- Keynote: Acting national cyber director discusses the national cybersecurity strategy and workforce efforts (K. WALDEN)
A new team at the White House of about 100 people dedicated to this task. No comment
- AI-Assisted Decision Making of Security Review Needs for New Features (M. GAUTAM, P. KOLACHOOR)
The people ḍeciding which features require security reviews are not security experts. Can AI help?
The first issue is that engineering language is different than the normal language. There is a lot of jargon and acronyms. Thus, standard LLM may fail.
They explored several strategies of ML.
They used unsupervised training to define vector size (300 dimensions). Then, they used convolution network with these vectors to make their decision.
The presentation is a good high-level introduction to basic techniques and the journey.
Missed 2% and false 5%.
- Three New Attacks Against JSON Web Tokens (T TERVOORT)
The standard does not forbid JWE and JWS with asymmetric keys. By changing the header, it was able to confuse the default behavior.
The second attack uses applications that use two different libraries, crypto and claims. Each library handles different JSON parsing. It is then possible to create inconsistency.
The third attack is a DOS by putting the PBKDF2 iteration value extremely high.
As a developer, ensure at the validation the use of limited known algorithms and parameters.
ChatGPT demonstrates the vulnerability of humans to being bad at testing
When demonstrating a model, are we sure they are not using trained data as input to the demonstration. This trick ensures PREDICTABILITY.
Train yourself in ML as you will need it.
Very manual methodology using traditional reverse engineering techniques
Laion5B is THE dataset of 5T images. It is a list of URLs. But registered domains expire and can be bought. Thus, they may be poisoned. It is not a targeted attack, as the attacker does not control who uses it.
0.01% may be sufficient to poison.
It shows the risk of untrusted Internet data. Curated data may be untrustworthy.
- ODDFuzz: Hunting Java Deserialization Gadget Chains via Structure-Aware Directed Greybox Fuzzing (B. HE, H. MU)
The attack is to use Java polymorphism to override the normal deserialization. The purpose is to detect this chain.
Their approach uses tainted data analysis and then fuzz.