Defensive Track Talks. Part 1
The talks of the Defensive Track are devoted to secure development, DevSecOps, incident detection, and practical aspects of cybersecurity.
Some of the approved talks are below.
Formal verification redux: secure dev beyond randomized testing
What can one do to write secure software beyond code review and rigorous testing? Write less code and more theorems! Let's look at how HTTPS is secured at the implementation level today.
It is well known that code is hard to grasp once it spans more than a screenful. The solution? Restrict the language's semantics so that components compose; give users cheap ways to model their systems; turn program analysis up to eleven. This talk is a whirlwind tour of the state of the art in formal verification, with case studies of a verified OS kernel (CertiKOS), verified HTTPS components that carry a large share of web traffic (Project Everest), and the Linux kernel (linux.git/*.tla, models of locking mechanisms). Why? So you can write better code, of course, with the power of computer science.
This talk is prepared by wldhx (Dmitriy Volkov).
Container escapes: Kubernetes edition
Container escape vulnerabilities, like sandbox escapes in browsers or VM escapes, top the list of bugs security researchers most want to find. Still, studying container escapes in isolation from the environment and infrastructure the containers run in is of limited practical value. In this talk, Dmitriy Evdokimov will discuss cloud-native applications and how easy or hard it is to pull off a container escape in Kubernetes infrastructure, with all its specifics.
CVEhound: check Linux sources for known CVEs
CVEhound is a tool for checking Linux kernel source trees for known CVEs. It lets one audit the kernels of phones, routers, servers, etc. for fixes that are missing relative to upstream kernel development; the check matches the fix itself (via Coccinelle rules and grep patterns) rather than a version string, which is what makes it usable on vendor trees. The talk by Denis Efremov will include a brief description of the CVE patching workflow in the Linux kernel and a presentation of the CVEhound tool.
Company-wide SAST
At Yandex, developers use a wide range of VCS and CI/CD systems, and the security team runs more than a dozen static analysis tools: commercial, open source, and in-house. Without a single entry point, such a toolset suffers from poor coverage, a high false-positive rate, and a low bus factor. To solve these problems, they developed the imPulse orchestrator, which unifies how analyzers are launched, how their reports are handled, and how findings are triaged.
imPulse supports both the traditional scenario of scheduled scans and on-demand security checks triggered from CI/CD pipelines. A single interface to the static analysis tools lets them hunt for Yandex-specific problems and vulnerability classes across the entire code base, using analyzers such as Semgrep and CodeQL with custom rules. In this presentation, Aleksei Meshcheriakov, Alexander Kaleda, and Evgenii Protsenko will talk about the problems they face and where they get ideas for custom rules.
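The core of an orchestrator like the one described above is reducing every analyzer's native report to one schema, dropping findings that were already triaged, and grouping the rest by location so a reviewer sees one item even when two tools flag the same line. The script below is an added illustration of that idea and is not imPulse's code; both Semgrep (`semgrep --sarif`) and CodeQL emit SARIF, so it parses minimal SARIF documents. The two SARIF excerpts, the file paths, the rule IDs, and the baseline are constructed for the example, not captured from a real scan.

```python
"""Normalise SARIF output from several static analyzers into one triage queue.

Added example, not the orchestrator's own code: each analyzer's report is
reduced to one Finding schema, compared against a baseline of fingerprints
already triaged, and grouped by location so that only new issues reach a human.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed SARIF excerpts shaped like tool output; not captured from any real scan.
SEMGREP_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "python.lang.security.subprocess-shell-true",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/deploy.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "python.lang.security.hardcoded-password",
             "message": {"text": "hard-coded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

CODEQL_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/command-line-injection",
             "message": {"text": "command built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "./src/deploy.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/sql-injection",
             "message": {"text": "query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 118}}}]},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    path: str
    line: int
    message: str

    def fingerprint(self) -> str:
        """Stable baseline key: tool + rule + normalised location (message excluded)."""
        raw = f"{self.tool}|{self.rule_id}|{self.path}|{self.line}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def normalise_path(uri: str) -> str:
    # Tools disagree on "./src/x.py" vs "src/x.py"; baselines must not.
    return uri[2:] if uri.startswith("./") else uri


def parse_sarif(text: str) -> list[Finding]:
    """Reduce a SARIF document to Finding records, one per result."""
    doc = json.loads(text)
    out = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"].lower()
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            out.append(Finding(
                tool=tool,
                rule_id=res["ruleId"],
                path=normalise_path(loc["artifactLocation"]["uri"]),
                line=loc["region"]["startLine"],
                message=res["message"]["text"],
            ))
    return out


def triage(reports: list[str], baseline: set[str]) -> dict:
    """Merge reports, drop baselined findings, group the rest by (path, line).

    Returns {"new": {(path, line): [Finding, ...]}, "suppressed": count}.
    """
    grouped: dict = {}
    suppressed = 0
    for text in reports:
        for f in parse_sarif(text):
            if f.fingerprint() in baseline:
                suppressed += 1
                continue
            grouped.setdefault((f.path, f.line), []).append(f)
    return {"new": grouped, "suppressed": suppressed}


if __name__ == "__main__":
    # Baseline: the SQL-injection finding was already triaged in an earlier run.
    known = {Finding("codeql", "py/sql-injection", "src/db.py", 118, "").fingerprint()}
    result = triage([SEMGREP_SARIF, CODEQL_SARIF], known)
    for (path, line), hits in sorted(result["new"].items()):
        tools = ", ".join(sorted({h.tool for h in hits}))
        print(f"{path}:{line}  [{tools}]  {hits[0].message}")
    print(f"suppressed by baseline: {result['suppressed']}")
```

Two design points matter in practice: the fingerprint deliberately excludes the message text, so a tool rewording its diagnostics does not resurrect already-triaged findings, and the two tools' reports for `src/deploy.py:42` collapse into one queue entry while still recording which tool raised each rule, which is the signal that makes a custom Semgrep or CodeQL rule easy to compare against the others.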