PyCon UK 2017: Everyday security issues and how to avoid them

Everyday security issues
and how to avoid them
PyCon UK 2017 / Cardiff
Christian Heimes
Senior Software Engineer
[email protected] / [email protected]
@ChristianHeimes

View Slide

Everyday security issues, PyCon UK 2017
2
Who am I?
●
from Hamburg/Germany
●
Python dev since 2003
●
Python core contributor since 2008
●
PEP 370, 454, 456, 543
●
maintainer of ssl and hashlib module

View Slide

3
Professional life
●
Senior Software Engineer at Red Hat
●
Security Engineering
●
OpenShift security team
●
FreeIPA Identity Management
●
Dogtag PKI
●
Custudia secrets management

View Slide

Agenda
&
Goals

View Slide

5
●
Motivation
●
What is security?
●
Honourable mention
●
Security bottom-up
●
Python security
●
Files and I/O,
●
Parsing
●
Input validation
●
Cryptography
●
Summary
Agenda

View Slide

6
depth
breadth

View Slide

Motivation
Why should I care?

View Slide

8
proud craftsman
responsible engineer

View Slide

9
Business

View Slide

10
https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

View Slide

11
https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

View Slide

12
https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/
https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

View Slide

13
Life and Death

View Slide

14
https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

View Slide

15
http://news.sky.com/story/gay-people-at-risk-after-ashley-madison-hack-10348710
http://www.bbc.com/news/technology-34044506

View Slide

16
World laws pertaining to homosexual
relationships and expression
Wikipedia

View Slide

What is
information security?

View Slide

18
Wikipedia definition
Information security is the practice of preventing
unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of
information.

View Slide

19
Info Sec
●
prevention
●
mitigation
●
auditing
●
recovery
●
privacy

View Slide

20
Why is security hard?
●
complex systems
●
weakest link causes
catastrophic failures
●
secure is not testable
●
design issues
●
multitude of attack vectors
●
threat analysis

View Slide

21
RSA Key Extraction via Acoustic Cryptanalysis
https://www.tau.ac.il/~tromer/acoustic/

View Slide

22
Compiler and CPU optimization
char *demo(const char *msg, int msg_len)
{
char secret[16];
char *output;
get_secret_key(secret);
output = encrypt(secret, msg, msg_len);
/* wipe secret key from memory */
memset(secret, 0x00, sizeof(secret));
return output;
}
char *demo(const char *msg, int msg_len)
{
char secret[16];
char *output;
get_secret_key(secret);
output = encrypt(secret, msg, msg_len);
/* wipe secret key from memory */
memset(secret, 0x00, sizeof(secret));
return output;
}

View Slide

23
Compiler optimization
$ clang -O3
0000000000000000 :
0: 55 push %rbp
1: 41 56 push %r14
3: 53 push %rbx
4: 48 83 ec 10 sub $0x10,%rsp
8: 89 f5 mov %esi,%ebp
a: 48 89 fb mov %rdi,%rbx
d: 4c 8d 34 24 lea (%rsp),%r14
11: 4c 89 f7 mov %r14,%rdi
14: e8 00 00 00 00 callq 19
15: R_X86_64_PC32 get_secret_key-0x4
19: 4c 89 f7 mov %r14,%rdi
1c: 48 89 de mov %rbx,%rsi
1f: 89 ea mov %ebp,%edx
21: e8 00 00 00 00 callq 26
22: R_X86_64_PC32 encrypt-0x4
26: 48 83 c4 10 add $0x10,%rsp
2a: 5b pop %rbx
2b: 41 5e pop %r14
2d: 5d pop %rbp
2e: c3 retq
$ clang -O0
0000000000000000 :
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 83 ec 30 sub $0x30,%rsp
8: 48 8d 45 e0 lea -0x20(%rbp),%rax
c: 48 89 7d f8 mov %rdi,-0x8(%rbp)
10: 89 75 f4 mov %esi,-0xc(%rbp)
13: 48 89 c7 mov %rax,%rdi
16: e8 00 00 00 00 callq 1b
17: R_X86_64_PC32 get_secret_key-0x4
1b: 48 8d 7d e0 lea -0x20(%rbp),%rdi
1f: 48 8b 75 f8 mov -0x8(%rbp),%rsi
23: 8b 55 f4 mov -0xc(%rbp),%edx
26: 89 45 d4 mov %eax,-0x2c(%rbp)
29: e8 00 00 00 00 callq 2e
2a: R_X86_64_PC32 encrypt-0x4
2e: be af 00 00 00 mov $0x00,%esi
33: 48 ba 10 00 00 00 00 movabs $0x10,%rdx
3a: 00 00 00
3d: 48 8d 7d e0 lea -0x20(%rbp),%rdi
41: 48 89 45 d8 mov %rax,-0x28(%rbp)
45: e8 00 00 00 00 callq 4a
46: R_X86_64_PC32 memset-0x4
4a: 48 8b 45 d8 mov -0x28(%rbp),%rax
4e: 48 83 c4 30 add $0x30,%rsp
52: 5d pop %rbp
53: c3 retq

