Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security, Secrets, and Shenanigans
Search
Richard Schneeman
March 06, 2013
Programming
490
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Security, Secrets, and Shenanigans
Richard Schneeman
March 06, 2013
More Decks by Richard Schneeman
See All by Richard Schneeman
[RubyConf] Beware the Dreaded Dead End
schneems
1
410
[Kaigi] Beware the Dead End
schneems
0
210
Threads Aren't Evil
schneems
0
640
Bayes is BAE
schneems
0
4.1k
Testing the Untestable
schneems
1
950
SLOMO
schneems
2
1.3k
Saving Sprockets
schneems
8
17k
Memory Leaks, Tweaks, and Techniques
schneems
1
260
Speed Science
schneems
20
37k
Other Decks in Programming
See All in Programming
技術的負債解消で開発者の未来を開く- AIの力でコード刷新
kmd2kmd
0
130
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
terryu16
0
280
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.5k
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.6k
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
310
吝嗇家のためのAI活用 / AI development for miser - ChatGPT + Issue Driven Development
tooppoo
0
130
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
630
気圧・高度・GPSを記録&可視化するアプリ「Koudo」を作った話
hjmkth
1
330
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
220
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
620
これからAgentCoreを触る方へトレンドはGatewayです
har1101
6
450
自作OSでスライド発表する
uyuki234
1
3.5k
Featured
See All Featured
Visualization
eitanlees
152
17k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.9k
Optimizing for Happiness
mojombo
378
71k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
350
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
170
Site-Speed That Sticks
csswizardry
13
1.2k
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
220
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
Transcript
Security, Secrets, & Shenanigans Richard Schneeman @schneems
@schneems
Schnauser
None
I <3 Ruby
Hans Peter Von Wolfe (the 5th)
Sextant Gem
Wicked ‘ ‘ Gem
Triage Code codetriage.com
None
Adjunct Professor
Good News Everyone! schneems.com/ut-rails
I work for this one
AUS Ruby Conf
None
Hello wroclove
Close your Laptops
Unless you’re commenting on rails/rails issues
Web Security
What does it mean to be secure
I am not a security researcher
You don’t have to be either
Arm yourself with knowledge
Every system has a weakness
Security Bugs are Bugs
420,000 lines 11 versions 17 errors
Bug free software is impossible
Cover Common Exploits
Talk about Mitigation Strategies
Improve our security processes
Availability
Security isn’t just keeping others out
Staying Available to Serve your customers
DDoS
Distributed Denial of Service
None
None
None
Block IP Addresses
Memory Exploits
:symbols aren’t fancy strings
:symbols are never garbage collected
params[:id].to_sym
params[:id].to_sym Don’t Do This
Parser Exploits
A billion Laughs
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1
"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
10 Entities
Each Reference Previous Entries
Consumes ~3GB of ram to process
Like a Zip Bomb for XML parsers
Ouch
modern XML parsers are not vulnerable to this attack Libxml2
Authentication the act of confirming the truth of an attribute
of a datum or entity
e Armadillos
YAML Parser
YAML Ain’t Markup Language
development: adapter: postgresql encoding: utf8 database: my_development pool: 5 host:
localhost config/database.yml
require 'yaml' db_config = YAML::load_file('config/database.yml') puts db_config["development"] # => {
"adapter" => "postgresql", "encoding" => "utf8", "database" => "example_development", "pool" => 5, "host" => "localhost" }
YAML Ain’t just for basic objects
“--- !ruby/array:Array - jacket - sweater” YAML::load => ???
“--- !ruby/array:Array - jacket - sweater” YAML::load => [“jacket”, “sweater”]
“--- !ruby/hash:User email:
[email protected]
” YAML::load => ???
