DEF CON 22: The Open Crypto Audit Project

Transcript

1. The  Open  Crypto  Audit  Project:   Our  Story Kenneth White

   & Matthew Green DEF CON 22 | 2014.08.08

2. Open  Crypto  Audit  Project Everyone has a story. This is

   ours. DEF CON 22 | 2014.08.08

3. Agenda •  First Principles •  Post-Snowden Era •  The TrueCrypt

   Story •  Open Crypto Audit Project •  Secure Coding & Trust •  Looking Ahead •  Open Discussion (and swag!) DEF CON 22 | 2014.08.08

4. About  Us DEF CON 22 | 2014.08.08

5. Kenneth  White •  Interests: RT signals, embedded systems, analytics • 

   First DEFCON: DC10 •  Formal training: bio-signals (EEG/ERP, MRI, PET, EKG, EOG) •  Early career: databases, *nix, RTOS, h/w drivers •  Lifecycle: FDA (cardiac safety), SEI SEPG, IA •  Defense: network security, API endpoints •  Recently: public cloud security, ML/classification, safety-critical systems, breaking crypto/networks/ websites/OS’ •  Now: OCAP, Linux Foundation CII, NGO security •  @kennwhite DEF CON 22 | 2014.08.08

6. I  like  to  work  on  interesting  problems DEF CON 22

   | 2014.08.08

7. MaDhew  Green •  Johns Hopkins University: Computer Science •  Teaches

   applied cryptography •  Builds secure systems •  Trained under Susan Hohenberger &Avi Rubin •  Former senior research staff: AT&T Labs •  On-going Research includes: o  Techniques for privacy-enhanced information storage o  Anonymous payment systems (including ZeroCoin) o  Bilinear map-based cryptography •  @matthew_d_green DEF CON 22 | 2014.08.08

8. MaDhew  Green DEF CON 22 | 2014.08.08 (not his actual

   Dachshunds)

9. Long  journey  to  DEFCON  (no,  really) DEF CON 22 |

   2014.08.08 (my actual Shepherds, semi-medicated)

10. “I’m here to share what I know, and learn with

    and from you.” — Jack Daniel DEF CON 22 | 2014.08.08

11. First  Principles “If a bad guy can persuade you to

    run his program on your computer, it's not your computer anymore.” — Scott Culp DEF CON 22 | 2014.08.08

12. First  Principles “If a bad guy can persuade you to

    run his program on your computer, it's not your computer anymore.” — Scott Culp “Even if it has disk encryption.” — Kenn White DEF CON 22 | 2014.08.08

13. Crypto  101:  First  Principles Thompson: Reflections on Trusting Trust cm.bell-labs.com/who/ken/trust.html

    Culp: 10 Immutable Laws of Security technet.microsoft.com/library/cc722487 Zimmerman: Beware of Snake Oil www.philzimmermann.com/EN/essays/SnakeOil DEF CON 22 | 2014.08.08

14. Post-­‐‑Snowden  Era •  NYT, Propublica, Guardian: NSA spends $250M/yr to

    counter & undermine “the use of ubiquitous encryption across the internet” •  NIST technical standards “intentionally weakened” •  BULLRUN: NSA actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” The New York Times, 2013/09/05 See: www.eff.org/nsa-spying/timeline DEF CON 22 | 2014.08.08

15. Post-­‐‑Snowden  Era “Furthermore, we will be reviewing our existing body

    of cryptographic work” — National Institute of Standards and Technology, Nov 2013 Recommends that the US government “fully support and not undermine efforts to create encryption standards” — Presidential Advisory Committee, Jan 2014 “[C]lassified [reports] have heightened concern over the possibility of a backdoor… after conducting its own review, NIST [has] removed DRBG” — National Institute of Standards and Technology, Apr 2014 DEF CON 22 | 2014.08.08

16. Which  bring  us  to  TrueCrypt DEF CON 22 | 2014.08.08

17. TrueCrypt •  File, volume, full disk encryption (FDE) •  30M+

    downloads •  Created Feb 2004 by anonymous development team •  Controversial license (Debian, Fedora, “forbidden items”) DEF CON 22 | 2014.08.08

18. TrueCrypt •  Tool of choice for human rights workers, activists,

    attorneys, thousands of organizations, investigative/national security journalists, security professionals, and...? DEF CON 22 | 2014.08.08

