2026-05-18: Practical Deep Dive into Kubernetes Security (Workshop)

Kubernetes is now the backbone of modern infrastructure - and one of the most attractive targets for attackers. As such, I'm excited to bring a hands-on workshop focusing on the security of Kubernetes to hackArcana. Here's some useful info about it:

• Workshop: Practical Deep Dive into Kubernetes Security
• Format: Live online (with instructors), exercise-based workshop
• Instructors: Jarosław Jedynak, Michał Leszczyński (I've worked and played/made CTFs with them - they are SOLID!)
• Duration: 18 hours over 6 weeks (6 modules)
• Recordings: All sessions are recorded and available for at least 3 months
• Schedule: Tuesdays, 7 PM CEST, 9.06, 16.06, 23.06, 30.06, 07.07, 14.07
• Language: English
• Level: Intermediate (you should know basics of K8s)

You can find all the details on the workshop's page, but here's also the agenda:

Module 1 - Kubernetes Architecture
Session: June 9th, Tuesday, 7 PM CEST

• Kubernetes components and how they interact
• Threat modeling the cluster: what attackers target and why
• Workshop environment walkthrough and lab access
• First hands-on exercises: exploring the cluster from an attacker's perspective

Module 2 - Build Phase Security
Session: June 16th, Tuesday, 7 PM CEST

• Container image pitfalls and common misconfigurations
• Source code and dependency scanning in CI/CD pipelines
• Supply chain risks: what happens before the image reaches the cluster
• Lab: identifying and fixing vulnerable image builds

Module 3 - Deploy Phase Security
Session: June 23rd, Tuesday, 7 PM CEST

• Image signing and verification
• Namespaces, pod security standards, and admission policies
• Secrets management: what goes wrong and how to fix it
• Lab: hardening deployment manifests and catching misconfigurations before they reach production

Module 4 - Runtime Phase Security
Session: June 30th, Tuesday, 7 PM CEST

• Service account tokens and their abuse
• Cloud environment pitfalls and metadata API attacks
• Privilege escalation and container breakout scenarios
• Lab: reproducing real runtime attack paths and applying mitigations

Module 5 - Administration, Access Control, and Networking
Session: July 7th, Tuesday, 7 PM CEST

• Authentication mechanisms and common weaknesses
• RBAC deep dive: misconfigurations, auditing, and least privilege
• Admission controllers and policy enforcement
• CNI configuration, network policies, firewalls, and network-level attacks
• Service meshes and their role in cluster security
• Lab: attacking and hardening cluster access and network segmentation

Module 6 - Low-Level Container Security
Session: July 14th, Tuesday, 7 PM CEST

• Linux namespaces, cgroups, and capabilities in depth
• Seccomp profiles: building and applying them
• Kernel exploits and container escape techniques
• Wrap-up, Q&A, and next steps in your Kubernetes security journey
• Lab: hands-on container isolation assessment and hardening

Workshop starts on June 9th and you can secure your place (and later your K8s) here: Sign up!

[ 0 comments ]

2026-05-19: Practical Deep Dive into Kubernetes Security (Szkolenie)

Kubernetes jest fundamentem nowoczesnej infrastruktury - i jednym z najbardziej atrakcyjnych celów dla atakujących. W związku z tym z wielką przyjemnością chciałbym dać znać, że na moim serwisie szkoleniowych hackArcana pojawiły się praktyczne warsztaty poświęcone bezpieczeństwu Kubernetes. Oto garść informacji na ich temat:

• Szkolenie: Practical Deep Dive into Kubernetes Security
• Format: Online, na żywo (z trenerami), szkolenie z ćwiczeniami
• Trenerzy: Jarosław Jedynak, Michał Leszczyński (miałem okazję pracować / robić CTF z nimi, są solidni!)
• Czas trwania: 18 godzin rozbite na 6 tygodni (6 modułów)
• Nagrania: Wszystkie sesje będą nagrywane a nagrania będą dostępne minimum 3 miesiące
• Harmonogram: Wtorki, 19:00 CEST, 9.06, 16.06, 23.06, 30.06, 07.07, 14.07
• Język: Angielski
• Poziom: średnio zaawansowany (tj. trzeba znać podstawy K8s)

Wszystkie informacje są na stronie szkolenia, ale wklejam tutaj również agendę (po angielsku, z uwagi na to, że szkolenie i tak jest w tym języku):

