Curve9767 and Fast Signature Verification

This post is about elliptic curves as they are used in cryptography, in particular for signatures. There are many ways to define specific elliptic curves that strive to offer a good balance between security and performance; here, I am talking about specific contributions of mine: a new curve definition, and some algorithmic improvements that target … Continue reading Curve9767 and Fast Signature Verification

The Extended AWS Security Ramp-Up Guide

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is "to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow … Continue reading The Extended AWS Security Ramp-Up Guide

Code Patterns for API Authorization: Designing for Security

Summary This post describes some of the most common design patterns for authorization checking in web application code. Comparisons are made between the design patterns to help understand when each pattern makes sense as well as the drawbacks of the pattern. For developers and architects, this post helps you to understand what the different code … Continue reading Code Patterns for API Authorization: Designing for Security

How cryptography is used to monitor the spread of COVID-19

On April 10, Apple and Google announced1, 2 that they were joining forces in an effort to help reduce the spread of COVID-19. Their solution leverages Bluetooth technology to trace interactions between individuals. This principle is known as contact tracing and public health agencies are heavily relying on it to monitor and prevent the spread … Continue reading How cryptography is used to monitor the spread of COVID-19

C Language Standards Update – Zero-size Reallocations are Undefined Behavior

[Editor's Note: Robert Seacord of NCC Group is a longstanding member of the C Standards Committee. In this blog post, he outlines a recently adopted change he proposed to the C Language Standard, to help eliminate double-free vulnerabilities being introduced to C code as a result of zero-sized reallocations of memory.] by Robert Seacord The … Continue reading C Language Standards Update – Zero-size Reallocations are Undefined Behavior

Exploring Verifiable Random Functions in Code

Verifiable Random Functions (VRFs) have recently seen a strong surge in popularity due to their usefulness in blockchain applications. Earlier I wrote about what VRFs are, where they can be used, and a few dozen things to consider when reviewing them. In this follow-on blog post, I am pleased to introduce actual working code that … Continue reading Exploring Verifiable Random Functions in Code

Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks

DNS over HTTPS (DoH) is a new protocol to perform DNS resolution over HTTPS. It has been in the news recently as Google and Mozilla have both implemented DoH in Chrome and Firefox respectively. DoH encrypts DNS traffic using HTTPS. This prevents internet service providers and anybody in a privileged network position to observe the … Continue reading Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks

Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities

By Aleksandar Kircanski and Terence Tarvis A good amount of effort has been dedicated to surveying and systematizing Ethereum smart contract security bug classes. There is, however, a gap in literature when it comes to surveying implementation-level security bugs that commonly occur in basic PoW blockchain node implementations, discovered during the first decade of Bitcoin’s … Continue reading Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities

Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns

Running smart contracts in a Trusted Execution Environment (TEE) such as Intel Software Guard Extensions (SGX) to preserve the confidentiality of blockchain transactions is a novel and not widely understood technique. In this blog post, we point out several bug classes that we observed in confidential smart contract designs and implementations in our recent client … Continue reading Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns

A Survey of Istio’s Network Security Features

Istio is a service mesh, which, in general, exist as a compliment to container orchestrators (e.g. Kubernetes) in order to provide additional, service-centric features surrounding traffic management, security, and observability. Istio is arguably the most popular service mesh (using GitHub stars as a metric). This blog post assumes working familiarity with Kubernetes and microservices, but … Continue reading A Survey of Istio’s Network Security Features