DEV Community: okba tech

🚀 NeuroHTTP AI-Native High-Performance Web Server

okba tech — Fri, 17 Oct 2025 08:19:45 +0000

Redefining how AI APIs communicate with the Web.
Built entirely from scratch in C and Assembly, engineered for the new age of intelligent networking.

🧠 Introducing NeuroHTTP (Codename: AIMux)

NeuroHTTP isn’t just another web server — it’s the first AI-native web infrastructure designed specifically for real-time inference, model routing, and data-intensive AI workloads.

While traditional servers like Nginx, Apache, and Node.js were optimized for static or RESTful workloads, NeuroHTTP was built for AI APIs — where streaming, token-by-token inference, and ultra-low latency are critical.

🚀 Core Capabilities
Capability Description
🧠 AI-Powered Routing Intelligently routes requests across multiple AI models (GPT, Claude, LLaMA, etc.).
⚡ Smart Thread Pool Dynamically allocates workloads based on model complexity and concurrency.
📦 Assembly-Optimized JSON Parser SIMD-accelerated parsing for massive AI payloads with minimal latency.
🔌 AI Stream Mode Real-time, token-by-token streaming over HTTP/1.1, HTTP/3, or WebSocket.
🔐 Token Quota + API Keys Native authentication and quota control for multi-tenant AI APIs.
🛰️ gRPC + HTTP/3 Ready Modern, low-latency protocols built into the core.
🧩 Plugin System (C Modules) Extend functionality without recompilation.
📊 Telemetry & Metrics Real-time observability with latency, throughput, and memory analytics.
⚙️ Under the Hood

Every subsystem of NeuroHTTP is implemented in C, with critical hot paths written in Assembly for deterministic speed and zero overhead.

🧱 Core Components
Component Description
🧠 AI Router Embedded model intelligence for adaptive routing and contextual inference.
⚙️ Worker Threads Multi-threaded event loop optimized for CPU-bound AI workloads.
🔒 Internal Firewall Packet inspection and filtering built directly into the core.
⚡ Cache System (TTL-based) High-speed caching with configurable TTL for optimized reuse.
🧩 Runtime Optimizer Dynamically adjusts scheduling, caching, and concurrency based on live performance metrics.
🌍 Why NeuroHTTP Matters

🔥 No true AI-native web servers exist — until now.
NeuroHTTP pioneers a new class of networking technology designed for the next generation of intelligent workloads.

⚙️ Written in C & Assembly for extreme performance under inference-heavy loads.

🌐 Optimized for AI-native protocols, streaming, and model multiplexing.

🧩 Modular, extensible, and developer-first — open-source by design.

🧠 Self-optimizing architecture that learns and adapts to workload patterns.

🎬 Project Demo — AIONIC NeuroHTTP
https://github.com/okba14/NeuroHTTP/tree/main/videos

Experience NeuroHTTP in action.
Witness real-time inference, ultra-fast routing, and intelligent load balancing — all powered by C and Assembly.

🧠 The Vision

Build the world’s first AI-native web server capable of real-time, high-throughput inference with zero overhead.

NeuroHTTP isn’t just about serving requests —
it’s about serving intelligence.

💡 Join the Revolution

Be part of the movement redefining how AI APIs connect to the web.
Contribute. Extend. Optimize. Build the infrastructure of tomorrow.

👉 GitHub: https://github.com/okba14/NeuroHTTP

Exploiting the SSH_AUTH_SOCK Variable for Privilege Escalation via Fake ssh-agent

okba tech — Mon, 28 Jul 2025 18:52:01 +0000

🧩 Introduction:
SSH (Secure Shell) is one of the most critical secure communication protocols in modern systems. It is widely used for secure remote access, system administration, and server management.
One of the core components of SSH is the ssh-agent, a background process that holds private keys in memory, allowing applications to use these keys without prompting the user for the passphrase every time.
During an SSH session, the system exports a sensitive environment variable named SSH_AUTH_SOCK, which points to a Unix socket used to communicate with the ssh-agent.
This paper explores how this variable can be hijacked to achieve privilege escalation, by injecting a fake agent and executing a payload with root privileges.

🎯 Research Objectives:
• Demonstrate the potential of SSH_AUTH_SOCK as a vector for privilege escalation attacks.
• Present a practical scenario showing how to inject a fake agent and lure trusted system applications into communicating with it.
• Assess the severity and identify affected applications.
• Provide security recommendations for developers and system administrators.

🧪 Exploitation Steps:
✅ Step 1: Prepare the Payload
Compile the root shell binary that will be dropped by the fake agent:

gcc -o myrootsh myrootsh.c
xxd -i myrootsh | sed 's/myrootsh/myrootsh_bin/g' > myrootsh.h

The myrootsh.h file now contains the payload as a C array to be embedded in the fake agent.

✅ Step 2: Launch the Fake ssh-agent

sudo ./fake_agent

This program listens on a fake Unix socket: /tmp/fakeagent/ssh-agent.sock
It is ready to drop and activate the payload upon the first connection.

✅ Step 3: Trigger the Exploit via mysshtest

export SSH_AUTH_SOCK=/tmp/fakeagent/ssh-agent.sock
./mysshtest

The mysshtest binary is a simple setuid-root application that runs ssh-add -l, simulating real-world agent interaction.

✅ Step 4: Activate the Root Shell

sudo cp /tmp/.rootshell /usr/local/bin/.rootshell
sudo chmod 4755 /usr/local/bin/.rootshell
/usr/local/bin/.rootshell

Once executed, the regular user gains access to a root shell.

