Quarkslab was mandated by the Open Source Technology Improvement Fund, Inc. to proceed with the security assessment of the Operator Fabric project. The purpose of this assessment is to deliver an expert opinion of the security level reached by the application at a specific moment.

Drawing from our audit of Airswift's SCF, we discuss part of Soroban's security model and showcase common vulnerabilities. SCF, for "Supply Chain Financing", is the DeFi product developed by Airswift that "optimizes funds flow" between buyers and suppliers. It is developed on Stellar's smart contract platform: Soroban. Airswift mandated Quarkslab for an audit of their smart contracts, with support from the Stellar Development Foundation. In this blog post, we present the results of this audit, and share common pitfalls to avoid on Soroban.

We studied the most secure static encrypted nonce variant of "MIFARE Classic compatible" cards -- meant to resist all known card-only attacks -- and developed new attacks defeating it, uncovering a hardware backdoor in the process. And that's only the beginning...

This is a writeup of a heap pwn challenge at HitconCTF Qualifiers 2024, which explains some glibc malloc internals and some heap exploitation tricks that can be used for getting a shell!

We performed a security assessment of Cloud Native Buildpacks to help improve it, in collaboration with Open Source Technology Improvement Fund, Inc .

Golang is the most used programming language for developing cloud technologies. Tools such as Kubernetes, Docker, Containerd and gVisor are all written in Go. Despite the fact that the code of these programs is open source, there is not an obvious way to analyze and extend their behaviour dynamically (for example through binary instrumentation) without recompiling their code. Is this due to the complex internals of the language or is there something else? In this third blog post, we will demonstrate how to dynamically instrument Golang code by implementing the function hooks described in the first blog post. Furthermore, we will tackle the limitations of this approach using FFI (Foreign function interfaces) in Golang which we saw in the second blog post of this series.

Discovery of two vulnerabilities (CVE-2024-34065) in Strapi, an open source content management system. In this post we explain how these vulnerabilities, if chained together, allow authentication to be bypassed.

This blogpost explains how we recovered the firmware of a fleet-sharing Electronic Control Unit (ECU) which has been erased from a FAT memory using Capstone disassembler to locate scattered parts, to be able to reverse-engineer it.

Golang is the most used programming language for developing cloud technologies. Tools such as Kubernetes, Docker, Containerd and gVisor are written in Go. Despite the fact that the code of these programs is open source, there is no way to analyze and extend their behaviour dynamically (for example through binary instrumentation) without recompiling their code. Is this due to the complex internals of the language? In this second blog post, we’ll showcase how to create runtime hooks for Golang programs using FFI (foreign function interfaces).

We did a quick study on the most common ways to deliver malware through LNK files.