Module 1 - Kubernetes Architecture
Session: June 9th, Tuesday, 7 PM CEST

• Kubernetes components and how they interact
• Threat modeling the cluster: what attackers target and why
• Workshop environment walkthrough and lab access
• First hands-on exercises: exploring the cluster from an attacker's perspective

Module 2 - Build Phase Security
Session: June 16th, Tuesday, 7 PM CEST

• Container image pitfalls and common misconfigurations
• Source code and dependency scanning in CI/CD pipelines
• Supply chain risks: what happens before the image reaches the cluster
• Lab: identifying and fixing vulnerable image builds

Module 3 - Deploy Phase Security
Session: June 23rd, Tuesday, 7 PM CEST

• Image signing and verification
• Namespaces, pod security standards, and admission policies
• Secrets management: what goes wrong and how to fix it
• Lab: hardening deployment manifests and catching misconfigurations before they reach production

Module 4 - Runtime Phase Security
Session: June 30th, Tuesday, 7 PM CEST

• Service account tokens and their abuse
• Cloud environment pitfalls and metadata API attacks
• Privilege escalation and container breakout scenarios
• Lab: reproducing real runtime attack paths and applying mitigations

Module 5 - Administration, Access Control, and Networking
Session: July 7th, Tuesday, 7 PM CEST

• Authentication mechanisms and common weaknesses
• RBAC deep dive: misconfigurations, auditing, and least privilege
• Admission controllers and policy enforcement
• CNI configuration, network policies, firewalls, and network-level attacks
• Service meshes and their role in cluster security
• Lab: attacking and hardening cluster access and network segmentation

Module 6 - Low-Level Container Security
Session: July 14th, Tuesday, 7 PM CEST

• Linux namespaces, cgroups, and capabilities in depth
• Seccomp profiles: building and applying them
• Kernel exploits and container escape techniques
• Wrap-up, Q&A, and next steps in your Kubernetes security journey
• Lab: hands-on container isolation assessment and hardening

Szkolenie zaczyna się 9 czerwca, a zapisać można się tutaj: Zarejestruj się!

[ 0 komentarzy ]

Five newest or recently updated notes (these are unfinished posts, code snippets, links or commands I find useful but always forget, and other notes that just don't fit on the blog):

• 2024-12-19: End of Year Talk Watchlist 2024
• 2023-01-17: AI related lawsuits
• 2022-07-31: Python "sandbox" escape
• 2021-09-15: C++ Hello World!
• 2021-08-02: 8-bit number to binary string ("01011010") [C/C++]

Click here for a list of all notes.

• DLL shared sections: a ghost of the past - research notes taken while revisiting the infamous DLL shared sections; also, a description of finding and exploiting a Cygwin vulnerability. See also this post and these tools.
• PHP LFI to arbitratry code execution via rfc1867 file upload temporary files is an attempt to bring a specific LFI exploitation technique to common knowledge. You might also want to check out a follow-up paper by Brett Moore.
• Exploiting the otherwise non-exploitable - Windows Kernel-mode GS Cookies subverted described the internal mechanisms of generating GS cookies in drivers and a way to predict them.
• GDT and LDT in Windows kernel vulnerability exploitation is another paper I've written with j00ru, this time about using call-gates in kernel exploitation - quite a cool method since it works even if you have only a 1-byte write-what-where condition.

Some conference slides are linked at the bottom of this page.

