tmlxs

In this cautionary tale of averting a large-scale supply chain attack, a follow-up to Kudelski Security researchers @tmlxs and @nathanhamiel’s Black Hat USA presentation, we detail our RCE on CodeRabbit’s production servers and write access to 1m repos. kdlski.co/4oIvuKs

Here is our detailed write-up of the CodeRabbit vulnerability, one of the vulnerabilities @tmlxs and I highlighted in our @blackhatevents USA presentation. This is the one where we had access to a million repositories. We show how to go from PR to RCE. A patient attacker could have turned this into a large-scale supply chain attack. One of the things we wanted to demonstrate is that finding vulnerabilities in real-world AI-powered applications is just as much, if not more, about understanding the underlying systems and tools that the AI components are interacting with. If you don’t understand these, then you will miss things no matter how many prompt injections you supposedly have. We hope you find this useful. Link to post, in comment.

Glad to see our AI-powered fuzzing work inspire research community to try this on Rust targets successfully ($3, 14 bugs, 34 fuzzers in 37 projects). Wait on some of our new results on Gemini! research.kudelskisecurity.com/2023/12/07/int…

🦀 Using AI to Automatically Fuzz Rust Projects from Scratch New tool, Fuzzomatic, can automatically generate fuzz targets for @rustlang projects → Found at least one bug in 14 projects (38%) Code: github.com/kudelskisecuri… By @KudelskiSec research.kudelskisecurity.com/2023/12/07/int…

@KudelskiSec's @tmlxs releases the code behind his latest project, Fuzzomatic — an automated fuzz target generator and bug finder meticulously crafted for Rust projects, written in Python! kdlski.co/3RcdKHz #Fuzzing #Python #Rust #AI

Introducing Fuzzomatic. A Python based fuzzer for Rust that uses AI assistance, allowing for completely from scratch fuzzing. Fuzzomatic has a few tricks up its sleeve, too. It can perform fixes and parse various artifacts to generate fuzz targets. research.kudelskisecurity.com/2023/12/07/int…

Last week during @ph0wn we gave a workshop about Security Keys with @tmlxs. Here are the slides: cybermashup.files.wordpress.com/2023/11/yubike…

Today I’m happy to announce a new paper Addressing Risks from AI Coding Assistants. A realistic look at tools like #GitHub #Copilot and #ChatGPT for development tasks, outlining the risks and providing mitigation advice for security and development teams. resources.kudelskisecurity.com/en/kudelski-se…

AI coding assistants: development utopia or buggy nightmare? As @nathanhamiel paper shows, it all depends on understanding the risks and mitigating them. Click the link and read on: kdlski.co/3F3Bus1 #risks #ChatGPT #Copilot

The @KudelskiSec Research Team discovered a novel attack on ECDSA that they call Polynonce and applied it to datasets like Bitcoin and Ethereum networks. Are private jets in their future? Details and open-source tools to test the attack here: kdlski.co/3kIc7p2

Based on their presentation at @sstic, Kudelski Security’s Sylvain Pelissier and Nils Amiet latest blog post covers GPG and whether it resists memory forensics. Read more: kdlski.co/3Oh3eMb

⚡Tech Speaker Alert! 🧠GPG memory #Forensics 💡Nils & Sylvain @Pelissier_S (@KudelskiSec) will demonstrate techniques to retrieve #passphrases & #encryption keys from a memory dump 😎Join us➡️bit.ly/34cBbMC #NullconBerlin2022 #Infosec

It's now possible to detect and fix security issues with Semgrep’s Autofix feature as long as the rule that matched is autofix-capable. Check out some real-world examples in Kudelski Security Nils Amiet’s latest blog post: kdlski.co/3qlraFf #semgrep #autofix #securityissues

It's always a rarity when we find a really good manual on smart contract hacking. Today, we have such a manual for you! 👉 dl.acm.org/doi/fullHtml/1… - Blockchain Vulnerabilities in Practice.

Today we released oramfs, a simple, flexible, Free Software ORAM implementation for Linux written in Rust hubs.ly/H0Rj2hj0 Join us on Wednesday July 7th at 4:10pm CEST when we present oramfs at #pts21 #Linux #OpenSource

Did you miss #PassTheSALT? That’s okay. In his latest blog post, you can view Nils’ slides and even watch a recording of his talk on replacing #passwords with #FIDO2. Click here. hubs.ly/H0shc8R0

#DifferentialPrivacy provides a measurable way to balance privacy & data accuracy when publicly releasing aggregate data on private datasets. @KudelskiSec’s Nils Amiet’s latest blog is a hands-on, applied, comparison of several popular libraries hubs.ly/H0nwj1M0

Un article très intéressant de @KudelskiSec. L'équipe de chercheurs de Kudelski y décrit le modèle de sécurité de #FIDO2 et aborde des sujets avancés au cœur du protocole tels que les attestations. #cybersecurity #trust research.kudelskisecurity.com/2020/02/12/fid…

Organizations still have a #password problem. In his latest post,@KudelskiSec’s Nils Amiet dives into #FIDO2, specifically on the topics of #attestations, #trustmodel, and #security. Read it here. hubs.ly/H0m-N2q0

With just a little bit of money, you can perform a power analysis on a target. Learn more in @KudelskiSec’s @Baldanos latest #ResearchBlog article Power (Analysis) to the People. hubs.ly/H0lhLB_0