secure in 2010 broken in 2011
play

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal - PowerPoint PPT Presentation

Sep 10, 2022 •458 likes •1.02k views

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher Matias Madou Principal Security Researcher, Fortify an HP Company Static Analysis Rules Insider Threat Research Runtime products: RTA and

  1. Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

  2. Matias Madou • Principal Security Researcher, Fortify an HP Company – Static Analysis Rules – Insider Threat Research – Runtime products: RTA and SecurityScope – Hybrid 2.0: Correlation – Gray-box analysis • Contributor to Building Security in Maturity Model (BSIMM) Europe • History in code obfuscation (and binary rewriting)

  3. Overview • Introduction • The Test Application: Secure in 2010 • What’s new in 2011? – New vulnerabilities – New analysis techniques • Continues Testing

  4. Introduction History of the experiment: Gather empirical results while developing gray-box analysis. Test Application, criteria: • Extensively used • Undergone security improvements

  5. The Test Application • Selection criteria for the project working on: – Open source, java or .NET – Widely used • Apache 10.04

  6. The Test Application • Products and Projects based on Apache OFBiz: – OpenTaps

  7. The Test Application • End Users: – 1-800-Flowers – Olympus.de – United.com – BT.com – …

  8. The Test Application • Security? – Multiple vulnerabilities found in CVE – Other (Exploit Search) – … and an interesting video on how to become an admin by exploiting a XSS

  9. The Test Application

  10. The Test Application

  11. The Test Application

  12. The Test Application • Bug Tracking: Security Issues grouped together

  13. The Test Application • In the end: All known issues are fixed in Apache OFBiz 10.04 Secure in 2010!

  14. So… what’s new in 2011? 1) New vulnerabilities: Denial-of-service: Parse Double 2) Analysis techniques: Gray box analysis

  15. Denial-of-Service: Parse Double • Problem description:

  16. Denial-of-Service: Parse Double More concrete: • Value: 2.2250738585072012e-308 • API: Double.parseDouble(value) Infinite loop! http://blog.fortify.com/blog/2011/02/08/Double-Trouble

  17. Denial-of-Service: Parse Double • Feb 01, 2011? No, no. March 04, 2001! • Why is this fixed within 1 month after the rediscover?

  18. Denial-of-Service: Parse Double Examples: • Application: Apache Tomcat • Usage: Tomcat uses parseDouble() on the value of the Accept-Language HTTP header when an application calls request.getLocale() Infinite loop! http://blog.fortify.com/blog/2011/02/08/Double-Trouble

  19. Denial-of-Service: Parse Double What is the problem? • Root case is a Java problem, not an application problem! • Everybody uses the fixed java version, right? (Version Java 6 Update 24 or later) • Everybody runs a patched or latest Tomcat version, right? (Tomcat 7.0.8, 6.0.32, 5.5.33 or later)

  20. Denial-of-Service: Parse Double Tomcat fix

  21. Denial-of-Service: Parse Double Java fix

  22. Denial-of-Service: Parse Double • Seen in the field: adding the pattern to WAF • Problems: 1. Does not protect against persistent 2. Are you sure your patterns cover everything? Pattern often used: 2.2250738585072012e-308 How about: 0.22250738585072012e-307

  23. Denial-of-Service: Parse Double • Seen in the field: adding the pattern to WAF • Problems: 2. Are you sure your patterns cover everything?

  24. Denial-of-Service: Parse Double How many issues in Apache OFBiz? Used analysis techniques: • Static Analysis (White Box) • Penetration Testing (Black Box)

  25. Denial-of-Service: Parse Double Static Analysis (White Box)

  26. Denial-of-Service: Parse Double Penetration Testing (Black Box): http://yourofbiz.com/ecommerce/control/modifycart (update_0, update_1, …) http://yourofbiz.com/ecommerce/control/additem/showcart (quantity, add_product_id) http://yourofbiz.com/ecommerce/control/additem/quickadd (quantity) http://yourofbiz.com/ecommerce/control/additem/keywordsearch (quantity) http://yourofbiz.com/ecommerce/control/additem/advancedsearch (quantity) http://yourofbiz.com/ecommerce/control/additem/showPromotionDetails (quantity) http://yourofbiz.com/ecommerce/control/additem/product (quantity,add_amount) http://yourofbiz.com/ecommerce/control/additem/lastViewedProduct (update_0) http://yourofbiz.com/ecommerce/control/additem/showForum (quantity) http://yourofbiz.com/ecommerce/control/additem/category (quantity) http://yourofbiz.com/ecommerce/control/additem/main (quantity) http://yourofbiz.com/ecommerce/control/additem (quantity) http://yourofbiz.com/ecommerce/control/additem/setDesiredAlternateGwpProductID (…) …

