{"id":1190,"date":"2021-07-15T23:26:43","date_gmt":"2021-07-16T06:26:43","guid":{"rendered":"https:\/\/breanneboland.com\/blog\/?p=1190"},"modified":"2021-08-11T22:22:14","modified_gmt":"2021-08-12T05:22:14","slug":"diana-initiative-2021-the-system-call-is-coming-from-inside-the-house","status":"publish","type":"post","link":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/","title":{"rendered":"Diana Initiative 2021: The System Call Is Coming from Inside the House"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Diana Initiative 2021-Breanne Boland-The System Call Is Coming from Inside the House: Appsec Horror\" width=\"660\" height=\"371\" src=\"https:\/\/www.youtube.com\/embed\/GLkIBGXYvKo?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Like ghosts, security vulnerabilities are the result of us going about our lives, doing the best we can, and then experiencing things going awry just because that&#8217;s usually what happens. We plan systems, we build software, we try to create the best teams we can, and yet there will always be echoes in the world from our suboptimal choices. They can come from lots of places: one team member\u2019s work not being double checked when a large decision is at stake, a committee losing the thread, or &#8211; worst of all &#8211; absolutely nothing out of the ordinary. 
Alas, it&#8217;s only true: security issues are a natural side effect of creating and using technology.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this post (and the talk it accompanies; video to come when it&#8217;s up), we\u2019re going to talk about the energy signatures, cryptids, orbs, poltergeists, strange sounds, code smells, and other things that go bump in the night. That\u2019s right: we\u2019re talking about security horror stories. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before we get started, here\u2019s a little disclaimer. Everything I\u2019m about to talk about is something I\u2019ve encountered, but I\u2019ve put a light veil of fiction on everything. It\u2019s just professionalism and good manners, a dash of fear of NDAs, and a little superstition too. The universe likes to punish arrogance, so I\u2019m not pretending I\u2019m immune to any of this. No one is &#8211; it\u2019s why appsec exists!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now: let&#8217;s get to the haunts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Automatic Updates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019m starting with one that\u2019s probably fresh in everyone\u2019s minds, and I\u2019m mentioning it first because it\u2019s such a dramatic betrayal. You think you\u2019re doing the right thing. You\u2019re doing the thing your security team TOLD you to do by keeping your software up to date. And then suddenly, you hear a familiar name in the news, and you have an incident on your hands.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/pointy-804x1024.png\" alt=\"a white man in a blue shirt who has been stabbed by his own wooden stake. A dialogue bubble reads, &quot;Mr. 
Pointy, no!&quot;\" class=\"wp-image-1196\" width=\"218\" height=\"277\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/pointy-804x1024.png 804w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/pointy-236x300.png 236w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/pointy-768x978.png 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/pointy.png 990w\" sizes=\"auto, (max-width: 218px) 100vw, 218px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This one is like getting stabbed with your own stake when you\u2019re fending off a vampire; I thought we had a good thing going! <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper-1024x670.jpeg\" alt=\"A drawing of a newspaper that says &quot;OH NO&quot; and then &quot;YIKES YIKES YIKES&quot;\" class=\"wp-image-1195\" width=\"289\" height=\"189\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper-1024x670.jpeg 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper-300x196.jpeg 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper-768x503.jpeg 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper-1536x1006.jpeg 1536w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/newspaper.jpeg 1952w\" sizes=\"auto, (max-width: 289px) 100vw, 289px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Ideally, you&#8217;ll learn about it via responsible disclosure from the company. Realistically, it might be CNN. Such is the way of supply chain attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You invite it in by doing the right thing. 
Using components, tools, and libraries with known vulnerabilities is in the most current version of the OWASP top ten for a reason, so there&#8217;s endless incentive to keep your stuff up to date. The problem comes from the tricky balance of updates vs. stability: the old ops vs. security argument.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A couple of jobs ago, we were suddenly having trouble after our hourly server update. Ansible was behaving itself, but a couple of our server types weren\u2019t working right. After an intense afternoon, some of my coworkers narrowed it down to a dependency that had been updated after a long time with no new releases. It wasn\u2019t even what you\u2019d call a load-bearing library, but it was important enough that there\u2019d been a breaking change. The problem was solved by pinning the requirement to an earlier version and reverting the update.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">My own sad little contribution toward this not being the state of things forever was to make a ticket in our deep, frozen, iceboxy backlog saying to revisit it in six months. I was an SRE then, but I was leaning toward security, and I was a little perturbed by the resolution &#8211; though I couldn\u2019t have suggested a better solution for keeping business going that day.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">(It did get fixed later, by the way. My coworkers reached out to tell me, which was very kind of them.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This has become one of those stories that stays with me when I review code or a web UI and find that an old version of server software or a dependency has a known issue. 