19. DEF CON 22 | 2014.08.08 Aug 2014: docs.aws.amazon.com/AWSImportExport/latest/DG/encrypting-using-truecrypt.html

20. TrueCrypt •  Never thoroughly audited on Windows •  Differences reported

    in volume headers •  Small differences in distributed binaries vs. source •  Windows vs. Mac & Linux •  With exception of deniability volume, no formal cryptanalysis •  Deterministic build? (Xavier de Carné de Carnavalet) •  Last license review in 2008 by RedHat/Fedora/OSSI concluded “we would not be protected from a lawsuit” and “this license is non-free” DEF CON 22 | 2014.08.08

21. By  many  measures,   relatively  strong* DEF CON 22 |

    2014.08.08 *Hashes/sec on Sagitta Brutalis 290X: oclHashcat 1.00, AMD Catalyst 13.12 Accelerator: 8 x AMD Radeon R9 290X, stock clocks. Benchmark: Incremental brute force, alphanumcharset

22. Anonymous  Dev  Team The information is out there •  Follow

    the money •  Follow the attorneys •  What we can share •  What we won’t share DEF CON 22 | 2014.08.08

23. Public  Record •  State of Nevada Corporate Records •  US

    Trademark Office •  International Trademark Filings (UK, France, China, Russia, Czech Republic) •  Public IRS filings •  Usenet/mailing list forums •  Published academic papers •  Student theses DEF CON 22 | 2014.08.08

24. Public  Record Some things we chose not to share. DEF

    CON 22 | 2014.08.08

25. Why? DEF CON 22 | 2014.08.08

26. Remember  this  doxing? DEF CON 22 | 2014.08.08

27. Let’s  not  forget  this: DEF CON 22 | 2014.08.08

28. And  this: DEF CON 22 | 2014.08.08

29. And,  crucially,  this: DEF CON 22 | 2014.08.08

30. Back  to  the  Code DEF CON 22 | 2014.08.08

31. Conventional  Wisdom:   Given  enough  eyeballs,   all  bugs  are

     shallow. DEF CON 22 | 2014.08.08

32. Meet  Samuel  Reshevsky,  age  8  defeating  14   French  chess

     masters  at  once,  1920 DEF CON 22 | 2014.08.08

33. And  so,  it  began... DEF CON 22 | 2014.08.08

34. The  TrueCrypt  Audit •  IsTrueCryptAuditedYet.com: Sept 24, 2013 •  Announced

    on Twitter •  First contributions: Matthew & Me •  FundFill site set up DEF CON 22 | 2014.08.08

35. DEF CON 22 | 2014.08.08

36. DEF CON 22 | 2014.08.08

37. The  TrueCrypt  Audit "   Oct 9, 2014 •  Prof.

    Green blogs about it •  Front page Hacker News DEF CON 22 | 2014.08.08

38. Why,  hello  there! DEF CON 22 | 2014.08.08

39. And  so  it  went... •  No, we don’t take Bitcoin.

    •  Yes, we take Bitcoin. •  Yes, the site is mobile-friendly. •  No, we don’t take PayPal. •  /sets up IndieGoGo site. •  Yes! We take PayPal. DEF CON 22 | 2014.08.08

40. And  so  on... “Hi, I’d like to buy 500 t-shirts,

    please.” “Do you ship to Thailand?” Where does one purchase 150 DVDs of Sneakers? DEF CON 22 | 2014.08.08

41. Incredible  community DEF CON 22 | 2014.08.08

42. DEF CON 22 | 2014.08.08 Fiducial  responsibility  is   complicated

43. Fiducial  responsibility  is   complicated DEF CON 22 | 2014.08.08

44. Then,  a  few  days  later •  Ars Technica, ThreatPost, The

    Economist, Nature, CIO, The Register, InfoWorld, PC World, Network World . . . •  What do you mean you there’s $30,000 in PayPal?! DEF CON 22 | 2014.08.08

45. Then,  a  few  days  later •  Ars Technica, ThreatPost, The

    Economist, Nature, CIO, The Register, InfoWorld, PC World, Network World . . . •  What do you mean you there’s $30,000 in PayPal?! DEF CON 22 | 2014.08.08

46. And  thus  was  born  the  Open   Crypto  Audit  Project

    A U.S. non-profit organization, incorporated in the state of North Carolina, currently seeking federal 501c(3) tax-exempt designation DEF CON 22 | 2014.08.08

47. Open  Crypto  Audit  Project Mission o  Provide technical assistance to

    free open source software (“FOSS”) projects in the public interest o  Coordinate volunteer technical experts in security, software engineering, and cryptography o  Conduct analysis and research on FOSS and other widely software in the public interest DEF CON 22 | 2014.08.08

