Trojaned Gems: You can't tell you're using one

Trojaned Gems: You can't tell you're using one

This talk was presented at THOTCON 0x6, Beacon and OWASP Chicago. Brandon Myers and I talk about our research on Ruby Gem security. We talk about RubyGem 101 basics, transport layer security risks, how to trojan a gem, and discuss how to bypass gem signing. We also discuss a research tool we created to demonstrate the exploitation and trojaning process. We also provide guidance on how developers and users can better protect themselves from such weaknesses.

Demonstration Video #1: Gem Install Request Hijacking

Demonstration Video #2: Trojaning a Gem in Transit

Demonstration Video #3: Bypassing Signed Gems (on MediumSecurity)

Blog Post:


Jonathan Claudius

May 15, 2015