Security, Secrets, and Shenanigans

Transcript

1. Security, Secrets, & Shenanigans Richard Schneeman @schneems

2. @schneems

3. Schnauser

4. None

5. I <3 Ruby

6. Hans Peter Von Wolfe (the 5th)

7. Sextant Gem

8. Wicked ‘ ‘ Gem

9. Triage Code codetriage.com

10. None

11. Adjunct Professor

12. Good News Everyone! schneems.com/ut-rails

13. I work for this one

14. AUS Ruby Conf

15. None

16. Hello wroclove

17. Close your Laptops

18. Unless you’re commenting on rails/rails issues

19. Web Security

20. What does it mean to be secure

21. I am not a security researcher

22. You don’t have to be either

23. Arm yourself with knowledge

24. Every system has a weakness

25. Security Bugs are Bugs

26. 420,000 lines 11 versions 17 errors

27. Bug free software is impossible

28. Cover Common Exploits

29. Talk about Mitigation Strategies

30. Improve our security processes

31. Availability

32. Security isn’t just keeping others out

33. Staying Available to Serve your customers

34. DDoS

35. Distributed Denial of Service

36. None
37. None
38. None

39. Block IP Addresses

40. Memory Exploits

41. :symbols aren’t fancy strings

42. :symbols are never garbage collected

43. params[:id].to_sym

44. params[:id].to_sym Don’t Do This

45. Parser Exploits

46. A billion Laughs

47. <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1

    "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>

48. 10 Entities

49. Each Reference Previous Entries

50. Consumes ~3GB of ram to process

51. Like a Zip Bomb for XML parsers

52. Ouch

53. modern XML parsers are not vulnerable to this attack Libxml2

54. Authentication the act of confirming the truth of an attribute

    of a datum or entity

55. e Armadillos

56. YAML Parser

57. YAML Ain’t Markup Language

58. development: adapter: postgresql encoding: utf8 database: my_development pool: 5 host:

    localhost config/database.yml

59. require 'yaml' db_config = YAML::load_file('config/database.yml') puts db_config["development"] # => {

    "adapter" => "postgresql", "encoding" => "utf8", "database" => "example_development", "pool" => 5, "host" => "localhost" }

60. YAML Ain’t just for basic objects

61. “--- !ruby/array:Array - jacket - sweater” YAML::load => ???

62. “--- !ruby/array:Array - jacket - sweater” YAML::load => [“jacket”, “sweater”]

63. “--- !ruby/hash:User email: [email protected]” YAML::load => ???

64. “--- !ruby/hash:User email: [email protected]” YAML::load => #<User id: 1, email:

    "[email protected]">

65. “--- !ruby/hash:User email: [email protected]” YAML::load user = User.new

66. “--- !ruby/hash:User email: [email protected]” YAML::load user = User.new user[:email] =

    “[email protected]

67. “--- !ruby/hash:User email: [email protected]” YAML::load user = User.new user[:email] =

    “[email protected]

68. “--- !ruby/hash:User email: [email protected]” YAML::load user = User.new user[:email] =

    “[email protected] puts user => #<User id: 1, email: "[email protected]">

69. Interesting, but is it insecure?

70. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new

71. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”

72. class Foo def []=(name, value) puts value * 3 end

    end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”

73. Let’s Get Dirty

74. class Foo def []=(name, value) eval(name) + value end end

75. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load

76. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass

77. class Foo def []=(name, value) eval(name) + value end end

    --- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass

78. zOMG arbitrary code execution

79. But how does an attacker get us to execute arbitrary

    YAML?

80. XML Parser

81. <?xml version="1.0" encoding="UTF-8"?> <boom type="yaml"><![CDATA[--- !ruby/ object:UnsafeObject attribute1: value1 ]]></boom>

82. By default will parse arbitrary YAML

83. I’m in UR Servers Executing My Code

84. Java/ PHP/ C++/ etc. Secure?

85. Sanatize Your Inputs

86. And your Floors

87. Never Trust your users

88. Or your dogs

89. Ro Om Ba Attacks

90. RoOmBa Attacks

91. Responsible Disclosure

92. Create a /security report page

93. None

94. Intrusion Detection/ Logging

95. Papertrail

96. Stay Informed

97. Subscribe to Security Lists

98. Patch Early, Patch often

99. Secrets Secrets Secrets

100. CSRF

101. Cross Site Request Forgery

102. None

103. config.security_token

104. the key to your digital kingdom

105. Would you give your Car key copies to:

106. Interns? Your

107. Contractors? Your

108. Your Open Source Contributors?

109. If secrets are in your source, you’ve already given them

     your digital kingdom

110. Protect Your Code

111. Secure keys in source control aren’t secure

112. What’s an alternative?

113. Environment Variables

114. $ rake db:migrate RAILS_ENV=test

115. $ rake db:migrate RAILS_ENV=test

116. In Development

117. Use a .env file

118. $ cat .env SECRET_TOKEN=d59c2a439f

119. Use dotenv gem

120. $ irb > Dotenv.load > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”

121. Use foreman gem

122. $ foreman run irb > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”

123. In Production

124. $ heroku config:add SECRET_TOKEN=d59c2a439f

125. VPS • Use Foreman/Dotenv • Add to bashrc • Add

     values directly to command $ SECRET_TOKEN=asd123 rails console ruby-1.9.3> puts ENV[‘SECRET_TOKEN’] ruby-1.9.3> “asd123”

126. What if...

127. Someone Can read my ENV Variables?

128. Then they can read your files too

129. Is your app secure?

130. Is your app open source- able?

131. SECRET_TOKEN is just one example of Config

132. Define: Config

133. Config • What varies between deploys • resource strings to

     databases • credentials to S3, twitter, facebook, etc. • canonical values, hostname • security tokens

134. Can you deploy your app to change your S3 Bucket?

135. Do you NEED to deploy your app to change your

     S3 bucket?

136. Environment Variables! Use

137. Config

138. But I like storing my credentials in git!

139. What is Config? Just because it works...

140. Wishlist: rotate-able security tokens

141. Security

142. Nothing is ever 100% secure

143. Educate yourself

144. Secrets

145. Don’t store secrets in Git

146. Use ENV Variables

147. Shenanigans

148. None

149. Vote @hone02 (Terence Lee) Ruby Hero 2013

150. Questions? @schneems