48. DEF CON 22 | 2014.08.08

49. Open  Crypto  Audit  Project Advisory Board o  Jean-Philippe Aumasson o 

    Nate Lawson o  Runa Sandvik o  Bruce Schneier o  Thomas Ptacek o  Jim Denaro o  Moxie Marlinspike o  Trevor Perrin o  Joseph Lorenzo Hall DEF CON 22 | 2014.08.08

50. And  thus  was  born  the  Open   Crypto  Audit  Project

    OpenCryptoAudit.org/people DEF CON 22 | 2014.08.08

51. Open  Crypto  Audit  Project Officers & Directors o  Matthew Green

    o  Marcia Hoffman o  Kenneth White DEF CON 22 | 2014.08.08

52. Our  first  Board  meeting DEF CON 22 | 2014.08.08

53. Making  the  connections... DEF CON 22 | 2014.08.08

54. The  work  begins •  Reached out to a few of

    the small handful of organizations that are capable of doing this work •  Great response from iSec Labs •  Open Technology Fund matching grant DEF CON 22 | 2014.08.08

55. Fast-­‐‑forward DEF CON 22 | 2014.08.08

56. Fast-­‐‑forward DEF CON 22 | 2014.08.08

57. Fast-­‐‑forward •  iSec’s final security assessment: •  Weak volume header

    key derivation (low kdf iteration count) •  Sensitive information could be paged out from kernel stacks •  Issues in the boot loader decompressor •  Use of memset() to clear sensitive data •  Overall findings: “no evidence of backdoors or intentional flaws” DEF CON 22 | 2014.08.08

58. What  does  that  mean? •  Password strength is crucial (same

    as always) •  Vulnerabilities discovered would likely require physical access to a mounted volume to construct exploit chains (scape key material, page files, etc) •  This is *not* a part of the TrueCrypt security model •  If your machine is compromised, disk crypto will not help you (see Culp-White Law, earlier) •  PSA: *All* major FDEs, including Bitlocker, DM-Crypt, and FileVault have identical attack vectors •  So far, so good. DEF CON 22 | 2014.08.08

59. But  then... DEF CON 22 | 2014.08.08

60. Life  is  what  happens  when  you’re   busy  making  other

     plans DEF CON 22 | 2014.08.08

61. TrueCrypt.org  goes  dark •  v. 7.2 is released, signed with

    developer keys (updated cert) •  Now read-only •  Archive is taken offline •  Recommendations for alternatives non-optimal DEF CON 22 | 2014.08.08

62. DEF CON 22 | 2014.08.08

63. Our  Response •  OCAP is continuing through with the Phase

    II (formal cryptanalysis) of the code •  We have created a trusted repository of source and binaries for all platforms •  Thomas Ptacek and Nate Lawson organizing Phase II •  We are considering several post-audit scenarios, •  /possibly/ including financial support for a trusted fork •  *Many* challenges and questions remain DEF CON 22 | 2014.08.08

64. Secure  Coding  and  Trust DEF CON 22 | 2014.08.08

65. Crypto  Engineering “There is no difference, from the attacker's point

    of view, between gross and tiny errors. Both of them are equally exploitable...This lesson is very hard to internalize. In the real world, if you build a bookshelf and forget to tighten one of the screws all the way, it does not burn down your house.” — Maciej Cegłowski DEF CON 22 | 2014.08.08

66. (In)secure  Coding:   Where  static  analysis  might  help •  Unintended

    compiler optimizations •  Primitive type transpositions •  Pointer assignment vs. array assignments/terminators From: www.viva64.com/en/examples (recommend preparing a tall glass of Scotch first) DEF CON 22 | 2014.08.08

67. (In)secure  Coding DEF CON 22 | 2014.08.08 “Source code is

    interesting. Everybody thinks if you have source code, you’re going to be able to find everything wrong with [a system]. That’s a misconception. It’s nice to have source code so if you see something funny happening, you can check and see why – try to dig down… But for somebody to [manually] analyze millions of lines of source code, it’s just not going to happen.” — Richard George Former Technical Director NSA Information Assurance Directorate Retrospective Keynote, June, 2014 vimeo.com/97891042 [35:50]

