SlideShare a Scribd company logo

$kernel->infect(): Creating a cryptovirus for Symfony2 apps

This document discusses creating a cryptovirus for Symfony applications as a proof of concept. It explains how a cryptovirus could work by getting a public key from a hacker server to encrypt data in the infected app, then paying to get the private key to decrypt the data. It covers relevant cryptography concepts like public key cryptography and OpenSSL. It also discusses techniques for hiding the virus from antivirus software like polymorphic code, gzip/base64 encoding, and checking file integrity with hash functions.

1 of 58
Download to read offline
MALICIOUS CRYPTOGRAPHY
IN SYMFONY APPS Raul Fraile
WHO AM I?
• PHP/Symfony2 developer at
• PHP 5.3 Zend Certified Engineer
• Symfony Certified Developer
• BS in Computer Science. Ms(Res) student in
Computing Technologies.
• Open source: Distill, LadybugPHP
https://leanpub.com/symfony-selfstudy
• Cryptovirology studies how to use
cryptography to design malicious
software.
• Closely related to ransomware and
private information retrieval.
• A fundamental twist in cryptography.
CRYPTOVIROLOGY
CREATING OUR
OWN CRYPTOVIRUS
…for fun and profit!
• This is not a real virus, just a proof of concept.
• I chose Symfony just because is my favourite
framework. It can be applied to any other
PHP framework.
• We assume that the virus is already in the
target computer.
• NOT AN EXPERT
#1 Get public key from the hacker server
GET public_key
Hacker serverApp server
OUR CRYPTOVIRUS
#2 Infect the Symfony 2.x app
app[_dev].php
bootstrap.php.cache
Kernel events
OUR CRYPTOVIRUS
#3 Use the public key to encrypt data
app[_dev].php
bootstrap.php.cache
Kernel events
Database
User uploads
Logs
…
OUR CRYPTOVIRUS
#4 Pay to get the private key to decrypt data
GET private_key
Hacker serverApp server
OUR CRYPTOVIRUS
#3 (b) Intercept user/passwords and save them encrypted
app[_dev].php
bootstrap.php.cache
Kernel events
raul
Submit
User
*****Password
OUR CRYPTOVIRUS
#4 (b) Get user/password pairs using a backdoor
GET users
Hacker serverApp server
OUR CRYPTOVIRUS
PUBLIC KEY
CRYPTOGRAPHY
• Public key (asymmetric) cryptography requires
two different keys: public and private.
• Based on one-way functions (trapdoors), which
are easy to compute in one direction, but
believed to be difficult to find its inverse.
• Most used one-way functions: integer
factorization, discrete logarithm and elliptic
curves.
PUBLIC KEY CRYPTOGRAPHY
WANT SEND image.jpg
Alice
A A
Bob
B B
B
image.jpg
101101001011001
PUBLIC KEY CRYPTOGRAPHY
p = 115307171677547
q = 190761112638809
n = p * q
= 21996124364443030184426121523
Having p and q, calculate n Having n, calculate p and q
Multiplication Factorization
SlowFast
not in Polinomial time
n = 21996124364443030184426121523
= p * q
= …
= 115307171677547 * 190761112638809
PUBLIC KEY CRYPTOGRAPHY
• Open Source toolkit for SSL/TLS, as well
as a full-strength general purpose
cryptography library.
• PHP extension: php-openssl.
OPENSSL
$config = array(
"digest_alg" => "sha512",
"private_key_bits" => 4096,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
);
// Create the private and public key
$resource = openssl_pkey_new($config);
// Extract the private key
openssl_pkey_export($resource, $privKey);
// Extract the public key
$pubKey = openssl_pkey_get_details($res);
$pubKey = $pubKey[“key"];
PHP + OPENSSL
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5gclOxvP9AyrUkk01b+b
aa3TQSclpol0B/2bU8e54DfJkCermqN8aHQFhscWtDQeQjZMBMa3LPjql/QW0cgw
knXrG0Ns+pk8960v8y1TBUK/AeOTfYJJ00A4Od6g7fA5oMOeI8IMaCD1eSJC5Fzi
bhVUygxMzc4ctqqvnJGDd7BPKo8Dg8pFHPnNF6hj7rb/JogWq9qiKZEXFRwMnJSg
…
-----END PUBLIC KEY-----
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDmByU7G8/0DKtS
STTVv5tprdNBJyWmiXQH/ZtTx7ngN8mQJ6uao3xodAWGxxa0NB5CNkwExrcs+OqX
9BbRyDCSdesbQ2z6mTz3rS/zLVMFQr8B45N9gknTQDg53qDt8Dmgw54jwgxoIPV5
IkLkXOJuFVTKDEzNzhy2qq+ckYN3sE8qjwODykUc+c0XqGPutv8miBar2qIpkRcV
HAyclKCPdhrW9OZiWX7IbhM95BwNJ3JZtPhWNA42IBlwv1tPMbiKnRcLC0FEL0qK
Iv7z1uPMaCYo+HioCcECUXj6b2nuDbdNIpXHQr98fC+vjxJWmd6zfcXG98h0eBrp
nbXU9SvNdX1fzHmDRrAl+NselZK5SHgyYY5aUb4gyyxQ+dVCWTaZQ1MmYZxiu4g4
a20tJHHYqkFV7ogS8u+Kfq4h/SlJ2wHeEhE4An1hXlEJXIZpK/z0+quScgKiqx9t
oBhkG44f4KIVfpqg9RKgrg9yFaavFjWJSIbXh+ciuLDDI/150as5pFKAtENuVXjS
xmrbpbbxeamKHNSD6O+wFbOaOw/r4NEWd1/p0AZ+qBRNl4fgCMCxRWDui6txjKGK
oiFVf6Brf3xg/69KoCTS3svJ4Kmm0TB8tloXKRW/qXhFkQJpn12wCwuazPE98nep
xApa2zTc7xcLt4ISJYHNCRX+n3puFwIDAQABAoICAB/K6QhsZaeTgLJUz+qjGvXW
…
-----END PRIVATE KEY-----
PHP + OPENSSL
$data = “Creating a cryptovirus for Symfony2 apps”;
// Encrypt the data
openssl_public_encrypt($data, $encrypted, $pubKey);
// Decrypt the encrypted data
openssl_private_decrypt($encrypted, $decrypted,
$privKey);
PHP + OPENSSL
SYMFONY
INTERNALS
kernel.request
Request
Response
kernel.controller
kernel.view kernel.response
kernel.terminate
kernel.exception
KERNEL EVENTS
• kernel.request is dispatched as soon as
the request arrives. Listeners can return a
Response and “end” the execution.
• kernel.controller is dispatched once the
controller has been resolved. Listeners
can manipulate the Controller callable.
KERNEL EVENTS
• kernel.view is dispatched only if the
Controller does not return a Response
object.
• kernel.response allows to modify or
replace the Response object after its
creation.
KERNEL EVENTS
• kernel.exception is dispatched if there is
an uncaught exception. Last chance to
convert an Exception object into a
Response object.
• kernel.terminate is dispatched once the
response has been sent. Allows to run
expensive post-response jobs.
KERNEL EVENTS
• The bootstrap.php.cache file is created
to improve performance, reducing IO
operations and autoload lookups.
• Just a copy&paste of common classes
and interfaces that will be used for sure.
BOOTSTRAP FILE
{
"name": "symfony/framework-standard-edition",
"scripts": {
"post-install-cmd": [
...,
“SensioBundleDistributionBundleComposer
ScriptHandler::buildBootstrap",
...
],
"post-update-cmd": [
...,
“SensioBundleDistributionBundleComposer
ScriptHandler::buildBootstrap",
...
]
}
}
BOOTSTRAP FILE
HIDING THE VIRUS
• Virus definitions. Antivirus software scans
files to find matches. Useful for known
malware (up-to-date antivirus).
• Heuristics allow antivirus software to identify
new or modified malware, even without virus
definition files. Based on system calls,
network packets, kernel events…
ANTIVIRUS
unlink(__FILE__);
