

...more

New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Published: 2024-02-13 18:57:30

Popularity: None

Author: Written by

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

...more

NVIDIA's Open-Source Kernel Driver & Maturing Wayland Support Were Great In 2023

Published: 2024-01-02 21:36:00

Popularity: None

Author: Written by

Following the 2023 highlights for Intel and AMD on Linux, here's a look back at the most popular Linux-related NVIDIA news for the past calendar year.

...more

X.Org Server & XWayland Updated Due To Two Decade-Old Security Vulnerabilities

Published: 2023-12-14 17:22:15

Popularity: None

Author: Written by

The X.Org Server doesn't see much in the way of feature work these days with Red Hat and others divesting from classic X.Org/X11 sessions

...more

Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux

Published: 2022-10-26 01:29:57

Popularity: None

Author: Written by

🤖: "secure boots"

Systemd lead developer Lennart Poettering has written a lengthy blog post entitled a 'brave new trusted boot world' in which he outlines current issues with the Linux boot process and how there is a trajectory for providing the Linux boot experience with more robustness, simplicity, and trust.

...more

Linux 6.1 Hardening Retpolines With Ensuring An INT3 After Every Unconditional Jump

Published: 2022-10-06 23:00:57

Popularity: None

Author: Written by

🤖: "`INT3 alert!`"

The x86/core changes for Linux 6.1 have been merged and are headlined by making sure an INT3 instruction is inserted after every unconditional Retpoline jump (JMP) for the Retpolines handling on both Intel and AMD processors.

...more

VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack - Phoronix

Published: 2021-02-07 03:38:35

Popularity: None

Author: Written by

🤖: ""Security breach""

Security researchers out of the University of Birmingham have crafted another attack against Intel Software Guard Extensions (SGX) when having physical motherboard access and using their "VoltPillager" hardware device they assembled for about $30 USD.

Two years ago

Plundervolt

was widely publicized for compromising Intel's SGX security by manipulating the CPU frequency/voltage as able to through software interfaces. By carefully undervolting the Intel CPUs when executing enclave computations they were able to ultimately compromise the integrity of SGX.


Pre-pandemic FOSDEM... Continually one of the best Linux/FLOSS events over the years.

The impact of Plundervolt was already limited as typically the software needs root/administrative rights to access the CPU voltage/frequency MSRs or other kernel interfaces for manipulating them. But in response to Plundervolt, motherboard vendors began offering options to allow disabling voltage/frequency interface controls on their systems. Following Plundervolt, security researchers at the University of Birmingham in the UK began exploring a hardware-based attack on SGX.

With the assembled "Voltpillager" device and latching onto the motherboard's VR responsible for the CPU voltage, they were able to mount fault-injection attacks to again break the integrity of SGX. With this ~$30 device they were able to run proof-of-concept attacks against crypto algorithms within SGX. Yes, this is a sophisticated attack and not as easy as say plugging in a compromised USB/Thunderbolt device with the Voltpillager needing to be carefully attached to the proper voltage regulator, but researchers have found this method to be successful even with Plundervolt safeguards enabled.

This VoltPillager device is based on a Teensy microcontroller. The researchers behind this effort are formally presenting their research at the Usenix Security 2021 conference in August, but this weekend at the virtual FOSDEM conference their findings were shared as well. Their pre-publication paper on VoltPillager was published last November and can be found via

Usenix.org

but at the time didn't receive much attention.

As for this weekend's FOSDEM Online event, see

this slide deck

(PDF) for those interested in VoltPillager for their hardware-based under-volting attack on Intel SGX.

If it's not clear enough already, VoltPillager requires obvious hardware access to the system's motherboard and to carefully attach it to the proper VR for a particular motherboard -- so even while Plundervolt's scope was limited in needing root/admin access to the local system, VoltPillager is much more limited. Per the FOSDEM presentation, Intel responded to the researchers that tampering with the internal hardware to compromise SGX is "out of scope for SGX threat model" and prior Plundervolt mitigations were not designed for hardware-based attacks.

