Software Security : From school to reality and back!

Transcript

1. Software Security From school to reality and back!

2. #outline * terminology * hacker-hats * From school * tools

   * competitions * progress * references

3. Programing ? * Program : Transformation of question / task

   to math-logic problem * Code : Smart calculator based on sequences of reads and writes * Performance how smart you build logic of your calculator

4. hacker http://en.wikipedia.org/wiki/Hacker Hacker (term), is a term used in computing

   that can describe several types of persons 1. Hacker (computer security) someone who seeks and exploits weaknesses in a computer system or computer network 2. Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment 3. Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities

5. vulnerability http://en.wikipedia.org/wiki/Vulnerability_(computing) In computer security, a vulnerability is a weakness

   which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.[1] To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface

6. exploitation http://en.wikipedia.org/wiki/Exploit_(computer_security) An exploit (from the English verb to exploit,

   meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause *UNINTENDED OR UNANTICIPATED BEHAVIOR* to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

7. Exploitation [??? guys] ▪ Hunt vulnerabilities – Write fuzzers, checkers,

   support tools … – Use 0days for their own reasons, cyber weapons, spying.. ▪ Invent / copy methodologies – Misuse hole in protection mechanism for attack! – Do 0day business with 3rd party – Keep their research private

8. What ??? do

9. Exploitation [good guys] ▪ Hunt vulnerabilities – Write fuzzers, checkers,

   support tools … – Report to vendors & Cooperate on fix ▪ Invent new methodologies – To uncover weakness of current protection mechanism – Cooperate on effective mitigations – Share research with community for faster improvement

10. What good guys do

11. CALC … Seriously ?!

12. Attack chain • Social engineering • Vulnerability Attack vector :

    • Killing 0days proactive solution! Prevent to automatic install malware • Cure after- effects Dissecting malware If proactive fails Targeted attack here won already!

13. Aftermath Low hanging fruits Poping calcs Good luck …

14. ... It is all about bugs ... ▪ We are

    humans and making mistakes ▪ Many bugs in code, especially in large codebase ▪ OS introduce many defensive mechanism for effective mitigating techniques for exploiting bugs ▪ What every programmer should know – Algorithms – Designs problems & principles – CPU & Memory (& at least basic understanding of your compiler) – vulnerability classes – mitigation techniques – auditing tools

15. Algorithms [RP, Tvorba efekt. algo.] ▪ Most of times you

    will not re-implement binary trees, fibonaci heaps, flow algo … ▪ But Algorithmic thinking helps you to find a way how to effective solve given problems ▪ It learns you out-of-box thinking ▪ BUT, Can also push you to the corners! ▪ Always keep in mind : PERFORMANCE > SECURITY is very *very* bad idea ▪ First think about design, later optimize! https://www.topcoder.com/community/data-science/data-science-tutorials/

16. Design [Programovanie (3)] ▪ OOP is very effective way to

    build complex systems ▪ Reuse code, modularity, abstraction ▪ Keep clean code, descriptive naming, simple one purpose functions ▪ Keep focus on language features, and its newest development! ▪ Design patterns can help /show you generalization of problem ▪ But design patterns are *not* solution for everything ▪ Think about design patterns and use them when it is appropriate ▪ Good design leads to easier maintance, refactoring & review https://sourcemaking.com/design_patterns http://www.stroustrup.com/C++11FAQ.html

17. MEMORY & CPU [Principy pocitacov] ▪ Understand memory & cpu

    – How are data stored – Instructions – assembler ▪ X86, arm ▪ Understand “program->compiler->assembly” – Variables – Functions – Loops & calls https://www.recurse.com/blog/5-learning-c-with-gdb https://www.recurse.com/blog/7-understanding-c-by-learning-assembly http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

18. SAT Solvers [FOJA, Algebra] ▪ Magic Blackbox with right answer

    – Boolean Satisfiability Problem ▪ Based on Boolean algebra ▪ NP-complete , but some optimalization used  ▪ Appropriate & smart formulation of problem (part of problem), helps in fuzzers and explotation as well ▪ Competition of sat solvers! http://www.quarkslab.com/dl/StHack2015-Dynamic-Behavior-Analysis-using- Binary-Instrumentation-Jonathan-Salwan.pdf https://github.com/0vercl0k/z3-playground/blob/master/hackingweek- reverse400_z3.py http://en.wikipedia.org/wiki/Boolean_satisfiability_problem http://www.satcompetition.org/

