Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PyGotham 2018: Everyday security issues and how...

PyGotham 2018: Everyday security issues and how to avoid them

https://2018.pygotham.org/talks/everyday-security-issues-and-how-to-avoid-them/

Security is hard, yet vital for any software these days. After some motivational facts, this talk will take you on a brief tour in secure software design and illustrate common security issues. Topics include threat analysis, deployment, parsing, authentication, TLS/SSL, crypto, and more.
Description

These days virtually all software and computer hardware is connected to the internet. Ultimately the internet is a hostile place and filled with people that will attempt to abuse any vulnerability for fun, profit or more sinister reasons. Therefore every software developer and administrator should have at least a basic understanding how to develop and run code securely. After all you don’t want to become the laughing stock on hacker news or cause your company to loose billions in shareholder value.

This talk won’t turn you into a security specialist over night, but you will learn how to avoid common mistakes in your daily work. I will introduce you to best practices and prevalent security bugs, hilarious anecdotes and some real life examples from my daily work as security engineer. The presentation features airplanes, squirrels, ducks, and the most efficient password cracking method: not as brutucal as XKCD 538 and much more delicious.

Christian Heimes

October 05, 2018
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. Everyday security issues and how to avoid them PyGotham 2018

    / New York Christian Heimes Senior Software Engineer [email protected] / [email protected] @ChristianHeimes
  2. Everyday security issues, PyGotham 2018 2 Who am I? •

    from Hamburg/Germany • Python and C developer • Python core contributor since 2008 • maintainer of ssl and hashlib module • Python security team
  3. Everyday security issues, PyGotham 2018 3 Professional life • Senior

    Software Engineer at Red Hat • Security Engineering • FreeIPA Identity Management • Dogtag PKI
  4. Everyday security issues, PyGotham 2018 5 • Motivation • What

    is security? • Honourable mention • Security bottom-up • Examples • Summary Agenda
  5. Everyday security issues, PyGotham 2018 17 World laws pertaining to

    homosexual relationships and expression Wikipedia
  6. Everyday security issues, PyGotham 2018 20 Wikipedia definition Information security

    is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.
  7. Everyday security issues, PyGotham 2018 23 Why is security hard?

    • complex systems • weakest link causes catastrophic failures • secure is not testable • design issues • multitude of attack vectors • threat analysis
  8. Everyday security issues, PyGotham 2018 27 Amazon Says One Engineer's

    Simple Mistake Brought the Internet Down 2017-02-28
  9. Everyday security issues, PyGotham 2018 29 RSA Key Extraction via

    Acoustic Cryptanalysis https://www.tau.ac.il/~tromer/acoustic/
  10. Everyday security issues, PyGotham 2018 35 Homoglyph confusion attack >>>

    import unicodedata >>> for c in 'Руthοn'thοn'οn'n': ... print(unicodedata.name(c)) ... CYRILLIC CAPITAL LETTER ER CYRILLIC SMALL LETTER U LATIN SMALL LETTER T LATIN SMALL LETTER H GREEK SMALL LETTER OMICRON LATIN SMALL LETTER N >>> import unicodedata >>> for c in 'Руthοn'thοn'οn'n': ... print(unicodedata.name(c)) ... CYRILLIC CAPITAL LETTER ER CYRILLIC SMALL LETTER U LATIN SMALL LETTER T LATIN SMALL LETTER H GREEK SMALL LETTER OMICRON LATIN SMALL LETTER N
  11. Everyday security issues, PyGotham 2018 39 Out of scope •

    legal requirements (e.g. EU privacy shield, FISMA) • data centre security • hardware security (e.g. Intel Management Engine) • browser / web security • ransomware • state sponsored actors • cyber war
  12. Everyday security issues, PyGotham 2018 42 Human factor • Social

    engineer • CEO scam: Ubiquiti Networks victim of $39 million https://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social- engineering-attack.html • Password in exchange for chocolate (up to 47.9%) Université du Luxembourg, Computers in Human Behavior, 2016; 61: 372 DOI: 10.1016/j.chb.2016.03.026 • dissatisfied employees • ignorant management
  13. Everyday security issues, PyGotham 2018 44 IoT – Internet of