More of the VoltPillager research can be found on

GitHub

.

...more

Linus Torvalds Switches To AMD Ryzen Threadripper After 15 Years Of Intel Systems - Phoronix

Published: 2020-05-25 04:27:54

Popularity: None

Author: Written by

🤖: "CPU switcheroo"

An interesting anecdote shared in today's

Linux 5.7-rc7 announcement

is word that Linux and Git creator Linus Torvalds switched his main rig over to an AMD Ryzen Threadripper.

At least for what he has said in the past, Linus has long been using Intel boxes given his close relationship with the company (and even close proximity to many of the Intel Portland open-source crew). In fact, he commented this is the first time in about fifteen years not using an Intel system as his primary machine. He made this interesting remark in the RC7 announcement:

In fact, the biggest excitement this week for me was just that I upgraded my main machine, and for the first time in about 15 years, my desktop isn't Intel-based. No, I didn't switch to ARM yet, but I'm now rocking an AMD Threadripper 3970x. My 'allmodconfig' test builds are now three times faster than they used to be, which doesn't matter so much right now during the calming down period, but I will most definitely notice the upgrade during the next merge window.

The

Threadripper 3970X

and the rest of the 3900 series line-up are incredibly great options for kernel developers and those frequently compiling large code-bases. He didn't mention the CPU in his prior Intel box, but he is seeing 3x faster builds.

With the upcoming

Linux 5.8

merge window in early June, his Threadripper system is sure to have a great workout.

This in turn is actually good news as well for AMD Ryzen Linux users: as Torvalds is constantly building the latest kernel code for mainline, he tends to shout quite publicly and loudly when any code breaks on his systems stemming from botched/poorly-tested pull requests... Thus with the extra and immediate exposure on Threadripper, he will hopefully be spotting any kernel-breaking regressions more quickly and who knows whatever other improvements he may be able to wrangle up as he's burning in his new system.

...more

Programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL

Published: 2019-05-01 13:29:20

Popularity: None

Author: Written By

🤖: "cryptcracked"

This week MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) announced that a 20-year-old cryptographic puzzle was just solved by a self-taught programmer from Belgium, 15 years earlier than MIT scientists expected.

Bernard Fabrot spent the last three and a half years computing the solution to a puzzle first announced by MIT researchers in 1999. Separately, another team led by tech executive Simon Peffers is nearing completion of computing a solution.

The puzzle essentially involves doing roughly 80 trillion successive squarings of a starting number, and was specifically designed to foil anyone trying to solve it more quickly by using parallel computing.

Fabrot and Peffers took very different approaches to the puzzle. Fabrot used a simple Intel Core i7-6700 found in consumer PCs, and computed the solution using the GNU Multiple Precision Arithmetic Library (GMP). Meanwhile, Peffers' team used a novel squaring algorithm (designed by Erdinç Öztürk from Sabanci University) to run on a programmable hardware accelerator called an FPGA. The team, which is working as part of a collaboration called Cryptophage, is on track to finish the puzzle on May 11 after only two months of computation.

“There have been hardware and software advances beyond what I predicted in 1999,” says MIT professor Ron Rivest, who first announced the puzzle in April 1999 tied to a celebration of 35 years of research at MIT’s Laboratory for Computer Science (now CSAIL). “The puzzle’s fundamental challenge of doing roughly 80 trillion squarings remains unbroken, but the resources required to do a single squaring have been reduced by much more than I predicted.”

The puzzle is an example of a “verifiable delay function” (VDF), meaning that its answer can only be solved after a certain number of steps. Because VDFs can also be used to create unbiased randomness, they’ve been proposed as potential approaches to improve the security and scalability of blockchain systems like Ethereum and Filecoin. 