68. Consider  a  hypothetical: DEF CON 22 | 2014.08.08

69. Consider  a  hypothetical: DEF CON 22 | 2014.08.08

70. In  Action Credits: Program Verification Systems (http://www.viva64.com/en/d/0208/) DEF CON 22

    | 2014.08.08

71. Visual  Studio  2010 DEF CON 22 | 2014.08.08

72. memset()  didn’t DEF CON 22 | 2014.08.08

73. Back  to  the  source DEF CON 22 | 2014.08.08

74. RtlSecureZeroMemory()  does DEF CON 22 | 2014.08.08

75. Multiple  options •  Prefer secure memory/copy functions of stdlib • 

    Review limitations of the language/framework •  Understand compiler optimization side-effects •  GCC 4.4+ (2009) offers a pragma for function-level optimization control or prevention (see: gcc.gnu.org/onlinedocs/gcc-4.4.0/gcc/Optimize-Options.html) •  Learn from others’ experience DEF CON 22 | 2014.08.08

76. Multiple  options •  Prefer secure memory/copy functions of stdlib • 

    Review limitations of the language/framework •  Understand compiler optimization side-effects •  GCC 4.4+ (2009) offers a pragma for function-level optimization control or prevention (see: gcc.gnu.org/onlinedocs/gcc-4.4.0/gcc/Optimize-Options.html) •  Learn from others’ experience DEF CON 22 | 2014.08.08

77. The  Onion  Router  (TOR) crypto.c tortls.c connection_or.c onion.c rendclient.c tor-gencert.c

    DEF CON 22 | 2014.08.08

78. The  Onion  Router  (TOR) crypto.c tortls.c connection_or.c onion.c rendclient.c tor-gencert.c

    DEF CON 22 | 2014.08.08

79. Network  Security  Services   (NSS) sha512.c DEF CON 22 |

    2014.08.08

80. Network  Security  Services   (NSS) sha512.c DEF CON 22 |

    2014.08.08

81. OpenSSL ec_mult.c DEF CON 22 | 2014.08.08

82. OpenSSL ec_mult.c DEF CON 22 | 2014.08.08

83. On  Trust DEF CON 22 | 2014.08.08

84. Probably  not  your  threat  model DEF CON 22 | 2014.08.08

85. Trust  is  complicated DEF CON 22 | 2014.08.08

86. *Really*  complicated DEF CON 22 | 2014.08.08

87. On  Trust DEF CON 22 | 2014.08.08

88. On  Trust DEF CON 22 | 2014.08.08

89. Strong  crypto  does  not   equal  secure  code DEF CON

    22 | 2014.08.08

90. Forward  Secrecy  won’t  help DEF CON 22 | 2014.08.08

91. Even  with  the  best  designs… DEF CON 22 | 2014.08.08

92. Things  that  make  you  go   “hmmm” DEF CON 22

    | 2014.08.08

93. It  bears  repeating... DEF CON 22 | 2014.08.08

94. Usable  Crypto  is  HARD DEF CON 22 | 2014.08.08

95. Take-­‐‑Aways •  Many recent catastrophic failures are secure coding errors,

    not crypto errors •  Static analyzers are not enough •  Manual inspection is not enough •  Source code can result in unexpected binary code •  Subject matter experts (protocols, crypto, network) may bring more perspective than “enough” eyes DEF CON 22 | 2014.08.08

96. If  the  game  is  rigged,  strong   crypto  probably  won’t

     help  you. DEF CON 22 | 2014.08.08

97. DEF CON 22 | 2014.08.08 Looking  forward

98. Recap:  Where  are  we  now? •  Phase I Report released

    April 23, 2014 •  Beginning Phase II, to include: •  Formal cryptanalysis •  OSX & Linux review •  Additional license work •  Partnering with Linux Foundation Core Infrastructure Initiative •  Auditing OpenSSL, possibly more •  Looking ahead! •  Trusted TC mirror: github.com/AuditProject/truecrypt-verified-mirror DEF CON 22 | 2014.08.08

99. Final  Thoughts  &  Goals •  Unpaid volunteers are not enough

    •  One-off bug bounties are not enough •  Encourage secure coding practices •  Support & create smarter test harnesses •  Develop a workable model for public code review DEF CON 22 | 2014.08.08

100. Open  Discussion   DEF CON 22 | 2014.08.08

101. Talk  to  us DEF CON 22 | 2014.08.08 @matthew_d_green @kennwhite

     @OpenCryptoAudit [email protected] IsTrueCryptAuditedYet.com (partly!) OpenCryptoAudit.org blog.cryptographyengineering.com github.com/AuditProject/truecrypt-verified-mirror