Security, Secrets, and Shenanigans

Security,
Secrets,
& Shenanigans
Richard Schneeman
@schneems

View Slide

@schneems

View Slide

Schnauser

View Slide

View Slide

I <3
Ruby

View Slide

Hans
Peter
Von
Wolfe (the 5th)

View Slide

Sextant
Gem

View Slide

Wicked
‘
‘
Gem

View Slide

Triage
Code
codetriage.com

View Slide

View Slide

Adjunct
Professor

View Slide

Good News
Everyone!
schneems.com/ut-rails

View Slide

I work
for
this one

View Slide

AUS Ruby
Conf

View Slide

View Slide

Hello
wroclove

View Slide

Close your
Laptops

View Slide

Unless you’re
commenting
on rails/rails
issues

View Slide

Web
Security

View Slide

What does
it mean to
be secure

View Slide

I am not a
security
researcher

View Slide

You don’t
have to be
either

View Slide

Arm
yourself
with
knowledge

View Slide

Every
system has
a weakness

View Slide

Security
Bugs are
Bugs

View Slide

420,000 lines
11 versions
17 errors

View Slide

Bug free
software is
impossible

View Slide

Cover
Common
Exploits

View Slide

Talk about
Mitigation
Strategies

View Slide

Improve
our security
processes

View Slide

Availability

View Slide

Security
isn’t just
keeping
others out

View Slide

Staying
Available to
Serve your
customers

View Slide

DDoS

View Slide

Distributed
Denial
of
Service

View Slide

View Slide

Block IP
Addresses

View Slide

Memory
Exploits

View Slide

:symbols
aren’t fancy
strings

View Slide

:symbols
are never
garbage
collected

View Slide

params[:id].to_sym

View Slide

params[:id].to_sym
Don’t Do
This

View Slide

Parser
Exploits

View Slide

A billion
Laughs

View Slide

]>
&lol9;

View Slide

10 Entities

View Slide

Each
Reference
Previous
Entries

View Slide

Consumes
~3GB of ram
to process

View Slide

Like a Zip
Bomb for
XML
parsers

View Slide

Ouch

View Slide

modern XML
parsers are not
vulnerable to this
attack
Libxml2

View Slide

Authentication
the act of conﬁrming the truth of an
attribute of a datum or entity

View Slide

e
Armadillos

View Slide

YAML
Parser

View Slide

YAML
Ain’t
Markup
Language

View Slide

development:
adapter: postgresql
encoding: utf8
database: my_development
pool: 5
host: localhost
config/database.yml

View Slide

require 'yaml'
db_config = YAML::load_file('config/database.yml')
puts db_config["development"]
# => { "adapter" => "postgresql",
"encoding" => "utf8",
"database" => "example_development",
"pool" => 5,
"host" => "localhost" }

View Slide

YAML
Ain’t
just for basic
objects

View Slide

“--- !ruby/array:Array
- jacket
- sweater”
YAML::load
=> ???

View Slide

“--- !ruby/array:Array
- jacket
- sweater”
YAML::load
=> [“jacket”, “sweater”]

View Slide

“--- !ruby/hash:User
email: [email protected]”
YAML::load
=> ???

View Slide

YAML::load
=> #

View Slide

YAML::load
user = User.new

View Slide

YAML::load
user = User.new
user[:email] = “[email protected]

View Slide

YAML::load
user = User.new
user[:email] = “[email protected]
puts user
=> #

View Slide

Interesting,
but is it
insecure?

View Slide

class Foo
def []=(name, value)
puts value * 3
end
end
“--- !ruby/hash:Foo
bar: hi”
YAML::load
foo = Foo.new

View Slide

class Foo
puts value * 3
end
end
“--- !ruby/hash:Foo
bar: hi”
YAML::load
foo = Foo.new
foo[:bar] = “hi”
=> “hihihi”

View Slide

Let’s Get
Dirty

View Slide

class Foo
eval(name) + value
end
end

View Slide

class Foo
eval(name) + value
end
end
--- !ruby/hash:Foo
“puts '=== hello there'.inspect;”: hi
YAML::load

View Slide

class Foo
eval(name) + value
end
end
--- !ruby/hash:Foo
“puts '=== hello there'.inspect;”: hi
YAML::load
foo = Foo.new
foo["puts '=== hello there'.inspect"] = 'hi'
=== hello there
NoMethodError: undefined method `+' for nil:NilClass

View Slide

zOMG
arbitrary
code
execution

View Slide

But how does an
attacker get us to
execute arbitrary
YAML?

View Slide

XML
Parser

View Slide

object:UnsafeObject
attribute1: value1
]]>

View Slide

By default
will parse
arbitrary
YAML

View Slide

I’m in UR
Servers
Executing
My Code

View Slide

Java/
PHP/
C++/
etc.
Secure?

View Slide

Sanatize
Your Inputs

View Slide

And your
Floors

View Slide

Never Trust
your users

View Slide

Or your dogs

View Slide

Ro
Om
Ba
Attacks

View Slide

RoOmBa
Attacks

View Slide

Responsible
Disclosure

View Slide

Create a
/security
report page

View Slide

View Slide

Intrusion
Detection/
Logging

View Slide

Papertrail

View Slide

Stay
Informed

View Slide

Subscribe
to
Security
Lists

View Slide

Patch
Early, Patch
often

View Slide

Secrets
Secrets
Secrets

View Slide

CSRF

View Slide

Cross
Site
Request
Forgery

View Slide

View Slide

config.security_token

View Slide

the key to
your digital
kingdom

View Slide

Would you
give your
Car key
copies to:

View Slide

Interns?
Your

View Slide

Contractors?
Your

View Slide

Your
Open Source
Contributors?

View Slide

If secrets are in
your source,
you’ve already
given them your
digital kingdom

View Slide

Protect
Your
Code

View Slide

Secure keys
in source
control
aren’t secure

View Slide

What’s an
alternative?

View Slide

Environment
Variables

View Slide

$ rake db:migrate RAILS_ENV=test

View Slide

In
Development

View Slide

Use a
.env file

View Slide

$ cat .env
SECRET_TOKEN=d59c2a439f

View Slide

Use dotenv
gem

View Slide

$ irb
> Dotenv.load
> puts ENV[‘SECRET_TOKEN’]
> “d59c2a439f”

View Slide

Use foreman
gem

View Slide

$ foreman run irb
> puts ENV[‘SECRET_TOKEN’]
> “d59c2a439f”

View Slide

In
Production

View Slide

$ heroku config:add SECRET_TOKEN=d59c2a439f

View Slide

VPS
• Use Foreman/Dotenv
• Add to bashrc
• Add values directly to command
$ SECRET_TOKEN=asd123 rails console
ruby-1.9.3> puts ENV[‘SECRET_TOKEN’]
ruby-1.9.3> “asd123”

View Slide

What if...

View Slide

Someone
Can read my
ENV
Variables?

View Slide

Then they
can read
your files too

View Slide

Is your app
secure?

View Slide

Is your app
open
source-
able?

View Slide

SECRET_TOKEN
is just one
example of Config

View Slide

Define:
Config

View Slide

Config
• What varies between deploys
• resource strings to databases
• credentials to S3, twitter, facebook, etc.
• canonical values, hostname
• security tokens

View Slide

Security, Secrets, and Shenanigans

Security, Secrets, and Shenanigans

Richard Schneeman

More Decks by Richard Schneeman

Other Decks in Programming

Featured

Transcript