
From an Experience of Vulnerability Reporting

An experience of vulnerability reporting when Lepidum found OpenSSL's bug "CCS Injection Vulnerability".

Presented in the Rump Session, SSR 2015, Tokyo.
http://ssr2015.com/

From an Experience of Vulnerability Reporting

  1. From an Experience of Reporting a Vulnerability - Case of CCS Injection - Tatsuya HAYASHI (@lef), Kaoru Maeda (@mad-p), Lepidum Co. Ltd., "SSR 2015" (2015/12/15). https://lepidum.co.jp/ Copyright © 2004-2015 Lepidum Co. Ltd. All rights reserved.
  2. Agenda
     - CCS Injection Vulnerability
     - How did we find it?
     - Reporting a Vulnerability
     - Disclosing a Vulnerability
     - Lessons Learned
  3. Focus Area | Lepidum
     - Applied Research and Development
     - Personal Data, Digital Identity and Privacy
     - Secure and Safe Software Technology
     - Web and Internet Technology
     - De-Facto and Forum Standardization
     - Keywords: Personal Data, Trust Framework, Privacy, ID Federation, Authentication/Authorization, Protocol Specification, * of Things (IoT, WoT), Software Defined Network, Autonomic Network, etc.
  4. CCS INJECTION VULNERABILITY
  5. CCS Injection Vulnerability: CVE-2014-0224 (June 2014)
     - CCS = Change Cipher Spec
     - Early CCS Attack
     - http://ccsinjection.lepidum.co.jp/
     - How it works:
       1. MITM crafts a CCS earlier than expected
       2. OpenSSL accepts it without the necessary validation
       3. Cipher suites are changed with uninitialized parameters
       4. MITM can decrypt all the traffic
  6. How was it found?
     - Masashi Kikuchi (reporter) thought: "The most complex transitions in the SSL/TLS state machine are those that handle ChangeCipherSpec"
     - Wanted to create a formal verification for that
     - Peeked into existing implementations
     - Found a flaw in OpenSSL's validation
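To make the state-machine point of slides 5 and 6 concrete, here is an added example (not code from the Lepidum slides, from Kikuchi's analysis, or from OpenSSL): a toy model of the TLS 1.2 handshake ordering check. The message names follow TLS 1.2, but the flight order, the byte labels and the all-zero "uninitialized" master secret are assumptions of this model. A `strict` flag switches between a state machine that accepts ChangeCipherSpec at any point (and so switches the record layer to keys derived from material that was never established) and one that rejects a CCS arriving before the key exchange has completed.

```python
"""Toy model of the TLS 1.2 handshake ordering check around ChangeCipherSpec.

Added example; not code from the Lepidum slides or from OpenSSL. Message names
follow TLS 1.2, while the flight order, the derivation labels and the
all-zero 'uninitialized' master secret are assumptions of this model.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed client-side view of a plain RSA key exchange; CCS is legal only after it.
HANDSHAKE_BEFORE_CCS = ["ClientHello", "ServerHello", "Certificate",
                        "ServerHelloDone", "ClientKeyExchange"]
UNINITIALIZED_SECRET = b"\x00" * 48   # models key material that was never set up


class HandshakeError(Exception):
    """Raised when a message arrives in an order the state machine forbids."""


@dataclass
class Handshake:
    strict: bool = True                     # hardened: CCS needs a finished key exchange
    seen: list = field(default_factory=list)
    master_secret: bytes = UNINITIALIZED_SECRET
    ccs_received: bool = False

    def key_exchange_done(self) -> bool:
        return "ClientKeyExchange" in self.seen

    def handle(self, msg: str, premaster: Optional[bytes] = None) -> str:
        if msg == "ChangeCipherSpec":
            if self.ccs_received:
                raise HandshakeError("duplicate ChangeCipherSpec")
            if self.strict and not self.key_exchange_done():
                # The check that matters: a CCS before the key exchange would switch
                # the record layer to keys derived from an unset secret.
                raise HandshakeError("ChangeCipherSpec before key exchange complete")
            self.ccs_received = True
            return "ccs-accepted"
        expected = (HANDSHAKE_BEFORE_CCS[len(self.seen)]
                    if len(self.seen) < len(HANDSHAKE_BEFORE_CCS) else None)
        if msg != expected:
            raise HandshakeError(f"unexpected {msg}, expected {expected}")
        if msg == "ClientKeyExchange":
            if premaster is None:
                raise HandshakeError("ClientKeyExchange without premaster secret")
            # Simplified stand-in for the TLS PRF; the label is an assumption.
            self.master_secret = hashlib.sha256(b"master secret" + premaster).digest()
        self.seen.append(msg)
        return "ok"

    def record_key(self) -> bytes:
        """Key the record layer would use after CCS, from whatever secret is set now."""
        return hmac.new(self.master_secret, b"key expansion", hashlib.sha256).digest()


def predictable_key() -> bytes:
    """The key anyone can compute when CCS is accepted before a secret exists."""
    return hmac.new(UNINITIALIZED_SECRET, b"key expansion", hashlib.sha256).digest()


def early_ccs_outcome(strict: bool) -> dict:
    """Deliver a CCS right after ServerHelloDone and report what the state machine does."""
    hs = Handshake(strict=strict)
    for msg in ["ClientHello", "ServerHello", "Certificate", "ServerHelloDone"]:
        hs.handle(msg)
    try:
        hs.handle("ChangeCipherSpec")
    except HandshakeError as err:
        return {"accepted": False, "reason": str(err), "key_predictable": False}
    return {"accepted": True, "reason": None,
            "key_predictable": hs.record_key() == predictable_key()}


def normal_handshake(strict: bool = True) -> dict:
    """Constructed well-ordered handshake: CCS after ClientKeyExchange is accepted."""
    hs = Handshake(strict=strict)
    for msg in HANDSHAKE_BEFORE_CCS:
        premaster = b"constructed-premaster-secret" if msg == "ClientKeyExchange" else None
        hs.handle(msg, premaster=premaster)
    hs.handle("ChangeCipherSpec")
    return {"accepted": True, "key_predictable": hs.record_key() == predictable_key()}


if __name__ == "__main__":
    print("lenient:", early_ccs_outcome(strict=False))
    print("strict :", early_ccs_outcome(strict=True))
    print("normal :", normal_handshake())
```

The lenient run accepts the early CCS and ends up with a record key derivable from a constant, which is the "cipher suites changed with uninitialized parameters" step on slide 5 in miniature; the strict run refuses the transition, and the well-ordered handshake is accepted in both modes. The design point is that the ordering check belongs in the state machine itself, not in the code that consumes the keys.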
  7-8. Reporter's initial motivation
     - Everyone competes to hunt bugs. I want to do it efficiently
     - Want to use Coq somewhere
     - Select a suspicious module by experience
     - Want a clue to understand code that is difficult
     - But he didn't even need Coq
  9. A VULNERABILITY: REPORTING AND DISCLOSING IT
  10. To whom should it be reported?
     - In Japanese or in English?
     - OpenSSL? CERT?
     - Correct impact analysis done?
     - Is our analysis correct, in the first place?
     - PoC attack
     - Information control within the company
  11-12. After reporting...
     - Prepare against possible 0-day attacks
     - We could not do anything but wait for a response
     - We could not ask or discuss with other organizations
     - Employees were instructed not to talk about it
     - We could not believe that "our reporting process is correct" without a response
     - Bitter days
  13. What we have done: Blog it
     - Take a new domain (against domain dropping)
     - Do not place any ads (better trust)
     - Prepare for heavily loaded access: selecting a CDN; cacheable blog pages
     - Test that the pages and CDN work, without disclosing
     - Review how to update the pages
     - Collect and manage incoming updates
     [lessons learned]
  14. What is the right way to disclose it?
     - No one actually tells us the best practice
     - Schedule an announcement
     - Domain name gives a hint about the vulnerability, so DNS settings were delayed (ccsinjection.lepidum.co.jp)
     - No rules, no guidelines
     - Common sense ⇒ What's that?
     [lessons learned]
  15-16. The day it was announced
     - Disclosure date is told, but not the time
     - No one (incl. CERT) tells the reporter exactly when the CVE appears
     - Inquiries, interviews: media handling, English support, customers, SNS...; The Guardian, New York Times, etc.; "proper" interviews and not
     - Explain to customers what we have done; fortunately, we had blog pages!
     - Updates: catch up with software updates, etc.; distinguish suggestions from experts and non-experts
     - A whole-company job! Daily work suspended
  17. FAQ, other things to consider
     - Why a logo?
     - "How much did you earn from this?"
     - Engineers' stress
     - Business value
  18. Information control
     - Avoid an unnecessary sense of crisis
     - Deliver precise information to where it is necessary
     - Announce countermeasures when they are ready
  19-20. Vulnerability disclosure is not easy
     - Cannot call for help; no help comes
     - We, a geek company, could do it. We could do it because we are an organization.
     - But it was worth doing!
  21. LESSONS LEARNED
  22. Vulnerability and Reporting
     - It comes, even when you are not prepared
     - Do it without how-tos or guidelines
     - Prepare blog pages, but without disclosing much before the announcement
     - Be careful when setting up CDN and DNS
  23. Message: Implementation is the key
     - Write specifications after implementing it
     - That way, you should know where the pitfalls are
     - "To handle a complex protocol like TLS with Coq, you might need the experience of implementing it"
  24. Please contact us: https://lepidum.co.jp/ @lepidum @lef @mad-p mailto:{hayashi,maeda}@lepidum.co.jp