$30 off During Our Annual Pro Sale. View Details »

Security, Secrets, and Shenanigans

Security, Secrets, and Shenanigans

Richard Schneeman

March 06, 2013
Tweet

More Decks by Richard Schneeman

Other Decks in Programming

Transcript

  1. Security,
    Secrets,
    & Shenanigans
    Richard Schneeman
    @schneems

    View Slide

  2. @schneems

    View Slide

  3. Schnauser

    View Slide

  4. View Slide

  5. I <3
    Ruby

    View Slide

  6. Hans
    Peter
    Von
    Wolfe (the 5th)

    View Slide

  7. Sextant
    Gem

    View Slide

  8. Wicked


    Gem

    View Slide

  9. Triage
    Code
    codetriage.com

    View Slide

  10. View Slide

  11. Adjunct
    Professor

    View Slide

  12. Good News
    Everyone!
    schneems.com/ut-rails

    View Slide

  13. I work
    for
    this one

    View Slide

  14. AUS Ruby
    Conf

    View Slide

  15. View Slide

  16. Hello
    wroclove

    View Slide

  17. Close your
    Laptops

    View Slide

  18. Unless you’re
    commenting
    on rails/rails
    issues

    View Slide

  19. Web
    Security

    View Slide

  20. What does
    it mean to
    be secure

    View Slide

  21. I am not a
    security
    researcher

    View Slide

  22. You don’t
    have to be
    either

    View Slide

  23. Arm
    yourself
    with
    knowledge

    View Slide

  24. Every
    system has
    a weakness

    View Slide

  25. Security
    Bugs are
    Bugs

    View Slide

  26. 420,000 lines
    11 versions
    17 errors

    View Slide

  27. Bug free
    software is
    impossible

    View Slide

  28. Cover
    Common
    Exploits

    View Slide

  29. Talk about
    Mitigation
    Strategies

    View Slide

  30. Improve
    our security
    processes

    View Slide

  31. Availability

    View Slide

  32. Security
    isn’t just
    keeping
    others out

    View Slide

  33. Staying
    Available to
    Serve your
    customers

    View Slide

  34. DDoS

    View Slide

  35. Distributed
    Denial
    of
    Service

    View Slide

  36. View Slide

  37. View Slide

  38. View Slide

  39. Block IP
    Addresses

    View Slide

  40. Memory
    Exploits

    View Slide

  41. :symbols
    aren’t fancy
    strings

    View Slide

  42. :symbols
    are never
    garbage
    collected

    View Slide

  43. params[:id].to_sym

    View Slide

  44. params[:id].to_sym
    Don’t Do
    This

    View Slide

  45. Parser
    Exploits

    View Slide

  46. A billion
    Laughs

    View Slide












  47. ]>
    &lol9;

    View Slide

  48. 10 Entities

    View Slide

  49. Each
    Reference
    Previous
    Entries

    View Slide

  50. Consumes
    ~3GB of ram
    to process

    View Slide

  51. Like a Zip
    Bomb for
    XML
    parsers

    View Slide

  52. Ouch

    View Slide

  53. modern XML
    parsers are not
    vulnerable to this
    attack
    Libxml2

    View Slide

  54. Authentication
    the act of confirming the truth of an
    attribute of a datum or entity

    View Slide

  55. e
    Armadillos

    View Slide

  56. YAML
    Parser

    View Slide

  57. YAML
    Ain’t
    Markup
    Language

    View Slide

  58. development:
    adapter: postgresql
    encoding: utf8
    database: my_development
    pool: 5
    host: localhost
    config/database.yml

    View Slide

  59. require 'yaml'
    db_config = YAML::load_file('config/database.yml')
    puts db_config["development"]
    # => { "adapter" => "postgresql",
    "encoding" => "utf8",
    "database" => "example_development",
    "pool" => 5,
    "host" => "localhost" }

    View Slide

  60. YAML
    Ain’t
    just for basic
    objects

    View Slide

  61. “--- !ruby/array:Array
    - jacket
    - sweater”
    YAML::load
    => ???

    View Slide

  62. “--- !ruby/array:Array
    - jacket
    - sweater”
    YAML::load
    => [“jacket”, “sweater”]

    View Slide

  63. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    => ???

    View Slide

  64. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    => #

    View Slide

  65. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    user = User.new

    View Slide

  66. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    user = User.new
    user[:email] = “[email protected]

    View Slide

  67. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    user = User.new
    user[:email] = “[email protected]

    View Slide

  68. “--- !ruby/hash:User
    email: [email protected]
    YAML::load
    user = User.new
    user[:email] = “[email protected]
    puts user
    => #

    View Slide

  69. Interesting,
    but is it
    insecure?

    View Slide

  70. class Foo
    def []=(name, value)
    puts value * 3
    end
    end
    “--- !ruby/hash:Foo
    bar: hi”
    YAML::load
    foo = Foo.new

    View Slide

  71. class Foo
    def []=(name, value)
    puts value * 3
    end
    end
    “--- !ruby/hash:Foo
    bar: hi”
    YAML::load
    foo = Foo.new
    foo[:bar] = “hi”
    => “hihihi”

    View Slide

  72. class Foo
    def []=(name, value)
    puts value * 3
    end
    end
    “--- !ruby/hash:Foo
    bar: hi”
    YAML::load
    foo = Foo.new
    foo[:bar] = “hi”
    => “hihihi”

    View Slide

  73. Let’s Get
    Dirty

    View Slide

  74. class Foo
    def []=(name, value)
    eval(name) + value
    end
    end

    View Slide

  75. class Foo
    def []=(name, value)
    eval(name) + value
    end
    end
    --- !ruby/hash:Foo
    “puts '=== hello there'.inspect;”: hi
    YAML::load

