C4[2] Software Security Presentation


Published on

Published in: Technology, News & Politics
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • You care more about getting out there. Style and performance. Being a security wonk doesn’t do anything to improve the probability that your project will be successful in the marketplace...
  • ...just ask Zed...
  • ...or Theo...
  • ...or Dr. Bernstein...
  • Companies like 37signals have the right idea.
  • Security guys telling you not to care that much about security? There isn’t much you can tell *us* that will make us feel better about running what you write.
  • If you find a 0day in wordpress, you have the opportunity to own 99.99% of the mac development community and make literally tens of dollars.
  • It’s like 10,000 spoons when all you need is one spoon.
  • Even developers working within a decades old security model deliver vulnerable apps.
  • If you understand these two things, you’re 90% of the way there.
  • Security wonks are the audience for the average Blackhat talk. Trying to understand inside baseball (granted with a pretty good fantasy lineup) will only confuse you.
  • Nate recently gave a blackhat talk that demonstrates the idea. If you understand that you shouldn’t trust user-controlled content and you have a plan, you don’t need the details.
  • If you look REALLY closely… you’ll see that there is absolutely NOTHING wrong with this image…
  • Now… THIS image is a little different… This image is a GIFAR. It renders PERFECTLY with image rendering software, YET retains all the properties of a Java JAR
  • This is the HEADER of the file shown in the previous slide. Notice how of the header if fully intact.
  • Here is the footer of the same file. This is where things get interesting. Notice the PK, indicating a Zip format. Java JARs are essentially a zip file. This is an old skool stego trick.
  • These are the “7 deadly sins” of application development. If you avoid these, you’re ahead of just about everyone. Don’t try to do them correctly, DON’T DO THEM.
  • Things that make applications *appear* more secure but don’t actually do anything to improve security. Absolutely do these things. They’re easy to do. Don’t believe they improve the security of your application.
  • Attackers sniffing the backbone aren’t your threat model. Worry about them getting in the middle of your connections.
  • But chumming the water is a bad idea. Some things attract attention and attackers go right after them.
  • If you write a fuzzer and fix what it finds, you’re taking the “pole position”.
  • For whatever environment you’re developing in, there’s a fuzzer out there for you to build on.
  • Ruckus is ours.
  • Our favorite tool for testing web applications is Burp. Buy Burp. Seriously. Go do it right now.
  • The current state of the art of reverse engineering means that trying to hide things in the binaries you deliver is a lost cause.
  • Pedram Amini was sent back from the future to destroy you one disassembly at a time.
  • Security outreach is the number one thing you can do to improve the security of your products.
  • There’s only one person on this list that cares if you actually fix the issue (and they are paying you to do just that).
  • Semantics are important. Phrases like “...not exploitable...” and “...not severe...” show up in the press all the time, just long enough for the guy living in mom’s basement to publish exploit code.
  • SDLC is a great buzzword if you’re selling software to an enterprise and Microsoft is great at it. It doesn’t really help indie developers secure their apps.
  • Include these 4 things in your daily life and the 5th one is free.
  • C4[2] Software Security Presentation