REMOVING ITSELF
$originalCode = "phpinfo();";
// encode with base65 n times
$encoded = $originalCode;
$times = 5;
for ($i=0; $i<$times;$i++) {
$encoded = base64_encode($encoded);
}
// generate hidden code
$code = sprintf('eval(%s"%s"%s);',
str_repeat('base64_decode(', $times),
$encoded,
str_repeat(')', $times)
);
$code = gzdeflate($code);
var_dump($code); // K-K??HJ,N53...
GZIP + BASE64
eval(gzinflate($code));
GZIP + BASE64
• Polymorphic code is code that uses a
polymorphic engine to mutate while
keeping the original algorithm intact.
• Makes it difficult for antivirus software to
recognise the code as it constantly
changes.
• Emulation (sandbox) may be used.
POLYMORPHIC CODE
echo 'Hello world!';
echo 'Hello' . ' ' . 'world!';
printf('Hello world!');
file_put_contents('php://stdout', 'Hello world!');
printf('%c%c%c%c%c%c%c%c%c%c%c%c',
0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20,
0x77, 0x6f, 0x72, 0x6c, 0x64, 0x21
);
POLYMORPHIC CODE
All of them print “Hello world!”, but using
different code which generate different
AST/opcodes.
POLYMORPHIC CODE
Op Operands
1 ECHO Hello+world%21'
2
CONCAT Hello', '+'
CONCAT ~0, 'world%21'
ECHO ~1
3
SEND_VAL Hello+world%21'
DO_FCALL printf'
4
SEND_VAL php%3A%2F%2Fstdout'
SEND_VAL Hello+world%21'
DO_FCALL file_put_contents'
5
SEND_VAL %25c%25c%25c…%25c%25c’
SEND_VAL 72
SEND_VAL …101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 33
DO_FCALL printf'
POLYMORPHIC CODE
• The goal would be to create a
polymorphic engine that generates
different code in each infection
randomly.
• Really difficult to get random numbers in
computers, as they can be predictable.
POLYMORPHIC CODE
rand() mt_rand()
RANDOM NUMBERS
• Computational methods are not considered
true random number generators. In practice,
they are sufficient for most tasks.
• Physical methods use physical phenomenon
expected to be random. For example,
atmospheric noise (random.org), radioactive
decay, radio noise or even a coin flipping.
RANDOM NUMBERS
PROTECTING US
PROTECTING US
• Before the infection: security measures,
restrictive permissions, disable php-
openssl if we don’t need it,
allow_url_fopen, read-only code…
• Once the app has been infected, we want
to know it as soon as possible, checking
its integrity.
PROTECTING US
Hash functions create a fixed-length digest
from data of arbitrary length.
Easy to compute.
Infeasible to generate a message that has a
given hash.
Infeasible to modify a message without
changing the hash.
Infeasible to find two different messages
with the same hash.
HASH FUNCTIONS
Tiny changes in source generate (with high
probability) big changes in the digest.
HASH FUNCTIONS
• md5() is not collision resistant. It is
possible to create two files that share the
same checksum.
• We can include the checksum of the
whole project in the build process and
check it regularly.
HASH FUNCTIONS
use SymfonyComponentFinderFinder;
$finder = new Finder();
$finder->in(__DIR__ . ‘/project')
->files()
->name('*.php');
$hashes = '';
foreach ($finder as $file) {
$hashes .= sha1($file->getContents());
}
// hash of the whole project
$hash = sha1($hashes);
HASH FUNCTIONS
HASH FUNCTIONS
• The PHAR extension provides a way to
put entire PHP applications into a single
file.
• Equivalent to Java JAR files.
• PHAR files can contain a signature
(checksum) of the included files.
PHAR SIGNATURES
Stub
Manifest
File contents
Signature
Actual contents of the files
Describes the contents of the files:
filename, size, timestamp, CRC32…
Phar Signature in MD5, SHA1,
SHA256 or SHA512
__HALT_COMPILER();
Usually contains loader functionality
PHAR SIGNATURES
23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p|
68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::|
6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph|
61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell|
6f 20 77 6f 72 6c 64 21 27 3b 0a 0a 5f 5f 48 41 |o world!';..__HA|
4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?|
3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01 |>..3............|
00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t|
78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.|
a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r|
61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A|
e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....|
00 00 47 42 4d 42 |..GBMB|
Stub
Manifest
File contents
Signature
Signature flags
Magic GBMB
PHAR SIGNATURES
23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p|
68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::|
6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph|
61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell|
6f 20 74 68 65 72 65 21 27 3b 0a 0a 5f 5f 48 41 |o there!';..__HA|
4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?|
3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01 |>..3............|
00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t|
78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.|
a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r|
61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A|
e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....|
00 00 47 42 4d 42 |..GBMB|
PharException: phar "test.phar" has a broken
signature in /home/raul/test.phar on line 4
PHAR SIGNATURES
23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p|
68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::|
6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph|
61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell|
6f 20 74 68 65 72 65 21 27 3b 0a 0a 5f 5f 48 41 |o there!';..__HA|
4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?|
3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 00 |>..3............|
00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t|
78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.|
a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r|
61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A|
e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....|
00 00 47 42 4d 42 |..GBMB|
PharException: phar "test.phar" does not have
a signature in /home/raul/test.phar on line 4
phar.require_hash = On
PHAR SIGNATURES
DEMO
FURTHER READING
Malicious Cryptography. Exposing Cryptovirology
https://youtu.be/69mU6h1Sd2Q
slideshare.net/raulfraile/steganography-hiding-your-secrets-with-php
THANK YOU!
https://github.com/raulfraile/cryptosymfony

