Threat Modeling That Helps the Business – Akira Brand, Sandy Carielli – ASW #316

New research out of the team that disclosed iLeakage back in 2023.

• SLAP -- "Data Speculation Attacks via Load Address Prediction on Apple Silicon"
• FLOP -- "Breaking the Apple M3 CPU via False Load Output Predictions"

Where Spectre and its ilk expected control flow scenarios, this new research scrutinized CPU behavior, predictions, and misses in data flows.

What if a security feature was developed in response to another security feature that was unwieldy and didn't scale well?

But then that security feature wasn't adopted by browsers for almost a decade, its failure mode meant it wasn't enforcing anything, and servers didn't support it well?

This story strikes me more as a useful case study in correctly identifying a security problem, but creating a solution of half-measures. It also seems very reasonable to do away with OCSP. The move towards very short-lived certs -- enabled by protocols like ACME and organizations like Let's Encrypt -- shows how there's not much of a negative impact to losing OCSP and, instead, the internet is moving to better practices overall.

There was a great upheaval in the AI world last week, where a dose of real innovation dropped into an artificial market.

In appsec terms, I’d call this an influencer injection attack, where a lot of strongly held opinions were put forward based on superficial extrapolations from headlines and that repeated many misleading claims. It’s similar to saying public WiFi is too dangerous to ever use or personal VPNs protect you from malware and protect your privacy by hiding your IP address.

I still would rather cover the angle of AI demonstrating value as an appsec tool. We still seem to be at the one-off demonstration of possibility.

So, with all that said, yes, I included one article related to DeepSeek. But I specifically wanted to highlight Wiz's point that “…the immediate security risks for AI applications stem from the infrastructure and tools supporting them.”

When do you update a threat model? What should that update look like?

This new RFC gives us a chance to talk about OAuth2, design flaws, implementation details, and creating actionable recommendations.

The Portswigger folks will release the 2024 list of top 10 web hacking techniques on Tuesday after we record the show, but I wanted to remind everyone to check it out.

I think my personal favorite was Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine. I liked the persistence in research, from finding an ancient bug to the effort involved in figuring out how to exploit it, and learning about a new class of PHP attacks that I wasn't familiar with.

A fun example of the disproportionate impact of a few lines of code on performance and cost savings.

Check out the commit here.

Yes, but the list also feels like an extension of the existing OWASP controls

Vulns were reported back in Sept 2024, so its been well over 90 days but a patch hasnt been deployed