In the original announcement, LCS promised that, if a correct solution was uncovered, they would open a special “time capsule” designed by architect Frank Gehry and filled with historical artifacts from the likes of Web inventor Tim Berners-Lee, Ethernet co-inventor Bob Metcalfe, and Microsoft founder Bill Gates. (Gates donated the original Altair BASIC that represented Microsoft’s first-ever product, which they developed for MITS in 1975.)

The capsule ceremony will happen Wednesday, May 15 at 4 p.m. at MIT’s Stata Center.

...more

Effective Fully Automated Forced Browsing Testing

Published: 2019-03-08 00:02:04

Popularity: None

Author: written by

Forced browsing is the class of serious web application vulnerability I see the most often. Contrary to conventional wisdom, you can build effective automated tests for it in your application, tests that don’t use hard-coding or fuzzing.

This friend of mine, Ohran, maintains a decent-sized web app, mydeathstar.empire. It does various boring administrative things for this space station, and the guy in charge, Darth something, keeps him busy with lots of little tweaks. The latest one was that for some reason he wanted to restrict who was allowed to remotely operate the trash compactors. Apparently there’d been some issue with that. So my friend wrote some code for the web app’s navigation header so that you’d only see a link to the trash compactor dashboard if you had the right set of privileges. It looked something like

in render_nav_bar:

if(current_user.trash_master) {  link_to("/trash_compactor_dashboard")  } 

So Trash Masters saw a page like this:

While regular stormtroopers saw a page without the link:

Now, Ohran is very conscientious about quality (apparently Darth Whatever isn’t very forgiving of bugs) so he added in a couple of automated tests too:

login_as(regular_user) visit_page("/") assert_not_in_page("/trash_compactor_dashboard") 
login_as(trashy_user) visit_page("/") assert_in_page("/trash_compactor_dashboard") 

And of course he deployed it to a staging server and had someone click around to make sure everything looked right. Eventually, he pushed the changes to the live server, and all seemed well.

That night, though, he woke up in a sudden panic. He pulled his laptop onto his chest and logged in to his account. The link wasn’t there, as expected – trash wasn’t his job. Then, he manually typed a URL into his address bar, hit enter, and…

Ohran had forgotten some very important code. When a request came in to load the dashboard page, or perform any trash compactor action, he needed to check to ensure that request was actually authorized. Even though no unauthorized user could get to the dashboard by accident, anybody with an account could use the forced browsing technique to load the page–and since it had previously been accessible to everyone, people certainly knew the URL. Ohran had to scramble to fix his mistake before anyone noticed.

After saving his neck, Ohran came to me, still fretting. “The authorization logic in this app is all over the place,” he said. “I don’t have the time or the freedom to refactor it, so whenever I add a new authorization rule, I just have to remember to add it in at least two places: hiding the link, and controlling the actual functionality. If I forget the first one, the user sees an error, and if I forget the second one, I’ve made the app vulnerable. For all I know, there’s some other forced browsing vulnerability out there that I’ve missed. Like when stormtrooper TK-422 goes to his personal preferences page, the URL looks like /users/TK-422/preferences. If he changed the number in the URL so it was /users/TK-421/preferences, he shouldn’t see TK-421’s preference page, that’s private!” Ohran rubbed his throat.

“Can’t you write a test for forced browsing?” I asked.

“I Googled it, and apparently you can’t really,” said Ohran. “Like, OWASP says ‘Automated tools are unlikely to find these problems.’ They give a lot of ways to defend against it, but they’re all manual testing and refactoring and doing code analysis. Which, I mean, I’ll do as much as I can. Everywhere else I’ve looked says it’s impossible, aside from just checking a hardcoded list of common ‘sensitive paths’ like /admin.php. There’s no way /trash_compactor_dashboard is gonna be on that list. Or there’s fuzzing, but same deal there–no testing tool is going to randomly guess that URL.”