Recommended

Cli the other SAPI confoo11
Cli the other SAPI confoo11Cli the other SAPI confoo11
Cli the other SAPI confoo11Combell NV
 
Cli the other sapi pbc11
Cli the other sapi pbc11Cli the other sapi pbc11
Cli the other sapi pbc11Combell NV
 
Lets make better scripts
Lets make better scriptsLets make better scripts
Lets make better scriptsMichael Boelen
 
On secure application of PHP wrappers
On secure application  of PHP wrappersOn secure application  of PHP wrappers
On secure application of PHP wrappersPositive Hack Days
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 

More Related Content

What's hot

CLI, the other SAPI phpnw11
CLI, the other SAPI phpnw11CLI, the other SAPI phpnw11
CLI, the other SAPI phpnw11Combell NV
 
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13PHP Tips for certification - OdW13
PHP Tips for certification - OdW13julien pauli
 
PHP 7 – What changed internally? (PHP Barcelona 2015)
PHP 7 – What changed internally? (PHP Barcelona 2015)PHP 7 – What changed internally? (PHP Barcelona 2015)
PHP 7 – What changed internally? (PHP Barcelona 2015)Nikita Popov
 
Php in 2013 (Web-5 2013 conference)
Php in 2013 (Web-5 2013 conference)Php in 2013 (Web-5 2013 conference)
Php in 2013 (Web-5 2013 conference)julien pauli
 
The Php Life Cycle
The Php Life CycleThe Php Life Cycle
The Php Life CycleXinchen Hui
 
Quick tour of PHP from inside
Quick tour of PHP from insideQuick tour of PHP from inside
Quick tour of PHP from insidejulien pauli
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
Understanding PHP objects
Understanding PHP objectsUnderstanding PHP objects
Understanding PHP objectsjulien pauli
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 

What's hot (17)

Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
CLI, the other SAPI phpnw11
CLI, the other SAPI phpnw11CLI, the other SAPI phpnw11
CLI, the other SAPI phpnw11
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
PHP Tips for certification - OdW13
PHP Tips for certification - OdW13PHP Tips for certification - OdW13
PHP Tips for certification - OdW13
 
PHP 7 – What changed internally? (PHP Barcelona 2015)
PHP 7 – What changed internally? (PHP Barcelona 2015)PHP 7 – What changed internally? (PHP Barcelona 2015)
PHP 7 – What changed internally? (PHP Barcelona 2015)
 
Php in 2013 (Web-5 2013 conference)
Php in 2013 (Web-5 2013 conference)Php in 2013 (Web-5 2013 conference)
Php in 2013 (Web-5 2013 conference)
 
