Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, Secrets, and Shenanigans

Db953d125f5cc49756edb6149f1b813e?s=47 Richard Schneeman
March 06, 2013
Programming
3
380

Security, Secrets, and Shenanigans

Db953d125f5cc49756edb6149f1b813e?s=128

Richard Schneeman

March 06, 2013
Tweet

More Decks by Richard Schneeman

See All by Richard Schneeman
[RubyConf] Beware the Dreaded Dead End
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
0
66
[Kaigi] Beware the Dead End
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
0
30
Threads Aren't Evil
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
0
270
Bayes is BAE
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
0
2.2k
Testing the Untestable
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
1
270
SLOMO
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
2
460
Saving Sprockets
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
8
15k
Memory Leaks, Tweaks, and Techniques
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
1
110
Speed Science
Db953d125f5cc49756edb6149f1b813e?s=48 schneems
20
31k

Other Decks in Programming

See All in Programming
RFC 9111: HTTP Caching
1ff811939fd0923df8321ec6d8bf9d4b?s=48 jxck
0
150
VisualProgramming_GoogleHome_LINE
Eeedbe91225c0207014a46f09eea1d30?s=48 nearmugi
1
140
#JJUG_CCC 「サポート」は製品開発? - JDBCライブラリ屋さんが実践する攻めのテクニカルサポートとJavaエンジニアのキャリアについて -
244963b5eab1dd775692490daea81a7f?s=48 cdataj
0
410
IE Graduation Certificate
1ff811939fd0923df8321ec6d8bf9d4b?s=48 jxck
6
4.7k
trocco® の品質を守る、とても普通な取り組み
E7d321bef653bcb8fce8032609321398?s=48 kekekenta
0
350
Reactive Java Microservices on Kubernetes with Spring and JHipster
7f408bc67dc9ae3b288ee92d16d3c4c2?s=48 deepu105
1
160
Web API連携でCSRF対策がどう実装されてるか調べた / how to implements csrf-detection on Web API
79fc33e55cacc42beef647541de24d58?s=48 yasuakiomokawa
2
300
言語処理ライブラリ開発における失敗談 / NLPHacks
7b5bbcad8cad0559a385206fbe038744?s=48 taishii
1
430
設計ナイト2022 トランザクションスクリプト
6521324f6ab5266cdcde1dd05945a27b?s=48 shinpeim
11
2k
競プロのすすめ
3a10a8f9ae25b2eb5bf3579dd3141dd8?s=48 uya116
0
650
"What's new in Swift"の要約 / swift_5_7_summary
42a6a049ac8f5265f31858a9509217fb?s=48 uhooi
1
280
engineer
E6706306bf41c5a5675e7296ecdb4103?s=48 spacemarket
0
700

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
269
11k
JavaScript: Past, Present, and Future - NDC Porto 2020
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
37
3.2k
jQuery: Nuts, Bolts and Bling
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
6.4k
Designing the Hi-DPI Web
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
272
32k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
265
21k
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.1k
ReactJS: Keep Simple. Everything can be a component!
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
Documentation Writing (for coders)
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
48
2.5k
WebSockets: Embracing the real-time Web
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
57
5.1k
Happy Clients
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.6k
Building a Scalable Design System with Sketch
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
447
30k
A Modern Web Designer's Workflow
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
689
180k

Transcript

  1. Security, Secrets, & Shenanigans Richard Schneeman @schneems

  2. @schneems

  3. Schnauser

  4. None

  5. I <3 Ruby

  6. Hans Peter Von Wolfe (the 5th)

  7. Sextant Gem

  8. Wicked ‘ ‘ Gem

  9. Triage Code codetriage.com

  10. None

  11. Adjunct Professor

  12. Good News Everyone! schneems.com/ut-rails

  13. I work for this one

  14. AUS Ruby Conf

  15. None

  16. Hello wroclove

  17. Close your Laptops

  18. Unless you’re commenting on rails/rails issues

  19. Web Security

  20. What does it mean to be secure

  21. I am not a security researcher

  22. You don’t have to be either

  23. Arm yourself with knowledge

  24. Every system has a weakness

  25. Security Bugs are Bugs

  26. 420,000 lines 11 versions 17 errors

  27. Bug free software is impossible

  28. Cover Common Exploits

  29. Talk about Mitigation Strategies

  30. Improve our security processes

  31. Availability

  32. Security isn’t just keeping others out

  33. Staying Available to Serve your customers

  34. DDoS

  35. Distributed Denial of Service

  36. None
  37. None
  38. None

  39. Block IP Addresses

  40. Memory Exploits

  41. :symbols aren’t fancy strings

  42. :symbols are never garbage collected

  43. params[:id].to_sym

  44. params[:id].to_sym Don’t Do This

  45. Parser Exploits

  46. A billion Laughs

  47. <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1

    "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

  48. 10 Entities

  49. Each Reference Previous Entries

  50. Consumes ~3GB of ram to process

  51. Like a Zip Bomb for XML parsers

  52. Ouch

  53. modern XML parsers are not vulnerable to this attack Libxml2

  54. Authentication the act of confirming the truth of an attribute

    of a datum or entity

  55. e Armadillos

  56. YAML Parser

  57. YAML Ain’t Markup Language

  58. development: adapter: postgresql encoding: utf8 database: my_development pool: 5 host:

    localhost config/database.yml

  59. require 'yaml' db_config = YAML::load_file('config/database.yml') puts db_config["development"] # => {