    View Slide

  76. class Foo
    def []=(name, value)
    eval(name) + value
    end
    end
    --- !ruby/hash:Foo
    “puts '=== hello there'.inspect;”: hi
    YAML::load
    foo = Foo.new
    foo["puts '=== hello there'.inspect"] = 'hi'
    === hello there
    NoMethodError: undefined method `+' for nil:NilClass

    View Slide

  77. class Foo
    def []=(name, value)
    eval(name) + value
    end
    end
    --- !ruby/hash:Foo
    “puts '=== hello there'.inspect;”: hi
    YAML::load
    foo = Foo.new
    foo["puts '=== hello there'.inspect"] = 'hi'
    === hello there
    NoMethodError: undefined method `+' for nil:NilClass

    View Slide

  78. zOMG
    arbitrary
    code
    execution

    View Slide

  79. But how does an
    attacker get us to
    execute arbitrary
    YAML?

    View Slide

  80. XML
    Parser

    View Slide


  81. object:UnsafeObject
    attribute1: value1
    ]]>

    View Slide

  82. By default
    will parse
    arbitrary
    YAML

    View Slide

  83. I’m in UR
    Servers
    Executing
    My Code

    View Slide

  84. Java/
    PHP/
    C++/
    etc.
    Secure?

    View Slide

  85. Sanatize
    Your Inputs

    View Slide

  86. And your
    Floors

    View Slide

  87. Never Trust
    your users

    View Slide

  88. Or your dogs

    View Slide

  89. Ro
    Om
    Ba
    Attacks

    View Slide

  90. RoOmBa
    Attacks

    View Slide

  91. Responsible
    Disclosure

    View Slide

  92. Create a
    /security
    report page

    View Slide

  93. View Slide

  94. Intrusion
    Detection/
    Logging

    View Slide

  95. Papertrail

    View Slide

  96. Stay
    Informed

    View Slide

  97. Subscribe
    to
    Security
    Lists

    View Slide

  98. Patch
    Early, Patch
    often

    View Slide

  99. Secrets
    Secrets
    Secrets

    View Slide

  100. CSRF

    View Slide

  101. Cross
    Site
    Request
    Forgery

    View Slide

  102. View Slide

  103. config.security_token

    View Slide

  104. the key to
    your digital
    kingdom

    View Slide

  105. Would you
    give your
    Car key
    copies to:

    View Slide

  106. Interns?
    Your

    View Slide

  107. Contractors?
    Your

    View Slide

  108. Your
    Open Source
    Contributors?

    View Slide

  109. If secrets are in
    your source,
    you’ve already
    given them your
    digital kingdom

    View Slide

  110. Protect
    Your
    Code

    View Slide

  111. Secure keys
    in source
    control
    aren’t secure

    View Slide

  112. What’s an
    alternative?

    View Slide

  113. Environment
    Variables

    View Slide

  114. $ rake db:migrate RAILS_ENV=test

    View Slide

  115. $ rake db:migrate RAILS_ENV=test

    View Slide

  116. In
    Development

    View Slide

  117. Use a
    .env file

    View Slide

  118. $ cat .env
    SECRET_TOKEN=d59c2a439f

    View Slide

  119. Use dotenv
    gem

    View Slide

  120. $ irb
    > Dotenv.load
    > puts ENV[‘SECRET_TOKEN’]
    > “d59c2a439f”

    View Slide

  121. Use foreman
    gem

    View Slide

  122. $ foreman run irb
    > puts ENV[‘SECRET_TOKEN’]
    > “d59c2a439f”

    View Slide

  123. In
    Production

    View Slide

  124. $ heroku config:add SECRET_TOKEN=d59c2a439f

    View Slide

  125. VPS
    • Use Foreman/Dotenv
    • Add to bashrc
    • Add values directly to command
    $ SECRET_TOKEN=asd123 rails console
    ruby-1.9.3> puts ENV[‘SECRET_TOKEN’]
    ruby-1.9.3> “asd123”

    View Slide

  126. What if...

    View Slide

  127. Someone
    Can read my
    ENV
    Variables?

    View Slide

  128. Then they
    can read
    your files too

    View Slide

  129. Is your app
    secure?

    View Slide

  130. Is your app
    open
    source-
    able?

    View Slide

  131. SECRET_TOKEN
    is just one
    example of Config

    View Slide

  132. Define:
    Config

    View Slide

  133. Config
    • What varies between deploys
    • resource strings to databases
    • credentials to S3, twitter, facebook, etc.
    • canonical values, hostname
    • security tokens

    View Slide

  134. Can you deploy
    your app to change
    your S3 Bucket?

    View Slide

  135. Do you NEED to
    deploy your app to
    change your S3
    bucket?

    View Slide

  136. Environment
    Variables!
    Use

    View Slide

  137. Config

    View Slide

  138. But I like
    storing my
    credentials
    in git!

    View Slide

  139. What is
    Config?
    Just because
    it works...

    View Slide

  140. Wishlist:
    rotate-able
    security
    tokens

    View Slide

  141. Security

    View Slide

  142. Nothing is
    ever 100%
    secure

    View Slide

  143. Educate
    yourself

    View Slide

  144. Secrets

    View Slide

  145. Don’t store
    secrets in
    Git

    View Slide

  146. Use ENV
    Variables

    View Slide

  147. Shenanigans

    View Slide

  148. View Slide

  149. Vote @hone02
    (Terence Lee)
    Ruby Hero
    2013

    View Slide

  150. Questions?
    @schneems

    View Slide