View Slide

24
CPU

View Slide

25
'Руthοn'
!=
'Python'

View Slide

26
Homoglyph confusion attack
>>> import unicodedata
>>> for c in 'Руthοn':
... print(unicodedata.name(c))
...
CYRILLIC CAPITAL LETTER ER
CYRILLIC SMALL LETTER U
LATIN SMALL LETTER T
LATIN SMALL LETTER H
GREEK SMALL LETTER OMICRON
LATIN SMALL LETTER N
>>> import unicodedata
>>> for c in 'Руthοn':
... print(unicodedata.name(c))
...
CYRILLIC CAPITAL LETTER ER
CYRILLIC SMALL LETTER U
LATIN SMALL LETTER T
LATIN SMALL LETTER H
GREEK SMALL LETTER OMICRON
LATIN SMALL LETTER N

View Slide

Honourable mention

View Slide

28
Out of scope
●
legal requirements (e.g. EU privacy shield, FISMA)
●
data centre security
●
hardware security (e.g. Intel Management Engine)
●
browser / web security
●
ransomware
●
state sponsored actors
●
cyber war

View Slide

29
Wikipedia

View Slide

30
cybersquirrel1.com – attacks on power grid
http://cybersquirrel1.com/

View Slide

31
Human factor
●
Social engineer
●
CEO scam: Ubiquiti Networks victim of $39 million
https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-
engineering-attack.html
●
Password in exchange for chocolate (up to 47.9%)
Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026
●
dissatisfied employees
●
ignorant management

View Slide

32
Security vs. Usability

View Slide

33
IoT – Internet of Things
The “S” in “IoT” stands for security.
The “P” in “IoT” stands for privacy.
(Sorry, German humour)

View Slide

Security bottom-up

View Slide

35
Hardware & OS
●
Hardware from trustworthy vendor
●
validate OS image
●
UEFI secure boot (protect your MOK)
●
Firewall
●
update, update, update
●
SELinux / AppArmor
don't: setenforce 0
do: semanage permissive -a myapp_t

View Slide

36
Application
●
don't run as root or admin
●
Restrict and isolate
separate user, group
systemd: PrivateTmp, Protectsystem, RemoveIPC, CapabilityBoundingSet, …
SecComp sandboxing
●
encrypt in transit (TLS/SSL), encrypt at rest
●
bind to localhost
●
strong authentication
●
update, update, update … and restart!

View Slide

37
Mitigation: Defence in depth

View Slide

38
Update!
g

View Slide

Python

View Slide

40
High level, memory safe
●
buffer overflow
●
stack overflow
●
memory leak

View Slide

41
Dangerous features
●
exec()
●
eval()
●
import, __import__()
●
pickle, marshal
●
ctypes

View Slide

42
gettext translation
msgid ""
msgstr ""
"Project-Id-Version: 2.0\n"
"PO-Revision-Date: 2003-04-11 12:42-0400\n"
"Last-Translator: Barry A. WArsaw \n"
"Language-Team: XX \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 7bit\n"
"Generated-By: manually\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
msgid ""
msgstr ""
"Project-Id-Version: 2.0\n"
"PO-Revision-Date: 2003-04-11 12:42-0400\n"
"Last-Translator: Barry A. WArsaw \n"
"Language-Team: XX \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 7bit\n"
"Generated-By: manually\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"

