Application Security Roundup - Feb
This month is all about memory safety, unless you’re a standards group. Before we get to the memory safety, two great trip reports from AppSec Dublin: OWASP AppSec Dublin 2023 - Day 1 by Paul McCann (Day 2 hasn’t dropped as I draft this), and OWASP Global AppSec Dublin 2023 by Tanya Janca, who cleverly baited time travellers into revealing themselves at our secret get-together. (There were a lot of them!)
Memory Safety
There’s a lot happening in memory safety, and important progress from Microsoft, Google and Apple.
- Microsoft Introduc[ed] kernel sanitizers on Microsoft platforms, somewhat confusingly calling them “detection features.”
- Google discussed the impact of Memory Safe Languages in Android 13 by Jeffrey Vander Stoep
- The unsafe language doom principle is an interesting blog on the topic by William Woodruff
- Survey of security mitigations and architectures, December 2022, by Saar Amar of Microsoft, but covering a lot of neat improvements in Apple and Linux as well.
- Direction Group Opinion On Safety For ISO C++, H. Hinnant, R. Orr, B. Stroustrup, D. Vandevoorde, M. Wong. The abstract states “This paper describes the opinion of the DG on the matter of Safety of C++...We do not aim to define a solution.” Many people found this a surprising lack of urgency.
- Meanwhile, Consumer Reports issued an impassioned report, Future of Memory Safety, which I hope to say more about this coming month.
Microsoft
Well, it's not all memory safety — there were a stack of interesting posts from Microsoft:
- Shawn Hernan shared how Azure Security expands variant hunting capacity at a cloud tempo. I particularly liked this paragraph:
In addition to detailed technical lessons, variant hunting also seeks to understand the frequency at which certain bugs occur, the contributing causes that permitted them to escape SDL controls, the architectural and design paradigms that mitigate or exacerbate them, and even the organizational dynamics and incentives that promote or inhibit them. It is popular to do root cause analysis, looking for the single thing that led to the vulnerability, but variant hunting seeks to find all of the contributing causes.
- Michael Howard discusses Repudiation Threats and ledger in Azure SQL Database/SQL Server, with the trenchant observation “Sadly, because repudiation is not well understood, it is often ignored when building threat models or designing systems.” (Hey, have you seen my new book?)
- I'd missed the blog post Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability, which exploits macOS’s extended ACLs to set permissions that prevent Safari from appending the com.apple.quarantine attribute to a downloaded file. This is the sort of complex flaw that security experts aspire to discover: it’s subtle and amusing. But if you skip the more mundane ones, your system is still vulnerable.