Does anyone know how Google #beyondcorp mitigates against 0-day RCE in their Internet-exposed systems? If "Connecting from a particular network must not determine which services you can access," your code will be exposed to any maniac on the Internet, yes? cloud.google.com/beyondcorp/
0day RCE in internet-exposed systems (e.g., webservers, accidentally leaving open vulnerable RDP) would not be mitigated by BeyondCorp, although lateral movement is likely hindered by isolation of systems once on-host.
The systems I studied are unlikely to prevent this because they mostly leverage low-integrity mechanisms (e.g., user-mode processes) to report device trust, and most MFA identity claims are cached for days or weeks.
If you leverage System Guard runtime attestation to provide "overwatch" of a user-mode EDR or EPP agent, you get the closest (I know of) to reasonable device claims.
You can also report on the ELAM status of kernel components.
I haven't seen many products working for it; they seem to be mostly working at marketing.
I also think the Auditor app for Android is a pretty awesome reference for doing hardware device trust on mobile platforms.
Some relevant links:
attestation.app/about
github.com/GrapheneOS/Aud
github.com/GrapheneOS/Att
play.google.com/store/apps/det
There's still a lot of work to do on the user experience for the remote attestation service. It can do local verification between devices without networking too.
This is the foundation for a lot of future work. It can keep adding support for the new standard Android attestation features along with adding support for vendor-specific APIs offering more functionality. I plan on collaborating with Google and hardware vendors on this more too.