Podcast Detail

SANS Stormcast Thursday, July 9th, 2026: Stack Simulator; RootAsRole; Hoymiles; Git Hash Malleability

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10000.mp3

Podcast Logo
Stack Simulator; RootAsRole; Hoymiles; Git Hash Malleability
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Thursday, July 9th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Master's Degree Program in Information
 Security Engineering. And today we got from Xavier a new
 tool, the Stack Simulator. It's a web-based tool that
 Xavier created and that you can use. And what it's really
 about is whenever you're dealing with exploit
 development or if you're dealing with, for example,
 reversing malware, one of the important concepts to master
 is, well, how does the stack work? How do programs use the
 stack? And that is what this tool is about. It's really a
 learning tool to allow you to explore how sort of different
 values are passed in the stack, how, for example,
 commands can be executed, how pointers can be manipulated.
 And, well, give it a try, play with it. Like, it's really
 more learning tool. And so for anybody here sort of new to
 this kind of work, like reverse engineering and
 exploit development, probably a nice tool to go along with
 whatever classes you're taking. Xavier did develop
 this for our reversing malware class, Forensic 6.10. Well,
 I'm talking about tools. I figured we can also include
 another tool here that I just came across this week and I
 think some of you may be interested in, and that's root
 as role. So typically when you're dealing with Linux,
 what you usually do in order to assign elevated privileges
 to another user is sudo. That's the good old tool, has
 been around forever and, well, has caused problems forever
 with its approach to really sort of transferring all user
 rights instead of having sort of that more granular
 capabilities scheme and such that we have in modern Unix
 systems. But sudo pretty much sort of kind of ignores some
 of that and just gives you the full privileges of the other
 user. Well, root as role takes the other approach. You can
 now basically assign very specific capabilities or
 privileges to a particular user. You don't have to give
 them all rights associated with a particular user's
 account. And you can basically constrain how these rights can
 be used. Looks like a real interesting tool. Big problem,
 however, is it's not integrated in any major
 distributions other than Arch Linux. So Ubuntu, Red Hat and
 users like that. You have to compile it from scratch and
 then install it, which of course in many production
 environments is probably a little bit too cumbersome. But
 take a look and see if you find it useful. Well, and
 let's close it out with a little bit supply chain
 issues. One of the solutions that are often being offered
 in order to gain back some control over your supply chain
 is things like Git signatures and looking at Git commit
 hashes in order to better, well, figure out who created a
 certain commit and what actually changed and to
 identify specific commits. Jacob Ganesan from Carnegie
 Mellon University did publish a paper showing how, well,
 these signatures may not be as good as we thought. The
 problem here is in particular GitHub, but also some of the
 local Git implementations don't necessarily normalize
 whatever is being signed here. And, well, an attacker can
 essentially determine what parts of a particular Git
 commit are actually being added to a hash and a
 signature and what actually is being signed. And in doing so,
 it's possible to create a second Git commit with an
 identical hash and a valid signature with that. So that's
 certainly something to be aware of. There are a couple
 of solutions being offered here. In part, of course,
 these are bug fixes that need to be applied to Git and
 GitHub to fix some of these issues. But at this point,
 just awareness of the issue is probably already going to help
 somewhat. So take a look at the paper and see how these
 attacks exactly work and how to detect them. Well, and that
 it is for today. So thanks again for listening. Thanks
 for liking. Thanks for recommending this podcast and
 talk to you again tomorrow. Bye.