PHP7 is coming
PHP7 is comingPHP7 is coming
PHP7 is coming
 
The Php Life Cycle
The Php Life CycleThe Php Life Cycle
The Php Life Cycle
 
Quick tour of PHP from inside
Quick tour of PHP from insideQuick tour of PHP from inside
Quick tour of PHP from inside
 
Codes
CodesCodes
Codes
 
08 php-files
08 php-files08 php-files
08 php-files
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Understanding PHP objects
Understanding PHP objectsUnderstanding PHP objects
Understanding PHP objects
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
Shell Script
Shell ScriptShell Script
Shell Script
 
Php security3895
Php security3895Php security3895
Php security3895
 
extending-php
extending-phpextending-php
extending-php
 

Viewers also liked

Symfony2 Authentication
Symfony2 AuthenticationSymfony2 Authentication
Symfony2 AuthenticationOFlorin
 
Building a Website to Scale to 100 Million Page Views Per Day and Beyond
Building a Website to Scale to 100 Million Page Views Per Day and Beyond Building a Website to Scale to 100 Million Page Views Per Day and Beyond
Building a Website to Scale to 100 Million Page Views Per Day and Beyond Trieu Nguyen
 
Cryptovirology - by Malathi
Cryptovirology - by MalathiCryptovirology - by Malathi
Cryptovirology - by MalathiSanthosh Sundar
 
Service approach for development REST API in Symfony2
Service approach for development REST API in Symfony2Service approach for development REST API in Symfony2
Service approach for development REST API in Symfony2Sumy PHP User Grpoup
 
Scaling Symfony2 apps with RabbitMQ - Symfony UK Meetup
Scaling Symfony2 apps with RabbitMQ - Symfony UK MeetupScaling Symfony2 apps with RabbitMQ - Symfony UK Meetup
Scaling Symfony2 apps with RabbitMQ - Symfony UK MeetupKacper Gunia
 
Effective Doctrine2: Performance Tips for Symfony2 Developers
Effective Doctrine2: Performance Tips for Symfony2 DevelopersEffective Doctrine2: Performance Tips for Symfony2 Developers
Effective Doctrine2: Performance Tips for Symfony2 DevelopersMarcin Chwedziak
 
Love and Loss: A Symfony Security Play
Love and Loss: A Symfony Security PlayLove and Loss: A Symfony Security Play
Love and Loss: A Symfony Security PlayKris Wallsmith
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 

Viewers also liked (9)

Symfony2 Authentication
Symfony2 AuthenticationSymfony2 Authentication
Symfony2 Authentication
 
Building a Website to Scale to 100 Million Page Views Per Day and Beyond
Building a Website to Scale to 100 Million Page Views Per Day and Beyond Building a Website to Scale to 100 Million Page Views Per Day and Beyond
Building a Website to Scale to 100 Million Page Views Per Day and Beyond
 
Cryptovirology - by Malathi
Cryptovirology - by MalathiCryptovirology - by Malathi
Cryptovirology - by Malathi
 
Service approach for development REST API in Symfony2
Service approach for development REST API in Symfony2Service approach for development REST API in Symfony2
Service approach for development REST API in Symfony2
 
Scaling Symfony2 apps with RabbitMQ - Symfony UK Meetup
Scaling Symfony2 apps with RabbitMQ - Symfony UK MeetupScaling Symfony2 apps with RabbitMQ - Symfony UK Meetup
Scaling Symfony2 apps with RabbitMQ - Symfony UK Meetup
 
Effective Doctrine2: Performance Tips for Symfony2 Developers
Effective Doctrine2: Performance Tips for Symfony2 DevelopersEffective Doctrine2: Performance Tips for Symfony2 Developers
Effective Doctrine2: Performance Tips for Symfony2 Developers
 
Introducing symfony2
Introducing symfony2Introducing symfony2
Introducing symfony2
 
Love and Loss: A Symfony Security Play
Love and Loss: A Symfony Security PlayLove and Loss: A Symfony Security Play
Love and Loss: A Symfony Security Play
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 

Similar to $kernel->infect(): Creating a cryptovirus for Symfony2 apps

Php through the eyes of a hoster confoo
Php through the eyes of a hoster confooPhp through the eyes of a hoster confoo
Php through the eyes of a hoster confooCombell NV
 
PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckrICh morrow
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php confHash Lin
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy CodeRowan Merewood
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...anshkhurana01
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
Ran Mizrahi - Symfony2 meets Drupal8
Ran Mizrahi - Symfony2 meets Drupal8Ran Mizrahi - Symfony2 meets Drupal8
Ran Mizrahi - Symfony2 meets Drupal8Ran Mizrahi
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopMandi Walls
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Combell NV
 
php fundamental
php fundamentalphp fundamental
php fundamentalzalatarunk
 
Php introduction with history of php
Php introduction with history of phpPhp introduction with history of php
Php introduction with history of phppooja bhandari
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 

Similar to $kernel->infect(): Creating a cryptovirus for Symfony2 apps (20)

Php through the eyes of a hoster confoo
Php through the eyes of a hoster confooPhp through the eyes of a hoster confoo
Php through the eyes of a hoster confoo
 
PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php conf
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
Web application security
Web application securityWeb application security
Web application security
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
 
Day1
Day1Day1
Day1
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
 
Composer
ComposerComposer
Composer
 
Ran Mizrahi - Symfony2 meets Drupal8
Ran Mizrahi - Symfony2 meets Drupal8Ran Mizrahi - Symfony2 meets Drupal8
Ran Mizrahi - Symfony2 meets Drupal8
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
 
Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11Php through the eyes of a hoster phpbnl11
Php through the eyes of a hoster phpbnl11
 
php fundamental
php fundamentalphp fundamental
php fundamental
 
Php introduction with history of php
Php introduction with history of phpPhp introduction with history of php
Php introduction with history of php
 
php
phpphp
php
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Basics PHP
Basics PHPBasics PHP
Basics PHP
 

More from Raul Fraile

Aplicaciones CLI profesionales con Symfony
Aplicaciones CLI profesionales con SymfonyAplicaciones CLI profesionales con Symfony
Aplicaciones CLI profesionales con SymfonyRaul Fraile
 
Steganography: Hiding your secrets with PHP
Steganography: Hiding your secrets with PHPSteganography: Hiding your secrets with PHP
Steganography: Hiding your secrets with PHPRaul Fraile
 
How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014Raul Fraile
 
How GZIP works... in 10 minutes
How GZIP works... in 10 minutesHow GZIP works... in 10 minutes
How GZIP works... in 10 minutesRaul Fraile
 
Symfony en Drupal 8 - DrupalCamp Spain
Symfony en Drupal 8 - DrupalCamp Spain Symfony en Drupal 8 - DrupalCamp Spain
Symfony en Drupal 8 - DrupalCamp Spain Raul Fraile
 
Materiales del curso de Symfony2
Materiales del curso de Symfony2Materiales del curso de Symfony2
Materiales del curso de Symfony2Raul Fraile
 
Sistemas de ficheros para dispositivos embebidos
Sistemas de ficheros para dispositivos embebidosSistemas de ficheros para dispositivos embebidos
Sistemas de ficheros para dispositivos embebidosRaul Fraile
 
Refactoring PHP/Symfony2 apps
Refactoring PHP/Symfony2 appsRefactoring PHP/Symfony2 apps
Refactoring PHP/Symfony2 appsRaul Fraile
 
Refactorización de aplicaciones PHP/Symfony2
Refactorización de aplicaciones PHP/Symfony2Refactorización de aplicaciones PHP/Symfony2
Refactorización de aplicaciones PHP/Symfony2Raul Fraile
 
MidwestPHP Symfony2 Internals
MidwestPHP Symfony2 InternalsMidwestPHP Symfony2 Internals
MidwestPHP Symfony2 InternalsRaul Fraile
 
Symfony internals [english]
Symfony internals [english]Symfony internals [english]
Symfony internals [english]Raul Fraile
 
DeSymfony 2012: Symfony internals
DeSymfony 2012: Symfony internalsDeSymfony 2012: Symfony internals
DeSymfony 2012: Symfony internalsRaul Fraile
 
Symfony2: Interacción con CSS, JS y HTML5
Symfony2: Interacción con CSS, JS y HTML5Symfony2: Interacción con CSS, JS y HTML5
Symfony2: Interacción con CSS, JS y HTML5Raul Fraile
 
Symfony2: Optimización y rendimiento
Symfony2: Optimización y rendimientoSymfony2: Optimización y rendimiento
Symfony2: Optimización y rendimientoRaul Fraile
 
Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Raul Fraile
 
Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Raul Fraile
 
Presentacion Symfony2
Presentacion Symfony2Presentacion Symfony2
Presentacion Symfony2Raul Fraile
 

More from Raul Fraile (17)

Aplicaciones CLI profesionales con Symfony
Aplicaciones CLI profesionales con SymfonyAplicaciones CLI profesionales con Symfony
Aplicaciones CLI profesionales con Symfony
 
Steganography: Hiding your secrets with PHP
Steganography: Hiding your secrets with PHPSteganography: Hiding your secrets with PHP
Steganography: Hiding your secrets with PHP
 
How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014How GZIP compression works - JS Conf EU 2014
How GZIP compression works - JS Conf EU 2014
 
How GZIP works... in 10 minutes
How GZIP works... in 10 minutesHow GZIP works... in 10 minutes
How GZIP works... in 10 minutes
 
Symfony en Drupal 8 - DrupalCamp Spain
Symfony en Drupal 8 - DrupalCamp Spain Symfony en Drupal 8 - DrupalCamp Spain
Symfony en Drupal 8 - DrupalCamp Spain
 
Materiales del curso de Symfony2
Materiales del curso de Symfony2Materiales del curso de Symfony2
Materiales del curso de Symfony2
 
Sistemas de ficheros para dispositivos embebidos
Sistemas de ficheros para dispositivos embebidosSistemas de ficheros para dispositivos embebidos
Sistemas de ficheros para dispositivos embebidos
 
Refactoring PHP/Symfony2 apps
Refactoring PHP/Symfony2 appsRefactoring PHP/Symfony2 apps
Refactoring PHP/Symfony2 apps
 
Refactorización de aplicaciones PHP/Symfony2
Refactorización de aplicaciones PHP/Symfony2Refactorización de aplicaciones PHP/Symfony2
Refactorización de aplicaciones PHP/Symfony2
 
MidwestPHP Symfony2 Internals
MidwestPHP Symfony2 InternalsMidwestPHP Symfony2 Internals
MidwestPHP Symfony2 Internals
 
Symfony internals [english]
Symfony internals [english]Symfony internals [english]
Symfony internals [english]
 
DeSymfony 2012: Symfony internals
DeSymfony 2012: Symfony internalsDeSymfony 2012: Symfony internals
DeSymfony 2012: Symfony internals
 
Symfony2: Interacción con CSS, JS y HTML5
Symfony2: Interacción con CSS, JS y HTML5Symfony2: Interacción con CSS, JS y HTML5
Symfony2: Interacción con CSS, JS y HTML5
 
