gRPC-Go: Built-in Client Retry Mechanism

gRPC recently deprecated its grpc.Dial in favor of the new grpc.NewClient. The latter performs no I/O and lazily connects when you eventually make an RPC call. It changed the way we perform retry in tetra, the CLI of Tetragon, because we previously used the connect that happened at client creation (with grpc.Dial and WithBlock) to make sure the connection was possible, and retry in this case. This wasn't extremely resilient but had the good taste of being in a single place for all subcommands that make an RPC call: during client creation....

July 24, 2024 · Mahé Tardy

Memory Management on Kubernetes with Golang and eBPF: Deep Dive

tl;dr: please jump directly to the conclusion if you think you already have some knowledge about memory and just want the recap. The conclusion links back to the other sections for more details. Disclaimer This (long) article is a Frankenstein compilation of personal digest notes on various topics. Some sections are direct digests or extracts of very good resources I found on the topic and could not write something better:...

July 3, 2024 · Mahé Tardy

Introduction to Tetragon: real-time observability and security based on eBPF

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French. This article is an introduction to Tetragon, the project I'm working on at Isovalent.

November 1, 2023 · Mahé Tardy

First contact: try Tetragon on Linux

This guide was originally published in the Tetragon documentation. It was first part of the getting started guides, but was later replaced and moved to the tutorials section, which was later removed. Since we don't want to maintain this guide anymore, it would have a good end of life on a blog if it can be useful to some people. Note that this guide is not a tutorial on how to deploy Tetragon standalone (i....

April 27, 2023 · Mahé Tardy

Crashing Microsoft OMI with fuzzing

The article is available on Quarkslab's blog. It explains the discovery of Microsoft OMI and how I fuzzed it to discover some crashes. It then details the findings and how they work.

March 31, 2023 · Mahé Tardy

Introducing Falco audit results

The article is available on Quarkslab's blog. The corresponding article on the Falco blog is also available. It presents the findings of our audit of Falco. You can find the complete audit report here.

March 22, 2023 · Mahé Tardy

New security features in Kubernetes

The article is available on MISC magazine website. Note that this article is available behind a paywall, and in French. In this article, we focus on what's new in Kubernetes security enhancements on versions still being maintained at the time of writing: 1.22, 1.23 and 1.24, released in August 2021, December 2021 and May 2022 respectively.

October 1, 2022 · Mahé Tardy

PodSecurityPolicy: The Historical Context

The article was originally published on kubernetes.io blog. The PodSecurityPolicy (PSP) admission controller has been removed, as of Kubernetes v1.25. Its deprecation was announced and detailed in the blog post PodSecurityPolicy Deprecation: Past, Present, and Future, published for the Kubernetes v1.21 release. This article aims to provide historical context on the birth and evolution of PSP, explain why the feature never made it to stable, and show why it was removed and replaced by Pod Security admission control....

August 23, 2022 · Mahé Tardy

Black Hat, KubeCon and Kernel Recipes

During the last three months, I had the opportunity to go to multiple events. First, a proposal I submitted to Black Hat Asia Arsenal was accepted to present kdigger, a Kubernetes security tool. Then I had the chance to go to the KubeCon Europe to meet the people with whom I interacted in the project. And finally, I got the last few tickets for a kernel developer conference in Paris, Kernel Recipes....

July 4, 2022 · Mahé Tardy

Kubernetes and HostPath, a Love-Hate Relationship

The article is available on Quarkslab's blog. It traces the history of three Kubernetes-related vulnerabilities, explaining what they are, how they were patched, and how they are related. The exploitation of these vulnerabilities allowed access to the underlying host filesystem for users that were not properly authorized.

March 3, 2022 · Mahé Tardy

kdigger: a Context Discovery Tool for Kubernetes

The article is available on Quarkslab's blog. It's an introduction to Kubernetes security through the release of a new context discovery tool, kdigger, and its mini CTF companion, minik8s-ctf.

October 7, 2021 · Mahé Tardy

Arbitrary code injection in Super Mario Bros 3

This project was done between the end of my last TLS-SEC semester and the beginning of my final year internship. We were in pairs and had to choose our subject. We chose to work on code injection in video games via the game commands themselves. Abstract During this project, we tried to answer the question: "can you inject code and take control of the execution of a video game just by using its gameplay elements?...

March 14, 2021 · Mahé Tardy

Summer Internship: Reflexive Programming Language Framework

This internship was a collaboration between INP-ENSEEIHT, Toulouse, France and Kyoto University of Advanced Science, Kyoto, Japan. It took place during the summer of 2020, when the Covid-19 pandemic prevented me from going to Japan, so it was unfortunately a remote internship. You can find all the sources of the project in the GitHub repository. Abstract During this summer internship, Pr. Ian Piumarta and I implemented a prototype-based programming language, simple and reflexive by design....

November 30, 2020 · Mahé Tardy