Slide 1: Security, Secrets, & Shenanigans. Richard Schneeman, @schneems

Slide 2: @schneems

Slide 3: Schnauser

Slide 4: No content

Slide 5: I <3 Ruby

Slide 6: Hans Peter Von Wolfe (the 5th)

Slide 7: Sextant Gem

Slide 8: Wicked Gem

Slide 9: Triage Code: codetriage.com

Slide 10: No content

Slide 11: Adjunct Professor

Slide 12: Good News Everyone! schneems.com/ut-rails

Slide 13: I work for this one

Slide 14: AUS Ruby Conf

Slide 15: No content

Slide 16: Hello wroclove

Slide 17: Close your Laptops

Slide 18: Unless you're commenting on rails/rails issues

Slide 19: Web Security

Slide 20: What does it mean to be secure?

Slide 21: I am not a security researcher

Slide 22: You don't have to be either

Slide 23: Arm yourself with knowledge

Slide 24: Every system has a weakness

Slide 25: Security Bugs are Bugs

Slide 26: 420,000 lines, 11 versions, 17 errors

Slide 27: Bug free software is impossible

Slide 28: Cover Common Exploits

Slide 29: Talk about Mitigation Strategies

Slide 30: Improve our security processes

Slide 31: Availability

Slide 32: Security isn't just keeping others out

Slide 33: Staying Available to Serve your customers

Slide 34: DDoS

Slide 35: Distributed Denial of Service

Slide 36: No content

Slide 37: No content

Slide 38: No content

Slide 39: Block IP Addresses

Slide 40: Memory Exploits

Slide 41: :symbols aren't fancy strings

Slide 42: :symbols are never garbage collected

Slide 43: params[:id].to_sym

Slide 44: params[:id].to_sym: Don't Do This

Slide 45: Parser Exploits

Slide 46: A billion Laughs

Slide 47: ]> &lol9;

Slide 48: 10 Entities

Slide 49: Each references the previous entries

Slide 50: Consumes ~3GB of RAM to process

Slide 51: Like a Zip Bomb for XML parsers

Slide 52: Ouch

Slide 53: Modern XML parsers (libxml2) are not vulnerable to this attack

Slide 54: Authentication: the act of confirming the truth of an attribute of a datum or entity

Slide 55: e Armadillos

Slide 56: YAML Parser

Slide 57: YAML Ain't Markup Language

Slide 58: config/database.yml

    development:
      adapter: postgresql
      encoding: utf8
      database: my_development
      pool: 5
      host: localhost

Slide 59:

    require 'yaml'
    db_config = YAML::load_file('config/database.yml')
    puts db_config["development"]
    # => { "adapter" => "postgresql", "encoding" => "utf8", "database" => "example_development", "pool" => 5, "host" => "localhost" }

Slide 60: YAML Ain't just for basic objects

Slide 61:

    "--- !ruby/array:Array
    - jacket
    - sweater"
    YAML::load => ???

Slide 62:

    "--- !ruby/array:Array
    - jacket
    - sweater"
    YAML::load => ["jacket", "sweater"]

Slide 63:

    "--- !ruby/hash:User
    email: [email protected]"
    YAML::load => ???

Slide 64:

    "--- !ruby/hash:User
    email: [email protected]"
    YAML::load => #

Slide 65: What YAML::load does with that document:

    "--- !ruby/hash:User
    email: [email protected]"
    YAML::load
      user = User.new

Slides 66 and 67:

    "--- !ruby/hash:User
    email: [email protected]"
    YAML::load
      user = User.new
      user[:email] = "[email protected]"

Slide 68:

    "--- !ruby/hash:User
    email: [email protected]"
    YAML::load
      user = User.new
      user[:email] = "[email protected]"
      puts user => #

Slide 69: Interesting, but is it insecure?

Slide 70:

    class Foo
      def []=(name, value)
        puts value * 3
      end
    end

    "--- !ruby/hash:Foo
    bar: hi"
    YAML::load
      foo = Foo.new

Slides 71 and 72:

    class Foo
      def []=(name, value)
        puts value * 3
      end
    end

    "--- !ruby/hash:Foo
    bar: hi"
    YAML::load
      foo = Foo.new
      foo[:bar] = "hi" => "hihihi"

Slide 73: Let's Get Dirty

Slide 74:

    class Foo
      def []=(name, value)
        eval(name) + value
      end
    end

Slide 75:

    class Foo
      def []=(name, value)
        eval(name) + value
      end
    end

    --- !ruby/hash:Foo
    "puts '=== hello there'.inspect;": hi

    YAML::load

Slides 76 and 77:

    class Foo
      def []=(name, value)
        eval(name) + value
      end
    end

    --- !ruby/hash:Foo
    "puts '=== hello there'.inspect;": hi

    YAML::load
      foo = Foo.new
      foo["puts '=== hello there'.inspect"] = 'hi'
    === hello there
    NoMethodError: undefined method `+' for nil:NilClass

Slide 78: zOMG arbitrary code execution

Slide 79: But how does an attacker get us to execute arbitrary YAML?

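The `!ruby/hash:Foo` mechanism from slides 70 to 78 next to its mitigation, restricting which classes the loader may revive. This is an added example, not code from the talk; `Foo`, `TAGGED_DOC` and the helper names are assumptions, and it also covers the later Psych 4 (Ruby 3.1+) change where `YAML.load` became the restricted loader and the old behaviour moved to `YAML.unsafe_load`.

```ruby
require 'yaml'

# Hypothetical class standing in for the talk's Foo: it records every
# key/value pair the YAML loader pushes through []= instead of eval-ing it.
class Foo
  def []=(name, value)
    (@calls ||= []) << [name, value]
  end

  def calls
    @calls || []
  end
end

# Constructed sample document. The !ruby/hash:Foo tag asks Psych to
# allocate a Foo (no initialize) and assign each entry via Foo#[]=.
TAGGED_DOC = "--- !ruby/hash:Foo\nbar: hi\n"

# Unrestricted load, i.e. the behaviour the talk demonstrates. Psych 4
# (Ruby 3.1+) renamed it to unsafe_load; older Psych only has load.
def unrestricted_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted load: only plain YAML types plus explicitly permitted classes
# are revived; any other tag raises Psych::DisallowedClass before a single
# []= call happens. Returns [:ok, object] or [:rejected, message].
def restricted_load(doc, permitted: [])
  [:ok, YAML.safe_load(doc, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end
```

Untrusted input (request bodies, uploaded files) should only ever go through `restricted_load`; `permitted_classes` is the explicit allow list for the few application types you really need to revive.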
Slide 80: XML Parser

Slide 81: No content

Slide 82: By default will parse arbitrary YAML

Slide 83: I'm in UR Servers Executing My Code

Slide 84: Java/PHP/C++/etc. Secure?

Slide 85: Sanitize Your Inputs

Slide 86: And your Floors

Slide 87: Never Trust your users

Slide 88: Or your dogs

Slide 89: Ro Om Ba Attacks

Slide 90: RoOmBa Attacks

Slide 91: Responsible Disclosure

Slide 92: Create a /security report page

Slide 93: No content

Slide 94: Intrusion Detection/Logging

Slide 95: Papertrail

Slide 96: Stay Informed

Slide 97: Subscribe to Security Lists

Slide 98: Patch Early, Patch often

Slide 99: Secrets Secrets Secrets

Slide 100: CSRF

Slide 101: Cross Site Request Forgery

Slide 102: No content

Slide 103: config.security_token

Slide 104: the key to your digital kingdom

Slide 105: Would you give your Car key copies to:

Slide 106: Your Interns?

Slide 107: Your Contractors?

Slide 108: Your Open Source Contributors?

Slide 109: If secrets are in your source, you've already given them your digital kingdom

Slide 110: Protect Your Code

Slide 111: Secure keys in source control aren't secure

Slide 112: What's an alternative?

Slide 113: Environment Variables

Slides 114 and 115:

    $ rake db:migrate RAILS_ENV=test

Slide 116: In Development

Slide 117: Use a .env file

Slide 118:

    $ cat .env
    SECRET_TOKEN=d59c2a439f

Slide 119: Use dotenv gem

Slide 120:

    $ irb
    > Dotenv.load
    > puts ENV['SECRET_TOKEN']
    > "d59c2a439f"

Slide 121: Use foreman gem

Slide 122:

    $ foreman run irb
    > puts ENV['SECRET_TOKEN']
    > "d59c2a439f"

Slide 123: In Production

Slide 124:

    $ heroku config:add SECRET_TOKEN=d59c2a439f

Slide 125: VPS

    • Use Foreman/Dotenv
    • Add to bashrc
    • Add values directly to command

    $ SECRET_TOKEN=asd123 rails console
    ruby-1.9.3> puts ENV['SECRET_TOKEN']
    ruby-1.9.3> "asd123"

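The .env workflow from slides 117 to 125 as a small dotenv-style loader, added here as an illustration and not the dotenv or foreman gems' own code. It assumes the names `parse_dotenv`, `load_dotenv` and `required_env`; the sample file and its token value are constructed placeholders. It shows the precedence rule that matters in production: a value already in the real environment (set via `heroku config` or the shell) is never overwritten by a stray .env file, and missing config fails loudly instead of yielding a nil token.

```ruby
# Constructed sample .env; the token is a placeholder, not a real secret.
SAMPLE_DOTENV = <<~DOTENV
  # local development settings
  SECRET_TOKEN=d59c2a439f
  S3_BUCKET="my-dev-bucket"
DOTENV

# Parse KEY=value lines into a Hash. Blank lines and comments are skipped,
# keys must look like shell variable names, and one pair of matching
# surrounding quotes is removed from the value.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next unless key && value && key.match?(/\A[A-Z_][A-Z0-9_]*\z/)
    quoted = value.size >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
    vars[key] = quoted ? value[1..-2] : value
  end
end

# Apply parsed values to an environment hash (ENV by default) without
# clobbering variables that are already set, so production configuration
# always wins over a file that was checked out or left behind by mistake.
# Returns only the keys that were actually applied.
def load_dotenv(text, env: ENV)
  parse_dotenv(text).each_with_object({}) do |(key, value), applied|
    next if env.key?(key)
    env[key] = value
    applied[key] = value
  end
end

# Fail fast on missing config rather than running with a nil secret.
def required_env(name, env: ENV)
  env.fetch(name) { raise KeyError, "missing required config #{name}" }
end
```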
Slide 126: What if...

Slide 127: Someone can read my ENV variables?

Slide 128: Then they can read your files too

Slide 129: Is your app secure?

Slide 130: Is your app open-sourceable?

Slide 131: SECRET_TOKEN is just one example of Config

Slide 132: Define: Config

Slide 133: Config

    • What varies between deploys
    • resource strings to databases
    • credentials to S3, twitter, facebook, etc.
    • canonical values, hostname
    • security tokens

Slide 134: Can you deploy your app to change your S3 Bucket?

Slide 135: Do you NEED to deploy your app to change your S3 bucket?

Slide 136: Use Environment Variables!

Slide 137: Config

Slide 138: But I like storing my credentials in git!

Slide 139: What is Config? Just because it works...

Slide 140: Wishlist: rotate-able security tokens

Slide 141: Security

Slide 142: Nothing is ever 100% secure

Slide 143: Educate yourself

Slide 144: Secrets

Slide 145: Don't store secrets in Git

Slide 146: Use ENV Variables

Slide 147: Shenanigans

Slide 148: No content

Slide 149: Vote @hone02 (Terence Lee) Ruby Hero 2013

Slide 150: Questions? @schneems