Security, Secrets, and Shenanigans
Richard Schneeman
March 06, 2013
Transcript
Security, Secrets, & Shenanigans Richard Schneeman @schneems
@schneems
Schnauser
I <3 Ruby
Hans Peter Von Wolfe (the 5th)
Sextant Gem
Wicked Gem
Triage Code codetriage.com
Adjunct Professor
Good News Everyone! schneems.com/ut-rails
I work for this one
AUS Ruby Conf
Hello wroclove
Close your Laptops
Unless you’re commenting on rails/rails issues
Web Security
What does it mean to be secure
I am not a security researcher
You don’t have to be either
Arm yourself with knowledge
Every system has a weakness
Security Bugs are Bugs
420,000 lines, 11 versions, 17 errors
Bug free software is impossible
Cover Common Exploits
Talk about Mitigation Strategies
Improve our security processes
Availability
Security isn’t just keeping others out
Staying Available to Serve your customers
DDoS
Distributed Denial of Service
Block IP Addresses
Memory Exploits
:symbols aren’t fancy strings
:symbols are never garbage collected
params[:id].to_sym
Don’t Do This
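One way to take the slide's advice, as an added example (not code from the talk): never call to_sym on request input; look the input up in a table of Symbols the application already owns, so an attacker cannot grow the symbol table (which was never collected before Ruby 2.2). The column names and parameter names are this example's assumptions.

```ruby
# Allowlisted Symbol lookup for request parameters.
#
# Before Ruby 2.2 every to_sym on attacker-chosen input interned a new,
# never-collected Symbol, so a stream of requests with fresh values leaked
# memory until the process died. Looking the input up in a frozen table of
# existing Symbols never calls to_sym on untrusted data, so no Symbol is
# created whatever the client sends.

SORT_COLUMNS = %i[id name created_at].freeze
SORT_LOOKUP  = SORT_COLUMNS.to_h { |sym| [sym.to_s, sym] }.freeze

# Returns the matching Symbol, or the default when the value is unknown.
def sort_column(param, default: :id)
  SORT_LOOKUP.fetch(param.to_s, default)
end

# Same idea for a whole params hash: keep only allowlisted keys (already
# Symbols in our own code) and drop everything else instead of symbolising it.
def symbolize_allowed(params, allowed)
  allowed.each_with_object({}) do |key, out|
    value = params[key.to_s]
    out[key] = value unless value.nil?
  end
end

# Constructed sample params, as a Rack app sees them (string keys).
SAMPLE_PARAMS = { 'sort' => 'name', 'page' => '2',
                  'garbage_0xdeadbeef' => 'x' }.freeze
```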
Parser Exploits
A billion Laughs
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
10 Entities
Each Reference Previous Entries
Consumes ~3GB of ram to process
Like a Zip Bomb for XML parsers
Ouch
Modern XML parsers (libxml2, for example) are not vulnerable to this attack
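The "~3GB" figure on the slide can be checked before any parser touches the document. Added example (not from the talk): a pre-parse estimator that walks the entity declarations, computes how many bytes the body would expand to, and refuses anything over a budget. The helper names, the 1 MB budget, and the generated copy of the slide's payload are this example's own.

```ruby
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/
ENTITY_REF  = /&(\w+);/

# name => replacement text, taken from the DOCTYPE internal subset.
def entity_table(xml)
  xml.scan(ENTITY_DECL).to_h
end

# Bytes `text` occupies once every entity reference is expanded. Each entity
# is computed once (memo), so the estimate stays cheap even when the real
# expansion would not; `stack` rejects self-referencing entities.
def expanded_size(text, entities, memo = {}, stack = [])
  literal = text.gsub(ENTITY_REF, '').bytesize
  refs = text.scan(ENTITY_REF).sum do |(name)|
    next "&#{name};".bytesize unless entities.key?(name) # &amp; etc.: parser's job
    raise ArgumentError, "recursive entity #{name}" if stack.include?(name)
    memo[name] ||= expanded_size(entities[name], entities, memo, stack + [name])
  end
  literal + refs
end

# Expanded size of the document body (everything outside the DOCTYPE).
def expansion_size(xml)
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, '')
  expanded_size(body, entity_table(xml))
end

MAX_EXPANSION = 1_000_000 # 1 MB: generous for API-sized XML, far below 3 GB

def safe_to_parse?(xml)
  expansion_size(xml) <= MAX_EXPANSION
end

# Constructed sample: the slide's billion-laughs document, with the nine
# nested declarations generated in a loop instead of written out.
NAMES = ['lol', *(1..9).map { |i| "lol#{i}" }]
DECLS = (1..9).map { |i| %(<!ENTITY #{NAMES[i]} "#{"&#{NAMES[i - 1]};" * 10}">) }
BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
  <!ENTITY lol "lol">
  #{DECLS.join("\n")}
  ]>
  <lolz>&lol9;</lolz>
XML
```

The estimate for the slide's payload comes out at 3,000,000,000 bytes of entity text plus the few bytes of markup around it, which matches the "~3GB" on the slide.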
Authentication: the act of confirming the truth of an attribute of a datum or entity
e Armadillos
YAML Parser
YAML Ain’t Markup Language
config/database.yml
development:
  adapter: postgresql
  encoding: utf8
  database: my_development
  pool: 5
  host: localhost

require 'yaml'
db_config = YAML::load_file('config/database.yml')
puts db_config["development"]
# => { "adapter" => "postgresql", "encoding" => "utf8", "database" => "example_development", "pool" => 5, "host" => "localhost" }
YAML Ain’t just for basic objects
"--- !ruby/array:Array
- jacket
- sweater"
YAML::load => ???
YAML::load => ["jacket", "sweater"]

"--- !ruby/hash:User
email: richard@example.com"
YAML::load => ???
YAML::load => #<User id: 1, email: "richard@example.com">

What YAML::load does with that document, step by step:
user = User.new
user[:email] = "richard@example.com"
puts user => #<User id: 1, email: "richard@example.com">
Interesting, but is it insecure?
class Foo
  def []=(name, value)
    puts value * 3
  end
end

"--- !ruby/hash:Foo
bar: hi"
YAML::load
foo = Foo.new
foo[:bar] = "hi" => "hihihi"
Let’s Get Dirty
class Foo
  def []=(name, value)
    eval(name) + value
  end
end

--- !ruby/hash:Foo
"puts '=== hello there'.inspect;": hi

YAML::load
foo = Foo.new
foo["puts '=== hello there'.inspect"] = 'hi'
=== hello there
NoMethodError: undefined method `+' for nil:NilClass
zOMG arbitrary code execution
But how does an attacker get us to execute arbitrary YAML?
XML Parser
<?xml version="1.0" encoding="UTF-8"?>
<boom type="yaml"><![CDATA[--- !ruby/object:UnsafeObject
attribute1: value1
]]></boom>
By default will parse arbitrary YAML
I’m in UR Servers Executing My Code
Java / PHP / C++ / etc.: Secure?
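Whether the YAML arrives as a file or inside an XML body as on the slide above, the defence is the same: load it with a restricted class loader. Added example (not the talk's code): Psych's safe_load with no permitted Ruby classes, and a canary class standing in for the talk's Foo that records any []= call instead of eval-ing, so a test can prove the gadget is never reached. The helper names and sample documents are this example's own.

```ruby
require 'yaml'

# Loads YAML that came from outside the process (an upload, an XML body, a
# queue message). Only plain data plus Symbol is permitted; a !ruby/hash:X or
# !ruby/object:X tag raises Psych::DisallowedClass instead of building an X.
def load_untrusted_yaml(yaml)
  YAML.safe_load(yaml, permitted_classes: [Symbol], aliases: false)
end

# Returns [:ok, data] or [:rejected, message] so the caller can log and drop.
def parse_or_reject(yaml)
  [:ok, load_untrusted_yaml(yaml)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

# Canary standing in for the talk's Foo: it records any []= call instead of
# eval-ing the key, so a test can prove the loader never reached it.
class Foo
  CALLS = []
  def []=(name, value)
    CALLS << [name, value]
  end
end

# Constructed samples: a database.yml-shaped config, and the slide's
# !ruby/hash:Foo document (the key is an ordinary string here).
BENIGN_YAML = "development:\n  adapter: postgresql\n  pool: 5\n  host: localhost\n"
GADGET_YAML = "--- !ruby/hash:Foo\n\"some key\": hi\n"
```

For the XML route specifically, the Rails-side fix was to remove the yaml and symbol converters from ActiveSupport::XmlMini::PARSING so a type="yaml" attribute is no longer honoured.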
Sanitize Your Inputs
And your Floors
Never Trust your users
Or your dogs
RoOmBa Attacks
Responsible Disclosure
Create a /security report page
Intrusion Detection/ Logging
Papertrail
Stay Informed
Subscribe to Security Lists
Patch Early, Patch often
Secrets Secrets Secrets
CSRF
Cross Site Request Forgery
config.security_token
the key to your digital kingdom
Would you give copies of your car key to:
Your interns?
Your contractors?
Your open source contributors?
If secrets are in your source, you’ve already given them your digital kingdom
Protect Your Code
Secure keys in source control aren’t secure
What’s an alternative?
Environment Variables
$ rake db:migrate RAILS_ENV=test
In Development
Use a .env file
$ cat .env
SECRET_TOKEN=d59c2a439f
Use dotenv gem
$ irb
> Dotenv.load
> puts ENV['SECRET_TOKEN']
> "d59c2a439f"
Use foreman gem
$ foreman run irb
> puts ENV['SECRET_TOKEN']
> "d59c2a439f"
In Production
$ heroku config:add SECRET_TOKEN=d59c2a439f
VPS
• Use Foreman/Dotenv
• Add to bashrc
• Add values directly to the command:
$ SECRET_TOKEN=asd123 rails console
ruby-1.9.3> puts ENV['SECRET_TOKEN']
ruby-1.9.3> "asd123"
What if... someone can read my ENV variables?
Then they can read your files too
Is your app secure?
Is your app open-sourceable?
SECRET_TOKEN is just one example of Config
Define: Config
Config
• What varies between deploys
• Resource strings to databases
• Credentials to S3, Twitter, Facebook, etc.
• Canonical values, hostname
• Security tokens
Can you deploy your app to change your S3 Bucket?
Do you NEED to deploy your app to change your S3 bucket?
Use Environment Variables for Config
But I like storing my credentials in git!
What is Config? Just because it works...
Wishlist: rotate-able security tokens
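The .env and config slides above in a few lines of plain Ruby, as an added example (not the dotenv or foreman gem, and not code from the talk): a parser for KEY=value files that never overrides the real environment, and a fail-fast lookup that refuses to boot until every piece of config that "varies between deploys" is present. The helper names and the sample .env are this example's own; the token value is the one from the slide.

```ruby
# Parses KEY=value lines (comments and blanks skipped, an optional `export`
# prefix and surrounding quotes removed). Returns a Hash and writes nothing to
# ENV, so the parse itself is testable.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip.sub(/\Aexport\s+/, '')
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next unless value && key.match?(/\A[A-Z_][A-Z0-9_]*\z/)
    vars[key] = value.strip.sub(/\A(["'])(.*)\1\z/, '\2')
  end
end

# Like Dotenv.load: values already present in the real environment win, so a
# stray .env file can never silently override production config.
def load_dotenv(text, env = ENV)
  parse_dotenv(text).each { |k, v| env[k] = v unless env.key?(k) }
  env
end

# Config is what varies between deploys: read every required key from ENV and
# refuse to start with a clear list of what is missing, instead of failing
# later on the first request that needs the S3 bucket.
def required_config(keys, env = ENV)
  missing = keys.reject { |k| env[k] && !env[k].empty? }
  raise KeyError, "missing config: #{missing.join(', ')}" unless missing.empty?
  keys.to_h { |k| [k, env[k]] }
end

# Constructed sample .env for development; the real one lives in .gitignore.
SAMPLE_DOTENV = <<~ENVFILE
  # local development only
  SECRET_TOKEN=d59c2a439f
  S3_BUCKET="my-dev-bucket"
  export DATABASE_URL=postgres://localhost/my_development
ENVFILE
```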
Security
Nothing is ever 100% secure
Educate yourself
Secrets
Don’t store secrets in Git
Use ENV Variables
Shenanigans
Vote @hone02 (Terence Lee) Ruby Hero 2013
Questions? @schneems