Even if it doesn\u2019t have a documented vulnerability, not throwing the parking brake on until it\u2019s updated to the most recent major version feels like doing badly by our future selves, even if it\u2019s what makes sense that day.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The best way to fix this is to watch for changes, check hashes on new packages, and generally pay close attention to what\u2019s flowing into your environment. It isn\u2019t easy, but it\u2019s what we\u2019ve got.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chrome extensions and other free software<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The horrors that lurk in free software are akin to the risks of bringing a Ouija board you found on the street into the house.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Behold: my favorite piece of art I made for this talk\/post.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"652\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/trashes-1024x652.png\" alt=\"a Ouija board sits on top of a pile of trash bags in a brown puddle\" class=\"wp-image-1200\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/trashes-1024x652.png 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/trashes-300x191.png 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/trashes-768x489.png 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/trashes.png 1532w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can identify it by listening for you or someone around you saying, \u201cLook at this cool free thing! Thanks, Captain Howdy, I feel so much more efficient now!\u201d Question everything that\u2019s free, especially if it executes on your own computer. 
That&#8217;s how we invite it in: sometimes it\u2019s really hard to resist something useful and free, even if you know better.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A particular problem with <a href=\"https:\/\/breanneboland.com\/blog\/2020\/08\/22\/bugcrowd-levelup-0x07-how-to-do-chrome-extension-code-reviews\/\" data-type=\"post\" data-id=\"1148\">Chrome extensions<\/a> is that you can\u2019t publish them without automatic updates enabled, which means someone has a direct line to change the code running in your browser for as long as you keep the extension installed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"302\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM-1024x302.png\" alt=\"Captain Howdy Efficiency Extension with picture of Regan from The Exorcist\" class=\"wp-image-1202\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM-1024x302.png 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM-300x88.png 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM-768x226.png 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM-1536x453.png 1536w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.14-PM.png 1648w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Last fall, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.zdnet.com\/article\/google-kills-the-great-suspender-heres-what-you-should-do-next\/\" target=\"_blank\">The Great Suspender<\/a>, a popular extension for suspending tabs and reducing Chrome&#8217;s memory usage, was taken over by malicious maintainers. 
As a result, people who had, once upon a time, done their due diligence were still sometimes unpleasantly surprised. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s the tough thing about evaluating some of these: you have to consider both the current risks (permissions used, things lurking in code) and the possible future risks. What happens if this program installed on 500 computers with access to your company\u2019s shared drive goes rogue? It makes it difficult to be something other than that stereotype of security, the endless purveyors of NO. But a small risk across a big enough attack surface ends up being a much larger risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In short: it\u2019s the Facebook principle, where if you get a service for free, you might consider the possibility that you\u2019re the product. Security isn\u2019t necessarily handled as carefully for the product as it is for paying customers. Pick your conveniences carefully and prune them now and then. (Or get fancy, if you control it within your company, and consider an allowlist model rather than a blocklist. 
Make conveniences prove themselves before you bring them in the house.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">unsafe-eval and unsafe-inline in CSP<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-1024x862.jpeg\" alt=\"watercolor of a brown book that says &quot;Super Safe Spells, gonna be fine!&quot;\" class=\"wp-image-1198\" width=\"350\" height=\"294\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-1024x862.jpeg 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-300x253.jpeg 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-768x647.jpeg 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-1536x1293.jpeg 1536w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1-2048x1725.jpeg 2048w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Our next monster: an overly permissive content security policy. I&#8217;d compare it to <a href=\"https:\/\/en.wikipedia.org\/wiki\/I,_Robot..._You,_Jane\" target=\"_blank\" rel=\"noreferrer noopener\">a particular episode of <em>Buffy the Vampire Slayer<\/em><\/a> or any movie that uses that trope of people reading an old book out loud without understanding what they&#8217;re saying. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fortunately, a content security policy is a lot easier to read than inspecting every old leather book someone might drag into your house<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1024x835.jpeg\" alt=\"watercolor of a brown book that says &quot;script-src 'unsafe-eval'&quot; and &quot;Good CSP Ideas&quot;\" class=\"wp-image-1199\" width=\"384\" height=\"312\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1024x835.jpeg 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-300x244.jpeg 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-768x626.jpeg 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images-1536x1252.jpeg 1536w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/talk-images.jpeg 2048w\" sizes=\"auto, (max-width: 384px) 100vw, 384px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">We invite it in because sometimes,the risky choice just seems easier. You just need to run a little code from a CDN that you need to be able to update easily.&nbsp;You know.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For fending it off, I would gently urge you not to put anything in your CSP that literally contains the word \u201cunsafe.\u201d I honestly understand that there are workarounds that can make sense in the moment, when you\u2019re dealing with a tricky problem, when you just need a little flexibility to make the thing <em>work.<\/em> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In that case, I urge you to follow my quarantine problem-solving process, for moments where you need to figure something out or finish a task, but the brain won\u2019t cooperate.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Have you eaten recently? 