“--- !ruby/hash:User email:
[email protected]
” YAML::load => #<User id: 1, email:
"
[email protected]
">
“--- !ruby/hash:User email:
[email protected]
” YAML::load user = User.new
“--- !ruby/hash:User email:
[email protected]
” YAML::load user = User.new user[:email] =
“
[email protected]
“--- !ruby/hash:User email:
[email protected]
” YAML::load user = User.new user[:email] =
“
[email protected]
“--- !ruby/hash:User email:
[email protected]
” YAML::load user = User.new user[:email] =
“
[email protected]
puts user => #<User id: 1, email: "
[email protected]
">
Interesting, but is it insecure?
class Foo def []=(name, value) puts value * 3 end
end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new
class Foo def []=(name, value) puts value * 3 end
end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”
class Foo def []=(name, value) puts value * 3 end
end “--- !ruby/hash:Foo bar: hi” YAML::load foo = Foo.new foo[:bar] = “hi” => “hihihi”
Let’s Get Dirty
class Foo def []=(name, value) eval(name) + value end end
class Foo def []=(name, value) eval(name) + value end end
--- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load
class Foo def []=(name, value) eval(name) + value end end
--- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass
class Foo def []=(name, value) eval(name) + value end end
--- !ruby/hash:Foo “puts '=== hello there'.inspect;”: hi YAML::load foo = Foo.new foo["puts '=== hello there'.inspect"] = 'hi' === hello there NoMethodError: undefined method `+' for nil:NilClass
zOMG arbitrary code execution
But how does an attacker get us to execute arbitrary
YAML?
XML Parser
<?xml version="1.0" encoding="UTF-8"?> <boom type="yaml"><![CDATA[--- !ruby/ object:UnsafeObject attribute1: value1 ]]></boom>
By default will parse arbitrary YAML
I’m in UR Servers Executing My Code
Java/ PHP/ C++/ etc. Secure?
Sanatize Your Inputs
And your Floors
Never Trust your users
Or your dogs
Ro Om Ba Attacks
RoOmBa Attacks
Responsible Disclosure
Create a /security report page
None
Intrusion Detection/ Logging
Papertrail
Stay Informed
Subscribe to Security Lists
Patch Early, Patch often
Secrets Secrets Secrets
CSRF
Cross Site Request Forgery
None
config.security_token
the key to your digital kingdom
Would you give your Car key copies to:
Interns? Your
Contractors? Your
Your Open Source Contributors?
If secrets are in your source, you’ve already given them
your digital kingdom
Protect Your Code
Secure keys in source control aren’t secure
What’s an alternative?
Environment Variables
$ rake db:migrate RAILS_ENV=test
$ rake db:migrate RAILS_ENV=test
In Development
Use a .env file
$ cat .env SECRET_TOKEN=d59c2a439f
Use dotenv gem
$ irb > Dotenv.load > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”
Use foreman gem
$ foreman run irb > puts ENV[‘SECRET_TOKEN’] > “d59c2a439f”
In Production
$ heroku config:add SECRET_TOKEN=d59c2a439f
VPS • Use Foreman/Dotenv • Add to bashrc • Add
values directly to command $ SECRET_TOKEN=asd123 rails console ruby-1.9.3> puts ENV[‘SECRET_TOKEN’] ruby-1.9.3> “asd123”
What if...
Someone Can read my ENV Variables?
Then they can read your files too
Is your app secure?
Is your app open source- able?
SECRET_TOKEN is just one example of Config
Define: Config
Config • What varies between deploys • resource strings to
databases • credentials to S3, twitter, facebook, etc. • canonical values, hostname • security tokens
Can you deploy your app to change your S3 Bucket?
Do you NEED to deploy your app to change your
S3 bucket?
Environment Variables! Use
Config
But I like storing my credentials in git!
What is Config? Just because it works...
Wishlist: rotate-able security tokens
Security
Nothing is ever 100% secure
Educate yourself
Secrets
Don’t store secrets in Git
Use ENV Variables
Shenanigans
None
Vote @hone02 (Terence Lee) Ruby Hero 2013
Questions? @schneems