Total Recall? LLM finds bug in SQLite, C++ safety failures, zero time for zero privs – ASW #306
Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a bugger underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes.
Bonus: the book series mentioned in this episode The Lost Fleet by Jack Campbell.
Hosts
- 1. EmeraldWhale’s Massive Git Breach Highlights Config Gaps
- 2. Cybersecurity Job Market Stagnates, Dissatisfaction Abounds
- 3. Cultivating a successful engineering culture with Platform Engineering
- 4. Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland
- 5. Inside the Massive Crime Industry That is Hacking Billion Dollar Companies
Infostealers are a HUGE problem, and they're partially targeting devs and engineers. Initially, they were designed to steal cryptocurrency and crypto wallet keys, but a nice bonus for them was realizing they were scooping up AWS API keys, Slack keys, and other creds that ransomware crews will pay top dollar for to get into enterprises.
- 6. Microsoft delays Windows Recall again, now by December
Coming from our infostealer story, Microsoft Recall looks like a HUGE potential opportunity for this malware category. It will be interesting to see how they eventually decide to roll it out. I'll be shocked if it's opt-out instead of opt-in.
- 7. Looking into the Nintendo Alarmo
Writeups reverse engineering and jailbreaking the latest shiny gadget always make me smile. This is a great one, detailing the discovery process and linking to resources and code you can use to learn how to do this kind of reverse engineering work yourself!
- 8. Zero Standing Privileges: The Essentials
The approach suggested here is fantastic, until it makes contact with the real world. One of the things that bugs me about these types of writeups from vendors is that what they're proposing is a potential nightmare at scale. I really need microsegmentation and zero trust vendors to spend more time explaining how they tackle the scale problem.
We can't add 600% time and budget to every project to perfectly configure application/identity/data access controls and privileges. Can AI do it? Maybe. Hopefully. We'll see.
- 1. Project Zero finds buffer underflow vuln in SQLite via LLM
This is a space we've been interested in this year - how can we leverage these LLM things to make our software more secure? Google's Project Zero is now teaming up with Google's DeepMind to venture further into this space with an AI agent named Big Sleep. It's first vulnerability was found recently, a buffer underflow in the SQLite database.
One interesting point they mention is that they're trying to build tools that will find vulnerabilities that fuzzing can't. For a while we thought of fuzzing as the best way to find a lot of vulnerabilites, but over time we're seeing fuzzing can be expensive, noisy, and not always fruitful.
- 2. Why Safety Profiles Failed
I've been following this drive to get C++ memory-safe for a few months now. In the last few weeks, a proposal has been out for "safe C++" - an alternative to Bjarne Stroustrup's proposal of C++ "profiles." Last week one of the authors of the Safe C++ proposal took a shot at Stroustrup's ideas with a post discussing why safety profiles have "failed."