Symfony2: Optimización y rendimiento
Symfony2: Optimización y rendimientoSymfony2: Optimización y rendimiento
Symfony2: Optimización y rendimiento
 
Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Symfony2: Framework para PHP5
Symfony2: Framework para PHP5
 
Symfony2: Framework para PHP5
Symfony2: Framework para PHP5Symfony2: Framework para PHP5
Symfony2: Framework para PHP5
 
Presentacion Symfony2
Presentacion Symfony2Presentacion Symfony2
Presentacion Symfony2
 

Recently uploaded

Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024BookNet Canada
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingerssuser9354ce
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Jay Zhao
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfTejal81
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGRick Ossendrijver
 
Java Optional (Kitworks Team Study 김성호 발표)
Java Optional (Kitworks Team Study 김성호 발표)Java Optional (Kitworks Team Study 김성호 발표)
Java Optional (Kitworks Team Study 김성호 발표)Wonjun Hwang
 
AI-Plugins-Planners-Persona-SemanticKernel.pptx
AI-Plugins-Planners-Persona-SemanticKernel.pptxAI-Plugins-Planners-Persona-SemanticKernel.pptx
AI-Plugins-Planners-Persona-SemanticKernel.pptxUdaiappa Ramachandran
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 
Trading Software Development_ Trends to Watch in 2024.pdf
Trading Software Development_ Trends to Watch in 2024.pdfTrading Software Development_ Trends to Watch in 2024.pdf
Trading Software Development_ Trends to Watch in 2024.pdfLucas Lagone
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubShapeBlue
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc
 
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Cprime
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024ThousandEyes
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewAshraf Fouad
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueShapeBlue
 
Artificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneArtificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneSridhar Seshadri
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationAppsthentic Technology
 

Recently uploaded (20)

Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostinger
 
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
Leonis Insights: The State of AI (7 trends for 2023 and 7 predictions for 2024)
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
 
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUGBoosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
Boosting Developer Effectiveness with a Java platform team 1.4 - ArnhemJUG
 
Java Optional (Kitworks Team Study 김성호 발표)
Java Optional (Kitworks Team Study 김성호 발표)Java Optional (Kitworks Team Study 김성호 발표)
Java Optional (Kitworks Team Study 김성호 발표)
 
AI-Plugins-Planners-Persona-SemanticKernel.pptx
AI-Plugins-Planners-Persona-SemanticKernel.pptxAI-Plugins-Planners-Persona-SemanticKernel.pptx
AI-Plugins-Planners-Persona-SemanticKernel.pptx
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 
Trading Software Development_ Trends to Watch in 2024.pdf
Trading Software Development_ Trends to Watch in 2024.pdfTrading Software Development_ Trends to Watch in 2024.pdf
Trading Software Development_ Trends to Watch in 2024.pdf
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
Improving IT Investment Decisions and Business Outcomes with Integrated Enter...
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
 
Artificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneArtificial Intelligence - AI For Everyone
Artificial Intelligence - AI For Everyone
 
Mastering Play Store App Listing and Optimization
Mastering Play Store App Listing and OptimizationMastering Play Store App Listing and Optimization
Mastering Play Store App Listing and Optimization
 

