Welcome to the 16th edition. Let’s dive into the content…

How I Learned to Love the CBOM

“CBOM” – an acronym you'll start hearing more often.

A cryptographic bill of materials (CBOM) is a comprehensive list of all the cryptography used in an application. It’s a relatively new concept, following on the heels of hardware BOMs and software BOMs (SBOMs).

We don’t have CBOMs for most software today. But as we migrate to quantum-safe cryptography, CBOMs will be critical for understanding existing systems and enabling crypto agility.

Last week, collaborators from Banco Santander, Microsoft and GitHub released tools to make this task easier.

Using GitHub’s CodeQL technology, the collaborators built tools that generate CBOMs by scanning source code. The results are machine-readable, allowing these tools to be incorporated into automated software development pipelines.

Kudos to the teams involved for an outstanding contribution to the crypto community.

You can find the tools on GitHub. There is also a GitHub blog on the topic.

Time to Get YouTube Premium

The videos from the PKI Consortium PQC Conference are now available online!

This conference was packed with excellent talks. I’m still writing about ideas from this event one month later.

If you care about PQC, I strongly recommend watching some of these talks in your spare time this week. Most are 30 minutes long. Here are a small selection of my favourites:

– Itan Barmes (Deloitte) explaining why it’s impossible to predict when the quantum threat will emerge: Watch on YouTube.

– Joppe Bos (NXP) describing the challenges of implementing PQC algorithms in hardware: Watch on YouTube.

– Jeremy King (PCI SSC) terrifying me about the slow movement of the payments industry: Watch on YouTube.

– Dustin Moody and Bill Newhouse (NIST) giving a state-of-the-nation update on PQC standardisation: Watch on YouTube.

It was a fantastic event, with a very high signal-to-noise ratio. I look forward to the next one.

Do You Hear a Fuzzing Sound?

I don't usually write about exploits, but I found LogoFAIL pretty interesting.

It highlights the importance of exhaustive testing in the most critical layers of device firmware.

The LogoFAIL attack gets its name because it exploits the vendor logos shown briefly whenever your laptop restarts.

Apparently, nobody stress-tested the image-parsing libraries used for this innocuous task. Researchers used fuzzing to discover over a dozen vulnerabilities affecting UEFIs from almost all major manufacturers.

The attack involves substituting the original logo file for a malicious copy. The evil copy looks the same but triggers bugs in the image parsers. Using this approach, the researchers were able to write executable files to disk before the operating system had even started. Game over.

The attack is particularly damaging because it affects one of the earliest boot phases. This means defences such as Intel's Secure Boot are not running when this attack happens.

You can read more about the attack in this blog from the researchers at Binarly.

Be sure to look out for updates from your vendors!