Curiosity is at the heart of what we do – both in software engineering in general and at Revelry in particular. Building or improving: that’s the job of an engineer. Of course, curiosity has always had a dark twin. Breaking and manipulating: that’s the job of a hacker. The forbidden fruit is the sweetest: when it’s clear that measures have been taken to freeze you out, there’s nothing some people want more than to get in. As engineers, we’re the ones building those walls and moats, and any hole left unsealed could become a vulnerability.
Even the smallest and most innocent of vulnerabilities can lead to catastrophic consequences if exploited, so it’s vital to nip these in the bud before the seeds of destruction can propagate through your code. As we move into yet another epoch of tech, with the rise of generally available and all-purpose Generative AIs, it’s more important than ever to remember the lessons of the past.
In general, the new attacks emerging technologies enable aren’t based on novelty, but rather speed: using a steam-powered jackhammer rather than a human-powered sledgehammer. After all, inputting passwords one at a time with 10 fingers and a keyboard is woefully inadequate compared to a brute-force program left to run by itself for days. Speed is the name of the game, and as things get faster, we tend to become more vulnerable.
For software engineers, knowledge is critical. You can’t stop threats if you don’t know what they look like.
Hacker Technique #1: Buffer Overflow
A buffer overflow is a software vulnerability where an application writes more data to a block of memory, or buffer, than it was designed to hold, causing data to overflow into adjacent buffers and potentially allowing an attacker to inject malicious code.
Buffer overflow was a crucial factor in the Morris Worm’s propagation and in part of WannaCry’s spread. As seen in the Morris Worm case, a buffer overflow in the fingerd program allowed the worm to execute commands and self-replicate. Similarly, WannaCry exploited a buffer overflow vulnerability in the Server Message Block (SMB) protocol.
Bounds checking – ensuring that data written into buffers doesn’t exceed the buffer’s capacity – is a fundamental defensive strategy against buffer overflow vulnerabilities. Additionally, randomizing the location of data in memory (address space layout randomization) and using non-executable stack protection (designating certain areas of memory, such as the stack, as non-executable) make an overflow harder to exploit.
Hacker Technique #2: Debug Remote Code Execution
Debug Remote Code Execution is a type of vulnerability where an attacker is able to exploit debugging features or functionalities in a system to execute arbitrary code remotely.
Debug remote code execution was a technique used in the Morris Worm through the Sendmail exploit, and it recently reared its ugly head again in the widespread Log4j vulnerability. Debugging tools and features are prime targets for executing arbitrary code. To defend against such threats, engineers must ensure that debugging and diagnostic tools are securely implemented. Access to these features should be strictly controlled, and they should be disabled or removed in production environments. Additionally, rigorous input sanitization can prevent the execution of arbitrary code. Software should also be kept up to date, as patches for vulnerabilities like Log4j are often quickly made available after discovery.
Hacker Technique #3: Cross-Site Scripting
At Revelry, we spend a great deal of our time building webapps. This brings with it a specific set of challenges and vulnerabilities that we need to focus on, like cross-site scripting (XSS), a.k.a. injecting malicious code into trusted websites, which is then executed by the victim’s browser.
In 2005, Samy Kamkar launched what became known as the “Samy” worm on MySpace, which exploited an XSS vulnerability. The worm executed a script that made anyone viewing Samy’s profile automatically send him a friend request, and it would then copy itself into the viewer’s profile. Within 24 hours, Samy had accumulated over a million “friends.” Popular guy, great at parties.
To prevent XSS attacks, it’s important to rigorously sanitize user-generated input, ensuring that it doesn’t contain any executable code before it’s incorporated into a webpage. Utilizing Content Security Policy (CSP), which controls the resources a user agent is allowed to load, can further mitigate the risk. Additionally, maintaining updated libraries and frameworks, and adhering to secure coding practices (like output encoding data before displaying it to the user), can defend against such threats.
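The output encoding and CSP defenses described above, as an added example that is not part of the original article: a profile page rendered once by plain concatenation and once with context-specific encoding and a nonce-based policy. The function names, the profile fields and the sample input are assumptions made for illustration.

```javascript
// Added example (not from the original article): encode output per context
// and send a nonce-based CSP. Function and field names are illustrative.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode untrusted text for an element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode data for an inline <script>: JSON, with the characters that could
// close the script element or open markup rewritten as unicode escapes.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Fresh random nonce per response (assumes the global Web Crypto API in Node.js).
function newNonce() {
  return Buffer.from(globalThis.crypto.getRandomValues(new Uint8Array(16))).toString("base64");
}

// Only scripts carrying this response's nonce run; injected inline scripts
// and event-handler attributes are refused by the browser.
function buildCsp(nonce) {
  return ["default-src 'self'", `script-src 'nonce-${nonce}'`,
    "object-src 'none'", "base-uri 'none'"].join("; ");
}

// Vulnerable: user text is concatenated into markup unchanged.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.name}</h1><p>${profile.bio}</p>`;
}

// Hardened: each value is encoded for the context it lands in.
function renderProfile(profile, nonce = newNonce()) {
  const body = `<h1 title="${escapeHtml(profile.name)}">${escapeHtml(profile.name)}</h1>` +
    `<p>${escapeHtml(profile.bio)}</p>` +
    `<script nonce="${nonce}">window.profile = ${jsonForScript(profile)};</script>`;
  return { headers: { "Content-Security-Policy": buildCsp(nonce) }, body };
}

// Constructed sample input: a bio carrying markup, as a stored-XSS attempt would.
const sample = { name: 'Tom "T" O\'Neil', bio: "hi</script><img src=x onerror=alert(1)>" };
```

The encoder has to match the context: HTML escaping alone does not make a value safe inside a script block, which is why the JSON path gets its own function.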
Hacker Technique #4: Brute Force Password Attacks
The primary defenses against brute force password attacks are strong password policies and account lockout policies. Passwords should be long, complex, and unique. One of the remarkable things about the Morris Worm was that it was able to crack hundreds of accounts simply by using a relatively short list of words. Using multi-factor authentication can also greatly reduce the success of brute force attacks. Account lockout policies that limit the number of failed login attempts can prevent an attacker from trying endless combinations.
In this new era of generative AIs, these traditional defense methods are still critical, perhaps more so than ever. The rise of AI also provides new opportunities for defense. AI can help identify unusual patterns of behavior, potentially detecting and stopping threats before they cause significant harm. Automated security testing and AI-based vulnerability detection can also help developers find and fix security issues faster than manual methods.
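The password policy and lockout policy described above, as an added example that is not part of the original article: a word-list check at password-set time and a per-account throttle that locks after repeated failures inside a time window. The thresholds, the class and function names and the tiny word list are assumptions chosen for illustration.

```javascript
// Added example (not from the original article); thresholds and names are assumptions.
const COMMON_WORDS = new Set(["password", "letmein", "wizard", "qwerty123456"]); // constructed stand-in list

// Reject short passwords and anything found on the word list.
function passwordProblems(password, minLength = 12) {
  const problems = [];
  if (password.length < minLength) problems.push("too short");
  if (COMMON_WORDS.has(password.toLowerCase())) problems.push("on common-word list");
  return problems;
}

class LoginThrottle {
  constructor({ maxFailures = 5, windowMs = 15 * 60_000, lockMs = 15 * 60_000 } = {}) {
    Object.assign(this, { maxFailures, windowMs, lockMs });
    this.state = new Map(); // account -> { failures: [timestamps], lockedUntil }
  }
  // Call before verifying the password; a locked account is refused outright.
  isLocked(account, now = Date.now()) {
    const entry = this.state.get(account);
    return entry !== undefined && now < entry.lockedUntil;
  }
  // Record a failed attempt; returns true when it triggers a lockout.
  recordFailure(account, now = Date.now()) {
    const entry = this.state.get(account) ?? { failures: [], lockedUntil: 0 };
    entry.failures = entry.failures.filter((t) => now - t < this.windowMs);
    entry.failures.push(now);
    const locked = entry.failures.length >= this.maxFailures;
    if (locked) {
      entry.lockedUntil = now + this.lockMs;
      entry.failures = [];
    }
    this.state.set(account, entry);
    return locked;
  }
  // A successful login clears the failure history.
  recordSuccess(account) { this.state.delete(account); }
}

// Constructed run: one failed guess per second; returns how many reached the password check.
function countCheckedGuesses(throttle, account, guessCount, startMs = 0) {
  let checked = 0;
  for (let i = 0; i < guessCount; i++) {
    const now = startMs + i * 1000;
    if (throttle.isLocked(account, now)) continue;
    checked += 1;
    throttle.recordFailure(account, now);
  }
  return checked;
}
```

With the defaults, a run of 100 guesses gets only 5 password checks before the lock applies. Per-account lockout can also be used to lock a legitimate user out, so it is usually paired with per-source rate limiting and multi-factor authentication.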
Revelry’s primary mission is to build cool shit, but it’s important to remember that people will always be trying to break in – and for a host of reasons, including just for the sheer fun of it. It’s important to write code in a way that values and prioritizes security. With every line of code written, we have a responsibility to consider the potential security implications. As technology advances and attack methods evolve, this responsibility becomes all the more significant. But by drawing on the lessons of the past and remaining vigilant, we can all help build a more secure future.