🧭 Discovering Affected Applications:
Use the following commands to identify binaries interacting with SSH_AUTH_SOCK:

grep -r 'ssh-add\|SSH_AUTH_SOCK\|ssh ' /usr/bin /usr/sbin /usr/lib 2>/dev/null
grep -r 'SSH_AUTH_SOCK' /etc /usr 2>/dev/null

🔍 Analysis of Affected Applications:
Several real-world applications shipped with distributions like Kali Linux were tested and confirmed to interact with the ssh-agent via SSH_AUTH_SOCK, making them susceptible to fake agent injection.

/usr/bin/ssh-copy-id
• Function: Copies the user’s public key to the authorized_keys file on the remote machine.
• Agent Interaction: Yes. Relies on ssh-agent if the passphrase isn’t stored.
• Risk Level: 🟠 High
Hijacking the agent could allow the attacker to redirect the session or inject their own key into the target machine, leading to persistence.
ssh-add -l
• Function: Lists keys currently loaded in the ssh-agent.
• Agent Interaction: Yes, direct interaction through SSH_AUTH_SOCK.
• Risk Level: 🟡 Medium
While it doesn’t initiate external connections, it confirms successful agent hijack and may serve as a launch point for the payload.
git ls-remote git@github.com:...
• Function: Lists branches and refs from a remote Git repository.
• Agent Interaction: Yes. Git invokes ssh, which in turn uses ssh-agent for authentication.
• Risk Level: 🔴 Critical
Git is often executed in automated environments (CI/CD), possibly with elevated privileges. A fake agent here could result in unauthorized remote connections or backdoors during automated fetches.

🟥 Risk Ranking Summary:
Application Risk Level Notes
git ls-remote 🔴 Critical Common in CI/CD pipelines, may execute automatically as root.
ssh-copy-id 🟠 High Can inject persistent keys to remote targets.
ssh-add -l 🟡 Medium Confirms interaction; useful for agent validation and payload init.

⚠️ Security Analysis:
This attack does not exploit a bug in ssh-agent or Git itself.
Instead, it leverages a design flaw in how environment variables are handled:
• SSH_AUTH_SOCK is an unprotected environment variable and can be manipulated.
• Most applications do not verify the ownership or permissions of the socket.
• If a setuid-root binary uses this variable without sanitization, an indirect privilege escalation occurs.

🛡️ Security Recommendations:
To mitigate this class of attacks, developers and sysadmins should:
1. Sanitize the environment in all setuid programs:
Clear variables like SSH_AUTH_SOCK before executing privileged operations.
2. Verify socket ownership and permissions:
Avoid trusting arbitrary agents unless the socket is owned by the current user.
3. Reduce reliance on setuid binaries:
Favor controlled privilege elevation via sudo with strict policies.
4. Enforce AppArmor/SELinux profiles:
Restrict access to unauthorized Unix sockets using mandatory access control.
5. Audit and monitor ssh-agent interactions:
Use tools like auditd or strace in sensitive environments to detect misuse.

✅ Conclusion:
This paper demonstrates how a seemingly benign environment variable like SSH_AUTH_SOCK can be weaponized for serious privilege escalation.
The exploit is field-tested, reproducible, and effective against real-world tools on popular Linux distributions like Kali Linux.
This attack is categorized as:
Indirect Privilege Escalation via Environment Variable Hijacking
Moreover, it can serve as a foundation for more advanced threats such as:
• CI/CD pipeline compromises
• Development-stage backdooring
• Persistent access in production systems

📫 Author
👤 Name: GUIAR OQBA
📧 Email: techokba@gmail.com
🌐 ORCID: https://orcid.org/0009-0008-1629-0002
💼 LinkedIn: https://www.linkedin.com/in/guiar-oqba-0207a9253/
💻 GitHub: https://github.com/okba14
📚 Zenodo: https://zenodo.org/records/15786076
📝 Hashnode: https://hashnode.com/@okba
✈️ Telegram: @okba_elkantara
📱 Phone: +2136-71-36-04-38

🧠Entropy Bias in BIP-39 Seed Phrase Generation By [GUIAR OQBA] . Security Researcher

okba tech — Fri, 18 Apr 2025 17:41:34 +0000

👋 Hello Dev Community ,
I hope this post finds you well.

Over the past few months, I’ve conducted extensive security research into the generation and validation of BIP-39 mnemonic recovery phrases used across multiple blockchain ecosystems — including Ethereum, Solana, Bytecoin, and others.

During this analysis, I discovered a potential non-uniform entropy distribution in the generated seed phrases — a subtle but concerning irregularity that may compromise wallet security in specific scenarios.

🔍 Key Observations
High Word Frequency Bias
Certain words appear disproportionately as the first, middle, or last words in mnemonic sequences.

Example: Some words occurred over 300 times as the initial word in generated valid 12- or 24-word phrases.

Abnormal Validation Rates
From a test batch of 150,000 programmatically generated phrases, we observed:

✅ 9,600+ valid wallets for 12-word English phrases

✅ 14,000+ valid wallets for 24-word English phrases

✅ 8,000+ valid wallets for 24-word Czech phrases

Statistical Anomalies
These rates suggest that valid mnemonic discovery is not entirely random, potentially due to:

Biased word distribution

Flawed entropy sources

Weak random number generation (RNG)

🛡️ Potential Impact
If BIP-39 implementations across platforms are found to have biases or entropy flaws, it could reduce the effective search space — making brute-force or partial-recovery attacks more feasible.

This weakness might affect wallet providers or applications using BIP-39 without adequate entropy enhancements or post-generation entropy checks.