(If not, fix that.)<\/li><li>Does this just feel impossible right now? Set a timer, work on it for a bit, then stop.<\/li><li>Can you not think around this problem usefully? Write out your questions.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">I would suggest starting with \u201cwhy do I think unsafe-eval is the best option right now, and what might I google to persuade myself otherwise?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sometimes you want to keep things flexible: &#8220;I\u2019ll just allow scripts from this wide-open CDN URL wildcard pattern.&#8221; But what can this enable? What if the CDN gets compromised? Use partners you trust, sure, but it&#8217;s also a good idea to have a failsafe in place, rather than having something in place that allows any old code from a certain subdomain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Look, it\u2019s hard to make things work. You have to be a glutton for punishment to do this work, even if you love it. (And I usually do.) But you can\u2019t just say yes to everything because of future-proofing or whatever feels like a good reason today, influenced by your last month or so of work pains. You can\u2019t do it. I\u2019m telling you, as an internet professional, not to do it. Because your work might go through my team, and I will say NOT TODAY, INTERNET SATAN, and then you\u2019re back at square one anyway.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stacktraces that tell on you<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cThe demon is a liar. He will lie to confuse us; but he will also mix lies with the truth to attack us.\u201d <\/p><cite>William Peter Blatty, eminent appsec engineer and author of <em>The Exorcist<\/em><\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Logs and stacktraces contain the truth. Right? They\u2019re there to collect context and provide you information to make things better. Logs: they\u2019re great! 
Except&#8230;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Exception in thread \"oh_no\" java.lang.RuntimeException: AHHHHHH!!!\n    at com.theentirecompany.module.MyProject.superProprietaryMethod(MyActualLivelihood.java:50)\n    at com.theentirecompany.module.MyProject.catOutOfBagMethod(MyActualLivelihood.java:34)\n    at com.theentirecompany.module.MyProject.underNDAMethod(MyActualLivelihood.java:27)\n    at com.theentirecompany.module.MyProject.sensitiveSecretMethod(MyActualLivelihood.java:11)\n    at com.theentirecompany.module.MyProject.oh_no(MyActualLivelihood.java:6)<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u2026except for when they get out of their cage. Or when they contain information that can be used to hurt you or your users.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We invite it in by adding values to debug statements that don\u2019t need to be there. Or by writing endpoints whose errors spill big old stacktraces that tell on you. Maybe you space out and leave debugging mode on somewhere once you\u2019ve deployed. Or you just haven\u2019t read up on <a rel=\"noreferrer noopener\" href=\"https:\/\/owasp.org\/www-project-top-ten\/2017\/A6_2017-Security_Misconfiguration\" target=\"_blank\">OWASP\u2019s cheat sheet on security misconfiguration<\/a>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">How to fend it off: conjure a good culturally shared sense of safe log construction and remember what shouldn\u2019t be in logs or errors: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Secrets<\/li><li>PII<\/li><li>PHI<\/li><li>Anything that could hurt your users<\/li><li>Anything that could get you sued. 
