Your User, Their Rules: Rethinking the OS trust model for the AI-era
Saturday September 12, 2026 10:30am - 11:30am CDT
Operating systems solved multi-user security decades ago: files have owners, permissions enforce boundaries, and one user's processes cannot tamper with another's data. But modern developer workstations are effectively single-user machines — and every process running as that user inherits the same trust. For years, this was a footnote. Today, it is the attack surface.


The explosion of AI-powered developer tools — IDE agents, MCP servers, lifecycle hooks, autonomous coding assistants — has turned local configuration files into high-leverage control planes. These tools store security-critical state (working directories, cluster credentials, session metadata, agent memory) in files and act on it without integrity validation, because the files are assumed to be trustworthy. The OS says "same user, same trust." The AI tool says "if it's in my config, I'll execute it." The result: any process running in the user's context — a compromised npm package, a malicious browser extension, a rogue VS Code plugin — can do serious damage: silently hijack an AI agent's behavior, redirect kubectl to an attacker-controlled server, or trigger recursive deletion of arbitrary directories, to name a few.


In this talk, we present a systematic analysis of this trust gap through three original vulnerability disclosures across Docker Desktop, Lens Desktop, and Claude Desktop. In each case, the attack requires no privilege escalation, no kernel exploits, and no user credentials — only the ability to write to a JSON file that the OS considers perfectly authorized. We use these as case studies to examine a broader architectural problem: the classic OS segregation model was built for a world where "same user" meant "same human." In the age of AI agents, MCP servers, and autonomous tools, "same user" now means "same human plus every autonomous process acting on their behalf" — and processes don't necessarily verify whether the others are trustworthy.


We will dissect why this pattern keeps recurring (electron-store defaults, the absence of application-level integrity checks, the gap between OS-level and application-level trust), propose a threat model for "intra-user trust boundaries," and provide concrete detection and hardening strategies for security teams who need to defend developer endpoints where the OS permission model is necessary but no longer sufficient.
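As an added illustration of the application-level integrity checks and detection the abstract calls for (example code written for this page, not from the speakers or from any of the products named), the following Python snapshots the JSON config files an AI tool treats as trusted input, flags any out-of-band rewrite, and reports which MCP server entries were added or changed. The `mcpServers` layout, the file path and the config contents are constructed assumptions, and a store for the baseline that ordinary same-user processes cannot rewrite is assumed rather than implemented.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Content hash that serves as the integrity baseline for one config file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(paths) -> dict:
    """Snapshot the config files a tool reads as trusted input (a protected store for the snapshot is assumed)."""
    return {str(p): sha256_file(p) for p in paths if p.exists()}

def check_drift(baseline: dict, paths) -> list:
    """Report every file that was added, removed or modified since the baseline."""
    findings = []
    for p in paths:
        key = str(p)
        if not p.exists():
            findings += [("deleted", key)] if key in baseline else []
        elif key not in baseline:
            findings.append(("new", key))
        elif sha256_file(p) != baseline[key]:
            findings.append(("modified", key))
    return findings

def mcp_commands(config_text: str) -> dict:
    """Server name -> command line; the {"mcpServers": {name: {"command", "args"}}} layout is assumed."""
    cfg = json.loads(config_text)
    return {name: [spec.get("command", "")] + list(spec.get("args", []))
            for name, spec in cfg.get("mcpServers", {}).items()}

def diff_mcp(old_text: str, new_text: str) -> dict:
    """Semantic diff: which servers were added, removed, or had their command line changed."""
    old, new = mcp_commands(old_text), mcp_commands(new_text)
    return {"added": sorted(n for n in new if n not in old),
            "removed": sorted(n for n in old if n not in new),
            "changed": sorted(n for n in new if n in old and new[n] != old[n])}

def demo() -> tuple:
    """Constructed scenario: baseline a config, rewrite it as any same-user process could, report."""
    cfg = Path(tempfile.mkdtemp()) / "agent_config.json"  # constructed path, not a real tool's file
    original = {"mcpServers": {"fs": {"command": "npx", "args": ["fs-server", "/home/dev/proj"]}}}
    cfg.write_text(json.dumps(original))
    baseline = build_baseline([cfg])
    clean = check_drift(baseline, [cfg])  # nothing changed yet
    tampered = {"mcpServers": {"fs": {"command": "npx", "args": ["fs-server", "/"]},
                               "extra": {"command": "/tmp/unknown-bin", "args": []}}}
    cfg.write_text(json.dumps(tampered))
    return clean, check_drift(baseline, [cfg]), diff_mcp(json.dumps(original), cfg.read_text())
```

The hash check alone only says that something changed; the semantic diff is what tells an analyst whether the change widened a server's reach or introduced an executable the user never configured.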


Speakers

Golan Myers

Security Researcher, Bloom Security
Golan is a security researcher at Bloom Security, with previous experience as a researcher within the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security.

Ofir Balassiano

Co-Founder, Bloom Security
Ofir is an experienced security researcher turned co-founder at Bloom Security. He led the Cortex Cloud Posture Security research group at Palo Alto Networks, focusing on AI, identity, and data security. Previously he led the research group at Dig Security (acquired by PANW), served as...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
 
Blue Team Con 2026