This document discusses several network protocols and vulnerabilities. It begins with an overview of basic networking concepts like TCP/IP and routing. It then examines specific attacks like TCP spoofing and DNS poisoning. The document analyzes how protocols like IP, TCP, BGP, and DNS work and identifies security issues like a lack of authentication, predictable sequence numbers, and cache poisoning attacks. Defenses are discussed but many core protocols were not initially designed with security in mind.
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
This talk focuses on various ways to attempt to be as much like normal users/behavior/traffic as possible. We also demonstrate the limitations of signature-based detection systems and then discuss a prototype Remote Access Tool (RAT) that is designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
Kazdy z nas w dobie obecnego Internetu i Pokemon Go ma swoja stronę internetowa, forum czy tez prowadzi sklep e-commerce. Z punktu widzenia klienta, rozwiązanie jest proste. Loguje się na swoje konto, uruchamia instalator CMS i zaczyna prowadzić swoje usługi bądź
tez dostarczać treści. Będzie to pierwsze case study skutecznej obrony przed potężnymi atakami
wolumetrycznymi mające na celu wyłącznie usług HTTP bądź HTTPS za pomocą wysyłania dużej ilości pakietów SYN na serwer który hostuje zainfekowana stronę www. Celem prezentacji jest pokazanie mechanizmu obrony przed szeroko znanego problemu jakim jestDDoS, metody mitygacji, blackholing oraz przykładowe scenariusze w raz z konfiguracja w oparciu o dystrybucje CentOS oraz modułu HAProxy.
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
Please note, this article does not intend to promote hacking. The intention is to help you understand the vulnerabilities in ssl and protect yourselves from the same. There are millions of innocent victims who fall prey because they are complacent the moment they see a 'secure https' symbol on their browser. I am trying to dispel that myth.
This talk focuses on various ways to attempt to be as much like normal users/behavior/traffic as possible. We also demonstrate the limitations of signature-based detection systems and then discuss a prototype Remote Access Tool (RAT) that is designed to blend in with normal activity.
Presented at CodeMash, January 8, 2014
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
Kazdy z nas w dobie obecnego Internetu i Pokemon Go ma swoja stronę internetowa, forum czy tez prowadzi sklep e-commerce. Z punktu widzenia klienta, rozwiązanie jest proste. Loguje się na swoje konto, uruchamia instalator CMS i zaczyna prowadzić swoje usługi bądź
tez dostarczać treści. Będzie to pierwsze case study skutecznej obrony przed potężnymi atakami
wolumetrycznymi mające na celu wyłącznie usług HTTP bądź HTTPS za pomocą wysyłania dużej ilości pakietów SYN na serwer który hostuje zainfekowana stronę www. Celem prezentacji jest pokazanie mechanizmu obrony przed szeroko znanego problemu jakim jestDDoS, metody mitygacji, blackholing oraz przykładowe scenariusze w raz z konfiguracja w oparciu o dystrybucje CentOS oraz modułu HAProxy.
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
Please note, this article does not intend to promote hacking. The intention is to help you understand the vulnerabilities in ssl and protect yourselves from the same. There are millions of innocent victims who fall prey because they are complacent the moment they see a 'secure https' symbol on their browser. I am trying to dispel that myth.
Your app lives on the network - networking for web developersWim Godden
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work.
I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP).
Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
Open source network forensics and advanced pcap analysisGTKlondike
Speaker: GTKlondike
There is a lot of information freely available out on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well defined limit on how in depth the topic is covered. This intermediate level talk aims to bridge the gap between a basic understanding of protocol analyzers (I.e. Wireshark and TCPdump), and practical real world usage. Things that will be covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network based attacks. It is assumed the audience has working knowledge of protocol analysis tools (I.e. Wireshark and TCPdump), OSI and TCP/IP model, and major protocols (I.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
2. Outline
! Basic Networking:
How things work now plus some problems
! Some network attacks
Attacking host-to-host datagram protocols
TCP Spoofing, …
Attacking network infrastructure
Routing
Domain Name System
3. Backbone
ISP
ISP
Internet Infrastructure
! Local and interdomain routing
TCP/IP for routing, connections
BGP for routing announcements
! Domain Name System
Find IP address from symbolic name (www.cs.stanford.edu)
5. Data Formats
Application
Transport (TCP, UDP)
Network (IP)
Link Layer
Application message - data
TCP data TCP data TCP data
TCP Header
dataTCPIP
IP Header
dataTCPIPETH ETF
Link (Ethernet)
Header
Link (Ethernet)
Trailer
segment
packet
frame
message
6. Internet Protocol
! Connectionless
Unreliable
Best effort
! Notes:
src and dest ports
not parts of IP hdr
IP
Version Header Length
Type of Service
Total Length
Identification
Flags
Time to Live
Protocol
Header Checksum
Source Address of Originating Host
Destination Address of Target Host
Options
Padding
IP Data
Fragment Offset
7. IP Routing
! Internet routing uses numeric IP address
! Typical route uses several hops
Meg
Tom
ISP
Office gateway
121.42.33.12
132.14.11.51
Source
Destination
Packet
121.42.33.12
121.42.33.1
132.14.11.51
132.14.11.1
8. IP Protocol Functions (Summary)
! Routing
IP host knows location of router (gateway)
IP gateway must know route to other networks
! Fragmentation and reassembly
If max-packet-size less than the user-data-size
! Error reporting
ICMP packet to source if packet is dropped
! TTL field: decremented after every hop
Packet dropped f TTL=0. Prevents infinite loops.
