DAILY NEWS

Transaction Simulation Story: The Dry Run Is Not the Signed Result


Disclosure: AI tools were used for source collection and editorial review. The article was written by a human author, who checked the facts, code, and conclusions.

Crypto risk disclosure: This article is a technical explanation, not investment advice. It is not a recommendation to buy, sell or hold any cryptoasset.

Transaction Simulation Story is useful before a signature only when the preview says exactly what it simulated. A dry run can show a result against selected state, but the preview should not pretend that result is the future block, the final ordering, or the user’s full intent.

The mistake is easy to make in AI wallets and agent wallets. A transaction preview sounds like a single safety layer, while the actual evidence comes from different layers: Ethereum execution APIs, client debug methods, provider simulation APIs, ABI decoding, and wallet warning UX.

Simulation Receipt

The dry run needs a receipt before it needs a promise. The receipt below is deliberately provider-scoped: it separates a standard call result from trace, logs, and asset changes that only exist when a client or provider supplies them.

{
  "request": {
    "from": "0xUser",
    "to": "0xContract",
    "value": "0x0",
    "input": "0xa9059cbb…",
    "gas": "0x186a0"
  },
  "blockContext": "latest",
  "providerMethod": "eth_call",
  "standardResult": {
    "eth_callReturnData": "0x…"
  },
  "providerResult": {
    "status": "success",
    "revertReason": null,
    "gasUsed": "provider_specific",
    "calls": "provider_specific",
    "logs": "provider_specific",
    "assetChanges": "provider_specific"
  },
  "warnings": [
    "state may change before inclusion",
    "trace fields are not universal Ethereum JSON-RPC",
    "decoded asset changes depend on provider coverage and ABI"
  ]
}

That receipt is the article’s core artifact. Transaction Simulation Story becomes safer when each field has a source and a limit, because the wallet can show “this is a provider estimate” instead of “this will happen.”

Standard Call

The standard call layer is narrower than many previews imply. The Ethereum Execution APIs for eth_call support executing a call against selected state without creating an onchain transaction.

That is valuable, but it is not a full trace. The pre-signature preview should treat eth_call output as return data or an error for a selected block context, not as proof of future asset changes, call tree, or logs.

Simulation State

The most direct official simulation language comes from Ethereum Execution APIs eth_simulateV1. The method can simulate calls, accumulate state between simulated calls, and use block or state overrides.

That power is also the warning. The receipt has to name the state it used: latest, safe, finalized, pending, a specific block number, or a provider override. A successful result on one state is not a guarantee that a signed transaction will see the same state later.

Provider Trace

The trace layer is provider or client specific. Geth debug_traceCall belongs to the Geth debug namespace, while Tenderly simulations and Alchemy simulation APIs expose richer trace, asset, and balance views through provider APIs.

That difference should be visible to the user or agent. A wallet should not label a Tenderly asset-change object or an Alchemy internal-call list as “Ethereum said this.” Ethereum supplied the call/state primitive; the provider supplied the decoded preview.

Boundary Table

The next engineer needs a short boundary table so one field does not carry five meanings.

Layer                        | What it can say                                           | What it cannot say
-----------------------------|-----------------------------------------------------------|---------------------------------------------
eth_call                     | Return data or error against selected state               | Future inclusion, asset diff, full trace
eth_simulateV1               | Simulated calls and state changes under chosen options    | Guaranteed future block result
Geth debug_traceCall         | Client debug trace under tracer configuration             | Universal provider output
Tenderly/Alchemy simulation  | Provider-decoded calls, logs, balances, or asset changes  | Protocol-native guarantee
Wallet warning               | User-facing caution before signature                      | Complete threat detection or signature block

This table keeps the preview out of the “dry run equals safety” trap. A preview is useful when it says which layer produced each claim.
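As an added example (not code from the article), the receipt and the boundary table above can be enforced in code rather than left to UI copy: every field of the receipt is tagged with the layer that produced it and that layer's limits, and a field that no layer supplied is simply absent, so the wallet never has to invent a claim. The block also decodes the transfer(address,uint256) selector that the receipt shows truncated, using a constructed full calldata rather than any real transaction. The abi_decode row, the type and function names, and the warning wording beyond the receipt's own three strings are assumptions of this example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claim is one receipt field tagged with the layer that produced it and that
// layer's limits from the boundary table above.
type Claim struct {
	Value     interface{}
	Layer     string
	CanSay    string
	CannotSay string
}

// layerLimits mirrors the boundary table: layer -> {can say, cannot say}.
// The abi_decode row is this example's addition for local calldata decoding.
var layerLimits = map[string][2]string{
	"eth_call":            {"return data or error against selected state", "future inclusion, asset diff, full trace"},
	"eth_simulateV1":      {"simulated calls and state changes under chosen options", "guaranteed future block result"},
	"debug_traceCall":     {"client debug trace under tracer configuration", "universal provider output"},
	"provider_simulation": {"provider-decoded calls, logs, balances, or asset changes", "protocol-native guarantee"},
	"abi_decode":          {"which function and arguments the calldata encodes", "what the contract will do with them"},
	"wallet_warning":      {"user-facing caution before signature", "complete threat detection or signature block"},
}

func newClaim(layer string, v interface{}) Claim {
	lim := layerLimits[layer] // empty limits would mean a claim with no table row
	return Claim{Value: v, Layer: layer, CanSay: lim[0], CannotSay: lim[1]}
}

// Receipt is the labelled dry-run evidence a wallet shows before a signature.
type Receipt struct {
	BlockContext string
	Claims       map[string]Claim
	Warnings     []string
}

// transferSelector is the first 4 bytes of keccak256("transfer(address,uint256)").
const transferSelector = "a9059cbb"

// SampleCalldata is constructed test input: transfer 1,000,000 base units to
// 0x1111...1111. It is not a real transaction.
const SampleCalldata = "0xa9059cbb" +
	"0000000000000000000000001111111111111111111111111111111111111111" +
	"00000000000000000000000000000000000000000000000000000000000f4240"

// DecodeERC20Transfer decodes ERC-20 transfer(address,uint256) calldata.
func DecodeERC20Transfer(calldata string) (to string, amount *big.Int, err error) {
	data := strings.TrimPrefix(strings.ToLower(calldata), "0x")
	if len(data) != 8+64+64 || data[:8] != transferSelector {
		return "", nil, errors.New("not a complete transfer(address,uint256) call")
	}
	raw, err := hex.DecodeString(data)
	if err != nil {
		return "", nil, err
	}
	// The address is right-aligned in a 32-byte word; its 12 padding bytes must be zero.
	for _, b := range raw[4:16] {
		if b != 0 {
			return "", nil, errors.New("address word has non-zero padding")
		}
	}
	return "0x" + hex.EncodeToString(raw[16:36]), new(big.Int).SetBytes(raw[36:68]), nil
}

// BuildReceipt assembles the receipt. assetChanges is nil when no provider
// simulation ran; the receipt then carries no asset-change claim at all.
func BuildReceipt(blockContext, calldata, ethCallReturn string, assetChanges []string) Receipt {
	r := Receipt{BlockContext: blockContext, Claims: map[string]Claim{}}
	r.Claims["returnData"] = newClaim("eth_call", ethCallReturn)
	r.Warnings = append(r.Warnings, "state may change before inclusion")
	if blockContext != "finalized" {
		r.Warnings = append(r.Warnings, "block context '"+blockContext+"' is not finalized and can be superseded")
	}
	if to, amt, err := DecodeERC20Transfer(calldata); err == nil {
		r.Claims["decodedIntent"] = newClaim("abi_decode", fmt.Sprintf("transfer %s base units to %s", amt, to))
		r.Warnings = append(r.Warnings, "decoded asset changes depend on provider coverage and ABI")
	}
	if assetChanges != nil {
		r.Claims["assetChanges"] = newClaim("provider_simulation", assetChanges)
		r.Warnings = append(r.Warnings, "trace fields are not universal Ethereum JSON-RPC")
	}
	return r
}

func main() {
	r := BuildReceipt("latest", SampleCalldata, "0x01", nil)
	for name, c := range r.Claims {
		fmt.Printf("%s (from %s): %v\n  can say: %s\n  cannot say: %s\n", name, c.Layer, c.Value, c.CanSay, c.CannotSay)
	}
	fmt.Println("warnings:", r.Warnings)
}
```

The design choice worth copying is that BuildReceipt cannot emit an assetChanges claim unless a provider result was actually passed in, and every claim it does emit carries the table's "cannot say" column with it, so the UI layer can render "provider estimate" or "node result against latest" without a second lookup.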

Fee Preview

Gas and fee previews have their own boundary. Ethereum eth_estimateGas returns an estimate of the gas needed for the transaction to complete against selected state, while EIP-1559 defines the maxFeePerGas and maxPriorityFeePerGas fields for type 0x02 transactions.

That does not make the displayed cost final. The wallet should say “estimated under this state and fee context,” because base fee, priority fee, pending block constraints, and state changes can move before inclusion.
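An added example of the fee boundary (not from the article): it computes the expected cost under the previewed base fee, the worst case the signature actually authorises (gas limit times maxFeePerGas), and how far the base fee can move before inclusion using the EIP-1559 cap of one eighth per full block. Field and function names are this example's own, and the numbers in main() are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// FeeContext is the fee-relevant state a preview was computed against.
// Values are in wei; uint64 (about 18 ETH) is enough for this example,
// a real wallet would use math/big.
type FeeContext struct {
	BaseFeeWei     uint64 // base fee of the block the preview used
	GasEstimate    uint64 // eth_estimateGas result under that state
	GasLimit       uint64 // gas limit the wallet will sign
	MaxFeePerGas   uint64 // EIP-1559 maxFeePerGas
	MaxPriorityFee uint64 // EIP-1559 maxPriorityFeePerGas
}

// FeePreview is what the wallet may show; every number is tied to its context.
type FeePreview struct {
	ExpectedCostWei     uint64 // gasEstimate * effective price at the previewed base fee
	WorstCaseCostWei    uint64 // gasLimit * maxFeePerGas: the most the signature can authorise
	BaseFeeCeilingWei   uint64 // highest base fee reachable after blocksAhead full blocks
	IncludableNow       bool   // maxFeePerGas covers the previewed base fee
	IncludableAtCeiling bool   // maxFeePerGas still covers the base fee at the ceiling
}

// EffectiveGasPrice is the price EIP-1559 actually charges: min(maxFee, base + tip).
func EffectiveGasPrice(baseFee, maxFee, maxPriority uint64) uint64 {
	if baseFee+maxPriority < maxFee {
		return baseFee + maxPriority
	}
	return maxFee
}

// BaseFeeAfter returns the highest base fee reachable after n blocks, using the
// EIP-1559 cap of +12.5% (one eighth) per fully used block.
func BaseFeeAfter(baseFee uint64, n int) uint64 {
	for i := 0; i < n; i++ {
		baseFee += baseFee / 8
	}
	return baseFee
}

// Preview computes the numbers and refuses fee fields that can never be included.
func Preview(fc FeeContext, blocksAhead int) (FeePreview, error) {
	if fc.MaxPriorityFee > fc.MaxFeePerGas {
		return FeePreview{}, errors.New("maxPriorityFeePerGas exceeds maxFeePerGas: invalid transaction")
	}
	if fc.GasLimit < fc.GasEstimate {
		return FeePreview{}, errors.New("gas limit below estimate: the call will run out of gas")
	}
	eff := EffectiveGasPrice(fc.BaseFeeWei, fc.MaxFeePerGas, fc.MaxPriorityFee)
	ceiling := BaseFeeAfter(fc.BaseFeeWei, blocksAhead)
	return FeePreview{
		ExpectedCostWei:     fc.GasEstimate * eff,
		WorstCaseCostWei:    fc.GasLimit * fc.MaxFeePerGas,
		BaseFeeCeilingWei:   ceiling,
		IncludableNow:       fc.MaxFeePerGas >= fc.BaseFeeWei,
		IncludableAtCeiling: fc.MaxFeePerGas >= ceiling,
	}, nil
}

func main() {
	const gwei = 1_000_000_000
	// Constructed context: 30 gwei base fee, 2 gwei tip, 50 gwei cap, plain ETH transfer.
	fc := FeeContext{BaseFeeWei: 30 * gwei, GasEstimate: 21_000, GasLimit: 21_000, MaxFeePerGas: 50 * gwei, MaxPriorityFee: 2 * gwei}
	p, err := Preview(fc, 4)
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Printf("estimated under base fee %d wei: expected %d wei, worst case %d wei\n", fc.BaseFeeWei, p.ExpectedCostWei, p.WorstCaseCostWei)
	fmt.Printf("after 4 full blocks the base fee may reach %d wei; still includable: %v\n", p.BaseFeeCeilingWei, p.IncludableAtCeiling)
}
```

The wallet should show both ExpectedCostWei and WorstCaseCostWei: the first is the estimate under this state, the second is what the user is actually authorising, and the ceiling line is the honest statement that the base fee can move before inclusion.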

Signature Context

Structured signing helps the display layer but does not prove user understanding. EIP-712 defines typed structured data hashing and signing with domain separation, which can make a request easier to inspect than opaque bytes.

That display layer still needs the simulation receipt. A nicely typed signature is not proof that the user saw the eventual asset movement, provider trace, or MEV/order risk.

Wallet Warning

Wallet warnings are a user interface layer, not a consensus layer. MetaMask transaction insights let a Snap inspect an unsigned transaction request, while MetaMask security alerts document warning behavior and limits for MetaMask’s own system.

That makes the pattern useful for AI x crypto systems: an agent can prepare the receipt, but the wallet should still show the method, state, provider, decoded change, warning, and uncertainty before signature.

Ordering Risk

The final boundary is ordering. Flash Boys 2.0 is not a wallet simulation manual, but it is strong evidence that transaction ordering and priority dynamics matter in Ethereum-style systems.

That is why the dry-run story should end with a refusal to overpromise. A dry run can catch many mistakes before a signature, but it cannot freeze the mempool, future state, block builder behavior, or every provider decoding assumption.

Final Receipt

The pattern works when the wallet or agent says: “This is what the dry run saw, using this state, this provider method, and these decoded fields.” The signature decision is better because the uncertainty is visible.

That is the developer habit worth keeping. A simulation trace is not a prophecy; it is a labeled piece of evidence before a user or agent signs.




It’s not too late! Make your AWS Security Agent debut with a code review!


This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.

https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18

The penetration testing feature of AWS Security Agent (hereinafter simply “Security Agent”), announced at AWS re:Invent 2025, is now generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven’t been able to try Security Agent yet can still try these features. I wasn’t able to try penetration testing during the preview period, so I decided to at least experience code review and made my Security Agent debut!

This article reflects the author’s personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated. This article was written based on information as of May 25, 2026.

As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).

https://aws.amazon.com/security-agent/

It includes three features: penetration testing, which became generally available (GA) in April, plus design review and code review (the subject of this article), which are still in preview.

Function name       | Feature overview                                                                                       | Status (as of 2026/5/25)
--------------------|--------------------------------------------------------------------------------------------------------|-------------------------
Penetration testing | Attempts to break into the system from outside to evaluate its security measures.                      | GA
Design review       | Analyzes product specifications, architecture documents, and technical designs from a security risk perspective. | Preview
Code review         | Inspects source code and repositories to detect code-level vulnerabilities.                            | Preview

Code security review (hereinafter referred to as “code review”) is a web application diagnostic method that falls under “SAST” (Static Application Security Testing). It is considered a vulnerability assessment that checks for flaws in the source code during the development phase before it is deployed in a test environment, and detects vulnerabilities visible at the code level.

From here, I will describe the steps to enable the Security Agent and run a code review.

Enable Security Agent

To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent will not incur any charges.

① Click (Set up AWS Security Agent)

② Enter an “Agent Space name”.
③ Specify the “User access configuration”.

If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select “Single sign-on (SSO) with IAM Identity Center.” I chose this option because I also run a one-person organization. Even if you haven’t enabled Organizations yet, this might be a good opportunity to try out a one-person organization.

④ Enter a service role name. If there is no suitable role in your account, a new service role will be created.
⑤ If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, leave it unchecked.
⑥ Set tags as needed.
⑦ Click “Set up AWS Security Agent”.

⑧ Once you see a message indicating that the application has been successfully enabled, the Security Agent has been successfully activated.

① Click “Enable code review”.

② Add a “Connected Integration”. Click “Add”.

③ Select “Create a new account” and “GitHub,” then click “Next.”

④ Click “Open AWS Security Agent on GitHub”.

⑤ You will be redirected to the GitHub page. Click “Install”.

⑥ Click on the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.

⑦ Click “Only select repositories” and select the repository where you want to install the GitHub App from the “Select repositories” dropdown menu.

⑧ Click “Install,” and the setup is complete when a screen like the one below appears.

⑨ Return to the following screen and click “Add” again.

⑩ Select the added integration and click “Next”.

⑪ Select the GitHub repository name and click “Next”.

⑫ Select the features to enable. If you want to perform code reviews, enable “Code review comments”. If you want to automatically remediate detected vulnerabilities, enable “Automatic remediation”. Click Connect and confirm that “Integration resource added” is displayed.

⑬ Select the code review settings and click “Next”. I selected “Security requirements and vulnerability detection results,” which is selected by default.

⑭ If you want application operation logs in CloudWatch Logs, select the log group where they should be stored (the log group must be created beforehand).
⑮ Create a role for service access. If you have already created one, click “Use existing service role”. If the default role is acceptable, click “Create default role”.
⑯ Click “Save”.

This time, we created a default role, but I think it’s necessary to create a role with carefully considered policy settings. I’ll investigate what policies are necessary in the future.

⑰ When the screen looks like the one below and “Ready” appears in the code review section, code review is enabled.

Add an IAM Identity Center user to allow code reviews from the application.

For testing purposes, you can access it with “Administrator Access” without creating a user, but since administrators don’t usually perform vulnerability assessments in normal operation, we’ll configure a user even for testing purposes.

① Return to the “Agent Spaces” top page and click “Add Users” from the “Web App” tab.

② Select the IAM Identity Center username you want to allow access to the Security Agent web app and click “Add users”.

③ Once the message indicating that the user has been added is displayed, click the Agent Web App URL.

④ When the following screen appears, click “Sign in” or wait a moment, and you will be redirected to the Agent Web App screen.

⑤ The screen will display as shown below, and you should confirm that the created Agent Space name is displayed.

Now, we will run the code review.

① From the Agent Web App home screen, click “Create a code review.”

② Enter a title for the code review.
③ Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, then click “Create a code review”.

④ Once the message indicating that the code review has been created is displayed, click “Start review.” A confirmation screen will appear, so click “Start review” again.

⑤ The message “Code review started” will be displayed. Reloading the screen will display “In progress.”

⑥ Clicking on the created code review will show the progress. Wait until completion.

This time it was completed in about an hour.

① Once completed, you can view the code review results.

② The scan results are displayed as follows. Well-known vulnerabilities such as SQL injection, cross-site scripting, and path traversal were detected.

Although it said “Completed,” it kept showing “Finalizing” for some reason.

You can download the code review results as a PDF file. This is likely for requesting corrections or sharing information with developers who do not have an AWS account, or for storing it as evidence.

① Click “Generate Report” in the upper right corner of the code review results screen.

② Edit the extraction criteria and click “Generate and Download.” The code review results will be output as a PDF file to your PC’s download folder.

Detected vulnerabilities need to be fixed. It is possible to fix them automatically instead of manually.

① Select the vulnerability you want to automatically fix and click “Fix Code.”

② Code remediation will begin.

If “Automatic remediation” is not enabled, the following error will appear. In the GitHub repository’s features management, turn on the “Automatic remediation” toggle button and save.

③ Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status will be displayed. Once the fix is complete and the status changes to “COMPLETED,” a pull request is sent to GitHub.

④ Opening the pull request reveals that it was automatically created by Security Agent and details of the changes. If there are no issues with the content, merge it.

Recognizing the Importance of SAST

This code review detected many types of vulnerabilities. It’s probably difficult to uncover all vulnerabilities through human code reviews alone. I believe it’s an important service that complements human code reviews by inspecting for remaining vulnerabilities. Furthermore, I realized that web application security testing should not only utilize external attack-based testing methods like DAST (Dynamic Application Security Testing), but also SAST, which identifies vulnerabilities at the code level and provides a starting point for fixes.

Completely Eliminating Human Reviews is Not Yet Possible

I realized that Security Agent doesn’t completely replace human code reviews.

After running the automatic fix and then performing another code review, the fixed vulnerabilities were not re-detected, but several new vulnerabilities were detected. It’s possible that a detection method was added during the initial code review, or that it was a false positive, but it’s also possible that a fix in one place affected the entire code or even the entire repository.

As such, the results of the review and the recommended fixes for vulnerabilities are not always optimal for the whole system. Furthermore, there’s a risk that applying automated fixes too readily could break the entire application. I think that unless people carefully review the fixes and decide case by case whether to apply the automated fix or fix manually, it could lead to unnecessary work.

Wouldn’t it be great if it could be integrated with CodeCommit?

As of May 21, 2026, it’s not possible to target CodeCommit repositories for code reviews. It was truly surprising that S3 could be targeted for code reviews, but CodeCommit couldn’t. Currently, if a user of CodeCommit wants to perform code reviews with the Security Agent, they would have to either:

Store source code files in S3 and perform code reviews there
Migrate the repository to GitHub.

Storing files in S3 is troublesome, and migrating to GitHub doesn’t seem practical. I think it would be great if it could integrate with CodeCommit to easily perform code reviews.

CodeCommit is a service valued enough that, after being discontinued once, it was brought back to GA (General Availability), so I thought it was a bit of a shame that it can’t be integrated. I guess we can only hope for future AWS updates.

It’s been almost six months since re:Invent 2025, but I finally got to try Security Agent. Now that penetration testing is GA, it has become difficult to try at an individual level. The preview period doesn’t last forever. I strongly felt that you should try things as soon as possible after they are announced.

You can still relatively easily experience Security Agent through code reviews, which are still in preview, so it’s not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?

Also, since design reviews are still in preview, I plan to try those out soon as well.

I hope this article is helpful to someone. Thank you for reading to the end!




Secure Firmware Updates with a Secure Element: Building Trust Into the Bootloader



Imagine your embedded device is deployed somewhere in the field – a smart meter, an industrial sensor, a vehicle ECU. You find a critical bug. You push a fix. The device downloads the new firmware over the air and flashes it.

But here’s the uncomfortable question: how does the device know that firmware actually came from you?

Anyone sitting on the same network could send a firmware package. A compromised update server could serve a malicious binary.

Without a proper trust mechanism, your device is one bad OTA away from running someone else’s code.

This is the problem a Secure Element solves – and this post walks through exactly how it works, from the chip itself to the bootloader verification flow.

What Is a Secure Element?

A Secure Element (SE) is a small, tamper-resistant chip whose one job is to safely store cryptographic keys and run crypto operations – without ever exposing those keys to the outside world.

Think of it as a locked safe soldered onto your board. Even if an attacker gets full control of your main CPU, dumps your flash, or probes your bus lines, the keys inside the SE remain out of reach.

It protects against:

Physical attacks (chip probing, decapping, glitch injection)
Software attacks (privilege escalation, memory dumps)
Side-channel attacks (power analysis, timing attacks)

Common SE parts used in embedded systems: Microchip ATECC608A, NXP SE050, and TPM 2.0 modules (TPM 2.0 is a specification implemented by several vendors rather than a single chip).

What Can a Secure Element Do?

A Secure Element is not just a key storage box – it is a self-contained cryptographic engine. Here is what it can do:

Key generation and storage – private keys are created and stored inside the chip and never leave it, not even during factory programming

Digital signatures (ECDSA / Ed25519) – signs or verifies data using stored keys; the core operation behind firmware verification

Key agreement (ECDH) – two parties derive a shared encryption key from exchanged public keys, without the secret ever crossing the wire

Symmetric encryption (AES) – encrypts and decrypts data directly on-chip; used to protect firmware package contents in transit

Hashing (SHA-256) – computes a fixed 32-byte fingerprint of any data; one byte changed = completely different hash

True random number generation (TRNG) – hardware entropy source for generating nonces, session keys, and signature randomness

Monotonic counter – a number that only goes up, never down, even across power cycles; blocks firmware downgrade attacks

Certificate storage – stores X.509 certificates to prove device identity during TLS or OTA authentication

Why Firmware Updates Need Signature Verification

When a device receives an OTA update, it has no way of knowing by default whether that firmware is genuine or has been tampered with.

An attacker could:

Intercept the OTA transfer and swap in malicious firmware
Replay an older, vulnerable firmware version
Replace a verification key that sits in plain flash with their own public key, then sign a fake binary with the matching private key and serve it

Signature verification closes this. The firmware is cryptographically signed by the manufacturer before it ever leaves the build system. The bootloader verifies that signature on the device before the primary firmware slot is touched. If verification fails, nothing is installed.

The Secure Element is what makes this guarantee solid – the verification key lives inside hardware-protected storage, not in flash memory where it can be read or replaced.

The Verification Flow – Step by Step

On the Manufacturer Side

1. The firmware binary is compiled and a version header is attached (magic bytes, hardware revision, version number).
2. A SHA-256 hash is computed over the header and the firmware binary together – a fixed 32-byte fingerprint. Covering the header matters: if only the binary were hashed, the version and hardware fields could be edited without invalidating the signature.
3. That hash is signed using an ECDSA private key stored in a Hardware Security Module (HSM) on the build server. The result is the signature.
4. The package is uploaded to the OTA server and ships as:

{ version header + firmware binary + ECDSA signature }

On the Device Side – Inside the Bootloader

1. The firmware package arrives and is written to a staging area in flash.
   (The primary firmware slot is untouched at this point.)

2. The bootloader reads the firmware header:
   – Magic number → is this a valid package format?
   – Hardware rev → is this firmware built for this exact hardware?
   – Version number → is this above the SE monotonic counter (the minimum allowed version)?
   These are cheap pre-checks; they only mean something because the header is inside the signed region.

3. The bootloader computes SHA-256 over the header and the full firmware binary.
   → 32-byte hash of exactly what was received.

4. The bootloader hands the hash + the signature to the Secure Element:
   SE.verify(hash, signature, key_slot)
   (key_slot names the public key stored inside the SE; the key itself is never supplied from flash.)

5. The Secure Element runs ECDSA verification internally:
   – Uses the public key in that slot
   – Mathematically checks whether the signature was produced by the matching private key over this exact hash
   – Returns PASS or FAIL – nothing else leaves the SE

6a. PASS:
   → Erase the primary firmware slot
   → Copy firmware from staging to primary slot
   → Raise the SE monotonic counter to the new version (locks out older versions)
   → Reboot and jump to the new firmware entry point

6b. FAIL:
   → Erase the staging area
   → Boot the existing firmware as a safe fallback
   → Log the failure for reporting on next server connection

The key insight: the private key that signed the firmware on the build server never exists on the device. Only the public key is on the device – locked inside the SE. A public key can verify signatures but cannot create them. So even if an attacker fully dumps the device’s flash, they cannot forge firmware that passes verification.

Anti-Rollback: Why a Valid Signature Is Not Enough

Here is a subtle attack worth understanding. Firmware v1.2 had a vulnerability – you patched it in v1.3. But v1.2 was real firmware, signed by your real private key. Its signature is completely valid.

An attacker replays the old v1.2 package. Signature check passes. Device flashes vulnerable firmware. You are back to square one.

The fix is the SE monotonic counter – a number stored inside the SE that only ever increments.

SE stores:            minimum_allowed_version = 1.3

Bootloader receives:  firmware v1.2 (signature valid)
Check:                1.2 < 1.3  →  REJECT – staging erased, nothing flashed

Because the counter is inside the SE, no software attack – not even a full OS compromise – can reset it. The comparison itself still runs in the bootloader, so the bootloader must be immutable or itself verified by the SoC’s boot ROM; an attacker who can rewrite the bootloader does not need to reset the counter, they simply skip the check.
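The manufacturer-side and device-side flow above, together with the anti-rollback check, as an added runnable model (not the article’s code and not any vendor’s SE API): the build server signs SHA-256(header || binary) with a P-256 ECDSA key, and a SecureElement type stands in for the chip, holding only the public key and a counter that cannot go down. The header layout, the magic value, integer version numbers (12 for v1.2, 13 for v1.3) and all type and function names are assumptions of this example; a real SE performs Verify inside silicon rather than in Go, and the flash slots here are plain byte slices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed header layout for this example: magic, hardware revision, version.
// Versions are plain integers (12 stands for v1.2, 13 for v1.3).
const (
	Magic uint32 = 0x46574950 // arbitrary value chosen for the example
	HwRev uint32 = 3
)

type Header struct{ Magic, HwRev, Version uint32 }

func (h Header) Bytes() []byte {
	b := make([]byte, 12)
	binary.LittleEndian.PutUint32(b[0:], h.Magic)
	binary.LittleEndian.PutUint32(b[4:], h.HwRev)
	binary.LittleEndian.PutUint32(b[8:], h.Version)
	return b
}

// Package is what the OTA server ships: header + binary + ECDSA signature.
type Package struct {
	Header      Header
	Binary, Sig []byte
}

// digest covers header AND binary, so the header checks are protected by the signature.
func digest(h Header, bin []byte) []byte {
	d := sha256.Sum256(append(h.Bytes(), bin...))
	return d[:]
}

// NewSigningKey stands in for key generation inside the build server's HSM.
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignPackage models the build server; the private key never reaches the device.
func SignPackage(priv *ecdsa.PrivateKey, version uint32, bin []byte) (Package, error) {
	h := Header{Magic: Magic, HwRev: HwRev, Version: version}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(h, bin))
	return Package{Header: h, Binary: bin, Sig: sig}, err
}

// SecureElement models the chip: only the public key and a counter that can
// only move upward live inside it; only PASS/FAIL and the counter value leave it.
type SecureElement struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

func NewSecureElement(pub *ecdsa.PublicKey, counter uint32) *SecureElement {
	return &SecureElement{pub: pub, counter: counter}
}
func (se *SecureElement) Verify(dig, sig []byte) bool { return ecdsa.VerifyASN1(se.pub, dig, sig) }
func (se *SecureElement) Counter() uint32             { return se.counter }
func (se *SecureElement) Raise(to uint32) error {
	if to <= se.counter {
		return errors.New("monotonic counter only goes up")
	}
	se.counter = to
	return nil
}

// Device is the board: the SE plus the primary and staging slots in flash.
type Device struct {
	SE      *SecureElement
	Primary []byte
	Staging *Package
}

// Bootloader runs the device-side flow on a package already written to staging.
// Any failure leaves staging erased and Primary untouched.
func (d *Device) Bootloader() error {
	pkg := d.Staging
	d.Staging = nil
	switch {
	case pkg == nil:
		return errors.New("nothing staged")
	case pkg.Header.Magic != Magic:
		return errors.New("bad magic: not a firmware package")
	case pkg.Header.HwRev != HwRev:
		return errors.New("firmware built for another hardware revision")
	case pkg.Header.Version <= d.SE.Counter():
		return errors.New("anti-rollback: version not above SE counter")
	case !d.SE.Verify(digest(pkg.Header, pkg.Binary), pkg.Sig):
		return errors.New("signature FAIL: booting existing firmware")
	}
	d.Primary = append([]byte(nil), pkg.Binary...) // erase primary, copy from staging
	return d.SE.Raise(pkg.Header.Version)         // lock out everything older
}

func main() {
	priv, _ := NewSigningKey()
	dev := &Device{SE: NewSecureElement(&priv.PublicKey, 12), Primary: []byte("v1.2")}
	v13, _ := SignPackage(priv, 13, []byte("v1.3 patched"))
	dev.Staging = &v13
	fmt.Println("v1.3:", dev.Bootloader(), "| SE counter now", dev.SE.Counter())
	v12, _ := SignPackage(priv, 12, []byte("v1.2 vulnerable"))
	dev.Staging = &v12
	fmt.Println("replayed v1.2:", dev.Bootloader())
	v12.Header.Version = 14 // edit the header without re-signing
	dev.Staging = &v12
	fmt.Println("edited header:", dev.Bootloader())
}
```

Two details carry the security argument: the counter is raised only after the primary slot holds the verified image, so a power cut between verify and copy cannot strand the device with a counter above what it runs; and the digest includes the header, so bumping the version field in a replayed package turns a valid old signature into a failing one.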

Conclusion

Firmware security is not just about encryption or passwords. It is about establishing a chain of trust – from the moment code leaves your build system to the moment a device executes it.

The Secure Element is the hardware anchor of that chain. The private key stays with you. The public key stays locked in silicon on the device. The bootloader does the verification. And the monotonic counter makes sure there is no going back.


