DARPA’s AI Challenge, CISA Wants Secure Open Source, 5 Years of Vuln Research – ASW #251

A new challenge to coax AI into figuring out how to identify and fix software flaws. The challenges will be across many programming languages, but have half of them focused on memory-safety issues in C and C++.

I'd be curious to see a challenge that rewrote a program in C into Rust.

Check out the OpenSSF announcement.

Keep an eye on the contest's home page.

We covered comments from Google's red team targeting AI back in episode 248. Here's a similar article from Microsoft.

A few things stand out from "normal" red team exercises. One, this testing is more expensive. Two, it requires repeated attempts. Three, and more interesting to me, is testing how such systems might generate harmful content for average users. In other words, the testing is just figuring out what a malicious actor might do, but what the system might do to a benign user.

CISA wants to push the industry to secure by default and secure by design. A big part of this is moving towards memory-safe languages. Another part is asking the industry where they think major investments in effort should go.

Check out the Request for Information. You have until October 9, 2023 to respond.

There's a lot in here about what vulnerability management programs should focus on and how they can be efficient and effective. For example, focusing on high-risk vulns (as indicated by CVSS) combined with exploitation. It's important to have good visibility into the vulns across an org, but it's also important to realize that not all of those vulns require remediation.

Yet another look at CPU-related security, this time in memory leaks in the Linux kernel and what a user space program can get out of it -- like encryption keys.

Mostly including this just to show how exploits improve and emerge over time. This research points out that bugs that were seemingly unexplainable (in terms of an RCE) or that lead to a DoS now have an additional security consideration.

We've got secrets managers in the cloud, secure enclaves on user systems, and lots of API security tokens floating around that need protection.

This is also a chance to talk about API security and different models like shared secrets, asymmetric signing keys, and HMACs.

Another example of an "install mode" that may persist after the install and consequently be used to obtain encryption keys.

"This year's Codebreaker Challenge will center around a simulation in which the US Coast Guard identifies a signal about 30 miles off the coast of the continental US; participants will be asked to interpret and find the origin of the signal."

Keep an eye on the official site. The challenge runs from Sept. 28 through Dec. 21.

Max Levchin tells a story about how he used Shamir Secret Sharing to protect encryption on Paypal's database - and how it first broke when they put it into production.

(h/t Bill)

Always nice to see my curiosity with space appsec filter over to to the side my political nerd side also reads ????

Turns out urlsplit() and urlparse() don't do input validation. Whoops.

I'm on the waiting list so haven't gotten to play with it, but Google's announced IDX - a Visual Studio-based IDE with some of Google's flavor of LLM built into it to assist in coding. I keep hoping these things will produce more secure code...

The folks who funded most of the development of Stable Diffusion (one of the first to kick off the current generative AI fashion period) have released Stablecode - a LLM focused on software development. The model's up on huggingface - start your coding!

This interview over on HBR includes a message I can really get behind: Don't worry so much about AI/computers taking over the world, but if you don't understand how to leverage these new tools, you may find it difficult to keep up with those who do.

This is an interesting read of how an IOT manufacturer could take a more proactive stance about understanding the threats against their products, and spend some resources working to improve the security situation.

(apologies if this is paywalled - it seems available to me)

Intel got patches out for Downfall fairly quickly, but they'll take up to 39% of your CPU's performance, unfortunately.

(thanks to Phoronix for always creating great low-level Linux articles)

The folks at cycode developed a POC extension for VSCode which doesn't just get security tokens from other plugins, but also the GitHub/Microsoft tokens for login/sync functionality. They went beyond that and provided a great writeup about how they worked through figuring out how to get their POC extension to do what they want