<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Make a commit hook that checks for debug <em>anything<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secrets in code<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>&#8220;To speak the name is to control the thing.&#8221;<\/p><cite>Ursula K. Le Guin<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The monster I&#8217;d compare this to is when the fae (<a href=\"https:\/\/en.wikipedia.org\/wiki\/The_Lies_of_Locke_Lamora\" target=\"_blank\" rel=\"noreferrer noopener\">or a wizard, depending on your taste in fantasy<\/a>) has your true name and can control you. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>API_KEY = \"86fbd8bf-deadbeef-ae69-01b26ddb4b22\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">How to identify it: read your code. Is there something in there you wouldn\u2019t want any internet random to see? Yank it! Use less-sensitive identifiers like internal account numbers if you need to, just not the thing that lets someone pretend to be you or one of your users if they have it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You know you&#8217;re summoning this one if you find yourself saying, \u201cOh, it\u2019s a private repo, it\u2019ll never matter.\u201d Or maybe, \u201cIt\u2019s a key that\u2019s not a big deal, it\u2019s fine if it\u2019s out there.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We fend this one off with safe secret storage and not depending on GitHub as a critical layer of security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We all want to do it. Sometimes, it\u2019s way easier than environment variables or figuring out a legit secret storage system. Who wants to spend time caring for and feeding a <a href=\"https:\/\/www.vaultproject.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vault<\/a> cluster? Come on, it\u2019s just on our servers, it\u2019s not a big deal. 
It\u2019s only deployed within our private network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>It is a big deal<\/em>. It is my job to tell people not to do this. Today I will tell you for free: don\u2019t do this!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;ve argued with people about this one sometimes. It surprises me when it happens, but the thing is that people really just want to get their job done, which can mean the temptation of doing things in the way that initially seems simpler. As a security professional, it becomes your job to help them understand that saving time now can create so many time-consuming problems later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s great to have <a href=\"https:\/\/github.com\/awslabs\/git-secrets\" target=\"_blank\" rel=\"noreferrer noopener\">a commit check<\/a> that looks for secrets, but even better is <em>never ever doing that<\/em>. Best of all is both!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A single layer of input validation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our next monster: a single layer of input validation for your web UI. 
I quote <em>Zombieland<\/em>: always double-tap.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"656\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-1024x656.jpeg\" alt=\"many snaky hydra heads baring pointy teeth\" class=\"wp-image-1201\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-1024x656.jpeg 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-300x192.jpeg 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-768x492.jpeg 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-1536x985.jpeg 1536w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/hydra-2048x1313.jpeg 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Our comparison for this one is anything tenacious. Let\u2019s say zombies, vampires, hydras. Anything that travels in a pack. And we identify it by siccing <a rel=\"noreferrer noopener\" href=\"https:\/\/portswigger.net\/burp\" target=\"_blank\">Burp Suite<\/a> on it. Maybe the form doesn\u2019t let you put a li\u2019l &lt;script&gt; tag in, but the HTTP request might be only too happy to oblige. We invite it in by getting a little complacent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The best way to fend it off is to remember that regular users aren\u2019t your real threat (and you\u2019re probably just irritating people whose names don\u2019t fit the definition of \u201cnormal\u201d that some shoddier validation enforces, which can do some awful racist things). 
There\u2019s a reason injection, especially <a href=\"https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection\" target=\"_blank\" rel=\"noreferrer noopener\">SQL injection<\/a>, is a perennial member of the <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP top ten<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Say it with me: client-side and server-side validation and sanitization! And then add appropriate encoding too, depending on what you\u2019re doing with this input.<br>Most people do only interact with your server via your front end, and bless them. But the world is filled with jerks like me, both professional jerks and people who are jerks for fun, and we will bypass your front end to send requests directly to your server. Never take only one measure when you can take two.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Your big-mouthed server<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -I big-mouthed-server.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">How to identify this one? <code>curl -I<\/code> thyself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We invite this one in by not changing defaults, which aren\u2019t always helpful. This also relates to <a rel=\"noreferrer noopener\" href=\"https:\/\/owasp.org\/www-project-top-ten\/2017\/A6_2017-Security_Misconfiguration\" target=\"_blank\">security misconfiguration from the OWASP top ten<\/a>. 
