New SLAP & FLOP Attacks, OCSP Fades Away, DeepSeek’s ClickHouse, OAuth 2.0 Security – ASW #316
Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more!
Hosts
- 1. SLAP
New research out of the team that disclosed iLeakage back in 2023.
- SLAP -- "Data Speculation Attacks via Load Address Prediction on Apple Silicon"
- FLOP -- "Breaking the Apple M3 CPU via False Load Output Predictions"
Where Spectre and its ilk expected control flow scenarios, this new research scrutinized CPU behavior, predictions, and misses in data flows.
- 2. The Slow Death of OCSP | Feisty Duck
What if a security feature was developed in response to another security feature that was unwieldy and didn't scale well?
But then that security feature wasn't adopted by browsers for almost a decade, its failure mode meant it wasn't enforcing anything, and servers didn't support it well?
This story strikes me more as a useful case study in correctly identifying a security problem, but creating a solution of half-measures. It also seems very reasonable to do away with OCSP. The move towards very short-lived certs -- enabled by protocols like ACME and organizations like Let's Encrypt -- shows how there's not much of a negative impact to losing OCSP and, instead, the internet is moving to better practices overall.
- 3. Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History
There was a great upheaval in the AI world last week, where a dose of real innovation dropped into an artificial market.
In appsec terms, I’d call this an influencer injection attack, where a lot of strongly held opinions were put forward based on superficial extrapolations from headlines and that repeated many misleading claims. It’s similar to saying public WiFi is too dangerous to ever use or personal VPNs protect you from malware and protect your privacy by hiding your IP address.
I still would rather cover the angle of AI demonstrating value as an appsec tool. We still seem to be at the one-off demonstration of possibility.
So, with all that said, yes, I included one article related to DeepSeek. But I specifically wanted to highlight Wiz's point that “…the immediate security risks for AI applications stem from the infrastructure and tools supporting them.”
- 4. RFC 9700: Best Current Practice for OAuth 2.0 Security
When do you update a threat model? What should that update look like?
This new RFC gives us a chance to talk about OAuth2, design flaws, implementation details, and creating actionable recommendations.
- 5. FYI: Top 10 Web Hacking Techniques | PortSwigger Research
The Portswigger folks will release the 2024 list of top 10 web hacking techniques on Tuesday after we record the show, but I wanted to remind everyone to check it out.
I think my personal favorite was Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine. I liked the persistence in research, from finding an ancient bug to the effort involved in figuring out how to exploit it, and learning about a new class of PHP attacks that I wasn't familiar with.
- 6. FUN: A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
A fun example of the disproportionate impact of a few lines of code on performance and cost savings.
Check out the commit here.
- 1. Do We Really Need The OWASP NHI Top 10?
Yes, but the list also feels like an extension of the existing OWASP controls
- 2. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits
Vulns were reported back in Sept 2024, so its been well over 90 days but a patch hasnt been deployed
