myth busters open source and security by aseem jakhar
play

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ - PowerPoint PPT Presentation

Sep 18, 2022 •368 likes •659 views

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

  1. Myth Busters Open source and Security By Aseem Jakhar

  2. $ whoami

  3. $ whoami We break break things! things! We

  4. $ whoami ● When not working, we do charity

  5. $ whoami ● When not working, we do charity ● By breaking products for free :) ● Cisco Linksys Wifi router Buffer overflow ● GSM network vulnerabilities in a few Indian Telecom operators ● Apple App store payment bypass ● Linkedin, ubuntu one and many more application vulnerabilities....

  6. $ whoami ● Founder – null - The open security community – Registered Non-profit Organization – 7 chapters – Pune, Bangalore, Hyderabad, Delhi, Mumbai, Chennai and Goa – Monthly Meets in all chapters – Open to all to share and learn – Details http://null.co.in ● Founder - nullcon Security Conference

  7. Disclaimer ● All views and ideas expressed in the presentation are personal and do not reflect that of my employer

  8. Disclaimer ● All views and ideas expressed in the presentation are personal and do not reflect that of my employer. ● For the open source lovers – Please don't take this presentation seriously and request you not kill me after the talk. ● I'm an open source developer and user too!

  9. Agenda ● Why Security? ● Myths ● *nix Vs Windows ● Statistics ● Conclusion ● References

  10. Why Security?

  11. Why Security?

  12. Myths ● Open source fanatics – Open source is secure. *nix OSes have user and file permission by design – Because it is the work of passionate techies the outcome is much better than closed source commercial software ● Closed source/Enterprise fanatics – Open source is a piece of software hacked together by a bunch of enthusiasts without a long term vision and hence insecure and unstable. – Because the source code is available people can find vulnerabilities very easily ● 100% security

  13. I want to play a game

  14. *nix Vs Windows ● When I say *nix I mean only Unix like (open source) operating systems. ● Which one is more secure? ● Lets talk about a few critical problems

  15. Buffer overflow ● Process layout design ● Stack frames hold the instruction pointer (EIP) ● Overwrite the instruction pointer ● Point EIP to a memory location within the program that contains malicious code ● Allows local or remote code execution and hijacking of systems ● *nix or Windows?

  16. Kernel NULL pointer dereference ● Programs can map the address zero as a valid memory location ● If Kernel null pointers can be controlled via a syscall triggered by a malicious program ● Malicious code/data can be stored and used/executed by the kernel ● Privilege escalation ● *nix or windows?

  17. Use after free ● Objects allocated and free()'ed on heap ● Free space previously utilised by valid object can now be allocated for a new allocation request. ● Adjusted requests with malicious code on the same place as previous object allocation. ● If object is used after freeing and the vulnerable code can be triggered, the malicious code will get executed. ● *nix or windows?

  18. Remote process infection ● Windows has CreateRemoteThread API – Function to create a thread within the context of another process on the same system – Actively abused by malware to infect legit processes such as IE – Bypass security restrictions – Stealth

  19. Remote process infection ● Linux? – No such API provided by the OS.

  20. Remote process infection ● Linux? – No such API provided by the OS. – So we created one :-P – Jugaad – remote thread injection kit – Indroid – For Android – Source code https://github.com/aseemjakhar/jugaad

  21. Question ● Question to “Linux is more secure” Bandwagon

  22. Question ● Question to “Linux is more secure” Bandwagon – Android and Security? Who's laughing now – Read at your leisure – http://www.brighthand.com/default.asp? newsID=18414&news=Top+10+Vulnerable+Smart phones+Malware

  23. Statistics ● Used only CVE data ● C ommon V ulnerabilities and E xposures ● http://cve.mitre.org ● Used CVEs from cvedetails.com for quick analysis ● Considered all vulnerabilities instead of year wise ● The recorded data may be less in some cases as it depended on searching with different names. ● Recorded only the vulnerabilities in the core software and not any sub components.

  24. Browser stats Browser CVE comparison 1000 909 900 772 800 736 700 600 500 CVE 400 300 300 200 100 0 Opera Internet Explorer Chrome Firefox Browsers

  25. Operating System stats OS CVE comparison 1050 1004 1000 950 CVE 900 880 850 800 Windows Linux Operating Systems

  26. Database stats Database CVE comparison 450 426 400 350 300 250 CVE 200 186 150 100 50 0 Mysql Oracle Database Software

  27. Conclusion ● Security has nothing to do with the ideology of open and closed source. ● Popularity/usage of the software matters when it comes to finding vulnerabilities. ● A Secure SLDC like process will make your software more secure than it currently is and reduce overall cost for ensuring a good security level and patching. ● More awareness among the developer community and the product management.