    "adapter" => "postgresql", "encoding" => "utf8", "database" => "example_development", "pool" => 5, "host" => "localhost" }

  60. YAML Ain’t just for basic objects

  61. “--- !ruby/array:Array - jacket - sweater” YAML::load => ???

  62. “--- !ruby/array:Array - jacket - sweater” YAML::load => [“jacket”, “sweater”]

  63. “--- !ruby/hash:User email: richard@example.com” YAML::load => ???

  64. “--- !ruby/hash:User email: richard@example.com” YAML::load => #<User id: 1, email:

    "richard@example.com">

  65. “--- !ruby/hash:User email: richard@example.com” YAML::load user = User.new

  66. “--- !ruby/hash:User email: richard@example.com” YAML::load user = User.new user[:email] =

    “richard@example.com

  67. “--- !ruby/hash:User email: richard@example.com” YAML::load user = User.new user[:email] =

    “richard@example.com

  68. “--- !ruby/hash:User email: richard@example.com” YAML::load user = User.new user[:email] =

    “richard@example.com puts user => #<User id: 1, email: "richard@example.com">

  69. Interesting, but is it insecure?

  70. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new

  71. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”

  72. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”

  73. Let’s Get Dirty

  74. class Foo def []=(name, value) eval(name) + value end end

  75. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load

  76. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass

  77. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass

  78. zOMG arbitrary code execution

  79. But how does an attacker get us to execute arbitrary

    YAML?

  80. XML Parser

  81. <?xml version="1.0" encoding="UTF-8"?> <boom type="yaml"><![CDATA[--- !ruby/ object:UnsafeObject attribute1: value1 ]]></boom>

  82. By default will parse arbitrary YAML

  83. I’m in UR Servers Executing My Code

  84. Java/ PHP/ C++/ etc. Secure?

  85. Sanatize Your Inputs

  86. And your Floors

  87. Never Trust your users

  88. Or your dogs

  89. Ro Om Ba Attacks

  90. RoOmBa Attacks

  91. Responsible Disclosure

  92. Create a /security report page

  93. None

  94. Intrusion Detection/ Logging

  95. Papertrail

  96. Stay Informed

  97. Subscribe to Security Lists

  98. Patch Early, Patch often

  99. Secrets Secrets Secrets

  100. CSRF

  101. Cross Site Request Forgery

  102. None

  103. config.security_token

  104. the key to your digital kingdom

  105. Would you give your Car key copies to:

  106. Interns? Your

  107. Contractors? Your

  108. Your Open Source Contributors?

  109. If secrets are in your source, you’ve already given them

    your digital kingdom

  110. Protect Your Code

  111. Secure keys in source control aren’t secure

  112. What’s an alternative?

  113. Environment Variables

  114. $ rake db:migrate RAILS_ENV=test

  115. $ rake db:migrate RAILS_ENV=test

  116. In Development

  117. Use a .env file

  118. $ cat .env SECRET_TOKEN=d59c2a439f

  119. Use dotenv gem

  120. $ irb > Dotenv.load > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”

  121. Use foreman gem

  122. $ foreman run irb > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”

  123. In Production

  124. $ heroku config:add SECRET_TOKEN=d59c2a439f

  125. VPS • Use Foreman/Dotenv • Add to bashrc • Add

    values directly to command $ SECRET_TOKEN=asd123 rails console ruby-1.9.3> puts ENV[‘SECRET_TOKEN’] ruby-1.9.3> “asd123”

  126. What if...

  127. Someone Can read my ENV Variables?

  128. Then they can read your files too

  129. Is your app secure?

  130. Is your app open source- able?

  131. SECRET_TOKEN is just one example of Config

  132. Define: Config

  133. Config • What varies between deploys • resource strings to

    databases • credentials to S3, twitter, facebook, etc. • canonical values, hostname • security tokens

  134. Can you deploy your app to change your S3 Bucket?

  135. Do you NEED to deploy your app to change your

    S3 bucket?

  136. Environment Variables! Use

  137. Config

  138. But I like storing my credentials in git!

  139. What is Config? Just because it works...

  140. Wishlist: rotate-able security tokens

  141. Security

  142. Nothing is ever 100% secure

  143. Educate yourself

  144. Secrets

  145. Don’t store secrets in Git

  146. Use ENV Variables

  147. Shenanigans

  148. None

  149. Vote @hone02 (Terence Lee) Ruby Hero 2013

  150. Questions? @schneems