Ohran and I put our heads together, and eventually we figured out a solution. It was actually pretty obvious in retrospect: just take what a manual white-hat tester does when searching for forced browsing vulnerabilities, and do it programmatically. First, we wrote a helper function in Ohran’s test code that could crawl the site, recursively following all of the links that a given user could see and returning the complete list. It looked something like

define browse_as(user) { visited_pages = Set.new() crawl(user, "/",visited_pages) return(visited_pages) } define crawl(user, page, visited_pages) { login_as(user) visit_page(page) visited_pages.add(page) current_page.links.for_each(link) {   if(!visited_pages.include(link)) {crawl(user,link, visited_pages)} } } 

Just your standard spider. We made it re-login on every request just because some links log you out, but we could also have blacklisted logout links and other links that leave the site, so that we don’t end up crawling around the actual web.

Then we checked in a test. In the test, we create two users. One has all the privileges in the app: she could operate the trash compactors, commence primary ignition, open the thermal exhaust port, whatever. The other just has the minimum privileges necessary to log in. Then, the test crawls as both users, and compares the results. Crawling as the privileged user is just a simple way of enumerating all the pages in the app. Crawling as the unprivileged user is a way of inferring what the user is expected to be able to see. We can assume that if a user sees a link to a page they’re not supposed to see, that’ll be caught in manual testing. So this automated test now knows that any user can see the home page, their preference page, and a station-wide list of alerts, say. Now we take the difference of the lists: the list of all pages the privileged user can browse to, but the unprivileged user can’t. This will include admin-only pages, like the trash compactor dashboard, as well as personal pages for the privileged user, like her preferences page. Finally, we can loop over each link in this list, and try forced browsing to it as the unprivileged user. If we get a success response, not a redirect or an error, then this is likely a forced browsing vulnerability, and the test should fail. The test looks like:

privileged_user_visible_pages = browse_as(privileged_user) regular_user_visible_pages = browse_as(unprivileged_user) restricted_pages = privileged_user_visible_pages.except(regular_user_visible_pages) restricted_pages.for_each(link) { login_as(unprivileged_user) visit_page(link) assert_error_page(current_page) } 

Happily, it turns out the conventional wisdom is wrong. As long as you have the ability to log in as both a privileged and unprivileged user, you can write an automated test for your web app that catches forced browsing vulnerabilities. I believe this should be added to integration testing for most web applications. If you use an interactive testing tool like Burp Suite, I’d suggest implementing this as a plugin (I might even write this as a bookmarklet one of these days). If you use, say, Cucumber, it’s probably fastest to just implement this algorithm by hand in your existing test suite.

Gotchas:

  • Make sure you secure your write (e.g. POST, PUT) routes, not just your page reads. My pseudo-code above works for this if “current_page.links” includes form submissions and AJAX requests, and “visit_page()” can handle form submissions, but that’s tricky since you may need mock data.
  • As mentioned, it’s best to restrict the links you follow to relative links and ones to the same domain, and to blacklist the logout link.
  • For a large enough app, this can be a time-consuming test. Ideally, try to run it outside of a browser to save time rendering. You may also want to optimize by adding “redundant” pages to your blacklist, such as pages after the first of a paginated result list.
  • Make sure you’re running against a test database that has at least one of everything, so that every possible link exists.
  • If you try to browse to a page you don’t have access to, some apps will simply serve a page you do have access to instead, without returning a 3xx Redirect response or displaying an error. These can lead to spurious failures in your tests. Ideally you should change that behavior, as it’s not very standards-compliant anyway.
  • A purely single-page web app that doesn’t store state in the URL at all will have to do this a bit differently, possibly by recording the AJAX requests done as each user crawls, then forcing those rather than front-end state.
  • The test as described doesn’t catch similar vulnerabilities involving other kinds of user-controllable input, such as cookies and hidden form submissions. It might be worth expanding to record everything (besides the authentication secret) the privileged user sends, and replaying it as the unprivileged user.
  • It may be non-trivial to ensure your privileged user always has all possible privileges.