9. Problem: no src IP authentication
! Client is trusted to embed correct source IP
Easy to override using raw sockets
Libnet: a library for formatting raw packets with
arbitrary IP headers
! Anyone who owns their machine can send packets
with arbitrary source IP
… response will be sent back to forged source IP
Implications: (solutions in DDoS lecture)
Anonymous DoS attacks;
Anonymous infection attacks (e.g. slammer worm)
10. User Datagram Protocol
! Unreliable transport on top of IP:
No acknowledgment
No congenstion control
No message continuation
UDP
11. Transmission Control Protocol
! Connection-oriented, preserves order
Sender
Break data into packets
Attach packet numbers
Receiver
Acknowledge receipt; lost packets are resent
Reassemble packets in correct order
TCP
Book Mail each page Reassemble book
19
5
1
1 1
12. TCP Header
Source Port Dest port
SEQ Number
ACK Number
Other stuff
U
R
G
P
S
R
A
C
K
P
S
H
S
Y
N
F
I
N TCP Header
13. Review: TCP Handshake
C S
SYN:
SYN/ACK:
ACK:
Listening
Store SNC , SNS
Wait
Established
SNC←randC
ANC←0
SNS←randS
ANS←SNC
SN←SNC+1
AN←SNS
Received packets with SN too far out of window are dropped
14. Basic Security Problems
1. Network packets pass by untrusted hosts
Eavesdropping, packet sniffing
Especially easy when attacker controls a
machine close to victim
2. TCP state can be easy to guess
Enables spoofing and session hijacking
3. Denial of Service (DoS) vulnerabilities
DDoS lecture
15. 1. Packet Sniffing
! Promiscuous NIC reads all packets
Read all unencrypted data (e.g., “wireshark”)
ftp, telnet (and POP, IMAP) send passwords in clear!
Alice Bob
Eve
Network
Prevention: Encryption (next lecture: IPSEC)
Sweet Hall attack installed sniffer on local machine
16. 2. TCP Connection Spoofing
! Why random initial sequence numbers? (SNC , SNS )
! Suppose init. sequence numbers are predictable
Attacker can create TCP session on behalf of forged source IP
Breaks IP-based authentication (e.g. SPF, /etc/hosts )
Victim
Server
SYN/ACK
dstIP=victim
SN=server SNS
ACK
srcIP=victim
AN=predicted SNS
command
server thinks command
is from victim IP addr
attacker
TCP SYN
srcIP=victim
17. Example DoS vulnerability [Watson’04]
! Suppose attacker can guess seq. number for an
existing connection:
Attacker can send Reset packet to
close connection. Results in DoS.
Naively, success prob. is 1/232 (32-bit seq. #’s).
Most systems allow for a large window of
acceptable seq. #’s
Much higher success probability.
! Attack is most effective against long lived
connections, e.g. BGP
18. Random initial TCP SNs
! Unpredictable SNs prevent basic packet injection
… but attacker can inject packets after
eavesdropping to obtain current SN
! Most TCP stacks now generate random SNs
Random generator should be unpredictable
GPR’06: Linux RNG for generating SNs is predictable
Attacker repeatedly connects to server
Obtains sequence of SNs
Can predict next SN
Attacker can now do TCP spoofing (create TCP session
with forged source IP)
20. Routing Vulnerabilities
! Common attack: advertise false routes
Causes traffic to go though compromised hosts
! ARP (addr resolution protocol): IP addr -> eth addr
Node A can confuse gateway into sending it traffic for B
By proxying traffic, attacker A can easily inject packets
into B’s session (e.g. WiFi networks)
! OSPF: used for routing within an AS
! BGP: routing between ASs
Attacker can cause entire Internet to send traffic
for a victim IP to attacker’s address.