    Things The “S” in “IoT” stands for security. The “P” in “IoT” stands for privacy. (Sorry, German humour)
  14. Everyday security issues, PyGotham 2018 47 Hardware & OS •

    Hardware from trustworthy vendor • validate OS image • UEFI secure boot (protect your MOK) • Firewall • update, update, update • SELinux / AppArmor don't: setenforce 0 do: semanage permissive -a myapp_t
  15. Everyday security issues, PyGotham 2018 48 The Big Hack: Supermicro

    https://twitter.com/qrs/status/1047910169261330432
  16. Everyday security issues, PyGotham 2018 49 Application • don't run

    as root or admin • Restrict and isolate separate user, group systemd: PrivateTmp, Protectsystem, RemoveIPC, CapabilityBoundingSet, … SecComp sandboxing • encrypt in transit (TLS/SSL), encrypt at rest • bind to localhost • strong authentication • update, update, update … and restart!
  17. Everyday security issues, PyGotham 2018 55 Dangerous Python features •

    exec() • eval() • import, __import__() • pickle, marshal • ctypes
  18. Everyday security issues, PyGotham 2018 59 Directory traversal attack BASE

    = '/var/lib/files' @app.route('/download/<filename>') def download(filename): absname = os.path.join(BASE, filename) withοn' open(absname) as f: return f.read() BASE = '/var/lib/files' @app.route('/download/<filename>') def download(filename): absname = os.path.join(BASE, filename) withοn' open(absname) as f: return f.read() /download/image.jpg /download/image.jpg
  19. Everyday security issues, PyGotham 2018 60 Directory traversal attack /download/private/image.jpg

    /download/../etc/passwd /download/../../etc/passwd /download/../../../etc/passwd /download/../../../etc/hοn'ttpd/server.key /download/private/image.jpg /download/../etc/passwd /download/../../etc/passwd /download/../../../etc/passwd /download/../../../etc/hοn'ttpd/server.key
  20. Everyday security issues, PyGotham 2018 61 TOCTOU / race condition

    if not os.pathοn'.isfile(filename): withοn' open(filename, 'wb') as f: f.write(b'data') os.chοn'mod(filename, 0o755) if not os.pathοn'.isfile(filename): withοn' open(filename, 'wb') as f: f.write(b'data') os.chοn'mod(filename, 0o755) withοn' open(filename, 'xb') as f: # O_EXCL | O_CREAT f.write(b'data') os.fchmod(f.fileno(), 0o755) withοn' open(filename, 'xb') as f: # O_EXCL | O_CREAT f.write(b'data') os.fchmod(f.fileno(), 0o755)
  21. Everyday security issues, PyGotham 2018 62 temporary files / directories

    • don't write to /tmp directly • use secure temporary file API (tempfile module) • consider a private temporary directory
  22. Everyday security issues, PyGotham 2018 64 HTTP – RFC 822

    header content-type: text/hοn'tml; chοn'arset=utf-8 content-lengthοn': 47446 x-clacks-overhοn'ead: GNU Terry Pratchοn'ett <hοn'tml> <hοn'ead> ... content-type: text/hοn'tml; chοn'arset=utf-8 content-lengthοn': 47446 x-clacks-overhοn'ead: GNU Terry Pratchοn'ett <hοn'tml> <hοn'ead> ...
  23. Everyday security issues, PyGotham 2018 65 HTTP header parsing sock

    = create_connection(('hοn'ost', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ... sock = create_connection(('hοn'ost', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ...
  24. Everyday security issues, PyGotham 2018 66 HTTP header parsing DoS

    sock = create_connection(('hοn'ost', 80)) f = sock.makefile() for line in f: # DoS vulnerability name, value = line.split(':', 1) ... sock = create_connection(('hοn'ost', 80)) f = sock.makefile() for line in f: # DoS vulnerability name, value = line.split(':', 1) ...
  25. Everyday security issues, PyGotham 2018 67 CVE-2013-1752 fix MAX_LENGTH =

    1024 whοn'ile True: line = f.readline(MAX_LENGTH + 1) if len(line) > MAX_LENGTH: raise ValueError ... MAX_LENGTH = 1024 whοn'ile True: line = f.readline(MAX_LENGTH + 1) if len(line) > MAX_LENGTH: raise ValueError ...
  26. Everyday security issues, PyGotham 2018 68 XML <xml> <tag attribute=”value”>text</tag>