19. bugs & bugs http://www.sublimetext.com/ http://en.wikipedia.org/wiki/Buffer_overflow

20. CODE : Bubble sort ? http://www.vim.org/ https://inguma.eu/projects/bokken

21. VULNERABILITY Bubble sort ! As signed numbers can represent NEGATIVE

    numbers, they lose a range of positive numbers that can only be represented with unsigned numbers of the same size (in bits) because roughly half the possible values are non-positive values (so if an 8- bit is signed, positive unsigned values 128 to 255 are gone while -128 to 127 are present). Unsigned variables can dedicate all the possible values to the positive number range. https://www.visualstudio.com/ en-us/products/visual-studio-community-vs.aspx

22. EXPLOITATION Bubble sort !

23. Some of hardening Stack canaries Memory allocation randomiza tion Memory

    object separation DEP i want exec Those are data

24. How to Start … tools, competitions …

25. IDE (+ plugins!) programming environment • Visual Studio 2013 (community

    edition) • Vim • Sublime

26. REVERSE ENGENEERING • bokken • windbg • gdb (lldb)

27. Virtual machine + emulators • Virtual Box • Bochsd •

    Qemu

28. Additional tools (win) • ConEmu (far manager) • Hiew •

    cygwin

29. Additional tools • Z3 • Capstone • Git • Process

    explorer

30. ALGO - COMPETITIONS

31. CTF - COMPETITIONS

32. Final words … advices, references …

33. SELF – learning For ever and ever best approach *DO

    SPORT* Keep balanced body and mind essential for creative ideas ;) HARDwork Push 110% to everything in your life (learning, sport, work, study, …)

34. #whoami * Peter Hlavaty - @zer0mem * GJH (2004-2008) *

    Matfyz (2008-2010) * ESET (2010-2014) * KEEN (2014-…) * Conferences (…) * Lectures (…) * Pwn Events (...) Feel free to ContacT me I will try to help (with some delay +- :)

35. tweets ▪ @aionescu ▪ @Ivanlef0u ▪ @K33nTeam ▪ @binitamshah ▪

    @taviso ▪ @team509 ▪ @mdowd ▪ @d_olex ▪ @grsecurity ▪ @kernelpool ▪ @gynvael ▪ @j00ru ▪ @lcamtuf ▪ @0verl0ck ▪ @matrosov ▪ @vxradius ▪ @trimosx ▪ @solardiz

36. References - tools editor: http://www.vim.org/ https://www.visualstudio.com/en-us/ products/visual-studio-community-vs.aspx http://www.sublimetext.com/ re :

    https://inguma.eu/projects/bokken http://www.radare.org/r/ http://www.capstone-engine.org/ http://www.windbg.org/ https://msdn.microsoft.com/en- us/library/windows/hardware/ff551063(v=vs.85).aspx http://www.gnu.org/software/gdb/ http://lldb.llvm.org/ virtual : https://www.virtualbox.org/ http://bochs.sourceforge.net/ http://wiki.qemu.org/Main_Page tools: http://www.farmanager.com/ http://www.hiew.ru/ http://conemu.github.io/ https://www.cygwin.com/ https://github.com/Z3Prover/z3 http://rise4fun.com/z3/tutorial http://www.capstone-engine.org/ https://github.com/ https://technet.microsoft.com/sk- sk/sysinternals/bb896653

37. References - events http://ctf.codegate.org/ https://ctf.0ops.sjtu.cn/ https://legitbs.net/ http://ghostintheshellcode.com/ http://play.plaidctf.com/ https://ctf.dragonsector.pl/ https://github.com/ctfs/write-ups-2015/

    http://uva.onlinejudge.org/ https://www.topcoder.com/community/data-science/data- science-tutorials/ https://arena.topcoder.com/#/a/home http://zenit.edu.sk/ https://www.ksp.sk/ http://people.ksp.sk/~acm/welcome.php