
C4[2] Software Security Presentation


  1. software security: ur doin it rong
  2. 1. how much to care.
  3. how much should YOU care? Less.
  4. a sucker’s bet! “my UTU protocol uses ISO IEC 48798783 without the Helsinki vulnerability, bitches!”
  5. a sucker’s bet! FAIL* “Only two remote holes in the default install”.
  6. a sucker’s bet! FTW! 10 years, no exploitable flaws in a top-5 mail server. UNPOSSIBLE!
  7. in it for the girlies and the ! actually jason fried (not to scale)
       • The guy in the rated R movie. So money!
       • Not bad at security. Just not awesome. FTW!
  8. why I care?
       ⌘ I’m Paranoid
       ⌘ What could you tell me to make me feel better about running Adium?
       ⌘ Not.
       ⌘ Much.
  9. why I care?
       ⌘ How to make literally tens of dollars with
         • Movable Type
         • NetNewsWire
         • John Gruber == target rich environment
         • 99.99% of Mac devs
  10. is your blog pwned? Pwnie for mass 0wnage ’08: WordPress
  11. stupid mac bugs I have known
       ⌘ “The "Repair Permissions" tool in Disk Utility makes /usr/bin/emacs setuid”
       ⌘ “osascript -e 'tell app "ARDAgent" to do shell script "whoami"'”
       ⌘ QTPointerRef p = h.toQTPointer(-2000000000, 10 /*size*/);
       ⌘ install_crontab --DejaVu
  12. 2. all you need to know
  13. if you get this, you’re 90% done
       ⌘ length is scary
         • now you get: stack overflows, heap overflows, integer overflows, integer underflows, uninitialized variables, null pointer offsets.
         • initialize variables, abort when malloc fails, count with unsigned ints, and don’t let them wrap.
         • go live your life.
       ⌘ content is scary
         • now you get: XSS, SQL injection, shell injection, xpath injection.
         • whitelist to alphanumeric and swap punctuation for HTML entities.
         • go live your life.
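Both halves of slide 13 as working code. This is an added example written for this page, not code from the deck or from any tool it mentions; the length-prefixed record format, the field rule and the sample inputs are constructed for illustration. Ruby cannot corrupt memory the way C does, so the "length" half shows the checks themselves: read the count as unsigned, compare it against what is left rather than adding it to an offset, and bail out before touching the buffer.

```ruby
# Added example (not from the deck): the "length" and "content" rules from slide 13.

# --- length is scary -------------------------------------------------------
# Constructed wire format: 4-byte big-endian unsigned length, then that many
# bytes of payload, records back to back.
class LengthError < StandardError; end

def parse_records(buf)
  records = []
  off = 0
  while off < buf.bytesize
    raise LengthError, "truncated header at offset #{off}" if buf.bytesize - off < 4
    # Read the count as unsigned ("N"). A signed read ("l>") turns 0xFFFFFFFF
    # into -1, which sails past any "len < size" comparison.
    len = buf.byteslice(off, 4).unpack1("N")
    off += 4
    remaining = buf.bytesize - off
    # Compare against what is left instead of computing off + len: in C it is
    # the addition that wraps, the comparison does not.
    raise LengthError, "length #{len} exceeds remaining #{remaining}" if len > remaining
    records << buf.byteslice(off, len)
    off += len
  end
  records
end

# --- content is scary ------------------------------------------------------
# Rule 1 from the slide: a field with no business holding punctuation gets
# refused unless it is short and alphanumeric. Nothing to escape later.
def alnum_or_reject(value, max: 64)
  ok = value.is_a?(String) && value.bytesize <= max && value.match?(/\A[A-Za-z0-9]+\z/)
  raise ArgumentError, "rejected: not short alphanumeric" unless ok
  value
end

# Rule 2: free text that has to reach an HTML page gets its punctuation swapped
# for entities on output, so it can only ever render as text.
HTML_ENTITY = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                '"' => "&quot;", "'" => "&#39;" }.freeze

def html_escape(text)
  text.gsub(/[&<>"']/, HTML_ENTITY)
end
```

`parse_records` refuses a 0xFFFFFFFF length with three bytes left instead of slicing past the end, and refuses a length of 5 with two bytes left; `alnum_or_reject` throws out `bob' OR 1=1--` before it gets anywhere near a query; `html_escape` turns a `<script>` tag into `&lt;script&gt;`. The point of the slide is that these three checks, applied everywhere a length or a string crosses a trust boundary, cover most of the bug classes listed.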
  14. but what about...?
       ⌘ return-based exploitation of stack cookies leaked through stale memory that defeat 8 bit ASLR seeding on...
       ⌘ internationalized best-fit shift-JIS filter evasion with union selects...
  15. Overview of the Same Origin
       • Goal is to prevent a resource loaded from one site manipulating or communicating with another site
       • Evil.com should not be able to drive interaction on my behalf to bank.com
       I mean, what do you do in Las Vegas? You gamble - and you go to strip clubs - Scott
  16. Enter Jafar Attacks
       You took too much man, too much, too much. – Benicio Del Toro
  17. That’s GIFAR Attacks, Not Jafar
       • What’s a GIFAR?
         – A combination of a GIF and a JAR resulting from the fact that a JAR keeps its relevant data within the footer of a file, whereas GIFs keep their relevant metadata in the header
         – Allows us to create a file that is both a GIF and a JAR
         – Will load just as any image would, but will also load as a JAR (Applet in this case)
       He who makes a beast out of himself gets rid of the pain of being a man. – Hunter S.
  18. What’s WRONG with this Picture?
  19. These aren’t the JARs you’re looking for
  20. What does this get US?
       • A “Bridge” is created
       • Applet can talk to your domain
       • My webpage (evil.com) can talk to the APPLET
       • We use your cookies
       • We drive interaction on your behalf
  21. 3. features that fuck over developers.
  22. don’t do these things.
       ⌘ encraption
         • unless it’s openssl or gpg.
       ⌘ password storage
         • unless it’s bcrypt.
       ⌘ write directly into the DOM
         • ever.
       ⌘ installers
         • thanks for making my app writable.
       ⌘ listeners
         • do not want another web server. cannot use.
       ⌘ content controlled code
         • blog templates
       ⌘ file upload/download
  23. rubber chicken security
       ⌘ SSL
       ⌘ hackersafe
       ⌘ little lock icons
       ⌘ javascript crypto
       ⌘ scripting languages
  24. the myth of the passive
       ⌘ it’s not 1994
       ⌘ the backbone sun4m doesn’t got ethersniff
       ⌘ they have better things to do
         • wifi assoc
         • arp
         • dns
         • bgp
         • xss
       ⌘ it’s all mitm now
  25. by all means piss us off
       ⌘ #1 security feature: big long random urls
         • not http://app/customer/Bob or http://app/customer/101
         • http://app/customer/dZFdv5SWP23RMVADyT819UK7J
       ⌘ encode your data, but jumble the b64 charset.
       ⌘ encrypt your data. fixed key! just scramble the sboxes! add a round! xor the keystream!
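Slide 25's last bullet, "fixed key! ... xor the keystream!", next to the "big long random urls" it recommends. This is an added example for this page, not the deck's code; the keystream bytes and the customer ids are constructed. The attack side is the one a practitioner wants to see: with a reused keystream, anyone holding one (id, token) pair, for instance their own, recovers every other customer's id without ever learning the key.

```ruby
require 'securerandom'

# Added example (not from the deck): why "encrypting" an id with a fixed
# keystream is not a secret, and what a real unguessable handle looks like.

# --- the anti-pattern: customer id XORed with a fixed keystream ---------------
# Constructed key; in the real anti-pattern it is a constant baked into the app.
FIXED_KEYSTREAM = "\x5a\xc3\x9f\x11\x7e\x02\xa4\xd8".b.freeze

def xor_bytes(a, b)
  n = [a.bytesize, b.bytesize].min
  a.bytes.first(n).zip(b.bytes.first(n)).map { |x, y| x ^ y }.pack("C*")
end

def weak_token(customer_id)
  xor_bytes(customer_id.to_s.b, FIXED_KEYSTREAM).unpack1("H*")
end

# Same keystream for every token means ct1 ^ ct2 == p1 ^ p2, so XORing with the
# one plaintext you know (your own id) hands you the victim's.
def recover_id(my_id, my_token, victim_token)
  my_ct     = [my_token].pack("H*")
  victim_ct = [victim_token].pack("H*")
  xor_bytes(xor_bytes(my_ct, victim_ct), my_id.to_s.b)
end

# --- the recommendation: a big random handle, mapped to the id on the server ---
class CustomerHandles
  def initialize
    @id_by_handle = {}
  end

  # 24 bytes from the OS CSPRNG => 32 URL-safe characters, 192 bits of entropy.
  # There is nothing to decode: the handle means something only to this table.
  def issue(customer_id)
    handle = SecureRandom.urlsafe_base64(24)
    @id_by_handle[handle] = customer_id
    handle
  end

  def lookup(handle)
    @id_by_handle[handle]   # nil for anything this server never issued
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "weak token for 101: #{weak_token(101)}, for 102: #{weak_token(102)}"
  puts "recovered from my own pair: #{recover_id(101, weak_token(101), weak_token(102))}"
  handles = CustomerHandles.new
  puts "random handle for 101: #{handles.issue(101)}"
end
```

The value of `FIXED_KEYSTREAM` never matters to the attack, which is the whole point: scrambling the S-boxes or adding a round changes nothing about ciphertexts that share a keystream. The random handle has no structure to attack; the only way to a customer's record is the server-side table.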
  26. 4. fuzzing: pretty much all you need to do.
  27. what’s a fuzzer?
       ⌘ figure out the protocol packets or file formats you use.
       ⌘ define structures for them.
       ⌘ replace fields with random garbage
         • long strings, high ascii, metacharacters, negative numbers
       ⌘ iterate over all fields
       ⌘ this finds, what, 60% of all reported vulnerabilities?
  28. be the world expert for your
       ⌘ writing a contact manager?
         • write a vCard fuzzer
       ⌘ writing a calendar?
         • write an iCal fuzzer
       ⌘ writing an IM client?
         • write an OSCAR fuzzer
       ⌘ Run it. Every release. Fix stuff.
       ⌘ Publish it. Now you’re an expert.
       ⌘ Be a jerk: run it on your competitors.
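The four steps of slide 27 applied to slide 28's first suggestion, a vCard fuzzer, in plain Ruby. This is an added example for this page; it is not ruckus or any other framework the deck names. The vCard layout, the toy parser it is run against, and the format-string garbage class (which the slide does not list) are constructed for illustration.

```ruby
# Added example (not from the deck, not ruckus): a structure-first vCard fuzzer
# following the four steps on slide 27.

# Step 1/2: the format and its structure, here a constructed minimal vCard 3.0.
VCARD_FIELDS = [
  ["BEGIN",   "VCARD"],
  ["VERSION", "3.0"],
  ["FN",      "Bob Example"],
  ["N",       "Example;Bob;;;"],
  ["TEL",     "+1-555-0100"],
  ["EMAIL",   "bob@example.invalid"],
  ["END",     "VCARD"],
].freeze

METACHARS = [";", ":", ",", "\\", "\n", "%", "$", "`", "'", "\"", "<", ">"].freeze

# Step 3: garbage generators, one per class the slide lists, plus format
# strings, which the slide does not mention.
MUTATORS = {
  long_string:   ->(rng) { "A" * [256, 1024, 65_536].sample(random: rng) },
  high_ascii:    ->(rng) { Array.new(64) { (0x80 + rng.rand(0x80)).chr }.join },
  metachars:     ->(rng) { METACHARS.shuffle(random: rng).join },
  negative_num:  ->(rng) { (-1 - rng.rand(2**31)).to_s },
  format_string: ->(rng) { "%s%n" * (1 + rng.rand(8)) },
}.freeze

def render_vcard(fields)
  fields.map { |name, value| "#{name}:#{value}" }.join("\r\n") + "\r\n"
end

# Step 4: every field gets every garbage class, one mutation per case so a
# crash points at exactly one field. Seeded, so a finding can be replayed.
def fuzz_cases(seed: 1)
  rng = Random.new(seed)
  VCARD_FIELDS.each_index.flat_map do |i|
    MUTATORS.map do |mname, gen|
      fields = VCARD_FIELDS.each_with_index.map { |(n, v), j| j == i ? [n, gen.call(rng)] : [n, v] }
      { field: VCARD_FIELDS[i][0], mutator: mname, input: render_vcard(fields) }
    end
  end
end

# Feed every case to the target and keep the ones that blew up. Against a real
# app the target is your parser under a crash reporter; here it is a block.
def run_fuzzer(seed: 1)
  fuzz_cases(seed: seed).filter_map do |c|
    begin
      yield c[:input]
      nil
    rescue StandardError => e
      { field: c[:field], mutator: c[:mutator], error: e.class.name }
    end
  end
end

# Constructed toy target with the kind of assumption fuzzing shakes out: it
# trusts that N always carries at least two ';'-separated components.
def naive_parse_vcard(text)
  card = {}
  text.split(/\r?\n/).each do |line|
    name, value = line.split(":", 2)
    card[name] = value
  end
  family, given = card["N"].split(";")
  card["display"] = "#{given.strip} #{family.strip}"
  card
end

if __FILE__ == $PROGRAM_NAME
  run_fuzzer(seed: 7) { |input| naive_parse_vcard(input) }.each { |f| puts f.inspect }
end
```

Seven fields times five garbage classes is 35 cases; the toy parser survives all of them except the ones that hit `N`, which is exactly the report you want: the field, the garbage class, and the exception. Swap the constructed structure for your own format and the block for your real parser, and you have the "run it every release" loop from slide 28.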
  29. there’s a framework for you
       ⌘ use python? get peach fuzzer, or sulley
       ⌘ use C? get spike
       ⌘ use Perl? try fuzzled
       ⌘ use ruby? here’s ruckus
  30. here’s ours: ruckus
       ⌘ lay out structures
  31. here’s ours: ruckus
       ⌘ everything is composable
       ⌘ forms a DOM:
         • fields => html class
         • “tag” => html ID
  32. here’s ours: ruckus
       ⌘ cascading fuzz sheets
       ⌘ write test cases, run them, find stuff, fix, get on with your life.
  33. web dev? if you buy one thing:
       ⌘ make it burp suite
         • first google hit for burp!
       ⌘ €99.
         • 1% of your graphic design budget
  34. 6. there are no secrets.
  35. you have no hope
  36. state of the art on win32
       ⌘ differential debugging
       ⌘ virtualization
  37. osx lagging 6 months behind,
  38. 7. outreach.
  39. for god’s sake have a security
       ⌘ Link on your website:
         • To report a security problem, click here.
       ⌘ Post a GPG key.
       ⌘ Designate someone your security contact.
       ⌘ Publish advisories.
       ⌘ Act like you’ve done this before.
  40. oh the researchers you’ll meet
       ⌘ kids
         • want the cred, a new 360.
       ⌘ consultants
         • want the cred.
       ⌘ criminals
         • aren’t talking to you anyways.
       ⌘ researchers
         • want the cred.
       ⌘ customers
         • want you to fix it.
  41. when they come to you...
       ⌘ don’t call them enhancements
       ⌘ don’t argue about severity
  42. 8. an indie sdlc.
  43. all you need to do:
       ⌘ fuzz
       ⌘ secure auto-update
         • with a signed cert!
       ⌘ crash reporter with stack/regs
       ⌘ outreach
       ⌘ stop worrying
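The "secure auto-update" item from slide 43, worked through. This is an added example for this page, not the deck's code or any real updater: the slide's "signed cert" is read here as a public key pinned in the app, the manifest layout (version plus SHA-256 of the bundle) is an assumption, and the downgrade check is a caveat added by this editor that the slide does not state.

```ruby
require 'openssl'
require 'json'
require 'digest'
require 'rubygems'   # for Gem::Version

# Added example (not from the deck): signed auto-update. A public key pinned in
# the app; the release machine signs a manifest naming the bundle's version and
# SHA-256; the client installs nothing that does not check out.

DIGEST = "SHA256"

# Release side. The private key never leaves the build box.
def sign_manifest(manifest, private_key)
  payload = JSON.generate(manifest)
  sig = private_key.sign(OpenSSL::Digest.new(DIGEST), payload)
  { "payload" => payload, "sig" => sig.unpack1("H*") }
end

# Client side. Returns [:ok, manifest] or [reason, nil].
# Order matters: nothing inside the manifest is trusted until the signature holds.
def verify_update(signed, bundle_bytes, pinned_public_key, installed_version)
  payload = signed["payload"].to_s
  sig = [signed["sig"].to_s].pack("H*")
  valid = begin
    pinned_public_key.verify(OpenSSL::Digest.new(DIGEST), sig, payload)
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return [:bad_signature, nil] unless valid

  manifest = JSON.parse(payload)
  # A valid signature on an OLD manifest is how a downgrade attack works; refuse it.
  unless Gem::Version.new(manifest["version"]) > Gem::Version.new(installed_version)
    return [:downgrade, nil]
  end
  # The signed manifest vouches for the bundle only through its hash, so the
  # bundle itself can travel over plain HTTP or a mirror you do not control.
  return [:bad_digest, nil] unless Digest::SHA256.hexdigest(bundle_bytes) == manifest["sha256"]

  [:ok, manifest]
end

# Pretend to be the release machine for one bundle.
def release(bundle_bytes, version, private_key)
  sign_manifest({ "version" => version, "sha256" => Digest::SHA256.hexdigest(bundle_bytes) }, private_key)
end

if __FILE__ == $PROGRAM_NAME
  key    = OpenSSL::PKey::RSA.new(2048)          # demo key; the real one lives on the build box
  pinned = key.public_key                        # this is what ships inside the app
  bundle = "constructed app bundle bytes".b
  signed = release(bundle, "1.1", key)
  p verify_update(signed, bundle, pinned, "1.0").first         # :ok
  p verify_update(signed, bundle + "x", pinned, "1.0").first   # :bad_digest
  p verify_update(signed, bundle, pinned, "1.2").first         # :downgrade
end
```

The three failure paths are the ones an updater actually meets: a bundle swapped on the mirror (digest mismatch), a replayed older release (downgrade), and a manifest edited or signed by someone without the key (signature). Fetching the manifest over TLS is still worth doing, but per slide 23 the lock icon is not what makes the update trustworthy; the pinned key is.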
  44. no really we sweated this deck
  45. Questions (are your way of proving you paid attention)