    1. 1. software security: ur doin it rong
    2. 2. 1. how much to care.
    3. 3. how much should YOU care? Less.
    4. 4. a sucker’s bet ! “my UTU protocol uses ISO IEC 48798783 without the Helsinki vulnerability, bitches!”.
    5. 5. a sucker’s bet ! FAIL* “Only two remote holes in the default install”.
    6. 6. a sucker’s bet ! FTW! 10 years, no exploitable flaws in a top-5 mail server. UNPOSSIBLE!
    7. 7. in it for the girlies and the ! actually jason fried (not to scale) • The guy in the rated R movie. So money! • Not bad at security. Just not awesome. FTW!
    8. 8. why I care? ⌘ I’m Paranoid ⌘ What could you tell me to make me feel better about running Adium? ⌘ Not. ⌘ Much.
    9. 9. why I care? ⌘ How to make literally tens of dollars with • Moveable Type • NetNewswire • John Gruber == target rich environment • 99.99% of Mac devs
    10. 10. is your blog pwned? Pwnie for mass 0wnage ’08: Wordpress
    11. 11. stupid mac bugs I have known ⌘ “The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid” ⌘ “osascript -e 'tell app "ARDAgent" to do shell script "whoami"'” ⌘ QTPointerRef p = h.toQTPointer(-2000000000, 10 / *size*/); ⌘ install_crontab --DejaVu
    12. 12. 2. all you need to know
    13. 13. if you get this, you’re 90% done ⌘ length is scary • now you get: stack overflows, heap overflows, integer overflows, integer underflows, uninitialized variables, null pointer offsets. • initialize variables, abort when malloc fails, count, with unsigned ints, and don’t let them wrap. • go live your life. ⌘ content is scary • now you get: XSS, SQL injection, shell injection, xpath injection. • whitelist to alphanumeric and swap punctuation for HTML entities. • go live your life.
    14. 14. but what about...? ⌘ return-based exploitation of stack cookies leaked through stale memory that defeat 8 bit ASLR seeding on... ⌘ internationalized best-fit shift-JIS filter evasion with union selects...
    15. 15. Overview of the Same Origin • Goal is to prevent a resource loaded from one site manipulating or communicating with another site • Evil.com should not be able drive interaction on my behalf to bank.com I mean, what do you do in Las Vegas?  You gamble - and you go to strip clubs - Scott
    16. 16. Enter Jafar Attacks You took too much man, too much, too much. – Benecio Del Toro
    17. 17. That’s GIFAR Attacks, Not Jafar • What’s a GIFAR? – A combination of a GIF and a JAR resulting from the fact that a JAR keeps its relevant data within the footer of a file, whereas GIFs keep their relevant metadata in the header – Allows us to create a file that is both a GIF and a JAR – Will load just as any image would, but will also load as a JAR (Applet in this case) He who makes a beast out of himself gets rid of the pain of being a man. – Hunter S.
    18. 18. What’s WRONG with this Picture?
    19. 19. These aren’t the JARs you’re looking for
    20. 20. What does this get US? • A “Bridge” is created • Applet can talk to your domain • My webpage (evil.com) can talk to the APPLET • We use your cookies  • We drive interaction on your behalf
    21. 21. 3. features that fuck over developers.
    22. 22. don’t do these things. ⌘ encraption • unless it’s openssl or gpg. ⌘ password storage • unless it’s bcrypt. ⌘ write directly into the DOM • ever. ⌘ installers • thanks for making my app writeable. ⌘ listeners • do not want another web server. cannot use. ⌘ content controlled code • blog templates ⌘ file upload/download
    23. 23. rubber chicken security ⌘ SSL ⌘ hackersafe ⌘ little lock icons ⌘ javascript crypto ⌘ scripting languages
    24. 24. the myth of the passive ⌘ it’s not 1994 ⌘ the backbone sun4m doesn’t got ethersniff ⌘ they have better things to do • wifi assoc • arp • dns • bgp • xss ⌘ it’s all mitm now
    25. 25. by all means piss us off ⌘ #1 security feature: big long random urls • not http://app/customer/Bob or http://app/ customer/101 • http://app/customer/dZFdv5SWP23RMVADyT819UK7J ⌘ encode your data, but jumble the b64 charset. ⌘ encrypt your data. fixed key! just scramble the sboxes! add a round! xor the keystream!
    26. 26. 4. fuzzing: pretty much all you need to do.
    27. 27. what’s a fuzzer? ⌘ figure out the protocol packets or file formats you use. ⌘ define structures for them. ⌘ replace fields with random garbage • long strings, high ascii, metacharacters, negative numbers ⌘ iterate over all fields ⌘ this finds, what, 60% of all reported vulnerabilities?
    28. 28. be the world expert for your ⌘ writing a contact manager? • write a vCard fuzzer ⌘ writing a calendar? • write an iCal fuzzer ⌘ writing an IM client? • write an OSCAR fuzzer ⌘ Run it. Every release. Fix stuff. ⌘ Publish it. Now you’re an expert. ⌘ Be a jerk: run it on your competitors.
    29. 29. there’s a framework for you ⌘ use python? get peach fuzzer, or sulley ⌘ use C? get spike ⌘ use Perl? try fuzzled ⌘ use ruby? here’s ruckus
    30. 30. here’s ours: ruckus ⌘ lay out structures
    31. 31. here’s ours: ruckus ⌘ everything is composable ⌘ forms a DOM: • fields => html class • “tag” => html ID
    32. 32. here’s ours: ruckus ⌘ cascading fuzz sheets ⌘ write test cases, run them, find stuff, fix, get on with your life.
    33. 33. web dev? if you buy one thing: ⌘ make it burp suite • first google hit for burp! ⌘ €99. • 1% of your graphic design budget
    34. 34. 6. there are no secrets.
    35. 35. you have no hope
    36. 36. state of the art on win32 ⌘ differential debugging ⌘ virtualization
    37. 37. osx lagging 6 months behind,
    38. 38. 7. outreach.
    39. 39. for god’s sake have a security ⌘ Link on your website: • To report a security problem, click here. ⌘ Post a GPG key. ⌘ Designate someone your security contact. ⌘ Publish advisories. ⌘ Act like you’ve done this before.
    40. 40. oh the researchers you’ll meet ⌘ kids • want the cred, a new 360. ⌘ consultants • want the cred. ⌘ criminals • aren’t talking to you anyways. ⌘ researchers • want the cred. ⌘ customers • want you to fix it.
    41. 41. when they come to you... ⌘ don’t call them enhancements ⌘ don’t argue about severity
    42. 42. 8. an indie sdlc.
    43. 43. all you need to do: ⌘ fuzz ⌘ secure auto-update • with a signed cert! ⌘ crash reporter with stack/regs ⌘ outreach ⌘ stop worrying
    44. 44. no really we sweated this deck
    45. 45. Questions (are your way of proving you paid attention)