Shostack + Friends Blog


Application Security Roundup - Feb

This month is all about memory safety, unless you’re a standards group.

[Image: a set of puzzle pieces]

Before we get to the memory safety, two great trip reports from AppSec Dublin: OWASP AppSec Dublin 2023 - Day 1 by Paul McCann (Day 2 hasn’t dropped as I draft this), and OWASP Global AppSec Dublin 2023 by Tanya Janca, who cleverly baited time travellers into revealing themselves at our secret get-together. (There were a lot of them!)

Memory Safety

There’s a lot happening in memory safety, and important progress from Microsoft, Google and Apple.

Microsoft

Well, it's not all memory safety — there was a stack of interesting posts from Microsoft:

  • Shawn Hernan shared how Azure Security expands variant hunting capacity at a cloud tempo. I particularly liked this paragraph:
    In addition to detailed technical lessons, variant hunting also seeks to understand the frequency at which certain bugs occur, the contributing causes that permitted them to escape SDL controls, the architectural and design paradigms that mitigate or exacerbate them, and even the organizational dynamics and incentives that promote or inhibit them. It is popular to do root cause analysis, looking for the single thing that led to the vulnerability, but variant hunting seeks to find all of the contributing causes.
  • Michael Howard discusses Repudiation Threats and ledger in Azure SQL Database/SQL Server, with the trenchant observation “Sadly, because repudiation is not well understood, it is often ignored when building threat models or designing systems.” (Hey, have you seen my new book?)
  • I'd missed the blog post Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability, which exploits macOS’s extended ACLs to set permissions that prevent Safari from appending the com.apple.quarantine attribute to a downloaded file. This is the sort of complex flaw that security experts aspire to discover: it’s subtle and amusing. But if you skip the more mundane ones, your system is still vulnerable.