View Slide

43
gettext plural forms
●
English, German: nplurals=2; plural=n != 1;
●
French: nplurals=2; plural=n > 1;
●
Celtic: nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;
●
Russian: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n
%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;
●
Denial-Of-Service:
nplurals=2; plural=n ** 1000 ** 1000 ** 1000 ** 1000;
issue #18317, #28563

View Slide

44
Typo Squatting (skcsirt-sa-20170909-pypi)
Malicious packages in Python Package Index
●
acqusition
●
bzip
●
setup-tools
●
urlib3

View Slide

Files
I/O

View Slide

46
Directory traversal attack
BASE = '/var/lib/files'
@app.route('/download/')
def download(filename):
absname = os.path.join(BASE, name)
with open(absname) as f:
return f.read()
BASE = '/var/lib/files'
@app.route('/download/')
def download(filename):
absname = os.path.join(BASE, name)
with open(absname) as f:
return f.read()
/download/image.jpg
/download/image.jpg

View Slide

47
Directory traversal attack
/download/private/image.jpg
/download/../etc/passwd
/download/../../etc/passwd
/download/../../../etc/passwd
/download/../../../etc/httpd/server.key
/download/private/image.jpg
/download/../etc/passwd
/download/../../etc/passwd
/download/../../../etc/passwd
/download/../../../etc/httpd/server.key

View Slide

48
TOCTOU / race condition
if not os.path.isfile(filename):
with open(filename, 'wb') as f:
f.write(b'data')
os.chmod(filename, 0o755)
if not os.path.isfile(filename):
with open(filename, 'wb') as f:
f.write(b'data')
os.chmod(filename, 0o755)
with open(filename, 'xb') as f: # O_EXCL | O_CREAT
f.write(b'data')
os.fchmod(f.fileno(), 0o755)
with open(filename, 'xb') as f: # O_EXCL | O_CREAT
f.write(b'data')
os.fchmod(f.fileno(), 0o755)

View Slide

49
temporary files / directories
●
Don't write to /tmp directly
●
always use tempfile module!
●
consider a private temporary directory

View Slide

Parsing

View Slide

51
HTTP – RFC 822 header
content-type: text/html; charset=utf-8
content-length: 47446
x-clacks-overhead: GNU Terry Pratchett

...
content-type: text/html; charset=utf-8
content-length: 47446
x-clacks-overhead: GNU Terry Pratchett

...

View Slide

52
HTTP header parsing
sock = create_connection(('host', 80))
f = sock.makefile()
for line in f:
name, value = line.split(':', 1)
...
f = sock.makefile()
for line in f:
...

View Slide

53
HTTP header parsing DoS
f = sock.makefile()
for line in f: # DoS vulnerability
...
f = sock.makefile()
for line in f: # DoS vulnerability
...

View Slide

54
CVE-2013-1752 fix
MAX_LENGTH = 1024
while True:
line = f.readline(MAX_LENGTH + 1)
if len(line) > MAX_LENGTH:
raise ValueError
...
MAX_LENGTH = 1024
while True:
line = f.readline(MAX_LENGTH + 1)
if len(line) > MAX_LENGTH:
raise ValueError
...

View Slide

55
XML

text

text

View Slide

56
XML entities

]>

&title;

]>

&title;

View Slide

57
XML entities expansion attack

]>
&d;

]>
&d;

View Slide

58
XML network / file access
"http://www.python.org/some.xml">
"file:///etc/passwd">
]>

&remote;
&local;

"http://www.python.org/some.xml">
"file:///etc/passwd">
]>

&remote;
&local;

View Slide

59
XML attacks – defusexml
●
billion laughs / exponential entity expansion
●
quadratic blowup entity expansion
●
DTD & external entity expansion (remote and local)
●
attribute blowup / attribute hash collision attack
●
decompression bomb (gzip)
●
XPath injection attacks
●
XInclude
●
XMLSchema-Import
●
XSLT features wie xalan/redirect, xalan/java