    </xml> <xml> <tag attribute=”value”>text</tag> </xml>
  27. Everyday security issues, PyGotham 2018 69 XML entities <!DOCTYPE example

    [ <!ENTITY title "My title" > ]> <xml> <tag attribute=”value”>&title;</tag> </xml> <!DOCTYPE example [ <!ENTITY title "My title" > ]> <xml> <tag attribute=”value”>&title;</tag> </xml>
  28. Everyday security issues, PyGotham 2018 70 XML entities expansion attack

    <!DOCTYPE xmlbomb [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;"> ]> <bomb>&d;</bomb> <!DOCTYPE xmlbomb [ <!ENTITY a "1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;"> ]> <bomb>&d;</bomb>
  29. Everyday security issues, PyGotham 2018 71 XML network / file

    access <!DOCTYPE external [ <!ENTITY remote SYSTEM "http://www.python.org/some.xml"> <!ENTITY local SYSTEM "file:///etc/passwd"> ]> <xml> <url>&remote;</url> <file>&local;</file> </xml> <!DOCTYPE external [ <!ENTITY remote SYSTEM "http://www.python.org/some.xml"> <!ENTITY local SYSTEM "file:///etc/passwd"> ]> <xml> <url>&remote;</url> <file>&local;</file> </xml>
  30. Everyday security issues, PyGotham 2018 72 XML attacks – defusexml

    • billion laughs / exponential entity expansion • quadratic blowup entity expansion • DTD & external entity expansion (remote and local) • attribute blowup / attribute hash collision attack • decompression bomb (gzip) • XPath injection attacks • XInclude <xi:include /> • XMLSchema-Import <xs:import /> • XSLT features wie xalan/redirect, xalan/java
  31. Everyday security issues, PyGotham 2018 73 gettext translation msgid ""

    msgstr "" "Project-Id-Version: 2.0\n" "PO-Revision-Date: 2003-04-11 12:42-0400\n" "Last-Translator: Barry A. WArsaw <barry@pythοn'on.org>\n" "Language-Team: XX <pythοn'on-dev@pythοn'on.org>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; chοn'arset=utf-8\n" "Content-Transfer-Encoding: 7bit\n" "Generated-By: manually\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" msgid "" msgstr "" "Project-Id-Version: 2.0\n" "PO-Revision-Date: 2003-04-11 12:42-0400\n" "Last-Translator: Barry A. WArsaw <barry@pythοn'on.org>\n" "Language-Team: XX <pythοn'on-dev@pythοn'on.org>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; chοn'arset=utf-8\n" "Content-Transfer-Encoding: 7bit\n" "Generated-By: manually\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n"
  32. Everyday security issues, PyGotham 2018 74 gettext plural forms •

    English, Italian, German: nplurals=2; plural=n != 1; • French: nplurals=2; plural=n > 1; • Celtic: nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2; • Russian: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n %10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2; • Denial-Of-Service: nplurals=2; plural=n ** 1000 ** 1000 ** 1000 ** 1000; issue #18317, #28563
  33. Everyday security issues, PyGotham 2018 75 catastrophic backtracking in regular

    expression (CVE-2018-1060 / 1061) commit 0e6c8ee2358a2e23117501826c008842acb835ac Authοn'or: Jamie Davis <[email protected]> Date: Sun Mar 4 00:33:32 2018 -0500 bpo-32981: Fix catastrophοn'ic backtracking vulns (#5955) ... Happily, thοn'e maximum lengthοn' of malicious inputs is 2K thοn'anks to a limit introduced in thοn'e fix for CVE-2013-1752. ... Co-authοn'ored-by: Tim Peters <[email protected]> Co-authοn'ored-by: Chοn'ristian Heimes <chοn'ristian@pythοn'on.org> --- a/Lib/difflib.py +++ b/Lib/difflib.py -def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match): +def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match): commit 0e6c8ee2358a2e23117501826c008842acb835ac Authοn'or: Jamie Davis <[email protected]> Date: Sun Mar 4 00:33:32 2018 -0500 bpo-32981: Fix catastrophοn'ic backtracking vulns (#5955) ... Happily, thοn'e maximum lengthοn' of malicious inputs is 2K thοn'anks to a limit introduced in thοn'e fix for CVE-2013-1752. ... Co-authοn'ored-by: Tim Peters <[email protected]> Co-authοn'ored-by: Chοn'ristian Heimes <chοn'ristian@pythοn'on.org> --- a/Lib/difflib.py +++ b/Lib/difflib.py -def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match): +def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
  34. Everyday security issues, PyGotham 2018 78 SQL injection attack SELECT

