We performed a security assessment of Cloud Native Buildpacks to help improve it, in collaboration with Open Source Technology Improvement Fund, Inc .

Golang is the most used programming language for developing cloud technologies. Tools such as Kubernetes, Docker, Containerd and gVisor are all written in Go. Despite the fact that the code of these programs is open source, there is not an obvious way to analyze and extend their behaviour dynamically (for example through binary instrumentation) without recompiling their code. Is this due to the complex internals of the language or is there something else? In this third blog post, we will demonstrate how to dynamically instrument Golang code by implementing the function hooks described in the first blog post. Furthermore, we will tackle the limitations of this approach using FFI (Foreign function interfaces) in Golang which we saw in the second blog post of this series.

Discovery of two vulnerabilities (CVE-2024-34065) in Strapi, an open source content management system. In this post we explain how these vulnerabilities, if chained together, allow authentication to be bypassed.

This blogpost explains how we recovered the firmware of a fleet-sharing Electronic Control Unit (ECU) which has been erased from a FAT memory using Capstone disassembler to locate scattered parts, to be able to reverse-engineer it.

Golang is the most used programming language for developing cloud technologies. Tools such as Kubernetes, Docker, Containerd and gVisor are written in Go. Despite the fact that the code of these programs is open source, there is no way to analyze and extend their behaviour dynamically (for example through binary instrumentation) without recompiling their code. Is this due to the complex internals of the language? In this second blog post, we’ll showcase how to create runtime hooks for Golang programs using FFI (foreign function interfaces).

We did a quick study on the most common ways to deliver malware through LNK files.

Eclipse KUKSA's committers, with support from Eclipse Foundation, engaged with Quarkslab to perform an audit of Kuksa, an open-source framework that provides shared building blocks for Software Defined Vehicles. The goal of the audit was to assist the Eclipse Kuksa committers to increase their security posture using static and dynamic analysis (fuzzing in particular) and was organized by Open Source Technology Improvement Fund, Inc and made possible by the founding Eclipse Foundation received from the Alpha-Omega project.

Allbridge, with support from the Stellar Development Foundation, mandated Quarkslab to perform an audit of Estrela, an automated market maker for Stellar built on Soroban.

Analyzing an automotive ECU firmware is sometimes quite challenging, especially when you cannot emulate some of its most interesting functions to find vulnerabilities, like ECUs based on Renesas RH850 system-on-chips. This article details how we managed to add support for this specific architecture into Unicorn Engine, the various challenges we faced and how we successfully used this work to emulate and analyze a specific function during an assignment.

In cryptography audits, we often find vulnerabilities labeled as low or informational, usually for "non-compliance"... So, what should we do with them?