View Slide

60
https://www.theguardian.com/technology/2017/aug/11/hacking-computer-dna-university-of-washington-lab

View Slide

Input validation
& sanitization

View Slide

62
SQL injection attack
SELECT * FROM users
WHERE username='%s' AND password='%s'
SELECT * FROM users
WHERE username='%s' AND password='%s'
query = select_user % (username, password)
query = select_user % (username, password)

View Slide

63
SQL injection attack
SELECT * FROM users
WHERE username='1' OR '1' = '1'
AND password='1' OR '1' = '1'
SELECT * FROM users
WHERE username='1' OR '1' = '1'
AND password='1' OR '1' = '1'
username = "1' or '1' = '1"
password = "1' or '1' = '1"
username = "1' or '1' = '1"
password = "1' or '1' = '1"

View Slide

64
subprocess shell=True
run_command("myfile; rm -rf *")
run_command("myfile; rm -rf *")
def run_command(filename):
return subprocess.check_call(
"command {}".format(filename),
shell=True)
def run_command(filename):
return subprocess.check_call(
"command {}".format(filename),
shell=True)

View Slide

65
More injection attacks
●
SQL
●
shell
●
LDAP
●
XPath / XQuery
●
NoSQL databases

View Slide

Cryptography

View Slide

67
The first rule of cryptography:
Don't implement your own crypto!

View Slide

68
TLS/SSL certificate validation
●
ssl.create_default_context()
●
verify_mode = ssl.CERT_REQUIRED
●
check_hostname = True
●
requests.get(…, verify=True) # default

View Slide

69
Random number generator (CSPRNG)
●
tokens
●
password salt
●
key material
●
session cookies
random.random()
os.urandom()

View Slide

70
Passwords
Salted key derivation and key stretching function
●
PBKDF2
●
scrypt
●
argon2
●
bcrypt
●
hmac.compare_digest()

View Slide

71
Social Login, SSO, Kerberos

View Slide

72
AES ECB mode

View Slide

73

View Slide

74
Malleability
malleable encryption algorithm

View Slide

75
Hashing: Length extension attack
# bad
hashlib.sha256(data + secret_token)
# bad
hashlib.sha256(data + secret_token)
# correct
hmac.HMAC(secret_token, data, 'sha256')
hashlib.blake2b(data, key=secret_token)
# correct
hmac.HMAC(secret_token, data, 'sha256')
hashlib.blake2b(data, key=secret_token)

View Slide

76
Authenticated encryption AES-GCM
def encrypt_image(payload, key, nonce, add_data):
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(nonce),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(add_data)
ciphertext = encryptor.update(payload)
ciphertext += encryptor.finalize()
return ciphertext, encryptor.tag
def encrypt_image(payload, key, nonce, add_data):
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(nonce),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(add_data)
ciphertext = encryptor.update(payload)
ciphertext += encryptor.finalize()
return ciphertext, encryptor.tag

View Slide

77
XOR
Encrypted with same nonce and same key

View Slide

78
Nonce collision

View Slide

79
Bad Crypto / Good Crypto
Bad
●
MD5
●
SHA-1
●
DES / 3DES
●
RC4
●
PKCS#1 v1.5 (JWE, JWT)
●
pycrypto package
Good
●
AES
●
ChaCha20 - Poly1305
●
SHA2 family (256, 384, 256)
●
blake2
●
PyCA cryptography
●
libsodium (NaCl)

View Slide

80
Secrets (tokens, keys)
Bad
●
env vars
●
command line
●
git
●
plain files
Good
●
Kernel keyring
(except in containers)
●
vault
●
encrypted at rest
●
HSM, TPM

View Slide

81

View Slide

Summary

View Slide

83
Summary
●
educate
●
reuse
●
restrict
●
encrypt
●
update
●
privacy

View Slide

THANK YOU
plus.google.com/+RedHat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
linkedin.com/company/red-hat

View Slide

PyCon UK 2017: Everyday security issues and how to avoid them

PyCon UK 2017: Everyday security issues and how to avoid them

Christian Heimes

More Decks by Christian Heimes

Other Decks in Programming

Featured

Transcript