Security for Ruby/Rails Devs v2

Transcript

1. Ruby/Rails  Security   Gavin  Miller     @gavingmiller   gavinmiller.io

    

2. Cisco   Advanced  Malware  Protec=on  (AMP)  

3. Sources:  h+ps://haveibeenpwned.com/PwnedWebsites                

                    h+p://betanews.com/2014/12/17/the-­‐top-­‐10-­‐worst-­‐security-­‐breaches-­‐of-­‐2014/  

4. Sources:  h+ps://haveibeenpwned.com/PwnedWebsites                

                    h+p://betanews.com/2014/12/17/the-­‐top-­‐10-­‐worst-­‐security-­‐breaches-­‐of-­‐2014/  

5. Adobe   Poor  EncrypDon   Sony   SQL  InjecDon  +

    OnSite  Breach  /  Stolen   CredenDals   Dominos   Weak  MD5  password  Hashing   Snapchat   Brute  force  enumeraDon  of  phone  numbers   Yahoo   SQL  InjecDon   Target     Stolen  HVAC  credenDals  &  pivoted  into  POS   system   eBay   Stolen  employee  credenDals   Ashley   Madison   Internal  data  dump   Source:  h+p://krebsonsecurity.com/2014/02/target-­‐hackers-­‐broke-­‐in-­‐via-­‐hvac-­‐company/                                h+p://www.businessinsider.com/how-­‐the-­‐hackers-­‐broke-­‐into-­‐sony-­‐2014-­‐12  

6. Most  of  the  industry’s  worst  security  problems   happened  because

    smart  developers   approached  security  code  the  same  way  they   did  the  rest  of  their  code.     The  difference  between  security  code  and   applica<on  code  is,  when  applica<on  code  fails,   you  find  out  right  away.       When  security  code  fails,  you  find  out  4  years   from  now,  when  a  DVD  with  all  your  customer’s   credit  card  and  CVV2  informa<on  starts   circula<ng    -­‐  Thomas  Ptacek   Source:  h+p://web.archive.org/web/20130407190430/h+p://chargen.matasano.com/chargen/                                      2007/9/7/enough-­‐with-­‐the-­‐rainbow-­‐tables-­‐what-­‐you-­‐need-­‐to-­‐know-­‐about-­‐s.html  

7. Goals   Could  we  be  breached  like  that?    

   Glimpse  into  tools  hackers  use     Pee  your  pants  a  liIle   Scare  you  a  <ny  bit  

8. Topics   •  AIacks:     – SQL  Injec<on,  Side  Channel

     •  Preven<on:   – Brakeman,  CVES,  Process  

9. SQL  Injec=on    

10. SQL  Injec=on  

11. SQL  Injec=on  

12. SQL  Injec=on  

13. SQL  Injec=on  

14. SQL  Injec=on  

15. None
16. None

17. Source:  h*p://www.troyhunt.com/2015/09/good-­‐news-­‐your-­‐credit-­‐card-­‐is-­‐fine-­‐and.html  

18. Quiz  Time  (&  give  away)  

19. None

20. Side  Channel   An  aJack  to  exploit  the  informa=on  gained/

    leaked  from  the  implementa=on  of  a  system   Source:  h+ps://en.wikipedia.org/wiki/Side-­‐channel_a+ack  

21. Side  Channel   An  aJack  to  exploit  the  informa=on  gained/

    leaked  from  the  implementa=on  of  a  system     •  Timing  AJacks   •  Power  Monitoring  AJacks   •  Acous=c  Cryptanalysis   •  Row  Hammer   Source:  h+ps://en.wikipedia.org/wiki/Side-­‐channel_a+ack  

22. Timing  AJack   A  type  of  side  channel  aJack  that

     exploits   the  =me  an  algorithm  takes  to  execute  

23. You  repeatedly  send  guesses  about  a  secret   value  to

     the  server,  which  rejects  them  as   incorrect.       However,  if  your  first  byte  of  the  guess  is   correct,  it  takes  a  very  slightly  longer  Ame  to   return  the  error.       With  many  measurements  and  some  filtering,   you  can  disAnguish  this  difference.    -­‐  Nate  Lawson   Source:  h+p://rdist.root.org/2010/07/19/exploiDng-­‐remote-­‐Dming-­‐a+acks/  
24. None
25. None
26. None

27. Total  Time:  0T  

28. Total  Time:  1T   ✓  

29. Total  Time:  2T   ✓   ✓  

30. Total  Time:  3T   ✓   ✓   ✓  

31. Total  Time:  8T   ✓   ✓   ✓  ✓

      ✓   ✓  ✓   ✓  

32. Total  Time:  0T  

33. Total  Time:  1T   ✓  

34. Total  Time:  2T   ✓   ✓  

35. Total  Time:  3T   ✓   ✓   ✓  

36. Total  Time:  4T   ✓   ✓   ✓  ✗

     

37. Exploitable?   Ruby  comparison  takes  0.840ns/byte   (effec<vely  per  character)

        Can  measure  a  30μs  difference  over  the   internet   Which  means  you  can't  exploit  a  <ming   aIack  over  the  internet  …  (in  Ruby)     Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y  

38. Exploitable!   So  get  closer…   EC2  to  EC2  can

     measure  a  15-­‐400ns   difference.   ==  <ming  aIacks  are  exploitable     Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y  

39. How?  

40. How?  

41. How?   Source:  h+ps://www.youtube.com/watch?v=idjDiBtu93Y   Normal  Histogram   Vulnerable  Histogram

     (Exaggerated)  
42. None

43. Secure  Comparisons   daxtens/fast_secure_compare   Devise   hIps:/ /github.com/plataformatec/devise/blob/ 014859ecff37af31b3b6fad371e41b7da23f244

    b/lib/devise.rb   Rails   hIp:/ /api.rubyonrails.org/classes/Ac<veSupport/ SecurityU<ls.html#method-­‐c-­‐secure_compare  

44. Preven=on  

45. Copy-­‐Paste  Coding   Source:  Actual  StackOverflow  code  –  no  url

     to  protect  the  guilty  

46. Process   "Put  someone  on  your  team  in  charge  of

     tracking   your  dependencies  (C  libraries,  Ruby  gems,  Python   easy_install  thingies)  and  have  a  process  by  which  you   periodically  check  to  make  sure  you’re  capturing   upstream  security  fixes.       You  should  run  your  service  aware  of  the  fact  that   major  vulnerabili<es  in  third-­‐party  library  code  are   ojen  fixed  without  fanfare  or  advisories;  when   maintainers  don’t  know  exactly  who’s  affected  how,   the  whole  announcement  might  happen  in  a  git   commit."    -­‐  Thomas  Ptacek     Source:  h+ps://news.ycombinator.com/item?id=3940286    

47. War  Games   -­‐  Hack  Yourself  First!   -­‐  Spend

     a  day  trying  to  get  into  your  system    

48. Mailing  Lists  &  CVEs   •  Ruby  Security  List  

    –  hIps:/ /groups.google.com/forum/#!forum/ruby-­‐security-­‐ann   •  Rails  Security  List   –  hIps:/ /groups.google.com/forum/?fromgroups#!forum/ rubyonrails-­‐security   •  CVE  Databases   –  hIps:/ /www.cvedetails.com/  

49. PRs  /  Code  Review  

50. None

51. 2013  Rails  YAML  CVE  

52. /security  

53. /security  

54. bundle  outdated  

55. bundle-­‐audit  check  

56. Brakeman  

57. Brakeman  

58. Thanks  :)   Make  good  decisions        

      @gavingmiller   gavinmiller.io