Example: Youtube mishap (see DDoS lecture)
21. Interdomain Routing
connected group of one or
more Internet Protocol
prefixes under a single
routing policy (aka domain)
OSPF
BGP
Autonomous
System
earthlink.net Stanford.edu
22. BGP overview
! Iterative path announcement
Path announcements grow from destination to
source
Packets flow in reverse direction
! Protocol specification
Announcements can be shortest path
Not obligated to use announced path
23. BGP example [D. Wetherall]
! Transit: 2 provides transit for 7
! Algorithm seems to work OK in practice
BGP is does not respond well to frequent node outages
3 4
6 5
7
1
8 2
7
7
2 7
2 7
2 7
3 2 7
6 2 7
2 6 52 6 5
2 6 5
3 2 6 5
7 2 6 5
6 5
5
5
24. Issues
! Security problems
Potential for disruptive attacks
BGP packets are un-authenticated
Attacker can advertise arbitrary routes
Advertisement will propagate everywhere
Used for DoS and spam (detailed example in DDoS lecture)
! Incentive for dishonesty
ISP pays for some routes, others free
26. Domain Name System
! Hierarchical Name Space
root
edunetorg ukcom ca
wisc ucb stanford cmu mit
cs ee
www
DNS
27. DNS Root Name Servers
! Hierarchical service
Root name servers for
top-level domains
Authoritative name
servers for subdomains
Local name resolvers
contact authoritative
servers when they do
not know a name
28. DNS Lookup Example
Client
Local DNS
resolver
root & edu
DNS server
stanford.edu
DNS server
www.cs.stanford.edu
NS stanford.eduwww.cs.stanford.edu
NS cs.stanford.edu
cs.stanford.edu
DNS server
DNS record types (partial list):
- NS: name server (points to other server)
- A: address record (contains IP address)
- MX: address in charge of handling email
- TXT: generic text (e.g. used to distribute site public keys (DKIM) )
29. Caching
! DNS responses are cached
Quick response for repeated translations
Useful for finding servers as well as addresses
NS records for domains
! DNS negative queries are cached
Save time for nonexistent sites, e.g. misspelling
! Cached data periodically times out
Lifetime (TTL) of data controlled by owner of data
TTL passed with every record
30. DNS Packet
! Query ID:
16 bit random value
Links response to query
(from Steve Friedl)
32. Response to resolver
Response contains IP
addr of next NS server
(called “glue”)
Response ignored if
unrecognized QueryID
33. Authoritative response to resolver
final answer
bailiwick checking:
response is cached if
it is within the same
domain of query
(i.e. a.com cannot
set NS for b.com)
34. Basic DNS Vulnerabilities
! Users/hosts trust the host-address mapping
provided by DNS:
Used as basis for many security policies:
Browser same origin policy, URL address bar
! Obvious problems
Interception of requests or compromise of DNS servers can
result in incorrect or malicious responses
e.g.: hijack BGP route to spoof DNS
Solution – authenticated requests/responses
Provided by DNSsec … but no one uses DNSsec
35. DNS cache poisoning (a la Kaminsky’08)
! Victim machine visits attacker’s web site, downloads Javascript
user
browser
local
DNS
resolver
Query:
a.bank.com
a.bank.com
QID=x1
attackerattacker wins if ∃j: x1 = yj
response is cached and
attacker owns bank.com
ns.bank.com
IPaddr
256 responses:
Random QID y1, y2, …
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
36. If at first you don’t succeed …
! Victim machine visits attacker’s web site, downloads Javascript
user
browser
local
DNS
resolver
Query:
b.bank.com
b.bank.com
QID=x2
attacker
256 responses:
Random QID y1, y2, …
NS bank.com=ns.bank.com
A ns.bank.com=attackerIP
attacker wins if ∃j: x2 = yj
response is cached and
attacker owns bank.com
ns.bank.com
IPaddr
success after ≈ 256 tries (few minutes)
37. Defenses
! Increase Query ID size. How?
a. Randomize src port, additional 11 bits
Now attack takes several hours
b. Ask every DNS query twice:
Attacker has to guess QueryID correctly twice (32 bits)
Apparently DNS system cannot handle the load
38. Pharming
! DNS poisoning attack (less common than phishing)
Change IP addresses to redirect URLs to fraudulent sites
Potentially more dangerous than phishing attacks
No email solicitation is required
! DNS poisoning attacks have occurred:
January 2005, the domain name for a large New York ISP,
Panix, was hijacked to a site in Australia.
In November 2004, Google and Amazon users were sent to
Med Network Inc., an online pharmacy
In March 2003, a group dubbed the "Freedom Cyber Force
Militia" hijacked visitors to the Al-Jazeera Web site and
presented them with the message "God Bless Our Troops"
39. DNS Rebinding Attack
Read permitted: it’s the “same origin”
Firewall
www.evil.com
web server
ns.evil.com
DNS server
171.64.7.115
www.evil.com?
corporate
web server
171.64.7.115 TTL = 0
<iframe src="http://www.evil.com">
192.168.0.100
192.168.0.100
[DWF’96, R’01]
DNS-SEC cannot
stop this attack
40. DNS Rebinding Defenses
! Browser mitigation: DNS Pinning
Refuse to switch to a new IP
Interacts poorly with proxies, VPN, dynamic DNS, …
Not consistently implemented in any browser
! Server-side defenses
Check Host header for unrecognized domains
Authenticate users with something other than IP
! Firewall defenses
External names can’t resolve to internal addresses
Protects browsers inside the organization
41. Summary
! Core protocols not designed for security
Eavesdropping, Packet injection, Route stealing,
DNS poisoning
Patched over time to prevent basic attacks
(e.g. random TCP SN)
! More secure variants exist (next lecture) :
IP -> IPsec
DNS -> DNSsec
BGP -> SBGP