DevSecOps is a Binary Decision.
Meet the JFrog security experts team at our booth #2134
August 7 – 8 | Las Vegas, NV
Mandalay Bay | Booth #2134
Learn how DevSecOps, Site Reliability Engineering (SRE), AI/MLOps and Platform Engineering use cases are influenced by priorities such as speed, reliability, security, and developer experience.
Book 1:1 time with JFrog’s CISO, R&D Team Leader, and Senior Director Security Research to see how we can secure your software supply chain with one platform.
Field CISO, JFrog
R&D Team Leader, JFrog
Senior Director Security Research, JFrog
Shachar Menashe, JFrog Senior Director Security Research, and Ofri Ouzan, JFrog Security Researcher, will be presenting onstage at Black Hat.
Shachar Menashe | Sr. Director Security Research, JFrog
Tracks: AI, ML, & Data Science, Platform Security
Following the widespread adoption of AI, ML and LLMs, organizations are required to facilitate MLOps. The easiest way to streamline these processes is to deploy an open-source ML platform in the organization, such as MLflow, Kubeflow or Metaflow, which supports actions such as model building, training, evaluation, sharing, publishing and more.
Our talk will explain how MLOps platforms can become a gold mine for attackers seeking to penetrate the organization and move laterally within it – we will present an analysis of the six most popular OSS MLOps platforms, showing how each MLOps feature can be directly mapped to a real-world attack. We will demonstrate how server-side and client-side CVEs we discovered in multiple platforms can be used for infecting both the MLOps platform servers and their clients (data scientists and MLOps CI/CD machines).
Most importantly – we will illustrate how the inherent vulnerabilities in the formats used by these MLOps platforms can be abused to infect an entire organization, even when the platforms are fully patched!
The talk will provide insights both for red teams and blue teams – attendees will gain knowledge on how to better deploy an MLOps platform in the organization, how to brief users of these platforms and how each feature of these platforms can be attacked.
HardeningMeter is an open-source Python tool carefully designed to comprehensively assess the security protections of binaries and systems. Its robust capabilities include thorough checks of various binary exploitation protection mechanisms, including Stack Canary, RELRO, Lazy Binding, PIE/PIC, None Exec Stack, Shadow Stack, IBT, Fortify and ASAN in binary files and ASLR, NX bit, SMEP, SMAP, PTI, IBT in the system.
Many of these mitigations cannot be detected by any existing open-source solutions. For the mitigations that can – HardeningMeter provides a much higher detection precision compared to existing tools.
The genesis of HardeningMeter stems from extensive research into the dynamic cat-and-mouse game between attackers and defenders when exploiting memory vulnerabilities. While certain protections are designed to thwart memory exploitation, resourceful attackers continue to find ways to circumvent these protections.
HardeningMeter is a wake-up call that raises awareness of the critical need to protect against memory exploitation, monitors vulnerable binaries and systems that lack critical hardening, and promotes a broader understanding of the offensive research landscape.
HardeningMeter’s uniqueness lies in its precision, which is based on a deep understanding of binary and system structures, exploitation techniques, and hardening mechanisms and was built to support all Linux systems and binary file types.
The tool offers a significant benefit to users, each check that the tool performs is documented in detail to allow users to dive into the inner workings of binary hardening. Users can gain a deeper understanding of the underlying concepts, explore the intricacies of binary exploitation protection mechanisms, and expand their knowledge in this important area. Moreover, users can set the output to receive tailored recommendations on which binary files require heightened attention and monitoring.
We hope to contribute to the cybersecurity community and benefit from their ideas and perceptions to make HardeningMeter a better tool that supports all Operating Systems.
Be sure to follow us on x.com @JFrog for a chance to win special prizes throughout the Black Hat USA Conference 2024!
We have received your request for a 1:1 session with a JFrog expert at Black Hat. Check your email for a calendar confirmation and additional information.
Please note that you will receive a Zoom link to your email shortly. Please save it.