Embed Size (px)
Citation preview
WHEN ARE WE GOING
TO FIX THIS MESS?
Adam Cecchetti
Deja Vu Security
dejavusecurity.com
Adam Cecchetti : Déjà vu Security
Seattle, WA Firm
Founder
We’ve hacked and helped secure lots of things
SCADA, Planes, Robotics, Medical, SiSoC, Radios
Web, Routers, Clouds, OS, Drivers, Apps, Browsers, CPUs
A Sense of Déjà vu
Déjà vu. Déjà vu. Déjà vu. Déjà vu.
Networks “The tubes are on fire!”
Applications “Your desktop is on fire!”
Web “The world is on fire!”
Cloud “The sky is on fire!”
Internet of things “Your pants are on fire!”
Marketing!
The Problem is Big
The first step to recovery is the hardest.
Awareness is good
Security issues must be found they can’t be created
Passed along like a bad gene in software ecosystem
Defense helps but we’ve spent a lot of time kicking over more rocks
Haven’t been winning a lot lately
The debugging tools we use to build systems are security issues
It’s time to start thinking differently about a few things.
Not That Differently
Premise 1: Computers are Awesome!
They don’t LET you do anything.
They DO anything!
And only things you tell them
CPU: AMMA that’s about Machine code to Microcode Good luck with the rest!
That’s not what I do!
General computation is good
However it means
No reliability, no availability, no security
This includes anything we build.
Memory Leak in /dev/litterbox?!
Premise 2: We’re at an Odd Juncture
Mobile/has begun to eat all markets the same way
the PC did.
User habits are changing again
Mobile and web ate the world.
User data shifts around regularly
Then lingers
And for those of us left that care we have to run
unknown kernel and firmware exploits to program
our phones.
Jailbroken
Tick Tock Tick Tock
User data replicates every decade or so
1970 : Mainframe (Centralized)
1980 : Personal computer (Distributed)
1990 : Web/Email (Centralized)
2000 : Social networks (Distributed)
2010 : Cloud : (Centralized)
2020 : Internet of Things (Distributed)
2030 : Internet of Me (Centralized)
Echoes and ghosts of usage models past leave data everywhere
Copies of copies of copies…
Premise 3: The Internet finally showed!
The amount of air gap between our lives and the internet is shrinking daily.
Soon it will be gone. Good Riddance! Plug me in!
Unless you’ve decided to live in a cave! And in another tick tock there’s still a chance it will have IP
enabled bat guano.
Technology is awesome!
In 5 years my self driving car will live stream.
Meaning localized live traffic video broadcasting and viewing is going to be a thing.
There are going to be people sitting in traffic watching other people sit in traffic around the world.
Live from the Interstate parking lot…
Be Still My Beating Heart
The Internet of Me is coming soon.
I can’t wait until my heart has an IP address..
And firmware updates
And an app store!
Cardio Trainer+ 4.0
Now with Twitter Integration!
Cardio Trainer+ 4.0.1
Pushed a patch as some users were excessively Twitching
while Tweeting.
Premise 4: Everybody Bugs
Bugs happen
Mistakes are proof you actually did something
Imperfection is the proof of life and existence
They happen to the best
They happen to the worst
CVE-2015 – Critical Bass Overflow
Scope 1: Data as Code
What do Cross Site Scripting, SQL Injection, and
Buffer Overflows all have in common?
They are all data being interpreted as code.
Any place that user or machine controlled data is being
used, interpreted, parsed.
This is big enough by itself and it’s just a part of the
problem.
We’ve actually started to make steps towards fixing
this problem in some places
Scope 2: Gamers are Going to Game
Logical Issues require someone to game the system
Must try and understand all the unexpected behavior
of the logic of the system.
Few good ways of automated testing here
The Meta Game
Attackers will continue to go for the weakest link
Unless the time / reward scenario is high
or the Motivation / reward scenario is super high
Scope 3: We Rely on Secrets
Password1!
Upper Lower, Numeric, Special
Secure by most standards!
“ Or ‘1’=‘1’; --
Upper, Lower, Numeric, Special
No key words,
16 characters!
Secure!
If not bad jumbles then bits generated by a machine given back to a machine
An Unhealthy Obsession With Time
Where have we won?
We’ve won 2.5 times
Firewalls
Encryption
Two Factor Authentication
Let’s remap that to solving a pain point
Firewalls
I don’t want to run Ethernet cable in my house.
