This is an old post-compromise trick used when an attacker needs to download a payload or make a network connection and curl, wget and nc are all not available.
Thanks for this. Another tool in the box is always welcome. We desperately need more competitors in this arena.
Please take this as loving feedback. We need more of this! This use case is very dear to my heart. I have tracked over a dozen products that claim to do what Atlasphere is offering to do, and they all seem to fall short.
The most common issues are:
- They rely on https://github.com/mingrammer/diagrams which has simply not gotten any attention for a long time. It's too out-of-date to be useful, and any issue with rendering gets a response to "go use graphviz instead"
- When pointing these tools to anything moderately complicated, they implode or create non-nonsensical diagrams. Think: VPC Peering, VPC Security Groups, multi-account resources.
- They get the cloud resources OK, but neglect primitives like routing and policies that are just as important.
Just looking at the examples on the website: Claude Code can do this natively. Just a consideration.
I will also echo what others have said: allowing another account access to ours is a non-starter, even if Read-Only. It needs to use a security principal we have complete control over.
I can't tell from the project page what IAM permissions are in your "Read-only IAM role". That's something I would also need to know, regardless of how it is deployed.
I can tell from this post and the site that this is a labor of love, and I hope you keep up the good work. Like I said, this is an area where we need more, better tools. I want projects like this to succeed.
> I will also echo what others have said: allowing another account access to ours is a non-starter, even if Read-Only. It needs to use a security principal we have complete control over.
You own and control the IAM role, not us. You allow Atlasphere to assume that role, and then Atlasphere's discovery service uses it to discover your resources.
Technically, Atlasphere doesn't need a ton of permissions. If you create a role that can only list, say, Lambda functions, then Atlasphere will only find Lambda functions.
IAM provides a default ReadOnly policy that can be attached to any role. This was the simplest way for me to get things going. But ReadOnly is indeed way too broad. I could generate an IAM policy based on the AWS services that Atlasphere can work with.
> I can tell from this post and the site that this is a labor of love, and I hope you keep up the good work. Like I said, this is an area where we need more, better tools. I want projects like this to succeed.
Thanks a ton! There are mind-blowing features in the roadmap. I want Atlasphere to succeed.
Yes I realized after reading the response that we would control the permissions. What may not be obvious is many organizations have gatekeepers that don't understand IAM and would just not permit this at all.
On the technical side, you are probably underestimating the access you need to accurately gather the information the tool needs. For example, last time I reviewed the AWS-Managed ReadOnly role it does not allow you to read some important things like Managed Prefix Lists.
I completely understand you need a starting point and you picked a good one. Anxious to see how this proceeds. Best of luck.
that just prevents the faulty module from loading. So you have time to fix it properly (kernel upgrade)
Technically there should be zero impact (the very very few tools that use it will fall back to userspace), I haven't even found that module loaded in infrastructure
Then check if it is loaded, and if it is, unload/reboot
I would say any sanely written application would fall back to doing the requested operations in userspace if it cannot use the AF_ALG socket.
It could fail though. But I have not yet heard of anyone noticing big problems due to disabling the problematic modules. And I have not noticed any such issues on our systems at ${DAYJOB}.
IMHO, since these parts of the Linux kernel are so crappy I personally would say disabling them is a good default choice. YMMV. But if you encounter problems, then you can always re-enable the modules. (Preferably after upgrading your kernel, obviously.)
check if module is loaded. if it isn't nothing is using it and you can safely add it. I'd also imagine most software doesn't fail but just use userspace lib
tl;dr: switch to podman :-) or (for docker, not mention in the post but...) just `allowPrivilegeEscalation=False` in the deployment's SCC and you'll be fine at the pod level. Most deployments don't need priv escalation anyway, the ones that do need to either limits perms through capabilities or make sure the node (meaning the kernel) is patched.
My concern is to try to understand the mechanisms of the exploit.
Copy Fail is not simply ”hey, kernel, give me root”. I would say it’s more general than that. It’s rather: ”Hey, kernel, when you present file /foo to a process, make the contents of that file appear according to my wishes”. Which can be used (in various ways) to advance the attacker’s position.
That’s why I think it’s interesting to ponder if that power allows the attacker to simply sneak past security policies such as allowPrivilegeEscalation=false.
This is cool!
NASA uses Imperial units (well, unless the it's the Mars Climate Orbiter). Can we get a version that follows the units they are using with their public feeds?
I created a ycombinator account after years of resisting, just to respond to this post.
Stop creating web pages with huge-ass gutters/margins.
If you are concerned about design you would realize your page looks ridiculous and borderline illegible on modern screens (that are not phones). Text color is an issue, but layout is worse.
This doesn't seem too far off from ~80 characters per line, which I believe is best practice for readability. Though you could make the column wider and bump up the font size and it would be even more readable.
They have huge gutters and margins, and not-quite-black text on creme/off-white/never-actually-white backgrounds... why? Because it's easier of the eyes for long blocks of text.
Depends on the width of the browser window. Wide margins that are welcome in a full-page browser on a large or ultrawide display are cancer when I'm tiling windows 2 or 3 up on a smaller or narrower display.
Scroll, scroll, scroll, scroll, scroll, scroll, scroll, scroll, scroll, scroll, scroll.
Just no.
reply