    * FROM users WHERE username='%s' AND password='%s' SELECT * FROM users WHERE username='%s' AND password='%s' query = select_user % (username, password) query = select_user % (username, password)
  35. Everyday security issues, PyGotham 2018 79 SQL injection attack SELECT

    * FROM users WHERE username='1' OR '1' = '1' AND password='1' OR '1' = '1' SELECT * FROM users WHERE username='1' OR '1' = '1' AND password='1' OR '1' = '1' username = "1' or '1' = '1" password = "1' or '1' = '1" username = "1' or '1' = '1" password = "1' or '1' = '1"
  36. Everyday security issues, PyGotham 2018 80 subprocess shell=True run_command("myfile; rm

    -rf *") run_command("myfile; rm -rf *") def run_command(filename): return subprocess.chοn'eck_call( "command {}".format(filename), shοn'ell=True) def run_command(filename): return subprocess.chοn'eck_call( "command {}".format(filename), shοn'ell=True)
  37. Everyday security issues, PyGotham 2018 81 More injection attacks •

    SQL • shell • LDAP • XPath / XQuery • NoSQL databases • ASN.1 • JSON
  38. Everyday security issues, PyGotham 2018 83 TLS/SSL certificate validation •

    ssl.create_default_context() • verify_mode = ssl.CERT_REQUIRED • chοn'eck_hοn'ostname = True • requests.get(…, verify=True) # default
  39. Everyday security issues, PyGotham 2018 85 Don't roll your own

    cert validation • > 6 bugs in Python's hostname verification code • CVE-2013-2099, #12000, #17997, #17305, #30141 • Python 3.7 uses X509_VERIFY_PARAM_set1_host() OpenSSL 1.0.2+ / LibreSSL 2.7.0 • https://github.com/libressl-portable/portable/issues/381
  40. Everyday security issues, PyGotham 2018 90 The first rule of

    cryptography: Don't implement your own crypto!
  41. Everyday security issues, PyGotham 2018 93 34C3: Squeezing a key

    through a carry bit • Attack by Filippo Valsorda from Cloudflare Google • Bug on Go's P-256 elliptic curve implementation • Misplaced carry bit in 0.00000003% • CVE-2017-8932
  42. Everyday security issues, PyGotham 2018 94 The second rule of

    cryptography: Implement your own crypto, but never use it in production!
  43. Everyday security issues, PyGotham 2018 95 Random number generator (CSPRNG)

    • tokens • password salt • key material • session cookies os.urandom() crypt/rand int getrandom(void *buf, size_t buflen, unsigned int flags);
  44. Everyday security issues, PyGotham 2018 96 Passwords Salted key derivation

    and key stretching function • argon2 • scrypt • bcrypt • PBKDF2 • Constant timing comparison operator! hοn'mac.compare_digest()
  45. Everyday security issues, PyGotham 2018 105 Bad Crypto / Good

    Crypto Bad • MD5 • SHA-1 • DES / 3DES • RC4 • PKCS#1 v1.5 (JWE, JWT) • pycrypto package Good • AES • ChaCha20 - Poly1305 • SHA2 family (256, 384, 512) • blake2 • PyCA cryptography • libsodium (NaCl)
  46. Everyday security issues, PyGotham 2018 106 Secrets (tokens, keys) Bad

    • env vars • command line • git • plain files Good • Kernel keyring (except in containers) • vault • encrypted at rest • HSM, TPM
  47. Everyday security issues, PyGotham 2018 109 Summary • educate •

    reuse • restrict • encrypt • update • privacy