Handler on Duty: Guy Bruneau
Threat Level: green
Podcast Detail
SANS Stormcast Thursday, July 9th, 2026: Stack Simulator; RootAsRole; Hoymiles; Git Hash Malleability
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10000.mp3
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
My Stack Simulator https://isc.sans.edu/diary/My%20Stack%20Simulator/33138
RootAsRole
https://github.com/LeChatP/RootAsRole
Hoymiles Inverter Vulnerability
https://www.ccc.de/system/uploads/382/original/hoymiles_dtu_vuln.pdf
Git Hash Chain Malleability
https://arxiv.org/abs/2607.02820
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Thursday, July 9th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering. And today we got from Xavier a new tool, the Stack Simulator. It's a web-based tool that Xavier created and that you can use. And what it's really about is whenever you're dealing with exploit development or if you're dealing with, for example, reversing malware, one of the important concepts to master is, well, how does the stack work? How do programs use the stack? And that is what this tool is about. It's really a learning tool to allow you to explore how sort of different values are passed in the stack, how, for example, commands can be executed, how pointers can be manipulated. And, well, give it a try, play with it. Like, it's really more learning tool. And so for anybody here sort of new to this kind of work, like reverse engineering and exploit development, probably a nice tool to go along with whatever classes you're taking. Xavier did develop this for our reversing malware class, Forensic 6.10. Well, I'm talking about tools. I figured we can also include another tool here that I just came across this week and I think some of you may be interested in, and that's root as role. So typically when you're dealing with Linux, what you usually do in order to assign elevated privileges to another user is sudo. That's the good old tool, has been around forever and, well, has caused problems forever with its approach to really sort of transferring all user rights instead of having sort of that more granular capabilities scheme and such that we have in modern Unix systems. But sudo pretty much sort of kind of ignores some of that and just gives you the full privileges of the other user. Well, root as role takes the other approach. You can now basically assign very specific capabilities or privileges to a particular user. You don't have to give them all rights associated with a particular user's account. And you can basically constrain how these rights can be used. Looks like a real interesting tool. Big problem, however, is it's not integrated in any major distributions other than Arch Linux. So Ubuntu, Red Hat and users like that. You have to compile it from scratch and then install it, which of course in many production environments is probably a little bit too cumbersome. But take a look and see if you find it useful. Well, and let's close it out with a little bit supply chain issues. One of the solutions that are often being offered in order to gain back some control over your supply chain is things like Git signatures and looking at Git commit hashes in order to better, well, figure out who created a certain commit and what actually changed and to identify specific commits. Jacob Ganesan from Carnegie Mellon University did publish a paper showing how, well, these signatures may not be as good as we thought. The problem here is in particular GitHub, but also some of the local Git implementations don't necessarily normalize whatever is being signed here. And, well, an attacker can essentially determine what parts of a particular Git commit are actually being added to a hash and a signature and what actually is being signed. And in doing so, it's possible to create a second Git commit with an identical hash and a valid signature with that. So that's certainly something to be aware of. There are a couple of solutions being offered here. In part, of course, these are bug fixes that need to be applied to Git and GitHub to fix some of these issues. But at this point, just awareness of the issue is probably already going to help somewhat. So take a look at the paper and see how these attacks exactly work and how to detect them. Well, and that it is for today. So thanks again for listening. Thanks for liking. Thanks for recommending this podcast and talk to you again tomorrow. Bye.