The early internet sometimes defaulted too much toward trust (read <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/The_Cuckoo%27s_Egg_(book)\" target=\"_blank\"><em>The Cuckoo\u2019s Egg<\/em> by Cliff Stoll<\/a> for a great demonstration of the practices and perils of this mindset), and we can still see this in defaults for some software configs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Protect yourself from this one by changing your server defaults so your server isn\u2019t saying anything you wouldn\u2019t want to broadcast. The primary concern here is telling someone you\u2019re using a vulnerable version of your server software, so keep your stuff updated <em>and<\/em> muffle your server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s go <em>X-Files<\/em> about it: trust no one, including your computers. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ESPECIALLY your computers. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t trust computers! They just puke your details out everywhere if someone sends them a special combination of a few characters. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In conclusion, sometimes <a href=\"https:\/\/ofgeography.tumblr.com\/post\/169427164316\/tech-enthusiasts-everything-in-my-house-is-wired\" target=\"_blank\" rel=\"noreferrer noopener\">I wish I had been born in the neolithic<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Laissez-faire auth (or yolosec, if you prefer)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our next monster: authentication that accepts any old key and authorization that assumes that, if you&#8217;re logged in, you&#8217;re good to go. Its horror movie counterpart is that member of your zombie-hunting group that cares more about being a chill dude than being alive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can identify it by doing a little token swapping. Can you complete operations for one user using another\u2019s token? 
The monster is in your house.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here we are again at the OWASP top ten: <a rel=\"noreferrer noopener\" href=\"https:\/\/owasp.org\/www-project-top-ten\/2017\/A2_2017-Broken_Authentication\" target=\"_blank\">broken authentication<\/a> is a common and very serious issue. The problem compounds because we need to do better than \u201cAre you allowed in?\u201d We also need to ask, \u201cAre you allowed to do THIS operation?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We invite this one in by assuming no one will check to see if this is an issue or by assuming the only people who interact with your software have a user mindset. Or, sometimes worst of all, just not giving your devs enough time and resources to do this right.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can fend it off by using a trusted authentication solution (<a rel=\"noreferrer noopener\" href=\"https:\/\/oauth.net\/\" target=\"_blank\">OAuth<\/a> is popular for a reason) and ensuring there are permissions checks, especially on state-changing operations &#8211; ones that go beyond &#8220;if you&#8217;re not an admin, you don&#8217;t have certain links in your view of things.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;ve seen a fair amount of \u201cany token will do\u201d stuff: tokens that don\u2019t invalidate on logout, tokens that work if you fudge a few characters, things like that. It\u2019s like giving a red paper square as a movie ticket: anyone can come in anytime. Our systems and users need us to do better.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The elder gods of technology<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Ah, yes, the technology that will never leave us. 
Think ancient WordPress, old versions of Windows running on an untold number of servers, <a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2018-1000164\/\" target=\"_blank\" rel=\"noreferrer noopener\">a certain outdated version of Gunicorn<\/a>, and other software with published CVEs.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cThat is not dead which can eternal lie.\u201d<\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Which monster would I compare this to? Well, I\u2019m not going to say his name, am I? <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You know you&#8217;re at risk of summoning it when you hear someone say \u201clegacy software,\u201d though newer projects are NOT immune to this. Saying \u201cwe\u2019re really focusing our budget on new features right now\u201d is another great way to find&#8230; you know&#8230; on your doorstep.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can fend it off by allocating budgets to review and update dependencies and fix problems when they&#8217;re found. And they should be sought out on a regular schedule.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No tool, framework, or language is bad. They all have potential issues that need to be considered. For instance, there are still valid reasons to use XML, and PHP is a legitimate language that just needs to be lovingly tended. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Yep, we\u2019re back at the risk of using components with known vulnerabilities from the OWASP top ten. No tool, framework, or language is <em>bad<\/em>, but some versions have known problems, and some tools have common issues if you don\u2019t work around them. It\u2019s not on them; it\u2019s on you and how you use and tend your tools.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The real incantation to keep this one away is understanding why we keep these things around. 
No engineering team keeps their resident technical debt nightmare because they <em>like<\/em> it. They do it because it\u2019s worked so far, and rewriting things is expensive and finicky, particularly if outside entities depend on your software or services. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019ve never been on an engineering team that didn\u2019t have lots of other things to do rather than address the thing that mostly hasn\u2019t given them problems\u2026 even if none of the engineers without vivid memories of the 90s understand it very well. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sometimes the risk of breaking changes is scarier than whatever might be waiting down the road, once your old dependencies cause problems\u2026 or someone on the outside realizes what your house of cards is built on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Javascript :D<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Speaking of no tool, framework, or language being bad: let&#8217;s talk about Javascript. Specifically Javascript used incorrectly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"710\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/12_monkeys_and_cabin_fever-1024x710.png\" alt=\"\" class=\"wp-image-1205\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/12_monkeys_and_cabin_fever-1024x710.png 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/12_monkeys_and_cabin_fever-300x208.png 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/12_monkeys_and_cabin_fever-768x533.png 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/12_monkeys_and_cabin_fever.png 1300w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Our horror comparison? It&#8217;s a little <em>12 Monkeys<\/em>, a little <em>Cabin Fever<\/em>. 