And one final, meta-level disclaimer: try not to write projects with authorization rules that keep you up at night, scattered around different files and enforced in different ways. Try to put all of them in one place, so you can reference them both when deciding what links to render and what actions to allow. Make it impossible to process a request if no authorization check has run. And then test anyway.

...more

Ancient Wisdom Reveals 6 Rituals That Will Make You Happy - Barking Up The Wrong Tree

Published: 2019-03-07 23:17:28

Popularity: None

Author: Written By:

Forget self-help. Ancient wisdom has happiness tips that align with science. Bestselling author Ryan Holiday explains how Stoicism can make you smile.

...more

The New Restartable Sequences System Call Is Living Up To Its Performance Claims - Phoronix

Published: 2019-03-07 22:07:04

Popularity: None

Author: Written by

Introduced in the Linux 4.18 kernel was the

Restartable Sequences "rseq" system call

intended to yield faster user-space operations on per-CPU data. As covered during a presentation at this week's Open-Source Summit Europe, that system call is indeed providing performance wins while it's not widely utilized yet.

The restartable sequences system call allows for faster performance in per-CPU data updates from user-space for items like incrementing per-CPU counters, modifying data protected by per-CPU spinlocks, reading/writing per-CPU ring buffers, and similar operations while the kernel guarantees atomic behavior. The RSEQ system call was merged for Linux 4.18 while in the newly-released Linux 4.19 kernel the syscall is supported on ARM64 and other architectures.

There still is ongoing work for improving Restartable Sequences especially with utilizing this syscall from different key components in the Linux user-space, but it's looking like the performance benefits are worthwhile. Mathieu Desnoyers of EfficiOS presented at this week's Open-Source Summit Europe in Edinburgh where he covered this interesting kernel work. The benchmark results are what excited us the most:

Those wishing to learn more about the ongoing RSEQ syscall and weren't able to make it to Edinburgh for the event, Desnoyers' slide deck can be viewed

here

(PDF). There is also another presentation by Mathieu back from

Linux Plumbers 2016

with more background information on this system call if you are interested in more reading this weekend.

...more

iPhones are Allergic to Helium

Published: 2019-03-07 22:06:22

Popularity: None

Author: written by

This is the kind of tale that you don’t hear every day.  During the installation of a new MRI machine, a technician started getting calls that iPhones weren’t working—but Androids were just fine.

...more

UBIFS File-System Being Hardened Against Power Loss Scenarios

Published: 2024-07-28 23:19:25

Popularity: None

Author: Written by

🤖: "Battery backup mode"

While most Linux file-systems are rather robust in recovering when the system experiences a power loss, the UBIFS file-system is more prone to problems when a power-cut happens

...more

NVIDIA Publishes Open-Source Linux Driver Code For GPU Virtualization "vGPU" Support

Published: 2024-09-25 17:23:39

Popularity: None

Author: Written by

🤖: "gpu party"

NVIDIA engineers have sent out an exciting set of Linux kernel patches for enabling NVIDIA vGPU software support for virtual GPU support among multiple virtual machines (VMs)

...more

"100% Free" GNU Boot Discovers Again They Have Been Shipping Non-Free Code

Published: 2024-10-20 00:52:58

Popularity: None

Author: Written by

🤖: "Linux fail 😒👀"

GNU Boot is a '100% free software project aimed at replacing the non-free boot software' and is a downstream of Coreboot, GRUB, and SeaBIOS

...more

OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch

Published: 2024-10-31 12:42:08

Popularity: None

Author: Written by

🤖: "Kernel patch party"

Enterprise security firm Edera today is announcing OpenPaX that they promoted in their advance press notice as a 'new open-source alternative to GrSecurity.' GrSecurity being the firm focused on providing out-of-tree Linux kernel patches focused in the name of security enhancements

...more

end