The Tale of Smokey and the Crypto Bandits How Okteto uses Falco to keep users happy and our platform healthy Ramiro Berrelleza October 28, 2020 ● Co-founder of Okteto ● Former architect @ Atlassian malicious actions without requiring human intervention Future Ideas The Tale of Smokey and the Crypto Bandits Ramiro Berrelleza October 28, 2020

The fuzzy tale of an x/crypto vulnerability Michael McLoughlin Gophercon 2019 Lightning Talks Uber Advanced Technologies Group 8,140 lines of amd64 assembly in crypto 10,474 lines of amd64 assembly assembly in golang.org/x/crypto Fuzzing Fuzzing is an automated testing technique for hardening safety-critical software Typically used where code must handle untrusted inputs or correctness is paramount: 0 }  crypto/aes (GCM mode)  crypto/elliptic (P256)  crypto/sha1  crypto/sha256  crypto/sha512  x/crypto/chacha20poly1305  x/crypto/sha3  x/crypto/blake2b  x/crypto/blake2s  x/crypto/argon2

pluggable membership service provider is responsible for associating entities in the network with crypto- graphic identities. • An optional peer-to-peer gossip service disseminates the blocks output by other pertinent information • Channels contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example.

pluggable membership service provider is responsible for associating entities in the network with crypto- graphic identities. • An optional peer-to-peer gossip service disseminates the blocks output by other pertinent information • Channels contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example.

other pertinent information • Channel’s contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the Ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example. explore the network setup one step at a time. The following will kill your containers, remove the crypto material and four artifacts, and delete the chaincode images from your Docker Registry: ./byfn.sh

FuzzCryptoKeysAny github.com/dapr/kit/crypto 9 FuzzCryptoKeysJson github.com/dapr/kit/crypto 10 FuzzCryptoKeysRaw github.com/dapr/kit/crypto 11 FuzzSymmetric github.com/dapr/kit/crypto 12 FuzzAescbcaead github github.com/dapr/kit/crypto/aescbcaead 13 FuzzParseEnvString github.com/dapr/dapr/pkg/injector/sidecar 14 FuzzIsOperationAllowedByAccessCo ntrolPolicy github.com/dapr/dapr/pkg/acl 15 FuzzIsEndpointAllowed FuzzCryptoKeysAny This fuzzer tests key parsing and serialization routines in github.com/dapr/kit/crypto. The fuzzer carries out three steps: It first creates a new key using the test case as the raw bytes

pluggable membership service provider is responsible for associating entities in the network with crypto- graphic identities. • An optional peer-to-peer gossip service disseminates the blocks output by other pertinent information • Channels contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example.

pluggable membership service provider is responsible for associating entities in the network with crypto- graphic identities. • An optional peer-to-peer gossip service disseminates the blocks output by other pertinent information • Channels contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example.

pluggable membership service provider is responsible for associating entities in the network with crypto- graphic identities. • An optional peer-to-peer gossip service disseminates the blocks output by other pertinent information • Channels contain Membership Service Provider instances allowing for crypto materials to be derived from different certificate authorities See the ledger topic for a deeper folder ˓→not found at [/Users/xxx/dev/byfn/crypto-config/ordererOrganizations/example.com/ ˓→msp/intermediatecerts]. Skipping.: [stat /Users/xxx/dev/byfn/crypto-config/ ˓→ordererOrganizations/example.

..............................................................................................42 Crypto 加密模块............................................................................................ setSecure(credentials) server.setSecure(credentials) server.setSecure(credentials) 允许此服务器支持 HTTS，配合 crypto 模块 credentials 指定私钥以及此服务器的证书，并且也可选择数字中心认 证的证书作为客户端的认证（方式）。 如果 authentication 中有一或多个数字认证中心证书，则服务器将请求客户端发出一个客户端证书作为 指明了将要连接的目标。在发出请求之前不会建立流(establishe a stream)。 secure 是一个可选的布尔值，用来表示是否启用 HTTPS。credentials 是一个来自于 crypto 模块的可选参数， credentials 中可以包含 client 的私钥，证书以及一个可信任的数字认证中心的证书列表. 如果连接使用了 secure 但是没有把数字认证中心证书传给 credentials，那么