$kernel->infect(): Creating a cryptovirus for Symfony2 apps

  • 2. WHO AM I? • PHP/Symfony2 developer at • PHP 5.3 Zend Certified Engineer • Symfony Certified Developer • BS in Computer Science. Ms(Res) student in Computing Technologies. • Open source: Distill, LadybugPHP
  • 4. • Cryptovirology studies how to use cryptography to design malicious software. • Closely related to ransomware and private information retrieval. • A fundamental twist in cryptography. CRYPTOVIROLOGY
  • 6. • This is not a real virus, just a proof of concept. • I chose Symfony just because is my favourite framework. It can be applied to any other PHP framework. • We assume that the virus is already in the target computer. • NOT AN EXPERT
  • 7. #1 Get public key from the hacker server GET public_key Hacker serverApp server OUR CRYPTOVIRUS
  • 8. #2 Infect the Symfony 2.x app app[_dev].php bootstrap.php.cache Kernel events OUR CRYPTOVIRUS
  • 9. #3 Use the public key to encrypt data app[_dev].php bootstrap.php.cache Kernel events Database User uploads Logs … OUR CRYPTOVIRUS
  • 10. #4 Pay to get the private key to decrypt data GET private_key Hacker serverApp server OUR CRYPTOVIRUS
  • 11. #3 (b) Intercept user/passwords and save them encrypted app[_dev].php bootstrap.php.cache Kernel events raul Submit User *****Password OUR CRYPTOVIRUS
  • 12. #4 (b) Get user/password pairs using a backdoor GET users Hacker serverApp server OUR CRYPTOVIRUS
  • 14. • Public key (asymmetric) cryptography requires two different keys: public and private. • Based on one-way functions (trapdoors), which are easy to compute in one direction, but believed to be difficult to find its inverse. • Most used one-way functions: integer factorization, discrete logarithm and elliptic curves. PUBLIC KEY CRYPTOGRAPHY
  • 15. WANT SEND image.jpg Alice A A Bob B B B image.jpg 101101001011001 PUBLIC KEY CRYPTOGRAPHY
  • 16. p = 115307171677547 q = 190761112638809 n = p * q = 21996124364443030184426121523 Having p and q, calculate n Having n, calculate p and q Multiplication Factorization SlowFast not in Polinomial time n = 21996124364443030184426121523 = p * q = … = 115307171677547 * 190761112638809 PUBLIC KEY CRYPTOGRAPHY
  • 17. • Open Source toolkit for SSL/TLS, as well as a full-strength general purpose cryptography library. • PHP extension: php-openssl. OPENSSL
  • 18. $config = array( "digest_alg" => "sha512", "private_key_bits" => 4096, "private_key_type" => OPENSSL_KEYTYPE_RSA, ); // Create the private and public key $resource = openssl_pkey_new($config); // Extract the private key openssl_pkey_export($resource, $privKey); // Extract the public key $pubKey = openssl_pkey_get_details($res); $pubKey = $pubKey[“key"]; PHP + OPENSSL
  • 19. -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5gclOxvP9AyrUkk01b+b aa3TQSclpol0B/2bU8e54DfJkCermqN8aHQFhscWtDQeQjZMBMa3LPjql/QW0cgw knXrG0Ns+pk8960v8y1TBUK/AeOTfYJJ00A4Od6g7fA5oMOeI8IMaCD1eSJC5Fzi bhVUygxMzc4ctqqvnJGDd7BPKo8Dg8pFHPnNF6hj7rb/JogWq9qiKZEXFRwMnJSg … -----END PUBLIC KEY----- -----BEGIN PRIVATE KEY----- MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDmByU7G8/0DKtS STTVv5tprdNBJyWmiXQH/ZtTx7ngN8mQJ6uao3xodAWGxxa0NB5CNkwExrcs+OqX 9BbRyDCSdesbQ2z6mTz3rS/zLVMFQr8B45N9gknTQDg53qDt8Dmgw54jwgxoIPV5 IkLkXOJuFVTKDEzNzhy2qq+ckYN3sE8qjwODykUc+c0XqGPutv8miBar2qIpkRcV HAyclKCPdhrW9OZiWX7IbhM95BwNJ3JZtPhWNA42IBlwv1tPMbiKnRcLC0FEL0qK Iv7z1uPMaCYo+HioCcECUXj6b2nuDbdNIpXHQr98fC+vjxJWmd6zfcXG98h0eBrp nbXU9SvNdX1fzHmDRrAl+NselZK5SHgyYY5aUb4gyyxQ+dVCWTaZQ1MmYZxiu4g4 a20tJHHYqkFV7ogS8u+Kfq4h/SlJ2wHeEhE4An1hXlEJXIZpK/z0+quScgKiqx9t oBhkG44f4KIVfpqg9RKgrg9yFaavFjWJSIbXh+ciuLDDI/150as5pFKAtENuVXjS xmrbpbbxeamKHNSD6O+wFbOaOw/r4NEWd1/p0AZ+qBRNl4fgCMCxRWDui6txjKGK oiFVf6Brf3xg/69KoCTS3svJ4Kmm0TB8tloXKRW/qXhFkQJpn12wCwuazPE98nep xApa2zTc7xcLt4ISJYHNCRX+n3puFwIDAQABAoICAB/K6QhsZaeTgLJUz+qjGvXW … -----END PRIVATE KEY----- PHP + OPENSSL
  • 20. $data = “Creating a cryptovirus for Symfony2 apps”; // Encrypt the data openssl_public_encrypt($data, $encrypted, $pubKey); // Decrypt the encrypted data openssl_private_decrypt($encrypted, $decrypted, $privKey); PHP + OPENSSL
  • 23. • kernel.request is dispatched as soon as the request arrives. Listeners can return a Response and “end” the execution. • kernel.controller is dispatched once the controller has been resolved. Listeners can manipulate the Controller callable. KERNEL EVENTS
  • 24. • kernel.view is dispatched only if the Controller does not return a Response object. • kernel.response allows to modify or replace the Response object after its creation. KERNEL EVENTS
  • 25. • kernel.exception is dispatched if there is an uncaught exception. Last chance to convert an Exception object into a Response object. • kernel.terminate is dispatched once the response has been sent. Allows to run expensive post-response jobs. KERNEL EVENTS
  • 26. • The bootstrap.php.cache file is created to improve performance, reducing IO operations and autoload lookups. • Just a copy&paste of common classes and interfaces that will be used for sure. BOOTSTRAP FILE
  • 27. { "name": "symfony/framework-standard-edition", "scripts": { "post-install-cmd": [ ..., “SensioBundleDistributionBundleComposer ScriptHandler::buildBootstrap", ... ], "post-update-cmd": [ ..., “SensioBundleDistributionBundleComposer ScriptHandler::buildBootstrap", ... ] } } BOOTSTRAP FILE
  • 29. • Virus definitions. Antivirus software scans files to find matches. Useful for known malware (up-to-date antivirus). • Heuristics allow antivirus software to identify new or modified malware, even without virus definition files. Based on system calls, network packets, kernel events… ANTIVIRUS
  • 31. $originalCode = "phpinfo();"; // encode with base65 n times $encoded = $originalCode; $times = 5; for ($i=0; $i<$times;$i++) { $encoded = base64_encode($encoded); } // generate hidden code $code = sprintf('eval(%s"%s"%s);', str_repeat('base64_decode(', $times), $encoded, str_repeat(')', $times) ); $code = gzdeflate($code); var_dump($code); // K-K??HJ,N53... GZIP + BASE64