Anything where they realize the contagion is in the water or has gone airborne. &#8220;Oh god, it\u2019s everywhere, it\u2019s unavoidable, it\u2019s a\u2026 global\u2026 pandemic\u2026&#8221; <em>Oh no.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The way to summon this one is simple. Say it with me:<\/p>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>internet<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anything\u2026 internet. It\u2019ll be there, whether you think you invited it or not. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To fend it off? Just\u2026 be very careful, please.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019m not going to make fun of Javascript. Once I was a child and enjoyed childish things, like making fun of Javascript. Ok, that was like three years ago, but now I am an adult and have quit my childish ways. In fact, I made myself do it somewhere between when I realized that mocking other people\u2019s tech is not actually an interesting contribution to a conversation and when I became an appsec engineer, so roughly between 2016 and the end of 2019.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The internet and thus life and commerce as we know it runs largely on Javascript and its various frameworks. It\u2019s just there! And there have been lots of leaps forward to make it less nightmarish, thanks to the really hard work of a lot of people, but still, things like doctor\u2019s appointments and vaccination slots and other giant matters of safety and wellbeing hang out on top of the peculiarities of a programming language that was created in ten days.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unfortunately, new dragons will just continue to appear, because that\u2019s the side effect of making new things: new features, new problems. 
The great thing for appsec that\u2019s an unfortunate thing about humanity is that we make the same mistakes over and over, because if something worked once, we want to think we have it sorted. And unfortunately, the internet and technology insist on continuing to evolve.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">How to fix it? Invest in appsec. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sorry. It\u2019s a great and important goal to develop security-conscious software engineers and to talk security as early as possible in the development process. But there\u2019s a reason writers don\u2019t proofread their work &#8211; or shouldn\u2019t. Writing and reviewing the work are two different jobs. It\u2019s why healthy places don\u2019t let people approve their own PRs. If we created it, we can\u2019t see it objectively. And most of us become sharper when honed by other perspectives and ideas.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The most permissive of permissions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">And finally, the monster that&#8217;s nearest and dearest to my heart: overly permissive roles, most specifically AWS permissions. I&#8217;d compare this to sleeping unprotected in the woods when you know very well they&#8217;re full of threats. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can identify it by checking out your various IAM role permissions. And yes, this is totally a broken authentication issue too, a la OWASP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The best way I know to invite this one in is by starting out as a smaller shop and then moving from a team of, say, three people who maybe even all work in the same room, doing everything, to thirty or fifty or more people, who have greater specialization\u2026 yet your permissions never got the memo.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And the best way I know to fend it off is to make more refined roles as early as you can. I know, it\u2019s hard! 
It isn\u2019t a change that enables a feature or earns more money, so it&#8217;s easy to ignore. Worst of all, as you refine the roles, reduce access, and iterate, you\u2019re probably going to piss off a bunch of people as you work to get it right. IAM: the monster that doesn\u2019t need a clever analogy because getting it right sucks so bad on its own sometimes! <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s also the monster that lurks around basically every corner, because IAM is <em>ubiquitous<\/em>. So it\u2019s everywhere, and it\u2019s endlessly difficult: awesome! Alas, we have to put the work in, because messing it up is the most efficient way I know to undermine so much other carefully done security work.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"646\" src=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.28-PM-1024x646.png\" alt=\"AWS permissions that allow access to all resources and actions\" class=\"wp-image-1203\" srcset=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.28-PM-1024x646.png 1024w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.28-PM-300x189.png 300w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.28-PM-768x485.png 768w, https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/Screen-Shot-2021-07-15-at-10.13.28-PM.png 1100w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And yet I feel warmly toward it, because <a href=\"https:\/\/breanneboland.com\/blog\/2020\/01\/27\/how-an-sre-became-an-application-security-engineer-and-you-can-too\/\" data-type=\"post\" data-id=\"1125\">IAM was my gateway into security work<\/a>. 
