Security, Secrets, and Shenanigans

Richard Schneeman

March 06, 2013

Transcript

  1. Security, Secrets, & Shenanigans Richard Schneeman @schneems

  2. @schneems

  3. Schnauser

  5. I <3 Ruby

  6. Hans Peter Von Wolfe (the 5th)

  7. Sextant Gem

  8. Wicked ‘ ‘ Gem

  9. Triage Code codetriage.com

  11. Adjunct Professor

  12. Good News Everyone! schneems.com/ut-rails

  13. I work for this one

  14. AUS Ruby Conf

  16. Hello wroclove

  17. Close your Laptops

  18. Unless you’re commenting on rails/rails issues

  19. Web Security

  20. What does it mean to be secure

  21. I am not a security researcher

  22. You don’t have to be either

  23. Arm yourself with knowledge

  24. Every system has a weakness

  25. Security Bugs are Bugs

  26. 420,000 lines 11 versions 17 errors

  27. Bug free software is impossible

  28. Cover Common Exploits

  29. Talk about Mitigation Strategies

  30. Improve our security processes

  31. Availability

  32. Security isn’t just keeping others out

  33. Staying Available to Serve your customers

  34. DDoS

  35. Distributed Denial of Service

  39. Block IP Addresses

  40. Memory Exploits

  41. :symbols aren’t fancy strings

  42. :symbols are never garbage collected (true of the Ruby 1.9/2.0 interpreters current at the time of this talk; Ruby 2.2 added symbol GC for dynamically created symbols, but symbols pinned by being used as method or constant names are still never collected)

  43. params[:id].to_sym

  44. params[:id].to_sym Don’t Do This
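As an added example (not part of the talk), here is the allowlist pattern that replaces `params[:id].to_sym`, beside the unsafe form for comparison, plus a small counter so you can measure symbol-table growth on the Ruby version you actually deploy on. The names `ALLOWED_SORT_KEYS`, `safe_sort_key`, `unsafe_sort_key` and `symbols_created_by` are my own, not from the slides or from Rails.

```ruby
# Added example (not from the talk): never intern attacker-controlled strings.
# Map the request parameter onto a fixed set of symbols that already exist.
ALLOWED_SORT_KEYS = %i[id name created_at].freeze

# Returns one of ALLOWED_SORT_KEYS, or nil for anything else. The comparison
# is done on strings, so an unknown value never becomes a new Symbol.
def safe_sort_key(raw)
  ALLOWED_SORT_KEYS.find { |sym| sym.to_s == raw.to_s }
end

# The pattern the slide warns about, kept for comparison: every distinct value
# an attacker sends becomes a new entry in the interpreter's symbol table.
def unsafe_sort_key(raw)
  raw.to_s.to_sym
end

# Counts how many symbols a block adds to the symbol table. On Ruby 2.2+ the
# dynamic symbols made by to_sym are collectable, so the unsafe count may come
# out below the number of inputs once GC runs; on 1.9/2.0 it never shrinks.
def symbols_created_by
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
end

if __FILE__ == $PROGRAM_NAME
  inputs = Array.new(1000) { |i| "attacker_value_#{i}" }   # constructed sample input
  puts "safe:   #{symbols_created_by { inputs.each { |v| safe_sort_key(v) } }} new symbols"
  puts "unsafe: #{symbols_created_by { inputs.each { |v| unsafe_sort_key(v) } }} new symbols"
end
```

Run it under the interpreter you ship and compare the two counts; if "unsafe" keeps growing across requests, every `to_sym` on a request parameter is a memory leak an attacker can drive.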

  45. Parser Exploits

  46. A billion Laughs

  47. <?xml version="1.0"?>
      <!DOCTYPE lolz [
        <!ENTITY lol "lol">
        <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
        <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
        <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
        <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
        <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
        <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
        <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
        <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
        <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
      ]>
      <lolz>&lol9;</lolz>
  48. 10 Entities

  49. Each Reference Previous Entries

  50. Consumes ~3GB of RAM to process (nine levels of tenfold nesting, so the single &lol9; reference expands to 10^9 copies of "lol")

  51. Like a Zip Bomb for XML parsers

  52. Ouch

  53. Modern XML parsers (libxml2, for example) cap entity expansion and are not vulnerable to this attack
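To make the "zip bomb" arithmetic concrete, here is an added example (not from the talk) that estimates how large a document's internal entities would expand to before any parser touches it, and refuses documents over a budget. Parsers such as libxml2 enforce a limit like this internally; this version writes the walk out so the numbers are visible. The function names, the 10 MB budget, and the regexes are my own; the regexes only handle the double-quoted internal-subset declarations the slide uses.

```ruby
# Added example (not from the talk): size the entity graph without expanding it.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/   # double-quoted internal-subset decls only
ENTITY_REF  = /&(\w+);/
PREDEFINED  = %w[lt gt amp apos quot].freeze        # expand to one character each

# Map of entity name => replacement text, taken from the internal DTD subset.
def parse_entities(xml)
  xml.scan(ENTITY_DECL).to_h
end

# Bytes that &name; would occupy once fully expanded. Memoised per call so the
# billion-laughs graph is visited once per entity, and cycle-checked so a
# self-referencing entity raises instead of recursing forever.
def expanded_size(entities, name, seen = [], memo = {})
  return 1 if PREDEFINED.include?(name)
  return memo[name] if memo.key?(name)
  raise "recursive entity: #{name}" if seen.include?(name)

  body    = entities.fetch(name) { raise "undefined entity: #{name}" }
  literal = body.gsub(ENTITY_REF, "").bytesize
  refs    = body.scan(ENTITY_REF).flatten
  memo[name] = literal + refs.sum { |r| expanded_size(entities, r, seen + [name], memo) }
end

# true if every entity referenced in the document body stays within the budget.
# Cycles and undefined entities are rejected as well.
def within_expansion_budget?(xml, limit: 10_000_000)
  entities = parse_entities(xml)
  body = xml.sub(/<!DOCTYPE.*?\]>/m, "")            # look at references in the body only
  body.scan(ENTITY_REF).flatten.uniq.all? { |r| expanded_size(entities, r) <= limit }
rescue RuntimeError
  false
end

# Builds the "billion laughs" document from the slide (constructed sample input).
def billion_laughs
  decls = ['<!ENTITY lol "lol">']
  (1..9).each do |n|
    prev = n == 1 ? "lol" : "lol#{n - 1}"
    refs = "&#{prev};" * 10
    decls << "<!ENTITY lol#{n} \"#{refs}\">"
  end
  "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n#{decls.join("\n")}\n]>\n<lolz>&lol9;</lolz>\n"
end

if __FILE__ == $PROGRAM_NAME
  doc = billion_laughs
  puts "&lol9; expands to #{expanded_size(parse_entities(doc), 'lol9')} bytes"
  puts "within budget? #{within_expansion_budget?(doc)}"
end
```

The point of the memo is that the estimate itself must not be exponential: walking ten declarations costs ten steps, while expanding them costs a gigabyte.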

  54. Authentication: the act of confirming the truth of an attribute of a datum or entity
  55. e Armadillos

  56. YAML Parser

  57. YAML Ain’t Markup Language

  58. config/database.yml
      development:
        adapter: postgresql
        encoding: utf8
        database: my_development
        pool: 5
        host: localhost
  59. require 'yaml'
      db_config = YAML::load_file('config/database.yml')
      puts db_config["development"]
      # => {"adapter"=>"postgresql", "encoding"=>"utf8", "database"=>"my_development", "pool"=>5, "host"=>"localhost"}
  60. YAML Ain’t just for basic objects

  61. --- !ruby/array:Array
      - jacket
      - sweater
      YAML::load => ???

  62. --- !ruby/array:Array
      - jacket
      - sweater
      YAML::load => ["jacket", "sweater"]

  63. --- !ruby/hash:User
      email: richard@example.com
      YAML::load => ???

  64. --- !ruby/hash:User
      email: richard@example.com
      YAML::load => #<User id: 1, email: "richard@example.com">

  65. --- !ruby/hash:User
      email: richard@example.com
      YAML::load
      user = User.new

  66. --- !ruby/hash:User
      email: richard@example.com
      YAML::load
      user = User.new
      user[:email] = "richard@example.com"
  68. --- !ruby/hash:User
      email: richard@example.com
      YAML::load
      user = User.new
      user[:email] = "richard@example.com"
      puts user => #<User id: 1, email: "richard@example.com">
  69. Interesting, but is it insecure?

  70. class Foo
        def []=(name, value)
          puts value * 3
        end
      end
      --- !ruby/hash:Foo
      bar: hi
      YAML::load
      foo = Foo.new

  71. class Foo
        def []=(name, value)
          puts value * 3
        end
      end
      --- !ruby/hash:Foo
      bar: hi
      YAML::load
      foo = Foo.new
      foo[:bar] = "hi" => "hihihi"
  73. Let’s Get Dirty

  74. class Foo
        def []=(name, value)
          eval(name) + value
        end
      end

  75. class Foo
        def []=(name, value)
          eval(name) + value
        end
      end
      --- !ruby/hash:Foo
      "puts '=== hello there'.inspect;": hi
      YAML::load

  76. class Foo
        def []=(name, value)
          eval(name) + value
        end
      end
      --- !ruby/hash:Foo
      "puts '=== hello there'.inspect;": hi
      YAML::load
      foo = Foo.new
      foo["puts '=== hello there'.inspect;"] = 'hi'
      "=== hello there"
      NoMethodError: undefined method `+' for nil:NilClass
  78. zOMG arbitrary code execution

  79. But how does an attacker get us to execute arbitrary

    YAML?
  80. XML Parser

  81. <?xml version="1.0" encoding="UTF-8"?>
      <boom type="yaml"><![CDATA[--- !ruby/object:UnsafeObject
      attribute1: value1
      ]]></boom>

  82. By default, Rails' XML parameter parser handed a type="yaml" element straight to YAML.load, so an attacker's YAML was deserialized on your server

  83. I’m in UR Servers Executing My Code

  84. Java / PHP / C++ / etc. Secure?

  85. Sanitize Your Inputs

  86. And your Floors

  87. Never Trust your users

  88. Or your dogs

  89. Ro Om Ba Attacks

  90. RoOmBa Attacks

  91. Responsible Disclosure

  92. Create a /security report page

  94. Intrusion Detection/ Logging

  95. Papertrail

  96. Stay Informed

  97. Subscribe to Security Lists

  98. Patch Early, Patch often

  99. Secrets Secrets Secrets

  100. CSRF

  101. Cross Site Request Forgery

  103. config.secret_token (config/initializers/secret_token.rb; it signs the session cookie the CSRF token is derived from)

  104. the key to your digital kingdom

  105. Would you give your Car key copies to:

  106. Your Interns?

  107. Your Contractors?

  108. Your Open Source Contributors?

  109. If secrets are in your source, you’ve already given them your digital kingdom
  110. Protect Your Code

  111. Secure keys in source control aren’t secure

  112. What’s an alternative?

  113. Environment Variables

  114. $ rake db:migrate RAILS_ENV=test

  116. In Development

  117. Use a .env file

  118. $ cat .env
       SECRET_TOKEN=d59c2a439f

  119. Use dotenv gem

  120. $ irb
       > require 'dotenv'; Dotenv.load
       > puts ENV['SECRET_TOKEN']
       d59c2a439f

  121. Use foreman gem

  122. $ foreman run irb
       > puts ENV['SECRET_TOKEN']
       d59c2a439f

  123. In Production

  124. $ heroku config:add SECRET_TOKEN=d59c2a439f

  125. VPS
       • Use Foreman/Dotenv
       • Add to bashrc
       • Add values directly to the command
         $ SECRET_TOKEN=asd123 rails console
         ruby-1.9.3> puts ENV['SECRET_TOKEN']
         asd123
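The development and production steps above all end in the same place: the app reads its secrets from `ENV` at boot. As an added example (not from the talk, and not dotenv's or foreman's implementation), here is a minimal reader for the `.env` format the slides show, plus a fail-fast fetch so a missing or placeholder token stops boot instead of silently signing cookies with `nil` or "changeme". The names `parse_dotenv`, `fetch_secret`, `PLACEHOLDERS`, the 32-character minimum and the sample file contents are my own.

```ruby
# Added example (not from the talk, not dotenv's code): read a .env file and
# fetch secrets from it with fail-fast checks.

# Parses KEY=value lines into a Hash. Handles comments, blank lines, an optional
# "export " prefix and single- or double-quoted values. Keys already present in
# `env` are not overwritten, so the real environment wins over the file, which
# is how dotenv-style loaders are expected to behave.
def parse_dotenv(text, env = {})
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    line = line.sub(/\Aexport\s+/, "")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    key = key.strip
    next unless key.match?(/\A[A-Z_][A-Z0-9_]*\z/i)
    value = value.strip
    quoted = value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
    value = value[1..-2] if quoted
    env[key] = value unless env.key?(key)
  end
  env
end

PLACEHOLDERS = %w[changeme todo xxx secret password].freeze

# Returns the secret or raises with a message naming the variable. The length
# check catches "I typed something so it would boot"; the placeholder list
# catches values copied from a template.
def fetch_secret(env, name, min_length: 32)
  value = env[name]
  if value.nil? || value.empty?
    raise KeyError, "#{name} is not set; put it in .env (dev) or your platform's config (prod)"
  end
  raise ArgumentError, "#{name} looks like a placeholder" if PLACEHOLDERS.include?(value.downcase)
  raise ArgumentError, "#{name} must be at least #{min_length} characters" if value.length < min_length
  value
end

# Constructed sample .env for the demo; every value here is made up.
SAMPLE_DOTENV = <<~DOTENV
  # development settings
  export SECRET_TOKEN="d59c2a439f0e3b7c1a8d2f4e6b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c"
  S3_BUCKET=my-dev-bucket
  DATABASE_URL='postgres://localhost/my_development'
  BAD LINE WITHOUT EQUALS
DOTENV

if __FILE__ == $PROGRAM_NAME
  env = parse_dotenv(SAMPLE_DOTENV)
  puts "loaded #{env.keys.join(', ')}"
  puts "SECRET_TOKEN ok (#{fetch_secret(env, 'SECRET_TOKEN').length} chars)"
end
```

In a Rails app the last step is `config.secret_token = fetch_secret(ENV, "SECRET_TOKEN")` in the initializer, so a misconfigured deploy fails loudly at boot rather than at the first signed cookie.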
  126. What if...

  127. Someone Can read my ENV Variables?

  128. Then they can read your files too

  129. Is your app secure?

  130. Is your app open-sourceable?

  131. SECRET_TOKEN is just one example of Config

  132. Define: Config

  133. Config
       • What varies between deploys
       • resource strings to databases
       • credentials to S3, twitter, facebook, etc.
       • canonical values, hostname
       • security tokens
  134. Can you deploy your app to change your S3 Bucket?

  135. Do you NEED to deploy your app to change your S3 bucket?
  136. Use Environment Variables!

  137. Config

  138. But I like storing my credentials in git!

  139. What is Config? Just because it works...

  140. Wishlist: rotate-able security tokens

  141. Security

  142. Nothing is ever 100% secure

  143. Educate yourself

  144. Secrets

  145. Don’t store secrets in Git

  146. Use ENV Variables

  147. Shenanigans

  149. Vote @hone02 (Terence Lee) Ruby Hero 2013

  150. Questions? @schneems