  • 33. • Polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. • Makes it difficult for antivirus software to recognise the code as it constantly changes. • Emulation (sandbox) may be used. POLYMORPHIC CODE
  • 34. echo 'Hello world!'; echo 'Hello' . ' ' . 'world!'; printf('Hello world!'); file_put_contents('php://stdout', 'Hello world!'); printf('%c%c%c%c%c%c%c%c%c%c%c%c', 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x21 ); POLYMORPHIC CODE
  • 35. All of them print “Hello world!”, but using different code which generate different AST/opcodes. POLYMORPHIC CODE
  • 36. Op Operands 1 ECHO Hello+world%21' 2 CONCAT Hello', '+' CONCAT ~0, 'world%21' ECHO ~1 3 SEND_VAL Hello+world%21' DO_FCALL printf' 4 SEND_VAL php%3A%2F%2Fstdout' SEND_VAL Hello+world%21' DO_FCALL file_put_contents' 5 SEND_VAL %25c%25c%25c…%25c%25c’ SEND_VAL 72 SEND_VAL …101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 33 DO_FCALL printf' POLYMORPHIC CODE
  • 37. • The goal would be to create a polymorphic engine that generates different code in each infection randomly. • Really difficult to get random numbers in computers, as they can be predictable. POLYMORPHIC CODE
  • 39. • Computational methods are not considered true random number generators. In practice, they are sufficient for most tasks. • Physical methods use physical phenomenon expected to be random. For example, atmospheric noise (random.org), radioactive decay, radio noise or even a coin flipping. RANDOM NUMBERS
  • 42. • Before the infection: security measures, restrictive permissions, disable php- openssl if we don’t need it, allow_url_fopen, read-only code… • Once the app has been infected, we want to know it as soon as possible, checking its integrity. PROTECTING US
  • 43. Hash functions create a fixed-length digest from data of arbitrary length. Easy to compute. Infeasible to generate a message that has a given hash. Infeasible to modify a message without changing the hash. Infeasible to find two different messages with the same hash. HASH FUNCTIONS
  • 44. Tiny changes in source generate (with high probability) big changes in the digest. HASH FUNCTIONS
  • 45. • md5() is not collision resistant. It is possible to create two files that share the same checksum. • We can include the checksum of the whole project in the build process and check it regularly. HASH FUNCTIONS
  • 46. use SymfonyComponentFinderFinder; $finder = new Finder(); $finder->in(__DIR__ . ‘/project') ->files() ->name('*.php'); $hashes = ''; foreach ($finder as $file) { $hashes .= sha1($file->getContents()); } // hash of the whole project $hash = sha1($hashes); HASH FUNCTIONS
  • 48. • The PHAR extension provides a way to put entire PHP applications into a single file. • Equivalent to Java JAR files. • PHAR files can contain a signature (checksum) of the included files. PHAR SIGNATURES
  • 49. Stub Manifest File contents Signature Actual contents of the files Describes the contents of the files: filename, size, timestamp, CRC32… Phar Signature in MD5, SHA1, SHA256 or SHA512 __HALT_COMPILER(); Usually contains loader functionality PHAR SIGNATURES
  • 50. 23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p| 68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::| 6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph| 61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell| 6f 20 77 6f 72 6c 64 21 27 3b 0a 0a 5f 5f 48 41 |o world!';..__HA| 4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?| 3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01 |>..3............| 00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t| 78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.| a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r| 61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A| e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....| 00 00 47 42 4d 42 |..GBMB| Stub Manifest File contents Signature Signature flags Magic GBMB PHAR SIGNATURES
  • 51. 23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p| 68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::| 6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph| 61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell| 6f 20 74 68 65 72 65 21 27 3b 0a 0a 5f 5f 48 41 |o there!';..__HA| 4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?| 3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 01 |>..3............| 00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t| 78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.| a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r| 61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A| e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....| 00 00 47 42 4d 42 |..GBMB| PharException: phar "test.phar" has a broken signature in /home/raul/test.phar on line 4 PHAR SIGNATURES
  • 52. 23 21 2f 75 73 72 2f 62 69 6e 2f 65 6e 76 20 70 |#!/usr/bin/env p| 68 70 0a 3c 3f 70 68 70 0a 0a 50 68 61 72 3a 3a |hp.<?php..Phar::| 6d 61 70 50 68 61 72 28 27 74 65 73 74 2e 70 68 |mapPhar('test.ph| 61 72 27 29 3b 0a 65 63 68 6f 20 27 68 65 6c 6c |ar');.echo 'hell| 6f 20 74 68 65 72 65 21 27 3b 0a 0a 5f 5f 48 41 |o there!';..__HA| 4c 54 5f 43 4f 4d 50 49 4c 45 52 28 29 3b 20 3f |LT_COMPILER(); ?| 3e 0d 0a 33 00 00 00 01 00 00 00 11 00 00 00 00 |>..3............| 00 00 00 00 00 00 00 00 00 05 00 00 00 31 2e 74 |.............1.t| 78 74 10 00 00 00 d2 1e 50 53 10 00 00 00 26 fb |xt......PS....&.| a7 61 b6 01 00 00 00 00 00 00 53 6f 6d 65 20 72 |.a........Some r| 61 6e 64 6f 6d 20 74 65 78 74 23 b5 11 ce 2c 41 |andom text#...,A| e0 d4 3a db 21 ee cc ec c2 8c f6 3f 93 e2 02 00 |..:.!……?....| 00 00 47 42 4d 42 |..GBMB| PharException: phar "test.phar" does not have a signature in /home/raul/test.phar on line 4 phar.require_hash = On PHAR SIGNATURES
  • 53. DEMO