
From an Experience of Vulnerability Reporting


An account of vulnerability reporting: what happened when Lepidum found and reported the OpenSSL bug known as the "CCS Injection Vulnerability".

Presented in the Rump Session, SSR 2015, Tokyo.
http://ssr2015.com/



1. From an Experience of Reporting a Vulnerability - Case of CCS Injection - Tatsuya HAYASHI (@lef), Kaoru Maeda (@mad-p), Lepidum Co. Ltd. "SSR 2015" (2015/12/15). https://lepidum.co.jp/ Copyright © 2004-2015 Lepidum Co. Ltd. All rights reserved.

2. Agenda
  - CCS Injection Vulnerability
  - How did we find it?
  - Reporting a Vulnerability
  - Disclosing a Vulnerability
  - Lessons Learned

3. Focus Area | Lepidum
  - Applied Research and Development: Personal Data, Digital Identity and Privacy; Secure and Safe Software Technology; Web and Internet Technology; De-Facto and Forum Standardization
  - Keywords: Personal Data, Trust Framework, Privacy, ID Federation, Authentication/Authorization, Protocol Specification, * of Things (IoT, WoT), Software Defined Network, Autonomic Network, etc.

4. CCS INJECTION VULNERABILITY

5. CCS Injection Vulnerability: CVE-2014-0224 (June 2014)
  - CCS = ChangeCipherSpec
  - Also called the Early CCS Attack
  - http://ccsinjection.lepidum.co.jp/
  - 1. A MITM sends a CCS earlier than the handshake state allows
  - 2. OpenSSL accepts it without the necessary state validation
  - 3. The cipher spec is switched to keys derived from uninitialized parameters (the master secret has not been established yet)
  - 4. The MITM can decrypt all the traffic

6. How was it found?
  - Masashi Kikuchi (the reporter) thought: the most complex transitions in the SSL/TLS state machine are the ones that handle ChangeCipherSpec
  - He wanted to create a formal verification for that
  - He peeked into existing implementations
  - He found a flaw in OpenSSL's validation

7. Reporter's initial motivation
  - Everyone competes to hunt bugs; I want to do it efficiently
  - Want to use Coq somewhere
  - Select a suspicious module by experience
  - Want a clue to understand code that is difficult
  - But in the end he didn't even need Coq

8. A VULNERABILITY: REPORTING AND DISCLOSING IT

9. To whom should it be reported?
  - In Japanese or in English?
  - OpenSSL? CERT?
  - Has a correct impact analysis been done? Is our analysis correct in the first place?
  - PoC attack
  - Information control within the company

10. After reporting...
  - Prepare against possible 0-day attacks
  - We could do nothing but wait for a response
  - We could not ask or discuss with other organizations
  - Employees were instructed not to talk about it
  - Without a response, we could not be sure that "our reporting process is correct"
  - Bitter days

11. What we did: blog it (lessons learned)
  - Take a new domain (against domain dropping)
  - Do not place any ads (better trust)
  - Prepare for heavy load: select a CDN, make the blog pages cacheable
  - Test that the pages and the CDN work, without disclosing anything
  - Review how to update the pages
  - Collect and manage incoming updates

12. What is the right way to disclose it? (lessons learned)
  - No one actually told us the best practice
  - Schedule an announcement
  - The domain name gives a hint about the vulnerability, so the DNS settings were delayed: ccsinjection.lepidum.co.jp
  - No rules, no guidelines
  - Common sense? What's that?

13. The day it was announced
  - The disclosure date is told, but not the time
  - No one (including CERT) tells the reporter exactly when the CVE appears
  - Inquiries, interviews: media handling, English support, customers, social networks...
  - The Guardian, New York Times, etc.; "proper" interviews and not
  - Explain to customers what we have done; fortunately, we had the blog pages!
  - Updates: catch up with software updates, etc.; distinguish suggestions from experts and non-experts
  - A whole-company effort! Daily work suspended

14. FAQ, other things to consider
  - Why a logo?
  - "How much did you earn from this?"
  - Engineers' stress
  - Business value

15. Information control
  - Avoid an unnecessary sense of crisis
  - Deliver precise information to where it is necessary
  - Announce countermeasures when they are ready

16. Vulnerability disclosure is not easy
  - You cannot call for help; no help comes
  - We, a geek company, could do it. We could do it because we are an organization.
  - But it was worth doing!

17. LESSONS LEARNED

18. Vulnerability and Reporting
  - It comes, even when you are not prepared
  - Do it without how-tos or guidelines
  - Prepare blog pages, but without disclosing much before the announcement
  - Be careful when setting up the CDN and DNS

19. Message: Implementation is the key
  - Write the specification after implementing it; that way you should know where the pitfalls are
  - "To handle a complex protocol like TLS with Coq, you might need the experience of implementing it"

20. Please contact us
  - https://lepidum.co.jp/
  - @lepidum @lef @mad-p
  - mailto:{hayashi,maeda}@lepidum.co.jp
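The mechanism summarized on the CCS Injection slide (an early ChangeCipherSpec accepted without state validation, so the record layer switches to keys derived from a master secret that does not exist yet), modelled as an added Python example. This is not Lepidum's or OpenSSL's code: the names Endpoint, ccs_ok, derive_record_keys, run_handshake and mitm_guess_keys, the HMAC-SHA256 stand-in for the TLS key-expansion PRF, and the constructed random and premaster values are assumptions of this illustration. The strict flag stands for the kind of state check the fix requires: refuse a ChangeCipherSpec until the key exchange has produced a master secret. Because the Hello randoms travel in the clear, an attacker who knows the master secret is empty can compute the same record keys as the vulnerable endpoint.

```python
import hashlib
import hmac

# Constructed sample values. In real TLS the randoms are sent in the clear in
# ClientHello/ServerHello (so a MITM sees them); the premaster is protected by
# the key exchange (RSA or DH).
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
PREMASTER = b"\x33" * 48


class ProtocolError(Exception):
    """Raised when a handshake message arrives in a state that does not allow it."""


def derive_record_keys(master_secret, client_random, server_random):
    # Assumption: HMAC-SHA256 as a toy stand-in for the TLS key-expansion PRF.
    # The only property used here is that the output is a deterministic
    # function of (master_secret, server_random, client_random).
    return hmac.new(master_secret,
                    b"key expansion" + server_random + client_random,
                    hashlib.sha256).digest()


class Endpoint:
    """One side of a TLS-style handshake, reduced to the transitions around CCS.

    strict=False reproduces the flawed validation: a ChangeCipherSpec is acted
    on whenever it arrives.  strict=True only accepts it once ccs_ok is set.
    """

    def __init__(self, strict):
        self.strict = strict
        self.master_secret = b""    # "uninitialized": no key exchange has happened yet
        self.ccs_ok = False         # becomes True only after ClientKeyExchange
        self.record_keys = None     # None until a CCS switches the record layer

    def handle(self, msg):
        if msg == "ClientKeyExchange":
            # Toy master-secret derivation from the premaster and both randoms.
            self.master_secret = hashlib.sha256(
                b"master secret" + PREMASTER + CLIENT_RANDOM + SERVER_RANDOM).digest()
            self.ccs_ok = True
        elif msg == "ChangeCipherSpec":
            if self.strict and not self.ccs_ok:
                raise ProtocolError("ChangeCipherSpec before key exchange completed")
            # Flawed path: this runs even while master_secret is still b"".
            self.record_keys = derive_record_keys(
                self.master_secret, CLIENT_RANDOM, SERVER_RANDOM)
            self.ccs_ok = False     # a second CCS in the same flight is not allowed either
        elif msg == "Finished":
            if self.record_keys is None:
                raise ProtocolError("Finished before ChangeCipherSpec")
        else:
            raise ProtocolError("unexpected handshake message: " + msg)


def run_handshake(strict, early_ccs):
    """Feed one flight to an endpoint and return the record keys it ends up with."""
    ep = Endpoint(strict)
    if early_ccs:
        # MITM-injected CCS arrives before the key exchange.
        flight = ["ChangeCipherSpec", "ClientKeyExchange", "Finished"]
    else:
        flight = ["ClientKeyExchange", "ChangeCipherSpec", "Finished"]
    for msg in flight:
        ep.handle(msg)
    return ep.record_keys


def mitm_guess_keys():
    """What an attacker can compute knowing only the public randoms and that the
    vulnerable endpoint derived its keys from an empty master secret."""
    return derive_record_keys(b"", CLIENT_RANDOM, SERVER_RANDOM)


def strict_rejects_early_ccs():
    try:
        run_handshake(strict=True, early_ccs=True)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    leaked = run_handshake(strict=False, early_ccs=True)
    print("vulnerable endpoint keys match MITM guess:", leaked == mitm_guess_keys())
    print("strict endpoint rejects early CCS:", strict_rejects_early_ccs())
```

The model stops at the first flight; the real attack needs both peers to accept the early CCS and the handshake to continue afterwards, and the page linked on the CCS Injection slide has the full analysis of which versions are affected as client and as server.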
