JUG Saxony Day - Securing the JVM, not for fun not for profit but what choice do you have?

•Download as PPTX, PDF•

0 likes•460 views

Code reviews are good to improve the hardening of an application, but what if the malicious code was planted purposely? Some code buried in a commit could extract code from binary content, compile it on the fly, and then execute the code in the same JVM run… By default, the JVM is not secured! Securing the JVM for a non-trivial application is complex and time-consuming but the risks of not securing it could be disastrous. In this talk, I’ll show some of the things you could do in an unsecured JVM. I’ll also explain the basics of securing it, and finally demo a working process on how to do it.

Software

@nicolas_frankel
Neither for fun nor for profit,
but do you have a choice?
Securing the JVM

@nicolas_frankel
• Developer, team lead, architect,
whatever it takes
• Recent Developer Advocate
Me, myself and I

@nicolas_frankel
Hazelcast
HAZELCAST IMDG is an operational,
in-memory, distributed computing
platform that manages data using
in-memory storage, and performs
parallel execution for breakthrough
application speed and scale.
HAZELCAST JET is the ultra fast,
application embeddable, 3rd
generation stream processing
engine for low latency batch
and stream processing.

@nicolas_frankel
• Part of the JRE
• In the java.lang.reflect package
The Reflection API
5

@nicolas_frankel
• Dynamically-typed languages
• Groovy
• JPA frameworks
• Hibernate
• Others
• Spring
• etc.
Used by a lot of languages/frameworks

@nicolas_frankel
• Make networks calls
• Compile code on the fly
• Execute code
• etc.
But everything is possible
8

@nicolas_frankel
• Static analyzers
• Byte-code analyzers
• Code reviews
• Security team
• etc.
Safeguards?

@nicolas_frankel
“Steganography is the
practice of concealing a
file, message, image, or
video within another file,
message, image, or video”
Steganography
10

@nicolas_frankel
A simple process
1. Publish a new library to central
• With hidden steganographic/compile/run
features
2. Add the library to your POM
3. Add an image with embedded code
4. Call the library
• Pretend to read the image
5. Enjoy

@nicolas_frankel
• Meant to run on the client machine
• Forbidden to do “dangerous” stuff
• Run in a sandbox
Applets

@nicolas_frankel
• Standard mode
• a.k.a. “God Mode”
• Sandbox mode
• Through a SecurityManager
Available « modes »

@nicolas_frankel
• On the command line
• java -Djava.security.manager …
• Via the API
• System.setSecurityManager()
Activating the Security Manager

@nicolas_frankel
• Java 9
• conf/security/java.security
• ➔ conf/security/java.policy
• Java 8
• jre/lib/security/java.security
• ➔ jre/lib/security/java.policy
Permissions configuration

@nicolas_frankel
• Setting the policy file
• -Djava.security.policy==my.policy
• Adding additional permissions
• -Djava.security.policy=my.policy
Alternative policy file

@nicolas_frankel
“Requires that in a
particular abstraction layer of a
computing environment, every
module must be able to access only
the information and resources that
are necessary for its legitimate
purpose”
Principle of least privilege

@nicolas_frankel
• Listen on ports
• Read a few System properties
Default permissions

$@nicolas_frankel public class AccessibleObject implements AnnotatedElement { public void setAccessible(boolean flag) throws SecurityException { SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission(ACCESS_PERMISSION); setAccessible0(this, flag); } } Permissions are enforced in the JDK$

@nicolas_frankel
Permissions
Permission Details
AllPermission ☺
PropertyPermission • Read
• Write
FilePermission • Read
• Write
• Execute
• Delete
ReflectPermission Suppress reflective access checks
RuntimePermission • More granular reflective access checks
• Security-related
• Class-loading related
• Exit Virtual Machine, shutdown hooks, etc.

@nicolas_frankel
Permissions (continued)
Permission Details
SocketPermission • accept
• connect
• listen
• resolve
SSLPermission • Get/set SSL context
• Set hostname verifier
AuthPermission
ServicePermission Kerberos-related
AWTPermission • Clipboard
• Tray
• Windows
• Pointer
• etc.

$@nicolas_frankel grant codebase "file:myjar" { permission Foo "foo"; permission Bar "bar", "baz"; }; Structure of a policy file (simplified)$

@nicolas_frankel
• https://blog.frankel.ch/
• @nicolas_frankel
• https://git.io/fx54L
• https://git.io/fhZ4t
• https://bit.ly/2DQBRrt
Thanks a lot!