  28. References ● CVE data: http://cvedetails.com/ ● Hammer image source: http://commons.wikimedia.org/wiki/File:Claw-hammer.jpg ● Saw movie image source: http://www.wired.com/images_blogs/photos/uncategorized/2008/01/30/saw .jpg ● Karamchand image source: http://www.desidabba.in/wp- content/uploads/kc_800_600.jpg

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding Bully Prevention Myth Busters and Practical Strategies for Parents Presented by

Understanding Bully Prevention Myth Busters and Practical Strategies for Parents Presented by

Understanding Bully Prevention Myth Busters and Practical Strategies for Parents Presented by Cheryl Curry, M.S.Ed, M.A.E.L Are You Smarter than an Elementary Student? Myth or Fact? Bullying is a right of passage (boys will be boys and girls

427 views • 17 slides
2018 Annual Convention Myth Busters Legal Update The information in this document is

2018 Annual Convention Myth Busters Legal Update The information in this document is

Team VADA 2018 Annual Convention Myth Busters Legal Update The information in this document is confidential and may contain information protected by law. This presentation is intended to be reviewed only by members of the Virginia Automobile

693 views • 48 slides
EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right

EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right

Panel 1B EB-5 Myth Busters: Separating Fact from Fiction about Raising EB-5 Capital Aaron Goforth, W right Johnson LLC Brian Su, Artisan Business Group Lili W ang, New City Group Mike Schoenfeld, EB5 Affiliate Network Moderator: Nima

633 views • 21 slides
Myth Busters: Presentation Plan [20 min] Supporting Gatsby benchmark 2 Aims and Outcomes:

Myth Busters: Presentation Plan [20 min] Supporting Gatsby benchmark 2 Aims and Outcomes:

Myth Busters: Presentation Plan [20 min] Supporting Gatsby benchmark 2 Aims and Outcomes: Short-term outcomes: o Learners will evaluate a set of assumptions about Level 4+study. o Learners will calculate association costs based on factual, current

61 views • 3 slides
Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Computer-Aided Security Proofs, Aarhus, Oct 9 13 2017 Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

464 views • 34 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Medium-Fi Prototype Team Stress Busters Chillzone Our Mission: To provide an easy-to-use source

Medium-Fi Prototype Team Stress Busters Chillzone Our Mission: To provide an easy-to-use source

Medium-Fi Prototype Team Stress Busters Chillzone Our Mission: To provide an easy-to-use source of quick stress-reducing activities that can fit into anyones busy lifestyle. Moderate Task Simple Task Complex Task Share your favorite Get

874 views • 21 slides
Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By Sevan Janiyan What is pkgsrc Cross platform packaging system 23 listed platforms in 2015Q3 release notes Strive to keep local changes minimal

563 views • 44 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only

GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only

GOOSE BUSTERS CANADA GOOSE CONTROL GOOSE BUSTERS 1997 Started Business Goose removal only 5 sites, 822 geese removed avg. 164 per site 1998 Became sole proprietor 1999 Added Nest Destruction 2011 Added Dog Hazing

242 views • 21 slides
Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

462 views • 31 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario https://dadario.com.br - - - - - - - - - - - - - - Source: https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [1] Source:

752 views • 71 slides
Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation For <Name> Date Location Special thanks to Your Speaker Bob Weiss MCSE, A+, CEH Senior Cybersecurity Engineer at CIT

718 views • 55 slides
Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Intelligent Transportation Systems (ITS) Joint Program Office (JPO) Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November & December 2013 1 Commercial Vehicle & Freight Applications of

545 views • 36 slides
TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

907 views • 62 slides
E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton derek.crabtree@merton.gov.uk E-SAFETY E -Safety isn't all about your technical skills. It's about behaviour and parenting! Really no different to what

459 views • 24 slides
The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What is CDBS? A set of makefile fragments to include into debian/rules Makes packaging complex packages easier. Makes packaging simple packages harder.

449 views • 27 slides
Building Secure ColdFusion Applications Presented By Pete Freitag Principal Consultant, Foundeo

Building Secure ColdFusion Applications Presented By Pete Freitag Principal Consultant, Foundeo

Building Secure ColdFusion Applications Presented By Pete Freitag Principal Consultant, Foundeo Inc. The Plan: 1. Unchecked Input 2. File Uploads 3. XSS - Cross Site Scripting 4. SQL Injection 5. Cross Site Request Forgery 6. CRLF

425 views • 16 slides
NetFPGA Hardware Modules for Input, Output and EWMA Bit-Rate Computation 1 Alfio Lombardo, 2 Diego

NetFPGA Hardware Modules for Input, Output and EWMA Bit-Rate Computation 1 Alfio Lombardo, 2 Diego

I n t e r n a t i o n a l J o u r n a l o f F u t u r e G e n e r a t i o n C o mmu n i c a t i o n a n d N e t w o r k i n g V o l . 5 , N o . 2 , J u n e , 2 0 1 2

318 views • 14 slides
in Digital Currenc y Soups Ranjan (soups@coinbase.com) Dir. of Data Science & Risk

in Digital Currenc y Soups Ranjan (soups@coinbase.com) Dir. of Data Science & Risk

Preventing Fraud and Account Takeovers in Digital Currenc y Soups Ranjan (soups@coinbase.com) Dir. of Data Science & Risk engineering Weve helped ~6M users in 33 countries exchange $6B in & out of digital currency cross-border

789 views • 49 slides

More recommend