BruCON Agnitio Workshop

My slides from the Agnitio workshop I gave at BruCON 2011.

  1. David Rook. Agnitio: security code review Swiss army knife. BruCON, Belgium, Wednesday, 21 September 2011
  2. if (slide == introduction) System.out.println("I’m David Rook"); • Application Security Lead, Realex Payments, Ireland • CISSP, CISA, GCIH and many other acronyms • Security Ninja (@securityninja) • Speaker at developer and security conferences • Microsoft Developer Security MVP • Developed and released Agnitio
  3. Agenda • What is static analysis? • Agnitio: security code review Swiss army knife • Agnitio and mobile apps
  4. Static analysis • What do I mean by static analysis? • A review of source code without executing the application • Can be either manual or automated through one or more tools • Humans and/or tools analysing application source code
  5. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software
  6. Static analysis • Wetware or software? • Humans are needed with or without static analysis tools • The best thing about humans is that they aren’t software • The worst thing about humans is that they are humans
  7. Static analysis • Wetware or software? http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/index.html?sf1100063=1
  8. Static analysis • Wetware or software? (second image slide, same link as slide 7)
  9. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human
  10. Static analysis • Wetware or software? • Tools can cover more code in less time than a human • The best thing about software is that it isn’t human • The worst thing about software is that it’s software
  11. to 20. (image slides with no text)
  21. Agnitio • What is Agnitio? • Tool to help with manual static analysis • Checklist based, with reviewer and developer guidance • Produces audit trails and enforces integrity checks • Single tool for security code review reports and metrics
  22. Agnitio • What is Agnitio? • C# open source application, GPLv3 license • Four different versions in 10 months • 10,000+ downloads from users in over 100 countries • Used by SMEs, consulting firms and NYSE-listed companies
  23. Agnitio • Checklists? • An application for doing checklist reviews? *yawn* how boring! • Checklists are for n00bs! I don’t need a checklist to review code! • I beg to differ: would you say doctors and pilots are n00bs?
  24. to 25. (image slides with no text)
  26. to 27. Agnitio (screenshot slides, title only)
  28. Agnitio • Checklists? • Do you use checklists for your source code reviews? • What’s the worst that could happen if you don’t?
  29. Ariane 5 flight 501
  30. (image slide with no text)
  31. Ariane 5 flight 501 (code quoted from http://moscova.inria.fr/~levy/talks/10enslongo/enslongo.pdf)

```ada
L_M_BV_32 := TBD.T_ENTIER_32S ((1.0/C_M_LSB_BV) * G_M_INFO_DERIVE(T_ALG.E_BV));
if L_M_BV_32 > 32767 then
   P_M_DERIVE(T_ALG.E_BV) := 16#7FFF#;
elsif L_M_BV_32 < -32768 then
   P_M_DERIVE(T_ALG.E_BV) := 16#8000#;
else
   P_M_DERIVE(T_ALG.E_BV) := UC_16S_EN_16NS(TDB.T_ENTIER_16S(L_M_BV_32));
end if;
-- The horizontal bias (E_BH) conversion below has no equivalent range check.
P_M_DERIVE(T_ALG.E_BH) := UC_16S_EN_16NS (TDB.T_ENTIER_16S ((1.0/C_M_LSB_BH) * G_M_INFO_DERIVE(T_ALG.E_BH)));
```

  32. Therac-25
  33. Mars Climate Orbiter
  34. Mars Climate Orbiter (second image slide, title only)
  35. Agnitio • Checklists? • Do you use checklists for your source code reviews? • What’s the worst that could happen if you don’t? • Four people dead and over €700m of equipment destroyed • Checklists can be useful to pilots, doctors and code reviewers!
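The conversion quoted on slide 31, modelled in Python as an added example (not code from the slides, from Agnitio, or from the Ariane inquiry): the BV path saturates a 32-bit value into 16 bits before converting, while the BH path converts with no range check, so the same out-of-range reading gives a clamped value on one path and a constraint error on the other. Function names mirror the slide's identifiers; the helper functions and the sample readings are constructed for this example.

```python
# Added example, not from the slides: a Python model of the Ariane 5 flight 501
# conversion quoted on slide 31. The BV (vertical bias) path clamps a 32-bit
# value into 16 bits before converting; the BH (horizontal bias) path converts
# with no range check. Function names mirror the slide's identifiers; the
# helpers and sample inputs are constructed for this example.

INT16_MAX = 32767
INT16_MIN = -32768


class ConstraintError(Exception):
    """Stands in for Ada's Constraint_Error on an out-of-range conversion."""


def t_entier_16s(value):
    """Model of TDB.T_ENTIER_16S: number -> 16-bit signed integer, or raise."""
    as_int = int(round(value))
    if not INT16_MIN <= as_int <= INT16_MAX:
        raise ConstraintError(f"{value} does not fit in a signed 16-bit integer")
    return as_int


def uc_16s_en_16ns(value):
    """Model of UC_16S_EN_16NS: signed 16-bit value -> its unsigned bit pattern."""
    return value & 0xFFFF


def derive_bv(raw_bv, c_m_lsb_bv=1.0):
    """The protected path from the slide: saturate, then convert."""
    l_m_bv_32 = int(round((1.0 / c_m_lsb_bv) * raw_bv))  # T_ENTIER_32S
    if l_m_bv_32 > INT16_MAX:
        return 0x7FFF
    if l_m_bv_32 < INT16_MIN:
        return 0x8000
    return uc_16s_en_16ns(t_entier_16s(l_m_bv_32))


def derive_bh(raw_bh, c_m_lsb_bh=1.0):
    """The unprotected path from the slide: convert with no range check."""
    return uc_16s_en_16ns(t_entier_16s((1.0 / c_m_lsb_bh) * raw_bh))


def review_conversion(raw_value):
    """Feed the same reading through both paths and report what happens."""
    report = {"bv": derive_bv(raw_value)}
    try:
        report["bh"] = derive_bh(raw_value)
    except ConstraintError as exc:
        report["bh"] = f"Constraint_Error: {exc}"
    return report


if __name__ == "__main__":
    # Constructed readings: one inside the 16-bit range, one well outside it.
    for reading in (12000.0, 40000.0):
        print(reading, review_conversion(reading))
```

The checklist item this supports is a mechanical one: every narrowing conversion either has a range check or a written justification for why the input can never exceed the target range; the reviewer's job is to verify the justification still holds for the system the code now runs in.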
  36. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews!
  37. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart
  38. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit?
  39. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports and integrity checks?
  40. Agnitio • So, why did I develop Agnitio? • I love using checklists for security code reviews! • Even if your process is good it might not be smart • Is your review process really repeatable and easy to audit? • How about producing metrics, useful reports and integrity checks? • No? That’s why I developed Agnitio!
  41. Why did I develop Agnitio? • Demonstration: application profiles
  42. Why did I develop Agnitio? • Demonstration: security code reviews
  43. Why did I develop Agnitio? • Demonstration: security code review reports
  44. Why did I develop Agnitio? • Demonstration: application security metrics
  45. Why did I develop Agnitio? • Demonstration: customise your Agnitio installation
  46. Agnitio hands on • Create a PHP rule
  47. Agnitio hands on • Analyse the PHP application
  48. Mobile apps and Agnitio • Mobile apps can create value for a business • Businesses can benefit from having a mobile presence • Innovative apps for customers using mobile functionality
  49. to 59. Mobile apps and Agnitio (image slides, title only)
  60. Mobile apps and Agnitio • Mobile apps can create value for a business • Businesses can benefit from having a mobile presence • Innovative apps for customers using mobile functionality • Most developers have not been trained to write secure code
  61. Mobile apps and Agnitio • Mobile apps can create value for a business • Businesses can benefit from having a mobile presence • Innovative apps for customers using mobile functionality • Most developers have not been trained to write secure code • Not trained to write secure code, new to mobile development...
  62. Mobile apps and Agnitio • Mobile apps can create value for a business • Businesses can benefit from having a mobile presence • Innovative apps for customers using mobile functionality • Most developers have not been trained to write secure code • Not trained to write secure code, new to mobile development... • What could possibly go wrong?
  63. to 64. There’s an app for that (image slides, title only)
  65. There’s an app for that • Let’s assume the predicted growth happens • 1,000,000+ apps by the end of 2011 • How many have been developed with security in mind? • The answer isn’t “none” but it won’t be many, ≤1%?
  66. There’s an app for that • Let’s assume the predicted growth happens • 1,000,000+ apps by the end of 2011 • How many have been developed with security in mind? • The answer isn’t “none” but it won’t be many, ≤1%? • But none of us are surprised by this, are we?
  67. There’s an app for that • Let’s assume the predicted growth happens • 1,000,000+ apps by the end of 2011 • How many have been developed with security in mind? • The answer isn’t “none” but it won’t be many, ≤1%? • But none of us are surprised by this, are we? • I want us to try and find the insecure apps with Agnitio
  68. Mobile app security issues • Data in transit and at rest • Dangerous inputs
  69. There’s an app for that (image slide, title only)
  70. Android Source Code

```java
package com.denimgroup.android.training.pandemobium.stocktrader;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

public class TipsActivity extends Activity {
    private WebView wvTips;

    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        Log.i("TipsActivity", " Loading up browser page to display stock tips");
        super.onCreate(savedInstanceState);
        setContentView(R.layout.tips);

        // Load the stock-tips page from a URL held in the app's string resources.
        wvTips = (WebView) findViewById(R.id.wv_tips);
        wvTips.loadUrl(getString(R.string.tip_list));
    }
}
```
  71. AndroidManifest.xml • A good place to start your security code reviews! • Applications and system code have an AndroidManifest file • Declares the package name, a unique identifier for the app • Defines the permissions needed by the application • Defines app activities and intents • Compressed XML file in the .apk
  72. Agnitio hands on • AndroidManifest.xml: before and after
  73. Android Static Analysis • Context.openFileOutput() • Context.openOrCreateDatabase() • rawQuery() • URLConnection() • HttpResponse() • MODE_PRIVATE • MODE_WORLD_READABLE • MODE_WORLD_WRITABLE
  74. Agnitio hands on • Analyse the Android Pandemobium app
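A first pass over an AndroidManifest.xml of the kind slide 71 recommends, as an added example (not code from the slides or from Agnitio): it pulls out the package name and the requested permissions, works out which components are reachable from other apps, and flags a debuggable build and exported components that demand no permission. The manifest is constructed for this example; the exported-by-default rule it applies (a component with an intent-filter and no explicit android:exported is exported) is the platform behaviour for apps that predate API 31, which is the era these slides describe.

```python
# Added example, not from the slides or Agnitio: a small AndroidManifest.xml
# reviewer for the first-pass checks on slide 71. The manifest below is
# constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells namespaced attributes this way

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stocktrader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="StockTrader" android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".TipsActivity" android:exported="true"/>
        <receiver android:name=".PriceReceiver">
            <intent-filter>
                <action android:name="com.example.PRICE_UPDATE"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter means exported
    (the platform default before API 31)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The launcher activity is expected to be exported; don't flag it."""
    return any(cat.get(A + "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def review_manifest(xml_text):
    """Return the facts a reviewer wants on the first page of the report."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings, exported = [], []
    if app is not None and app.get(A + "debuggable") == "true":
        findings.append("application is debuggable: remove before release")
    for tag in COMPONENT_TAGS:
        for comp in (app.findall(tag) if app is not None else []):
            name = comp.get(A + "name")
            if not is_exported(comp):
                continue
            exported.append(name)
            if comp.get(A + "permission") is None and not is_launcher(comp):
                findings.append(f"{tag} {name} is exported without a permission")
    return {
        "package": root.get("package"),
        "permissions": sorted(p.get(A + "name") for p in root.findall("uses-permission")),
        "exported": exported,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The "before and after" on slide 72 is the same exercise done by hand: the before list is what the manifest grants and exposes, the after list is what the application actually needs, and every difference is either a finding or a documented decision.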
  75. iOS Source Code

```objectivec
#import "TipViewController.h"
#import "StockDatabase.h"
#import "/usr/include/sqlite3.h"
#import "ASIHTTPRequest.h"
#import "ASIFormDataRequest.h"

@implementation TipViewController

@synthesize keyboardToolbar;

- (id)initWithNibName:(NSString *)nibNameOrNil bundle:(NSBundle *)nibBundleOrNil {
    self = [super initWithNibName:nibNameOrNil bundle:nibBundleOrNil];
    if (self) {
        // Custom initialization: open the local stock database for this view.
        stockDB = [[StockDatabase alloc] init];
    }
    return self;
}
```
  76. iOS Static Analysis • writeToFile() • openURL() • sqlite3_prepare() • NSFILE
  77. Agnitio hands on • Automated analysis of Android .apk files
  78. Using Agnitio • How you can use Agnitio in your reviews • Download Agnitio from SourceForge • Focus security code reviews on root causes, not vulnerabilities • Use your language(s) in all code examples and checklist items • Use Agnitio to conduct principles-based security code reviews
  79. My USB key... • I have some things on my USB key you might want • .apk files of popular and “suspicious” Android apps • System.img file for the v2.2 emulator to enable the marketplace • My slides from this workshop • You have to trust my USB key is safe to use ;-)
  80. Do you want to work with me? • I’m expanding our application security team • 1x Application Security Analyst • 2x Junior Application Security Analyst • Speak to me today or tomorrow! • jobs@realexpayments.com
  81. www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja
  82. QUESTIONS? www.securityninja.co.uk http://sourceforge.net/projects/agnitiotool/ @securityninja /realexninja /securityninja /realexninja
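The API lists on slides 73 and 76 are review hooks: each one marks a place where data leaves the app, lands on disk, or is fed into SQL or a WebView, and the checklist item tells the reviewer what to look at there. The scanner below is an added example of turning those lists into rules with attached guidance, in the spirit of the "create a rule" exercise on slide 46; it is not Agnitio's rule format (the slides do not show one) and not Agnitio's code. The Java and Objective-C samples are constructed, loosely modelled on the Pandemobium snippets on slides 70 and 75, and the rule for the world-readable modes accepts both the slide's spelling MODE_WORLD_WRITABLE and the platform constant MODE_WORLD_WRITEABLE.

```python
# Added example, not Agnitio's rule format: a checklist-style rule scan over
# source for the Android APIs on slide 73 and the iOS APIs on slide 76. Each
# rule carries the guidance a reviewer needs at that line. Sample sources are
# constructed for this example.
import re

RULES = {
    "android": [
        (r"\bMODE_WORLD_(READABLE|WRITE?ABLE)\b",
         "file or database shared with every app on the device"),
        (r"\bopenFileOutput\s*\(",
         "check the mode argument: MODE_PRIVATE unless sharing is intended"),
        (r"\bopenOrCreateDatabase\s*\(",
         "check the mode argument and what the database stores"),
        (r"\brawQuery\s*\(",
         "SQL built from input? use selection arguments, not concatenation"),
        (r"\bloadUrl\s*\(",
         "WebView: where does the URL come from, is JavaScript enabled?"),
        (r"\b(URLConnection|HttpResponse)\b",
         "data in transit: is it HTTPS with certificate checks?"),
    ],
    "ios": [
        (r"\bwriteToFile\s*:", "data at rest: file protection class and contents"),
        (r"\bopenURL\s*:", "URL scheme handler: validate the incoming URL"),
        (r"\bsqlite3_prepare(_v2)?\s*\(", "SQL built from input? bind parameters"),
        (r"\bNSFile", "file handling: check paths and protection attributes"),
    ],
}

SAMPLE_JAVA = """\
package com.example.stocktrader;
public class TipsActivity extends Activity {
    public void onCreate(Bundle s) {
        wvTips.loadUrl(getString(R.string.tip_list));
        FileOutputStream out = openFileOutput("tips.txt", MODE_WORLD_READABLE);
        Cursor c = db.rawQuery("SELECT * FROM tips WHERE symbol = '" + symbol + "'", null);
    }
}
"""

SAMPLE_OBJC = """\
#import "TipViewController.h"
- (void)saveTips:(NSArray *)tips {
    [tips writeToFile:path atomically:YES];
    sqlite3_prepare_v2(db, [query UTF8String], -1, &stmt, NULL);
}
"""


def scan(source, platform):
    """Return one finding per rule hit, in source order, with its guidance."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, guidance in RULES[platform]:
            match = re.search(pattern, line)
            if match:
                findings.append({"line": line_no, "api": match.group(0),
                                 "guidance": guidance, "code": line.strip()})
    return findings


def report(source, platform):
    """Format findings the way a checklist item would show them to a reviewer."""
    return [f"{platform} line {f['line']}: {f['api']} -> {f['guidance']}\n    {f['code']}"
            for f in scan(source, platform)]


if __name__ == "__main__":
    for line in report(SAMPLE_JAVA, "android") + report(SAMPLE_OBJC, "ios"):
        print(line)
```

Every hit is a place to look, not a vulnerability: the rawQuery line in the sample is the one a reviewer would escalate, because the query string is concatenated from a variable, while loadUrl on a resource string is a note to confirm where the resource comes from. That is the root-cause focus slide 78 asks for.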
