Security, Secrets, & Shenanigans
Richard Schneeman @schneems
@schneems
Schnauser
I <3 Ruby
Hans Peter Von Wolfe (the 5th)
Sextant Gem
Wicked Gem
Triage Code codetriage.com
Adjunct Professor
Good News Everyone! schneems.com/ut-rails
I work for this one
AUS RubyConf
Hellowroclove
Close your Laptops
Unless you’re commenting on rails/rails issues
Web Security
What does it mean to be secure
I am not a security researcher
You don’t have to be either
Arm yourself with knowledge
Every system has a weakness
Security Bugs are Bugs
420,000 lines, 11 versions, 17 errors
Bug free software is impossible
Cover Common Exploits
Talk about Mitigation Strategies
Improve our security processes
Availability
Security isn’t just keeping others out
Staying Available to Serve your customers
DDoS
Distributed Denial of Service
Block IP Addresses
Memory Exploits
:symbols aren’t fancy strings
:symbols are never garbage collected
params[:id].to_sym
params[:id].to_sym: Don’t Do This
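The point of the slide is that every distinct string handed to `to_sym` is interned as a new Symbol, so an attacker who controls a request parameter can make the process allocate symbols without bound. The mitigation is to never convert the raw input at all: compare it against a fixed set of known names and hand back one of those pre-existing symbols. The following is an added example, not code from the talk; the sort-key names, the `sort_key_from_param` helper and the symbol-counting helper are constructed for illustration.

```ruby
# Added example (not from the slides): accept a sort key from request params
# without ever calling to_sym on attacker-controlled input.

# Hypothetical set of sort columns this endpoint supports (constructed).
ALLOWED_SORT_KEYS = %i[name created_at updated_at].freeze
DEFAULT_SORT_KEY  = :created_at

# Returns one of ALLOWED_SORT_KEYS, or the default when the input is unknown.
# No Symbol is created from `raw`, whatever it contains: the comparison is
# done on strings and only a pre-existing symbol is ever returned.
def sort_key_from_param(raw)
  candidate = raw.to_s
  ALLOWED_SORT_KEYS.find { |key| key.to_s == candidate } || DEFAULT_SORT_KEY
end

# The pattern the slide warns against, kept here only for contrast: every
# call with a string not seen before interns a brand-new Symbol.
def sort_key_unsafe(raw)
  raw.to_s.to_sym
end

# Count how many symbols exist before and after feeding `n` unique strings
# through a conversion block (constructed inputs, not real request data).
def new_symbols_created(n, &convert)
  before = Symbol.all_symbols.size
  n.times { |i| convert.call("sort_#{i}_#{rand(1 << 32)}") }
  Symbol.all_symbols.size - before
end

if __FILE__ == $0
  puts "whitelist: #{new_symbols_created(10_000) { |s| sort_key_from_param(s) }} new symbols"
  puts "to_sym:    #{new_symbols_created(10_000) { |s| sort_key_unsafe(s) }} new symbols"
end
```

Running the file prints zero new symbols for the whitelist path and roughly one per input for the `to_sym` path; the exact second number depends on the Ruby version, since newer interpreters can collect dynamically created symbols, but the whitelist result does not depend on it.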
Parser Exploits
A billion Laughs
]>&lol9;
10 Entities
Each References Previous Entries
Consumes ~3GB of ram to process
Like a Zip Bomb for XML parsers
Ouch
modern XML parsers are not vulnerable to this attack (Libxml2)
Authentication: the act of confirming the truth of an attribute of a datum or entity
Armadillos
YAML Parser
YAML Ain’t Markup Language
config/database.yml:
development:
  adapter: postgresql
  encoding: utf8
  database: my_development
  pool: 5
  host: localhost
require 'yaml'
db_config = YAML::load_file('config/database.yml')
puts db_config["development"]
# => { "adapter" => "postgresql", "encoding" => "utf8", "database" => "my_development", "pool" => 5, "host" => "localhost" }
YAML Ain’t just for basic objects
YAML::load("--- !ruby/array:Array\n- jacket\n- sweater")
=> ["jacket", "sweater"]
YAML::load("--- !ruby/hash:User\nemail: [email protected]")
=> #
# which is equivalent to:
user = User.new
user[:email] = "[email protected]"
puts user
=> #
Interesting, but is it insecure?
class Foo
  def []=(name, value)
    puts value * 3
  end
end

YAML::load("--- !ruby/hash:Foo\nbar: hi")
# which is equivalent to:
foo = Foo.new
foo[:bar] = "hi"
=> "hihihi"
Let’s Get Dirty
class Foo
  def []=(name, value)
    eval(name) + value
  end
end

YAML::load(%q{--- !ruby/hash:Foo
"puts '=== hello there'.inspect;": hi})
# which is equivalent to:
foo = Foo.new
foo["puts '=== hello there'.inspect"] = 'hi'
=== hello there
NoMethodError: undefined method `+' for nil:NilClass
zOMG arbitrary code execution
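The defence that follows from these slides is to never hand untrusted YAML to `YAML.load`: `YAML.safe_load` builds only plain scalars, arrays and hashes, and refuses any `!ruby/...` tag by raising `Psych::DisallowedClass` before a class is resolved, an object allocated, or its `[]=` called. The block below is an added example, not code from the talk; the documents, the instrumented `Foo`, and the `parse_untrusted` helper are constructed to mirror the slides.

```ruby
require 'yaml'

# Added example (not from the talk): parse YAML from an untrusted source with
# YAML.safe_load so that tagged documents like the slides' !ruby/hash:Foo are
# rejected instead of instantiating arbitrary classes.

# Constructed documents in the same shape as the ones on the slides.
PLAIN_DOC  = "---\n- jacket\n- sweater\n"
ARRAY_TAG  = "--- !ruby/array:Array\n- jacket\n- sweater\n"
HASH_TAG   = "--- !ruby/hash:Foo\nbar: hi\n"
EVAL_STYLE = "--- !ruby/hash:Foo\n\"puts '=== hello there'.inspect;\": hi\n"

# A Foo like the one on the slides, instrumented so we can prove the parser
# never invoked its []= (allocate skips initialize, hence the ||= below).
class Foo
  def self.calls
    @calls ||= []
  end

  def []=(name, value)
    Foo.calls << [name, value]
  end
end

# Returns [:ok, value] for a document made only of basic types, or
# [:rejected, message] when the document asks for a Ruby class or uses an
# alias (safe_load rejects both by default).
def parse_untrusted(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $0
  [PLAIN_DOC, ARRAY_TAG, HASH_TAG, EVAL_STYLE].each do |doc|
    status, detail = parse_untrusted(doc)
    puts "#{status}: #{detail.inspect}"
  end
  puts "Foo#[]= was called #{Foo.calls.size} times"
end
```

Note that even the seemingly harmless `!ruby/array:Array` document is rejected: `safe_load` resolves no class names at all unless they are explicitly permitted through its `permitted_classes` option (`whitelist_classes` on older Psych releases), which is the right default when the input comes from a request body.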
But how does an attacker get us to execute arbitrary YAML?
XML Parser
object:UnsafeObject
attribute1: value1
]]>
By default will parse arbitrary YAML
I’m in UR Servers Executing My Code
Java/PHP/C++/etc. Secure?
Sanitize Your Inputs
And your Floors
Never Trust your users
Or your dogs
RoOmBa Attacks
Responsible Disclosure
Create a /security report page
Intrusion Detection / Logging
Papertrail
Stay Informed
Subscribe to Security Lists
Patch Early, Patch often
Secrets Secrets Secrets
CSRF
Cross Site Request Forgery
config.security_token
the key to your digital kingdom
Would you give your Car key copies to:
Your Interns?
Your Contractors?
Your Open Source Contributors?
If secrets are in your source, you’ve already given them your digital kingdom
Protect Your Code
Secure keys in source control aren’t secure
What’s an alternative?
Environment Variables
$ rake db:migrate RAILS_ENV=test
In Development
Use a .env file
$ cat .env
SECRET_TOKEN=d59c2a439f
Use dotenv gem
$ irb
> Dotenv.load
> puts ENV['SECRET_TOKEN']
> "d59c2a439f"
Use foreman gem
$ foreman run irb
> puts ENV['SECRET_TOKEN']
> "d59c2a439f"
In Production
$ heroku config:add SECRET_TOKEN=d59c2a439f
VPS
• Use Foreman/Dotenv
• Add to bashrc
• Add values directly to command
$ SECRET_TOKEN=asd123 rails console
ruby-1.9.3> puts ENV['SECRET_TOKEN']
ruby-1.9.3> "asd123"
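What dotenv and foreman do for the development case above is small enough to show in full: read `KEY=VALUE` lines from a file that is kept out of git, put them into the process environment without overriding anything the real environment already defines, and fail loudly at boot when a required secret is missing. The block below is an added example written for this page, not the dotenv or foreman gem itself; the sample `.env` contents and the `load_dotenv` / `fetch_secret` helpers are constructed for illustration (the token value is the one shown on the slides).

```ruby
# Added example (not the dotenv or foreman gem): a minimal .env reader and a
# fail-fast accessor for secrets, mirroring the workflow on the slides.

# Constructed sample .env contents.
SAMPLE_DOTENV = <<~ENVFILE
  # local development only, this file is in .gitignore
  SECRET_TOKEN=d59c2a439f
  S3_BUCKET="my-dev-bucket"
  DATABASE_URL='postgres://localhost/my_development'
ENVFILE

# Parse KEY=VALUE lines into a Hash. Blank lines and # comments are skipped;
# a matching pair of single or double quotes around a value is removed.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if key.nil? || value.nil?
    key = key.strip
    value = value.strip
    if value.length >= 2 && value[0] == value[-1] && %w[' "].include?(value[0])
      value = value[1..-2]
    end
    vars[key] = value
  end
end

# Merge parsed values into `env` (ENV by default) without overriding anything
# already defined there, so values exported on a production host always win
# over a stray .env file.
def load_dotenv(text, env = ENV)
  parse_dotenv(text).each { |key, value| env[key] = value unless env.key?(key) }
  env
end

# Fetch a required secret. An unset or empty value is a configuration error
# that should stop the process at boot rather than surface later as a nil.
def fetch_secret(name, env = ENV)
  value = env[name]
  if value.nil? || value.empty?
    raise KeyError, "#{name} is not set; export it or add it to .env"
  end
  value
end

if __FILE__ == $0
  env = load_dotenv(SAMPLE_DOTENV, {}) # a plain Hash stands in for ENV here
  puts "SECRET_TOKEN=#{fetch_secret('SECRET_TOKEN', env)}"
  puts "S3_BUCKET=#{fetch_secret('S3_BUCKET', env)}"
end
```

Calling `load_dotenv(File.read('.env'))` at the top of an application's boot would reproduce the `Dotenv.load` step from the slides; keeping `fetch_secret` as the only way to read secrets means a missing `SECRET_TOKEN` is reported immediately and by name instead of appearing as a silently empty signing key.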
What if...
Someone Can read my ENV Variables?
Then they can read your files too
Is your app secure?
Is your app open source-able?
SECRET_TOKEN is just one example of Config
Define: Config
Config
• What varies between deploys
• resource strings to databases
• credentials to S3, twitter, facebook, etc.
• canonical values, hostname
• security tokens
Can you deploy your app to change your S3 Bucket?
Do you NEED to deploy your app to change your S3 bucket?
Use Environment Variables!
Config
But I like storing my credentials in git!
What is Config? Just because it works...
Wishlist: rotate-able security tokens
Security
Nothing is ever 100% secure
Educate yourself
Secrets
Don’t store secrets in Git
Use ENV Variables
Shenanigans
Vote @hone02 (Terence Lee) Ruby Hero 2013
Questions? @schneems