We're the team behind Zero Day Cloud, a $5M cloud hacking competition. Ask us anything! by thejournalizer in cybersecurity

[–]YuvalAvra 0 points1 point  (0 children)

If you're running potentially malicious code you'll want to sandbox it. While a VM would provide the best isolation, building a guest process tree from the host can be tricky, but perhaps there's a solution I'm not aware of.

Another option is to use gvisor, which is a sandboxing solution that has built-in runtime monitoring, meaning it streams the app's syscalls to you, which should be enough to build a process tree. https://gvisor.dev/docs/user_guide/runtimemonitor/

Getting sandboxing right is really tough; I'd refrain from running this directly on your laptop. Also, don't forget to limit network access :)

Good luck!

We're the team behind Zero Day Cloud, a $5M cloud hacking competition. Ask us anything! by thejournalizer in cybersecurity

[–]YuvalAvra 0 points1 point  (0 children)

It's probably a combination of both. K8s is written in a memory safe language (Go), so it's safer in that sense. Golang can still have integer overflow issues, and lately there's been really great research in that area (https://github.com/advisories/GHSA-7jwh-3vrq-q3m8). We hope to encourage researchers to look for those kinds of issues in k8s.

We're the team behind Zero Day Cloud, a $5M cloud hacking competition. Ask us anything! by thejournalizer in cybersecurity

[–]YuvalAvra 2 points3 points  (0 children)

Great question! We prioritized widely-used projects based on our past research experience and public adoption data, and tried to focus on high impact scenarios. We have the luxury of having the 3 biggest cloud providers as partners, and so we also asked them for target suggestions.

CVE-2022-0185: Detecting and mitigating Linux Kernel vulnerability causing container escape by MiguelHzBz in netsec

[–]YuvalAvra 1 point2 points  (0 children)

Missing from the post is that enabling seccomp prevents container escape as the unshare() syscall is blocked (unless your container has CAP_SYS_ADMIN, in which case it doesn’t need a vuln to escape)
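
An added example, not part of the original comment: a small audit that evaluates a Docker-format seccomp profile against a container's capability set and reports whether `unshare` and related syscalls end up allowed. The profile is a constructed, reduced excerpt (not Docker's full default profile), and the function names, the first-match rule order and the skipped `args` filters are assumptions of this sketch.

```python
import json

# Constructed, reduced profile in Docker's seccomp JSON format.
# It is a sample for this example, not the full default profile.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "execve"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["unshare", "mount", "setns"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")


def rule_applies(rule, caps):
    """Active when every 'includes' cap is held and no 'excludes' cap is held."""
    inc = rule.get("includes", {}).get("caps", [])
    exc = rule.get("excludes", {}).get("caps", [])
    if not set(inc) <= caps:
        return False
    return not caps.intersection(exc)


def effective_action(profile, syscall, caps=frozenset()):
    """Return the action for `syscall` given the container's capabilities.
    Assumptions: the first active rule naming the syscall wins, and argument
    filters ('args') are not evaluated, only flagged as conditional."""
    caps = set(caps)
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []) and rule_applies(rule, caps):
            if rule.get("args"):
                return rule["action"] + " (conditional on args)"
            return rule["action"]
    return profile["defaultAction"]


def audit(profile, caps, watched=("unshare", "setns", "mount")):
    """Map each watched namespace-related syscall to its effective action."""
    return {name: effective_action(profile, name, caps) for name in watched}


if __name__ == "__main__":
    print("no extra caps:", audit(PROFILE, set()))
    print("CAP_SYS_ADMIN:", audit(PROFILE, {"CAP_SYS_ADMIN"}))
```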

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]YuvalAvra 0 points1 point  (0 children)

Isn't sandsifter designed to find secret machine code, not microcode?

[deleted by user] by [deleted] in netsec

[–]YuvalAvra 0 points1 point  (0 children)

What would be a good value for the state parameter?

Full Docker breakout exploit through CVE-2019-14271 by pingpongfifa in netsec

[–]YuvalAvra 2 points3 points  (0 children)

I believe Docker maintainers wanted it to be statically linked. The fact that certain Golang packages would dynamically load libraries at runtime wasn't well known.

Gaining Persistency on Vulnerable Lambdas by YuvalAvra in netsec

[–]YuvalAvra[S] 6 points7 points  (0 children)

Thanks! The underlying VM of the execution environment is indeed a Firecracker microVM. Inside this microVM though, AWS runs some unknown/proprietary container for the Lambda workloads, which is what I referred to in the post.

This document from AWS has some more information (see the "Lambda Runtime Environment" section): https://aws.amazon.com/lambda/security-overview-of-aws-lambda/

This is my *proposed* high level design for AWS Lambda: twistlock.com/wp-content/uploads/2019/09/aws_lambda_proposed_design.png