It\u2019s the thing I tend to quietly recommend to the security-aspiring, because most people don\u2019t seem to like doing it very much, yet the work always needs to be done. Just showing up and being like, \u201cIAM? I\u2019d love to!\u201d is a highly distinctive professional posture. Get your crucifix ready and have some incantations at hand, and you\u2019ll never run out of things to do. It\u2019s never not useful. Sorry, it\u2019s just like the rest of tech: if you\u2019re willing to do the grunt stuff and get good at it, you\u2019ll probably have work for as long as you want it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Whew. That\u2019s a lot of things that go bump in the night.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s end with some positive things. I swear there are some. And if a security engineer tells you that there are still some beautiful, sparkly, pure things in the world, that\u2019s probably worth listening to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Strategies for vulnerability ghost hunting<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\">Don\u2019t be the security jerk<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Be easy to work with. This doesn\u2019t mean being in a perpetually good mood &#8211; I am NOT, and former coworkers will attest to this if you ask &#8211; but it means reliably not killing the messenger. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">People outside of your security team &#8211; including and <em>especially<\/em> people who aren\u2019t engineers &#8211; are your best resource for knowing what\u2019s actually going on. Here\u2019s the thing: if you\u2019re a security engineer, people don\u2019t act normally around you anymore. You probably don\u2019t get to witness the full spectrum of people\u2019s natural behavior. Unfortunately, it just comes with the territory. 
And it means we have to rely on people telling us the truth when they see something concerning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even people who are cooperative with security will hedge a little sometimes when dealing with us. I know this because I\u2019ve done it. But you\u2019ll reduce this problem if everyone knows that talking to security will be an easy, gracious thing where they\u2019re thanked at the end. Make awards for people who are willing to bring you problems instead of creating a culture of fear and covering them up! Make people feel like they\u2019re your ally and a valued resource, because they <em>are<\/em>!<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Be an effective communicator<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Being able to communicate in writing is so important in this work. Whether it\u2019s vulnerability reports, responsible disclosure, blog posts warning others about haunted terrain, or corresponding with people affected by security poltergeists, being able to write clearly for a variety of audiences is one of our best tools. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you think you\u2019re losing your grip on how regular people talk about this stuff, bribe your best blunt, nontechnical friend to listen to you explain things. Then have that blunt friend tell you when what you said didn\u2019t make a goddamn lick of sense\u2026 then revise and explain again. 
Do this until you\u2019re able to explain things in plain language accessible to your users and spur them to action using motivations that make sense to <em>them<\/em>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Now let&#8217;s leave this haunted house together and greet the coming dawn.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I hope you encounter none of these terrifying creatures and phenomena that I described, that your trails from server to server in our increasingly connected world are paved with good intentions and mortared together with only the best outcomes. But should you wander into dark woods full of glowing red eyes and skittering sounds belonging to creatures just out of sight\u2026 I hope you are better equipped to recognize and banish them than you were earlier. Thank you for reading.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In which we compare internet security issues with a bevvy of scary things in the interest of people better remembering how to find and fix them.<\/p>\n","protected":false},"author":1,"featured_media":1197,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[246],"tags":[265,263],"class_list":["post-1190","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-talks","tag-owasp","tag-vulnerabilities"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne Boland<\/title>\n<meta name=\"description\" content=\"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne Boland\" \/>\n<meta property=\"og:description\" content=\"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/\" \/>\n<meta property=\"og:site_name\" content=\"Breanne Boland\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-16T06:26:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-12T05:22:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes-1024x655.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"655\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"21 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#\\\/schema\\\/person\\\/7b8ba109de56e2b80e0773753109c1ce\"},\"headline\":\"Diana Initiative 2021: The System Call Is Coming from Inside the House\",\"datePublished\":\"2021-07-16T06:26:43+00:00\",\"dateModified\":\"2021-08-12T05:22:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/\"},\"wordCount\":4457,\"publisher\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#\\\/schema\\\/person\\\/7b8ba109de56e2b80e0773753109c1ce\"},\"image\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/breanneboland.com\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/scary_eyes.png\",\"keywords\":[\"owasp\",\"vulnerabilities\"],\"articleSection\":[\"talks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/\",\"url\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/\",\"name\":\"Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne 
