Go Get My/Vulnerabilities: An In-Depth Analysis of Go Language Runtime and the New Class of Vulnerabilities It Introduces

Presented at Black Hat Asia 2017, March 31, 2017, 2:15 p.m. (60 minutes)

Golang is rapidly becoming the language of choice for programming both simple applications for embedded hardware and elaborated high end software for computational clusters. Many of the major companies have adopted it as the default choice for new projects and it is starting to be quite widespread even among independent programmers.<br> <br> One of the main features it introduces are goroutines: a new approach to multithreading that scales better with modern multi-core hardware and operating systems. It allows programmers to handle a higher amount of concurrent tasks with a lower cost in terms of performances.<br> <br> Goroutines are scheduled by the go runtime and in order to make them more efficient than traditional threads, some features have been taken away from them, like thread-local storage and thread pointers. These and many other changes have been applied in order to grant a competitive task-switching time.<br> <br> Go's approach makes it the language that performs better in concurrent applications, but like many other optimizations it doesn't come for free. While it is widely known that go is very efficient, there is still little to no information about the implications that come with relying on its internal scheduler. Many guides and documentations treat goroutines as if they were traditional threads, failing to warn programmers on the differences and risks involved, creating a dangerous trend for the next generation of software.<br> <br> What are the implications of using goroutines instead of threads? Do they introduce new vulnerabilities? Can they be used in a safe way?

Presenters:

• Roberto Clapis - Security Engineer, Secure Network
  Roberto Clapis is a Security Engineer, working as a penetration tester for Secure Network, Italy's leading security assessment company. He received a B.Sc. degree in Computer Engineering from Politecnico di Milano university in Italy. In his spare time Roberto contributes to open source projects and plays CTF with the "Tower of Hanoi" team. He has a strong interest in developing automated tools to optimize the process of penetration testing and code analysis.

Links:

• https://www.blackhat.com/asia-17/briefings/schedule/#go-get-myvulnerabilities-an-in-depth-analysis-of-go-language-runtime-and-the-new-class-of-vulnerabilities-it-introduces-5392
• https://www.youtube.com/watch?v=GGQcv7fK0JY

Similar Presentations:

• Black Hat Asia 2021 Virtual / Threat Hunting in Active Directory Environment
• Still Hacking Anyway (SHA2017) / Parkour communications: How you can communicate, free running style, using nothing but the 'fixtures' of the Internet.
• Black Hat USA 2021 / Keynote: Supply Chain Infections and the Future of Contactless Deliveries