PyGotham 2018: Everyday security issues and how to avoid them


https://2018.pygotham.org/talks/everyday-security-issues-and-how-to-avoid-them/

Security is hard, yet vital for any software these days. After some motivational facts, this talk will take you on a brief tour in secure software design and illustrate common security issues. Topics include threat analysis, deployment, parsing, authentication, TLS/SSL, crypto, and more.
Description

These days virtually all software and computer hardware is connected to the internet. Ultimately the internet is a hostile place, filled with people who will attempt to abuse any vulnerability for fun, profit or more sinister reasons. Therefore every software developer and administrator should have at least a basic understanding of how to develop and run code securely. After all, you don’t want to become the laughing stock on Hacker News or cause your company to lose billions in shareholder value.

This talk won’t turn you into a security specialist overnight, but you will learn how to avoid common mistakes in your daily work. I will introduce you to best practices and prevalent security bugs, hilarious anecdotes and some real-life examples from my daily work as a security engineer. The presentation features airplanes, squirrels, ducks, and the most efficient password cracking method: not as brutal as XKCD 538 and much more delicious.


Christian Heimes

October 05, 2018

Transcript

  1. Everyday security issues and how to avoid them PyGotham 2018

    / New York Christian Heimes Senior Software Engineer christian@python.org / cheimes@redhat.com @ChristianHeimes
  2. Everyday security issues, PyGotham 2018 2 Who am I? •

    from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team
  3. Everyday security issues, PyGotham 2018 3 Professional life • Senior

    Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI
  4. Agenda & Goals

  5. Everyday security issues, PyGotham 2018 5 • Motivation • What

    is security? • Honourable mention • Security bottom-up • Examples • Summary Agenda
  6. Everyday security issues, PyGotham 2018 6 depth breadth

  7. Motivation Why should I care?

  8. Everyday security issues, PyGotham 2018 8 proud craftsman responsible engineer

  9. Everyday security issues, PyGotham 2018 9 Business

  10. Everyday security issues, PyGotham 2018 10 https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-of-one-billion-accounts-breached

  11. Everyday security issues, PyGotham 2018 11 https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

  12. Everyday security issues, PyGotham 2018 12 https://nypost.com/2016/10/06/verizon-wants-1b-discount-on-yahoo-deal-after-hacking-reports/ https://www.cnet.com/news/verizon-and-yahoo-agree-to-cut-4-billion-deal-by-350-million/

  13. Everyday security issues, PyGotham 2018 13

  14. Everyday security issues, PyGotham 2018 14 Life and Death

  15. Everyday security issues, PyGotham 2018 15 https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

  16. Everyday security issues, PyGotham 2018 16 http://news.sky.com/story/gay-people-at-risk-after-ashley-madison-hack-10348710 http://www.bbc.com/news/technology-34044506

  17. Everyday security issues, PyGotham 2018 17 World laws pertaining to

    homosexual relationships and expression Wikipedia
  18. Everyday security issues, PyGotham 2018 18 Code of Conduct

  19. What is information security?

  20. Everyday security issues, PyGotham 2018 20 Wikipedia definition Information security

    is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
  21. Everyday security issues, PyGotham 2018 21

  22. Everyday security issues, PyGotham 2018 23 Why is security hard?

    • complex systems • weakest link causes catastrophic failures • security is not testable • design issues • multitude of attack vectors • threat analysis
  23. Everyday security issues, PyGotham 2018 24

  24. Everyday security issues, PyGotham 2018 25 https://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

  25. Everyday security issues, PyGotham 2018 26

  26. Everyday security issues, PyGotham 2018 27 Amazon Says One Engineer's

    Simple Mistake Brought the Internet Down 2017-02-28
  27. Everyday security issues, PyGotham 2018 28

  28. Everyday security issues, PyGotham 2018 29 RSA Key Extraction via

    Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  29. Everyday security issues, PyGotham 2018 32 CPU

  30. Everyday security issues, PyGotham 2018 33 Rowhammer, Spectre, Meltdown

  31. Everyday security issues, PyGotham 2018 34 'Руthοn' != 'Python'

  32. Everyday security issues, PyGotham 2018 35 Homoglyph confusion attack

    >>> import unicodedata
    >>> for c in 'Руthοn':
    ...     print(unicodedata.name(c))
    ...
    CYRILLIC CAPITAL LETTER ER
    CYRILLIC SMALL LETTER U
    LATIN SMALL LETTER T
    LATIN SMALL LETTER H
    GREEK SMALL LETTER OMICRON
    LATIN SMALL LETTER N
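The slide shows how to spot the lookalike by hand with unicodedata.name(). The following is an added example, not code from the talk: it turns that check into a small detector that reports which scripts a string mixes, and shows why NFKC normalisation alone (a common "fix") does not catch cross-script homoglyphs. The sample strings and the function names are constructed for this example.

```python
import unicodedata

# Constructed sample: the slide's string, i.e. "Python" written with
# CYRILLIC CAPITAL LETTER ER, CYRILLIC SMALL LETTER U and GREEK SMALL LETTER OMICRON.
CONFUSABLE = "\u0420\u0443th\u03bfn"
GENUINE = "Python"


def script_of(char):
    """Script of a letter, taken from the first word of its Unicode name
    ('LATIN SMALL LETTER T' -> 'LATIN'). Non-letters (digits, punctuation)
    return None so they never count as a script on their own."""
    if not unicodedata.category(char).startswith("L"):
        return None
    return unicodedata.name(char, "UNKNOWN").split(" ", 1)[0]


def scripts(text):
    """Set of scripts used by the letters in text."""
    return {s for s in map(script_of, text) if s is not None}


def is_mixed_script(text):
    """True when letters from more than one script are mixed, which is what
    distinguishes a homoglyph lookalike from a genuine identifier, user name
    or host name in a single script."""
    return len(scripts(text)) > 1


def skeleton(text):
    """NFKC normalisation folds compatibility forms (fullwidth letters,
    ligatures) into their base characters. It does NOT fold cross-script
    lookalikes, so it complements is_mixed_script() rather than replacing it."""
    return unicodedata.normalize("NFKC", text)


if __name__ == "__main__":
    print(CONFUSABLE != GENUINE)                 # True: different code points
    print(CONFUSABLE.isidentifier())             # True: Python accepts it as a name
    print(scripts(CONFUSABLE))                   # CYRILLIC, LATIN and GREEK (set order varies)
    print(is_mixed_script(CONFUSABLE), is_mixed_script(GENUINE))   # True False
    print(skeleton("\uff30ython") == GENUINE)    # True: fullwidth P is folded by NFKC
    print(skeleton(CONFUSABLE) == GENUINE)       # False: NFKC does not repair homoglyphs
```

Rejecting or flagging mixed-script input is the policy browsers apply to internationalised domain names; for Python identifiers, user names and package names the same rule catches the case on the slide.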
  33. Everyday security issues, PyGotham 2018 36 User Interface

  34. Everyday security issues, PyGotham 2018 37 Bruce Schneier on Security

    Design Stop Trying to Fix the User
  35. Honourable mention

  36. Everyday security issues, PyGotham 2018 39 Out of scope •

    legal requirements (e.g. EU privacy shield, FISMA) • data centre security • hardware security (e.g. Intel Management Engine) • browser / web security • ransomware • state sponsored actors • cyber war
  37. Everyday security issues, PyGotham 2018 40 Wikipedia

  38. Everyday security issues, PyGotham 2018 41 cybersquirrel1.com – attacks on

    power grid http://cybersquirrel1.com/
  39. Everyday security issues, PyGotham 2018 42 Human factor

    • Social engineering • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management
  40. Everyday security issues, PyGotham 2018 43 Security vs. Usability

  41. Everyday security issues, PyGotham 2018 44 IoT – Internet of

    Things The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)
  42. Everyday security issues, PyGotham 2018 45

  43. Security bottom-up

  44. Everyday security issues, PyGotham 2018 47 Hardware & OS

    • Hardware from trustworthy vendor • validate OS image • UEFI secure boot (protect your MOK) • Firewall • update, update, update • SELinux / AppArmor
    don't: setenforce 0
    do:    semanage permissive -a myapp_t
  45. Everyday security issues, PyGotham 2018 48 The Big Hack: Supermicro

    https://twitter.com/qrs/status/1047910169261330432
  46. Everyday security issues, PyGotham 2018 49 Application

    • don't run as root or admin • Restrict and isolate: separate user and group; systemd: PrivateTmp, ProtectSystem, RemoveIPC, CapabilityBoundingSet, …; seccomp sandboxing • encrypt in transit (TLS/SSL), encrypt at rest • bind to localhost • strong authentication • update, update, update … and restart!
  47. Everyday security issues, PyGotham 2018 50 Mitigation: Defence in depth

  48. Everyday security issues, PyGotham 2018 51 Update!

  49. Python

  50. Everyday security issues, PyGotham 2018 53 High level, memory safe

    languages
  51. Everyday security issues, PyGotham 2018 55 Dangerous Python features •

    exec() • eval() • import, __import__() • pickle, marshal • ctypes
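The slide lists pickle among the dangerous features because a pickle stream may name any importable callable and have it invoked during load(). The following is an added example, not code from the talk: the allow-listing Unpickler pattern from the Python documentation, with a helper that reports why a payload was refused. SAFE_BUILTINS, the sample payloads and the helper names are constructed for this example.

```python
import builtins
import collections
import io
import pickle

# Globals an untrusted pickle may reference; everything else is refused.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() refuses every global outside SAFE_BUILTINS.
    find_class() is the single chokepoint through which a pickle stream reaches
    code, so a short allow-list here bounds what load() can ever call."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    """Load a pickle while enforcing the allow-list above."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_if_safe(data):
    """Return (True, obj) when the payload only used allowed globals,
    otherwise (False, reason) so the caller can log and drop it."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: plain containers need no globals at all, whereas an
# OrderedDict makes the stream reference collections.OrderedDict.
SAFE_SAMPLE = pickle.dumps({"ids": [1, 2, 3], "tags": {"a", "b"}})
UNSAFE_SAMPLE = pickle.dumps(collections.OrderedDict(x=1))

if __name__ == "__main__":
    print(load_if_safe(SAFE_SAMPLE))     # (True, {...})
    print(load_if_safe(UNSAFE_SAMPLE))   # (False, "global 'collections.OrderedDict' is forbidden")
```

For data that crosses a trust boundary the better answer is usually a data-only format such as JSON; the restricted unpickler is for the cases where the wire format is already fixed.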
  52. Examples

  53. Files I/O

  54. Everyday security issues, PyGotham 2018 59 Directory traversal attack

    BASE = '/var/lib/files'

    @app.route('/download/<filename>')
    def download(filename):
        absname = os.path.join(BASE, filename)
        with open(absname) as f:
            return f.read()

    /download/image.jpg
  55. Everyday security issues, PyGotham 2018 60 Directory traversal attack

    /download/private/image.jpg
    /download/../etc/passwd
    /download/../../etc/passwd
    /download/../../../etc/passwd
    /download/../../../etc/httpd/server.key
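The slides show the vulnerable handler and the paths that escape BASE; they do not show the fix. The following is an added example, not code from the talk: a safe_join() that resolves the requested path and refuses anything outside the base directory, including symlinks that point out of it. The function names are constructed for this example; BASE is the slide's value.

```python
import os

BASE = "/var/lib/files"   # the slide's document root


def safe_join(base, user_path):
    """Resolve user_path under base and refuse anything that escapes base.
    realpath() collapses '..' AND follows symlinks, so a link inside base that
    points outside is rejected too; os.path.normpath() alone would miss that."""
    base_real = os.path.realpath(base)
    # os.path.join() silently discards base when user_path is absolute, which is
    # why the result has to be checked afterwards rather than trusted.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_safe(base, user_path):
    """Boolean view of safe_join() for logging or tests."""
    try:
        safe_join(base, user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for p in ("image.jpg", "private/image.jpg", "../etc/passwd",
              "../../../etc/httpd/server.key", "/etc/passwd"):
        print(f"{p!r:35} {'ok' if is_safe(BASE, p) else 'REJECTED'}")
```

The handler on the slide would call safe_join(BASE, filename) instead of os.path.join() and return a 404 on PermissionError; note that the comparison is on the resolved path, not on the string the client sent.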
  56. Everyday security issues, PyGotham 2018 61 TOCTOU / race condition

    if not os.path.isfile(filename):
        with open(filename, 'wb') as f:
            f.write(b'data')
        os.chmod(filename, 0o755)

    with open(filename, 'xb') as f:  # O_EXCL | O_CREAT
        f.write(b'data')
        os.fchmod(f.fileno(), 0o755)
  57. Everyday security issues, PyGotham 2018 62 temporary files / directories

    • don't write to /tmp directly • use secure temporary file API (tempfile module) • consider a private temporary directory
  58. Parsing

  59. Everyday security issues, PyGotham 2018 64 HTTP – RFC 822 header

    content-type: text/html; charset=utf-8
    content-length: 47446
    x-clacks-overhead: GNU Terry Pratchett

    <html>
    <head>
    ...
  60. Everyday security issues, PyGotham 2018 65 HTTP header parsing

    from socket import create_connection

    sock = create_connection(('host', 80))
    f = sock.makefile()
    for line in f:
        name, value = line.split(':', 1)
        ...
  61. Everyday security issues, PyGotham 2018 66 HTTP header parsing DoS

    from socket import create_connection

    sock = create_connection(('host', 80))
    f = sock.makefile()
    for line in f:  # DoS vulnerability
        name, value = line.split(':', 1)
        ...
  62. Everyday security issues, PyGotham 2018 67 CVE-2013-1752 fix

    MAX_LENGTH = 1024
    while True:
        line = f.readline(MAX_LENGTH + 1)
        if len(line) > MAX_LENGTH:
            raise ValueError
        ...
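The slides give the vulnerable loop and the bounded readline() from the CVE-2013-1752 fix. The following is an added example, not code from the talk: a complete header reader built on that fix, which also caps the number of header lines and is exercised against a constructed header block and a constructed line that never ends. MAX_LINE, MAX_HEADERS, HeaderError and the sample inputs are assumptions of this example.

```python
import io

MAX_LINE = 1024      # bytes per header line, the limit from the CVE-2013-1752 fix
MAX_HEADERS = 100    # cap the number of lines as well, not only their length


class HeaderError(ValueError):
    pass


def read_headers(f):
    """Parse RFC 822 style 'name: value' lines from a binary file object up to
    the blank line. Every readline() call is bounded, so a peer that never sends
    a newline cannot make this loop buffer an unbounded line in memory."""
    headers = {}
    for _ in range(MAX_HEADERS):
        line = f.readline(MAX_LINE + 1)
        if len(line) > MAX_LINE:
            raise HeaderError("header line exceeds %d bytes" % MAX_LINE)
        if line in (b"", b"\n", b"\r\n"):
            return headers                      # end of header block (or EOF)
        name, sep, value = line.partition(b":")
        name = name.strip()
        if not sep or not name or not name.isascii():
            raise HeaderError("malformed header line: %r" % line[:40])
        headers[name.lower().decode("ascii")] = value.strip().decode("latin-1")
    raise HeaderError("more than %d header lines" % MAX_HEADERS)


def parse_or_none(data):
    """Parse a byte string; None means the input was rejected."""
    try:
        return read_headers(io.BytesIO(data))
    except HeaderError:
        return None


# Constructed samples: the slide's header block, and a line that never ends.
GOOD = (b"content-type: text/html; charset=utf-8\r\n"
        b"content-length: 47446\r\n"
        b"x-clacks-overhead: GNU Terry Pratchett\r\n"
        b"\r\n"
        b"<html>\n<head>\n")
ENDLESS = b"x-padding: " + b"A" * 100_000 + b"\r\n\r\n"

if __name__ == "__main__":
    print(parse_or_none(GOOD))      # three headers, body left unread in the stream
    print(parse_or_none(ENDLESS))   # None: rejected after 1025 bytes, not after 100 KB
```

The same shape applies to any line-oriented protocol read from a socket: bound every read, and bound the count of reads, before trusting the loop to terminate.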
  63. Everyday security issues, PyGotham 2018 68 XML

    <xml>
      <tag attribute="value">text</tag>
    </xml>
  64. Everyday security issues, PyGotham 2018 69 XML entities

    <!DOCTYPE example [
      <!ENTITY title "My title" >
    ]>
    <xml>
      <tag attribute="value">&title;</tag>
    </xml>
  65. Everyday security issues, PyGotham 2018 70 XML entities expansion attack

    <!DOCTYPE xmlbomb [
      <!ENTITY a "1234567890" >
      <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
      <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
      <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
    ]>
    <bomb>&d;</bomb>
  66. Everyday security issues, PyGotham 2018 71 XML network / file access

    <!DOCTYPE external [
      <!ENTITY remote SYSTEM "http://www.python.org/some.xml">
      <!ENTITY local SYSTEM "file:///etc/passwd">
    ]>
    <xml>
      <url>&remote;</url>
      <file>&local;</file>
    </xml>
  67. Everyday security issues, PyGotham 2018 72 XML attacks – defusedxml

    • billion laughs / exponential entity expansion • quadratic blowup entity expansion • DTD & external entity expansion (remote and local) • attribute blowup / attribute hash collision attack • decompression bomb (gzip) • XPath injection attacks • XInclude <xi:include /> • XMLSchema-Import <xs:import /> • XSLT features such as xalan/redirect, xalan/java
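Slides 64 to 67 show the entity, expansion-bomb and external-entity documents and name defusedxml as the fix. The following is an added example, not code from the talk or from defusedxml: it installs the same expat handlers defusedxml uses, so that a DTD, an entity declaration or an external entity reference aborts the parse before any expansion happens, and runs them over the slide's documents. UnsafeXML, the handler names and the sample strings are constructed for this example.

```python
import xml.parsers.expat

# Constructed samples: the slide's harmless document, its entity bomb and its
# external-entity document.
PLAIN = '<xml><tag attribute="value">text</tag></xml>'
BOMB = ('<!DOCTYPE xmlbomb [ <!ENTITY a "1234567890" >'
        ' <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">'
        ' <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">'
        ' <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;"> ]>'
        '<bomb>&d;</bomb>')
EXTERNAL = ('<!DOCTYPE external [ <!ENTITY local SYSTEM "file:///etc/passwd"> ]>'
            '<xml><file>&local;</file></xml>')


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse with expat but refuse DTDs, entity declarations and external entity
    references up front. Returns (tag, text) pairs in the order the elements
    close. A Python exception raised inside a handler stops expat and is
    re-raised by Parse(), so nothing is expanded after the refusal."""
    parser = xml.parsers.expat.ParserCreate()
    stack, elements = [], []

    def forbid_dtd(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DTD refused: " + doctype_name)

    def forbid_entity(entity_name, *rest):
        raise UnsafeXML("entity declaration refused: " + entity_name)

    def forbid_external(context, base, system_id, public_id):
        raise UnsafeXML("external entity refused: %r" % system_id)

    parser.StartDoctypeDeclHandler = forbid_dtd
    parser.EntityDeclHandler = forbid_entity
    parser.UnparsedEntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = lambda name, attrs: stack.append((name, []))
    parser.CharacterDataHandler = lambda text: stack[-1][1].append(text)

    def end_element(name):
        tag, parts = stack.pop()
        elements.append((tag, "".join(parts)))

    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return elements


def is_safe_xml(data):
    """True when the document parsed without hitting one of the refusals."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print(parse_untrusted_xml(PLAIN))   # [('tag', 'text'), ('xml', '')]
    print(is_safe_xml(BOMB), is_safe_xml(EXTERNAL))   # False False
```

Refusing DTDs outright is the simplest policy for data from the network; documents that legitimately need a DTD should go through defusedxml, which applies these hooks to ElementTree, minidom and SAX and adds the size limits from the list above.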
  68. Everyday security issues, PyGotham 2018 73 gettext translation

    msgid ""
    msgstr ""
    "Project-Id-Version: 2.0\n"
    "PO-Revision-Date: 2003-04-11 12:42-0400\n"
    "Last-Translator: Barry A. Warsaw <barry@python.org>\n"
    "Language-Team: XX <python-dev@python.org>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: 7bit\n"
    "Generated-By: manually\n"
    "Plural-Forms: nplurals=2; plural=(n != 1);\n"
  69. Everyday security issues, PyGotham 2018 74 gettext plural forms

    • English, Italian, German: nplurals=2; plural=n != 1;
    • French: nplurals=2; plural=n > 1;
    • Celtic: nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;
    • Russian: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;
    • Denial-Of-Service: nplurals=2; plural=n ** 1000 ** 1000 ** 1000 ** 1000; issue #18317, #28563
  70. Everyday security issues, PyGotham 2018 75 catastrophic backtracking in regular expression (CVE-2018-1060 / 1061)

    commit 0e6c8ee2358a2e23117501826c008842acb835ac
    Author: Jamie Davis <davisjam@vt.edu>
    Date:   Sun Mar 4 00:33:32 2018 -0500

        bpo-32981: Fix catastrophic backtracking vulns (#5955)
        ...
        Happily, the maximum length of malicious inputs is 2K thanks to a limit
        introduced in the fix for CVE-2013-1752.
        ...
        Co-authored-by: Tim Peters <tim.peters@gmail.com>
        Co-authored-by: Christian Heimes <christian@python.org>

    --- a/Lib/difflib.py
    +++ b/Lib/difflib.py
    -def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
    +def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
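Review bot: in the old default `\s*#?\s*$` the two `\s*` groups can split one run of whitespace in every possible way once the optional `#` is absent and the trailing `$` fails on a non-whitespace character, which is the backtracking the commit title refers to; the replacement `\s*(?:#\s*)?$` only admits whitespace after a `#`, so there is a single way to consume the run. The excerpt carries no regression test, so add one that calls IS_LINE_JUNK on a long whitespace run ending in a non-whitespace character, and since the commit message leans on the 2K line limit from the CVE-2013-1752 fix for the other patterns, note in the docstring that this pattern is safe independent of input length so that dependence is not quietly reintroduced later.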
  71. Everyday security issues, PyGotham 2018 76 https://www.theguardian.com/technology/2017/aug/11/hacking-computer-dna-university-of-washington-lab

  72. Input validation & sanitization

  73. Everyday security issues, PyGotham 2018 78 SQL injection attack

    SELECT * FROM users WHERE username='%s' AND password='%s'

    query = select_user % (username, password)
  74. Everyday security issues, PyGotham 2018 79 SQL injection attack

    SELECT * FROM users WHERE username='1' OR '1' = '1' AND password='1' OR '1' = '1'

    username = "1' or '1' = '1"
    password = "1' or '1' = '1"
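Slides 73 and 74 show the interpolated query and the input that turns it into a tautology; they do not show the parameterised form. The following is an added example, not code from the talk: both queries run against an in-memory sqlite3 database with one constructed row, so the difference in outcome is visible. The table, the row and the function names are constructed for this example.

```python
import sqlite3

# The slide's query, once with string interpolation and once with placeholders.
SELECT_USER_UNSAFE = "SELECT * FROM users WHERE username='%s' AND password='%s'"
SELECT_USER_SAFE = "SELECT * FROM users WHERE username=? AND password=?"


def make_db():
    """In-memory database with one constructed row. (Storing passwords in the
    clear is itself wrong; it is kept only to mirror the slide's query.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_unsafe(conn, username, password):
    """The vulnerable pattern: user input becomes part of the SQL text, so the
    quotes in the slide's payload close the literal and the OR becomes syntax."""
    query = SELECT_USER_UNSAFE % (username, password)
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement, so quotes inside them are data and never SQL syntax."""
    return conn.execute(SELECT_USER_SAFE, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    username = "1' or '1' = '1"     # the slide's payload
    password = "1' or '1' = '1"
    print("unsafe:", login_unsafe(conn, username, password))   # ('alice', 's3cret')
    print("safe:  ", login_safe(conn, username, password))     # None
    print("safe:  ", login_safe(conn, "alice", "s3cret"))      # ('alice', 's3cret')
```

The placeholder style (`?`, `%s`, `:name`) varies by DB-API driver, but the rule is the same everywhere: the statement text is a constant and values travel in the second argument to execute().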
  75. Everyday security issues, PyGotham 2018 80 subprocess shell=True

    def run_command(filename):
        return subprocess.check_call(
            "command {}".format(filename), shell=True)

    run_command("myfile; rm -rf *")
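The slide shows run_command() building a shell string from user input. The following is an added example, not code from the talk: the argument-vector form of the same call, plus shlex.quote() for the cases where a shell string cannot be avoided. Because the slide's `command` does not exist here, the child process is `sys.executable -c`, which simply echoes the argument it received; that substitution and the function names are assumptions of this example.

```python
import shlex
import subprocess
import sys


def run_command(filename):
    """Argument-vector form of the slide's run_command(): no shell is involved,
    so ';', '*' and friends inside filename are never interpreted. The child
    here just prints argv[1] back so we can see exactly what it received."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def shell_safe_command(filename):
    """If a shell string is unavoidable (pipes, redirects), quote each piece of
    user data with shlex.quote() instead of str.format()."""
    return "command " + shlex.quote(filename)


if __name__ == "__main__":
    print(run_command("myfile; rm -rf *"))          # myfile; rm -rf *  (one argument, nothing executed)
    print(shell_safe_command("myfile; rm -rf *"))   # command 'myfile; rm -rf *'
    print(shell_safe_command("image.jpg"))          # command image.jpg
```

The list form also sidesteps word splitting and glob expansion on ordinary filenames with spaces, which is a correctness win even before the security argument.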
  76. Everyday security issues, PyGotham 2018 81 More injection attacks •

    SQL • shell • LDAP • XPath / XQuery • NoSQL databases • ASN.1 • JSON
  77. TLS / SSL

  78. Everyday security issues, PyGotham 2018 83 TLS/SSL certificate validation

    • ssl.create_default_context() • verify_mode = ssl.CERT_REQUIRED • check_hostname = True • requests.get(…, verify=True) # default
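The slide lists the context settings that make a client actually validate the server. The following is an added example, not code from the talk: the recommended context next to the anti-pattern that disables validation, and an audit function that reports which of the slide's settings a given SSLContext is missing. The function names and the finding texts are constructed for this example; the ssl attributes are the standard library's.

```python
import ssl


def client_context():
    """The recommended client setup from the slide: system CA store,
    verify_mode CERT_REQUIRED and check_hostname True are the defaults of
    ssl.create_default_context(); the minimum protocol version is pinned too."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The anti-pattern: a context that accepts any certificate for any host,
    the equivalent of requests.get(..., verify=False). check_hostname has to
    be switched off first, otherwise lowering verify_mode raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the findings for a client SSLContext; an empty list means the
    context validates the peer the way the slide recommends."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


if __name__ == "__main__":
    print(audit_context(client_context()))   # []
    for finding in audit_context(weak_context()):
        print("weak:", finding)
```

A check like audit_context() belongs in a unit test for any module that builds its own SSLContext, since the weak settings are usually introduced as a "temporary" workaround for a self-signed test server.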
  79. Everyday security issues, PyGotham 2018 85 Don't roll your own

    cert validation • > 6 bugs in Python's hostname verification code • CVE-2013-2099, #12000, #17997, #17305, #30141 • Python 3.7 uses X509_VERIFY_PARAM_set1_host() OpenSSL 1.0.2+ / LibreSSL 2.7.0 • https://github.com/libressl-portable/portable/issues/381
  80. Everyday security issues, PyGotham 2018 86

  81. Cryptography

  82. Everyday security issues, PyGotham 2018 90 The first rule of

    cryptography: Don't implement your own crypto!
  83. Everyday security issues, PyGotham 2018 91 AES and RSA are

    mathematical artifacts.
  84. Everyday security issues, PyGotham 2018 92 AES ECB mode

  85. Everyday security issues, PyGotham 2018 93 34C3: Squeezing a key through a carry bit

    • Attack by Filippo Valsorda from Cloudflare Google • Bug in Go's P-256 elliptic curve implementation • Misplaced carry bit in 0.00000003% • CVE-2017-8932
  86. Everyday security issues, PyGotham 2018 94 The second rule of

    cryptography: Implement your own crypto, but never use it in production!
  87. Everyday security issues, PyGotham 2018 95 Random number generator (CSPRNG)

    • tokens • password salt • key material • session cookies
    os.urandom()
    crypto/rand
    int getrandom(void *buf, size_t buflen, unsigned int flags);
  88. Everyday security issues, PyGotham 2018 96 Passwords

    Salted key derivation and key stretching function • argon2 • scrypt • bcrypt • PBKDF2 • Constant timing comparison operator! hmac.compare_digest()
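Slides 87 and 88 name the building blocks: a CSPRNG for tokens and salts, a salted and stretched password hash, and hmac.compare_digest() for the check. The following is an added example, not code from the talk: it ties them together with the standard library only, using PBKDF2 because it is always available (argon2 or scrypt from the slide are preferable when their packages are present). The record format, ITERATIONS and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # raise as hardware allows; making each guess expensive is the point


def new_token(nbytes=32):
    """Session cookie / reset token from the CSPRNG (os.urandom underneath)."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password):
    """Salted, stretched hash. The record carries algorithm, cost and salt, so
    the verifier can recompute it and the cost can be raised per record later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and cost, then compare in constant time so
    the comparison's duration does not leak how many leading bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "Tr0ub4dor&3"))                    # False
    print(new_token())
```

Two records for the same password differ because each gets a fresh salt, which is what defeats precomputed tables; the per-record iteration count is what lets you raise the cost for new users without invalidating old records.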
  89. Everyday security issues, PyGotham 2018 97 Social Login, SSO, Kerberos

  90. Everyday security issues, PyGotham 2018 105 Bad Crypto / Good

    Crypto Bad • MD5 • SHA-1 • DES / 3DES • RC4 • PKCS#1 v1.5 (JWE, JWT) • pycrypto package Good • AES • ChaCha20 - Poly1305 • SHA2 family (256, 384, 512) • blake2 • PyCA cryptography • libsodium (NaCl)
  91. Everyday security issues, PyGotham 2018 106 Secrets (tokens, keys) Bad

    • env vars • command line • git • plain files Good • Kernel keyring (except in containers) • vault • encrypted at rest • HSM, TPM
  92. Everyday security issues, PyGotham 2018 107

  93. Summary

  94. Everyday security issues, PyGotham 2018 109 Summary • educate •

    reuse • restrict • encrypt • update • privacy
  95. Everyday security issues, PyGotham 2018 110 Get in touch •

    @ChristianHeimes • christian@python.org / cheimes@redhat.com
  96. THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews linkedin.com/company/red-hat