Boland\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/breanneboland.com\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/scary_eyes.png\",\"datePublished\":\"2021-07-16T06:26:43+00:00\",\"dateModified\":\"2021-08-12T05:22:14+00:00\",\"description\":\"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#primaryimage\",\"url\":\"https:\\\/\\\/breanneboland.com\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/scary_eyes.png\",\"contentUrl\":\"https:\\\/\\\/breanneboland.com\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/scary_eyes.png\",\"width\":3002,\"height\":1921,\"caption\":\"glowing eyes on a black 
background\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/2021\\\/07\\\/15\\\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Diana Initiative 2021: The System Call Is Coming from Inside the House\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/\",\"name\":\"Breanne Boland\",\"description\":\"Appsec engineer, SRE, writer, UX, endless questions mostly\",\"publisher\":{\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#\\\/schema\\\/person\\\/7b8ba109de56e2b80e0773753109c1ce\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/breanneboland.com\\\/blog\\\/#\\\/schema\\\/person\\\/7b8ba109de56e2b80e0773753109c1ce\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g\",\"caption\":\"admin\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r
=g\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne Boland","description":"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/","og_locale":"en_US","og_type":"article","og_title":"Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne Boland","og_description":"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.","og_url":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/","og_site_name":"Breanne Boland","article_published_time":"2021-07-16T06:26:43+00:00","article_modified_time":"2021-08-12T05:22:14+00:00","og_image":[{"width":1024,"height":655,"url":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes-1024x655.png","type":"image\/png"}],"author":"admin","twitter_card":"summary_large_image","twitter_image":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png","twitter_misc":{"Written by":"admin","Est. 
reading time":"21 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#article","isPartOf":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/"},"author":{"name":"admin","@id":"https:\/\/breanneboland.com\/blog\/#\/schema\/person\/7b8ba109de56e2b80e0773753109c1ce"},"headline":"Diana Initiative 2021: The System Call Is Coming from Inside the House","datePublished":"2021-07-16T06:26:43+00:00","dateModified":"2021-08-12T05:22:14+00:00","mainEntityOfPage":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/"},"wordCount":4457,"publisher":{"@id":"https:\/\/breanneboland.com\/blog\/#\/schema\/person\/7b8ba109de56e2b80e0773753109c1ce"},"image":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#primaryimage"},"thumbnailUrl":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png","keywords":["owasp","vulnerabilities"],"articleSection":["talks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/","url":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/","name":"Diana Initiative 2021: The System Call Is Coming from Inside the House - Breanne 
Boland","isPartOf":{"@id":"https:\/\/breanneboland.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#primaryimage"},"image":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#primaryimage"},"thumbnailUrl":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png","datePublished":"2021-07-16T06:26:43+00:00","dateModified":"2021-08-12T05:22:14+00:00","description":"The blog post version of my 2021 Diana Initiative, full of ghosts, monsters, things that go bump in the night, and the horrors of free software.","breadcrumb":{"@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#primaryimage","url":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png","contentUrl":"https:\/\/breanneboland.com\/wp-content\/uploads\/2021\/07\/scary_eyes.png","width":3002,"height":1921,"caption":"glowing eyes on a black background"},{"@type":"BreadcrumbList","@id":"https:\/\/breanneboland.com\/blog\/2021\/07\/15\/diana-initiative-2021-the-system-call-is-coming-from-inside-the-house\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/breanneboland.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Diana Initiative 2021: The System Call Is Coming from Inside the 
House"}]},{"@type":"WebSite","@id":"https:\/\/breanneboland.com\/blog\/#website","url":"https:\/\/breanneboland.com\/blog\/","name":"Breanne Boland","description":"Appsec engineer, SRE, writer, UX, endless questions mostly","publisher":{"@id":"https:\/\/breanneboland.com\/blog\/#\/schema\/person\/7b8ba109de56e2b80e0773753109c1ce"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/breanneboland.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/breanneboland.com\/blog\/#\/schema\/person\/7b8ba109de56e2b80e0773753109c1ce","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g","caption":"admin"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/764113b6dca6b6cee982a9f690f5c44d6166de3996e918649e2bafb27cd4c8bf?s=96&d=blank&r=g"}}]}},"_links":{"self":[{"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/posts\/1190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/comments?post=1190"}],"version-history":[{"count":9,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/posts\/1190\/revisions"}],"predecess
or-version":[{"id":1225,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/posts\/1190\/revisions\/1225"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/media\/1197"}],"wp:attachment":[{"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/media?parent=1190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/categories?post=1190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/breanneboland.com\/blog\/wp-json\/wp\/v2\/tags?post=1190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}