• A few Microsoft Windows privilege escalations and some DoSes patched by MS10-021 and MS10-011 - this research was presented on HITB Dubai 2010 and CONFidence 2010 (video available here).
• Well, actually a few more bugs in Windows kernel and drivers discovered during our Bochspwn research (see this post and this one) using our kfetch-toolkit. They were patched in MS13-016, MS13-017, MS13-031 and MS13-036.
• Adobe Reader 9.5.1 and 10.1.3 multiple vulnerabilities - 62 unique crashes, from that 31 trivially exploitable and 9 more potentially exploitable, 11 CVE's assigned (CVE-2012-4149 to CVE-2012-4160). Some of these bugs were fixed for Windows and OSX releases of Adobe Reader in APSB12-16.
• Adobe Flash had also quite a lot of fixes (around 60 CVEs assigned). Some details can be found in these bulletins (in random order): APSB12-27, APSB12-24, APSB12-22, APSB13-17, APSB13-14, APSB13-11, APSB13-09, APSB13-05 and APSB13-01.
• Contributed to discovery of multiple low-to-high vulnerabilities in Google Chrome (CVE-2012-2851, CVE-2012-2855, CVE-2012-2856, CVE-2012-2862, CVE-2012-2863 and some other) - some of these were mentioned in this post.
• A lot of bugs in ffmpeg and libav which resulted in 892 (sic!) patches in ffmpeg and 299 patches in libav (CVE-2011-3930 to CVE-2011-3952 and some other).
• Cygwin cygwin1.dll shared section local privilege escalation (demo video) - discovered while revisiting old-school classes of bugs (see paper above).
• Two minor bugs in PuTTY and aterm and rxvt found while playing with terminal control codes. Put here to create some illusion of diversity.
• Mozilla Firefox 2.0.0.11 and Opera 9.50 information leak, also midly affected Safair, Konqueror and some other products (CVE-2007-6524, CVE-2008-0420, CVE-2008-0894, CVE-2008-1573). A demo video is also available.
• A small but funny bug in Total Commander 7.01 - an FTP client gets attacked by the server, leading to a path traversal.
• And there were also these two: a local privilege escalation that required a USB stick of death, and a funny compiler bug.

The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).

The Google Application Security / Research site might also contain some of my findings.

• Unicode fun: PHP preg_match and UTF-8 with analysis of what happens when you forget that UTF-8 is multibyte; and a String-to-Integer vs Unicode - yes, the standard 0-9 digits are not the only ones supported by programming languages or unicode (see also this post).
• Digging deeper into C/C++: internals of static variables initialization, a discussion with myself about NULL/nullptr, the curious case of int a=5; a=a++ + ++a;, and what happens when scanf/atoi/strtol get an overly large number. Also, a way to magically make a list of functions at compilation time, and a way to create naked functions in gcc/g++ (or rather pure-assembly functions with no additional prologs/epilogs).
• Low-level goodies: a Hello World in C without using any headers / library functions, a process that frees almost all the memory it owns, and embedding GDB in assembly source code.
• Do not do this at work kids - OOP in .bat and OpenGL in .bat.

W wolnym czasie prowadzę videocasty na żywo o programowaniu, reverse engineeringu oraz hackingu/security:

Livestream | Kanał na YT | Archiwum starszych odcinków
Najnowszy odcinek: Gynvael's Livestream #75: Implementujemy serwer FTP
[ 0 thumbs up | 0 comments | 0 views ]

Dodatkowo: ReverseCraft - starsza seria podcastów o reverse engineeringu i assembly.

Dla programistów:

• Poradnik Początkującego Programisty - czyli jaki język wybrać, z czego się uczyć, jak samodzielnie rozwiązywać problemy i co dalej jak już się zna podstawy.
• Zmienne i stałe: wartość, kodowanie, reprezentacja - rozłożenie zmiennych na części pierwsze, od wysokiego poziomu abstrakcji, do kodowania na poziomie RAMu i CPU.

Security / hacking:

• Hacking - jak uczyć się security/hackingu i spać spokojnie.

Dodatkowo, kilka przemyśleń na temat odnajdywania się na rynku pracy w IT:

• Wybór studiów a szanse na rynku pracy - mój punkt widzenia na wybór studiów, rynek pracy, oczywiście w kontekście informatyki, programowania, itp.
• Spis sposobów na dokumentowanie swojej wiedzy, czyli co można wpisać w CV oprócz praktyk i papierka z uczelni.

• Trochę o PHP, preg_match i UTF-8, czyli o problemach związanych z niespójnym kodowaniem znaków.
• Kilka przemyśleń na temat intów, do tego kilka eksperymentów z wrzucaniem dużych liczb (większych od INT_MAX) w funkcje scanf/atoi/strtol, oraz różnice w wynikach w dzieleniu z udziałem liczb ujemnych w różnych językach.
• int a = 5; a = a++ + ++a;, ile wynosi "a"? Wynik jest oczywiście niezdefiniowany, ale jednak jakiś musi wypaść.
• Sposób na stworzenie funkcji naked w gcc/g++.
• Z przymróżeniem oka - programowanie obiektowe oraz OpenGL w języku skryptowym batch (aka .bat).

← trochę więcej postów jest po angielskojęzycznej stronie.