Kubernetes in general, and Istio in particular, have changed a lot the way we look at Ops-related constraints: monitoring, load-balancing, health checks, etc. Before those products became available, there were already available solutions to handle those constraints. Among them is Resilience4J, a Java library. From the site: "Resilience4j is a fault tolerance library designed for Java8 and functional programming." In particular, Resilience4J provides an implementation of the Circuit Breaker pattern, which prevents a network or service failure from cascading to other services. But now Istio also provides the same capability. In this talk, we will have a look at how Istio and Resilience4J implement the Circuit Breaker pattern, and what pros/cons each of them has. After this talk, you’ll be able to decide which one is the best fit in your context.

Owning windows 8 with human interface devices

Nikhil Mittal

This document discusses using human interface devices like the Teensy microcontroller in penetration tests against Windows 8 systems. It introduces the Kautilya toolkit for programming Teensy payloads and demonstrates attacks against Windows 8 by connecting the Teensy and executing payloads with the privileges of the logged-in user. Limitations of this technique include storage limits on Teensy and an inability to read responses or clear itself after running. Defenses include disabling removable devices or locking USB ports.

Lateral Movement with PowerShell

kieranjacobsen

PowerShell, the must have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration can be utilised by an attack to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.

Post Exploitation Using Meterpreter

Shubham Mittal

The document discusses using Meterpreter for post exploitation activities after gaining access to a target system. Meterpreter provides an advanced multi-function payload that injects itself into running processes to provide core and advanced command functionality through extensions in a more stealthy way than normal payloads. The document outlines how Meterpreter works and can be used for activities like enumeration, privilege escalation, information harvesting, and pivoting across a network during post exploitation.

More fun using Kautilya

Nikhil Mittal

CNIT 128 9. Writing Secure Android Applications

Sam Bowne

Security workflow with ansible

devanshdubey7

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Priyanka Aash

This document discusses hacking mainframe systems like IBM z/OS. It describes how the speaker was able to gain access to mainframes through methods like credential theft, exploiting vulnerabilities in programs like Tivoli NetView, and escalating privileges using tools to ultimately achieve root access. The speaker demonstrates hacking tools they have created like BIRP, TShocker, and Maintp that can be used to conduct reconnaissance of mainframes and execute code through techniques like FTP.

The document describes InfectNet, a massively multiplayer online strategy game powered by code written by players. It discusses the game's architecture, which includes separate server and client repositories on GitHub. The game uses a domain-specific language for players to write code that gets executed on the server. Key aspects of the architecture include entity component systems, action/request queues to handle asynchronous behavior, and various game systems that power different aspects like spawning and movement.

CNIT 128: 3. Attacking iOS Applications (Part 2)

Sam Bowne

The document discusses attacking iOS applications by exploiting their runtime environment and interprocess communication capabilities. It covers method swizzling to instrument the Objective-C runtime, using Cydia Substrate to inject code into apps, and attacking entry points like UIWebViews, file handling routines, and application extensions to achieve code injection. The goal is to demonstrate how the iOS runtime can be leveraged to bypass protections and potentially pivot to internal networks in some cases.

Malware Collection and Analysis via Hardware Virtualization

Tamas K Lengyel

This document outlines a system for collecting and analyzing malware using hardware virtualization. It discusses using virtualization to meet requirements of scalability, stealth, isolation and fidelity. The system captures over 115,000 malware samples and monitors their system calls and kernel heap allocations. It identifies limitations in using virtualization for analysis and contributions of the work in developing prototypes and identifying requirements that must be addressed. Future work areas are discussed, such as dealing with evolving malware techniques and hardware.

The Dark Side of PowerShell by George Dobrea

EC-Council

PowerShell is now a ‘mandatory-to-use’ tool for IT professionals in order to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language just because PowerShell it’s already installed on your Windows machines, trusted by Admins and most AntiVirus tools! The session presents the steps that should get you starting on (Ethical) Hacking and Pen Testing with PowerShell and some new techniques like JEA (Just Enough Administration) that a defender can use in order to limit the effectiveness of PowerShell attacks.

Buffer Overflow Attacks

securityxploded

Kali Linux

Sumit Singh

Kali linux tutorial

HarikaReddy115

Kali Linux is an open-source security package containing tools divided into categories. It can be installed as an operating system or in a virtual machine. This tutorial discusses installing Kali Linux by first downloading VirtualBox, then downloading and installing Kali Linux as a virtual machine. It also covers updating Kali Linux and setting up a testing machine using Metasploitable to perform security tests. The key tools covered include Nmap/Zenmap for scanning, stealth scanning using SYN packets, and Searchsploit for exploiting vulnerabilities.