Wifi + Firewall = Win!
Encryption
I can’t make it to the bank/store today.
Commerce from home + encrypted tunnel = Win!
Two Factor Authentication
I don’t want to re-grid my character
WoW = Win!
When have we won?
We’ve won the same way everyone else has.
When we’ve made someone’s life better they
adopted a technology.
If we want to get pedantic we used Trojan horses to
backdoor security into peoples lives.
Applying security to a shift in user behavior
This is better!
We defined that part of being better was more secure!
Time Shifted
Users shift their data every decade or so
1970 : Mainframe (Centralized)
1980 : Personal computer (Distributed) Crypto Useful
1990 : Web/Email (Centralized) Firewall Useful
2000 : Social networks (Distributed) Firewall Common
2010 : Cloud : (Centralized) Crypto Common
2020 : Internet of Things (Distributed)
2030 : Internet of Me (Centralized)
Echoes and ghosts of usage models past leave data everywhere
When are we going to fix this mess?
Let’s look at using time to fix this mess.
Undefeated
Time to Fix This Mess
Time is the enemy of everyone
Targets move
Attacks of opportunity close
Things get patched
Systems get tossed
Interest shifts
Time has not been on the defenders side
We can make time be on our side
Time is the axis we need to start thinking on
You wouldn’t march this army today
You wouldn’t march this army in 2115
Security is a Snapshot in Time
Security is a snapshot in time
Tomorrow is a new day full of drama on Twitter!
Today is a great day to deprecate a system
Move user data to a safer and better place
The person building the system decides when that
snapshot is taken.
Let’s take a look at the game… .
The game if it was fair.
Release
Value Starts
to Shift
Attacker Start
Bugs Found
Value Gets Exploited
Users Start to Shift
Greenfield Everything
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Shipping with Known Vulns?
Release
Value Starts
to Shift
Attackers Start Value Gets Exploited
Users Start to ShiftReaction
Shipping with Unknown Vulns in ?
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftPatching
Bugs Found
Force Attackers to Spend Time
User Movement
Fast Patching
Training
Design Review
Manual Testing/Code Reviews
Fuzzing
Where can we force more time spent?
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Zoom in For a Second
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Ways To Finding Bugs
Fuzzing
Manual Testing
Code Reviews
Reverse Engineering
Can we get here?
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to Shift
Patching ends a timeline for subset of users
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited?
Users Start to Shift
User Movement
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Move the Critical From the Indefensible
Using user momentum to guide next security efforts
Take the snapshot as close as today as possible.
Start the clock when it moves in
Rent is due every day
Patching
Don’t pay rent? Time for your secure bits to go.
Will never shrink the long tail without an external
legal and audit requirement
Even then things aren’t going to magically be rebuilt
Training
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Design Review
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Code Review and Testing
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Fuzz Testing
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Fuzz Testing
Exploit the fact that machine time is cheap.
Make every builder a breaker!
We recommend www.peachfuzzer.com
Fuzzing doesn’t find every bug but it finds a lot.
It’s not going to fix your password problems.
Forces attackers to spend more time in different
ways
Closes security and reliability holes
Takes a tool from an attacker
What is Fuzzing?
Fuzzing Application and Hardware
Targeting application inputs with malicious data
Different for smart and dumb fuzzing
Try thousands or millions of variants
Machine time is cheap human time is not!
Scales, trivially parallel problem
What is This Fuzzing Stuff?
Target: Data Consumers
Data: Files (images, documents, etc.)
Data: Network packets (FTP, DNS, etc.)
Data: Web Service Calls
Data: GET/POST Parameters
Target: State Machines
State: Complex Protocols and Sessions
State: Internal Memory / References
State: Authentication and Authorization
Bugs Found via Fuzzing
Access violations
Hangs/Crashes
File/system access
Resource consumption
Simple design issues
Incorrect logic paths
Cross-site scripting*
SQL Injection*
Bugs that chain in
complex ways
Complex design and
logic issues
Found Less Found
Fuzzer On Multiple Products/Versions
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to ShiftReaction
Can we get here?
Release
Value Starts
to Shift
Attackers Start
Bugs Found
Value Gets Exploited
Users Start to Shift
Interested in fuzzing or Déjà vu Security?
www.peachfuzzer.com
www.dejavusecurity.com
Sales: [email protected]
Peach: [email protected]
Email: [email protected]
Twitter: @dejavusecurity, @peach_fuzzer,
@adamcecc
