In this cautionary tale of averting a large-scale supply chain attack, a follow-up to Kudelski Security researchers @tmlxs and @nathanhamiel’s Black Hat USA presentation, we detail our RCE on CodeRabbit’s production servers and write access to 1m repos.
https://t.co/SAUyzFz8o1
Here is our detailed write-up of the CodeRabbit vulnerability, one of the vulnerabilities @tmlxs and I highlighted in our @blackhatevents USA presentation. This is the one where we had access to a million repositories. We show how to go from PR to RCE. A patient attacker could have turned this into a large-scale supply chain attack. One of the things we wanted to demonstrate is that finding vulnerabilities in real-world AI-powered applications is just as much, if not more, about understanding the underlying systems and tools that the AI components are interacting with. If you don’t understand these, then you will miss things no matter how many prompt injections you supposedly have. We hope you find this useful. Link to post, in comment.
Glad to see our AI-powered fuzzing work inspire research community to try this on Rust targets successfully ($3, 14 bugs, 34 fuzzers in 37 projects). Wait on some of our new results on Gemini! https://t.co/lzOaO9k7AC
🦀 Using AI to Automatically Fuzz Rust Projects from Scratch
New tool, Fuzzomatic, can automatically generate fuzz targets for @rustlang projects
→ Found at least one bug in 14 projects (38%)
Code: https://t.co/eTj1yen3yy
By @KudelskiSec
https://t.co/FZCA4hFMP8
@KudelskiSec's @tmlxs releases the code behind his latest project, Fuzzomatic — an automated fuzz target generator and bug finder meticulously crafted for Rust projects, written in Python! https://t.co/r3dvVqD2xL
#Fuzzing#Python#Rust#AI
Introducing Fuzzomatic. A Python based fuzzer for Rust that uses AI assistance, allowing for completely from scratch fuzzing. Fuzzomatic has a few tricks up its sleeve, too. It can perform fixes and parse various artifacts to generate fuzz targets. https://t.co/y0JkkMjmDm
Today I’m happy to announce a new paper Addressing Risks from AI Coding Assistants. A realistic look at tools like #GitHub#Copilot and #ChatGPT for development tasks, outlining the risks and providing mitigation advice for security and development teams. https://t.co/RR5MI5YAB3
AI coding assistants: development utopia or buggy nightmare? As @nathanhamiel paper shows, it all depends on understanding the risks and mitigating them. Click the link and read on:
https://t.co/J8r7vxydrf #risks#ChatGPT#Copilot
The @KudelskiSec Research Team discovered a novel attack on ECDSA that they call Polynonce and applied it to datasets like Bitcoin and Ethereum networks. Are private jets in their future? Details and open-source tools to test the attack here: https://t.co/lcsdxmxHk4
Based on their presentation at @sstic, Kudelski Security’s Sylvain Pelissier and Nils Amiet latest blog post covers GPG and whether it resists memory forensics. Read more: https://t.co/pkQdBn5M2m
It's now possible to detect and fix security issues with Semgrep’s Autofix feature as long as the rule that matched is autofix-capable. Check out some real-world examples in Kudelski Security Nils Amiet’s latest blog post: https://t.co/QeNhzm8lrj #semgrep#autofix#securityissues
It's always a rarity when we find a really good manual on smart contract hacking. Today, we have such a manual for you!
👉 https://t.co/SvXTVRtbCU - Blockchain Vulnerabilities in Practice.
Today we released oramfs, a simple, flexible, Free Software ORAM implementation for Linux written in Rust https://t.co/0hZmzzU6M9 Join us on Wednesday July 7th at 4:10pm CEST when we present oramfs at #pts21#Linux#OpenSource
Did you miss #PassTheSALT? That’s okay. In his latest blog post, you can view Nils’ slides and even watch a recording of his talk on replacing #passwords with #FIDO2. Click here. https://t.co/jHdAb2thZO
#DifferentialPrivacy provides a measurable way to balance privacy & data accuracy when publicly releasing aggregate data on private datasets. @KudelskiSec’s Nils Amiet’s latest blog is a hands-on, applied, comparison of several popular libraries https://t.co/3WCuOGkB1v
Un article très intéressant de @KudelskiSec.
L'équipe de chercheurs de Kudelski y décrit le modèle de sécurité de #FIDO2 et aborde des sujets avancés au cœur du protocole tels que les attestations.
#cybersecurity#trust
https://t.co/dqINxJMDlU
With just a little bit of money, you can perform a power analysis on a target. Learn more in @KudelskiSec’s @Baldanos latest #ResearchBlog article Power (Analysis) to the People. https://t.co/XGwFizmxvV