Malware Analysis Using Free Software

Xavier Mertens

This document discusses setting up an automated malware analysis sandbox using Cuckoo and Bro. It recommends using Cuckoo to dynamically analyze malware samples and Bro to monitor network traffic and extract suspicious files. Bro scripts are shown to extract files and submit them to Cuckoo for analysis. The talk emphasizes automating the analysis workflow and correlating indicators from Cuckoo with external threat intelligence in OSSEC to aid detection.

Kali Linux

Chanchal Dabriya

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It contains over 300 security tools and can run on various hardware architectures. Kali is an updated version of BackTrack, which it replaced in 2013 to address dependency issues. Some key tools included are nmap, Wireshark, John the Ripper, and Aircrack-ng. It is maintained by Offensive Security and intended to perform tests from an attacker's perspective to evaluate system vulnerabilities.

CyberSEED: Virtual Machine Introspection to Detect and Protect

Tamas K Lengyel

Tamas K Lengyel gives a presentation on virtual machine introspection and how it can be used to detect and protect against threats. He discusses how virtualization adds layers that can be leveraged for security monitoring. However, he notes that the approach of adding more layers is not a true solution and just increases the cost to break through defenses. Lengyel argues that the root hypervisor and lowest system layers are ultimately not fully transparent or accessible, leaving security imperfect similar to the concept of turtles all the way down.

Client side attacks using PowerShell

Nikhil Mittal

This document discusses using PowerShell for lethal client-side attacks. It introduces several tools created by the author (Out-Word, Out-Excel, etc.) that generate malicious Microsoft Office files, shortcuts, HTML files and Java files containing PowerShell payloads. These payloads allow executing commands, downloading/running scripts and more complex attacks on the victim's system. The document provides examples usage and discusses using PowerShell's capabilities for effective post-exploitation on client machines. It concludes with recommendations for defense and credits references used in developing the tools.

CNIT 128 2. Analyzing iOS Applications (Part 1)

Sam Bowne

Outlook and Exchange for the bad guys

Nick Landers

DerbyCon 2016 Nick Landers @monoxgas External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.

[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...

Hackito Ergo Sum

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed. Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER! https://www.hackitoergosum.org

A Distributed Malware Analysis System Cuckoo Sandbox

Andy Lee

This document describes a distributed malware analysis system using Cuckoo Sandbox. It discusses: 1) Cuckoo Sandbox is an open source automated malware analysis system that runs binary files in virtual machines to record behaviors like API calls, files created, registry access, and network traffic. 2) The motivation for a distributed system is that the computing power of a single machine is limited, causing performance bottlenecks for analyzing large numbers of samples. 3) The distributed Cuckoo system uses a master-worker architecture to assign analysis tasks to multiple worker nodes in parallel, reducing total analysis time and allowing the system to scale to more samples as hardware resources increase.

$HOME Sweet $HOME

Xavier Mertens

Xavier Mertens gave a presentation on the security risks posed by the growing Internet of Things in homes and businesses. He discussed how IoT devices have revolutionized homes but can also become an "Internet of Nightmares" if not properly secured. Some of the common vulnerabilities in IoT devices are insecure interfaces, lack of encryption, and privacy issues. Mertens provided recommendations on how to mitigate risks, such as implementing network filters, monitoring unknown devices, and virtualizing critical systems. He concluded by emphasizing that many existing security tools can help control IoT devices if users think of them as computers and only deploy technologies that provide necessary functionality.

Apache Struts2 CVE-2017-5638

Riyaz Walikar

This document discusses CVE-2017-5638, a remote code execution vulnerability in Apache Struts2. Nike Zheng reported that a bug in the Jakarta Multipart parser used by Struts2 could allow remote code execution by sending a crafted Content-Type header. The vulnerability lies in how Struts2 evaluates OGNL expressions in multipart requests, which can be exploited to execute system commands on the server.

Javantura - Securing the JVM

JUG Saxony Day - Securing the JVM, not for fun not for profit but what choice do you have?

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to JUG Saxony Day - Securing the JVM, not for fun not for profit but what choice do you have?

Similar to JUG Saxony Day - Securing the JVM, not for fun not for profit but what choice do you have? (20)

More from Nicolas Fränkel

More from Nicolas Fränkel (20)

Recently uploaded

Recently uploaded (20)

JUG Saxony Day - Securing the JVM, not for fun not for profit but what choice do you have?