  27. Gray Box Analysis

  28. Black-Box Testing • System-level tests • No assumptions about implementation • Example: fuzzing • Good: concrete results • Bad: a losing game

  29. White-Box Testing • Examine implementation • Test components in isolation • Example: static analysis • Good: thorough • Bad: too thorough • Bad: no “show me” exploits

  30. Gray-Box Testing • System-level tests (like black-box) • Examine implementation (like white-box)

  31. Hybrid == Gray Box Analysis… Right? • NO!

  32. Hybrid Analysis Application Dynamic Static Monitor Analysis Analysis Correlation Engine Correlated Vulnerability List

  33. Internals: Lining Up an Attack with the Code Dynamic Static Monitor http://www. sales.xyz.com?n =… File: MyCode.cs File: MyCode.cs Line: 27 Line: 27 ID: 234 ID: 234 Source trace: <com.my.xxx>

  34. Gray-box analysis: Integrated Analysis Application Dynamic Analysis Real-Time Analysis Real-time link • Find More • Fix Faster

  35. Find More • Detect new types of vulnerabilities – Privacy violation, Log Forging • Find more of all kinds of vulnerabilities – Automatic attack surface identification – Understand effects of attacks

  36. Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /backdoor.jsp • File system • Configuration-driven • Programmatic

  37. Attack surface identification Point to a particular start page and scan: • Crawl will find some directories

  38. Attack surface identification Point to a particular start page and scan • Crawl is no longer necessary! The Runtime Component just tells the pen tester the attack surface.

  39. Understand effects of attacks ✗ /backdoor.jsp ✔ sysadmin$./sh Command Injection

  40. Fix Faster • Provide Actionable Details – Stack trace – Line of code • Group Symptoms with a Common Cause

  41. Actionable Details /login.jsp

  42. Group Symptoms with a common cause • Counting issues seems to be hard! /login.jsp /pages/account.jsp /pages/balance.jsp 1 Cross-Site Scripting Symptom 2 Cross-Site Scripting Symptoms 3 Cross-Site Scripting Symptoms 1 Cross-Site Scripting Cause

  43. Fix Faster: Actionable details

  44. Fix Faster: Actionable details

  45. Fix Faster: Group symptoms

  46. Group symptoms: details • Detailed information on where to fix the issue

  47. For the record: the proof • The page • Page Source

  48. More to come: Automated anti-anti automation

  49. Solution Which one are you talking about? • Solution to fix the code • Solution to keep it protected

  50. Solution to fix the code • It’s still open source, so you can DIY (found in the bug databse)

  51. Solution to fix the code Right now and no time: (vulns in these slides) • Run the Java 6 Update 24 or later (no DoS: Parse Double issues) • In Framework/webslinger/modules/defaults.zip: www/Errors/Codes/404.vtl Remove ${webslinger.payload.pathInfo} • In: Remove the mapKey

  52. Solution to keep it protected • Continues testing ?

  53. Solution to keep it protected • How about the application in production? WAF Static Analysis Security Integration Design Code Test Operate /Staging Development IT / Operations Gray-box Analysis Penetration Testing

  54. Solution to keep it protected • Code changes, keep scanning • New vulnerabilities are discovered. Update with the latest security information No rocket science, right?

  55. Solution to keep it protected • Try out new assessment techniques • Work the scans. Tune them to work in your environment

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with infinite computational resources. (There are other (weaker) types of security; well talk about those later.) A cryptosystem is unconditionally secure

642 views • 4 slides
All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab - SEEMOO Technische Universitt Darmstadt, Germany A foundation talk??? Wireless communication is fun damentally broken focus: everything in

687 views • 42 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The &quot;Broken

Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The &quot;Broken

Securing Vacant and Abandoned Buildings IAAI/USFA Abandoned Building Project The &quot;Broken Windows&quot; Theory of Social Disorder From one broken window, you can lose a street Target Properties Secure and well maintained properties

1.03k views • 58 slides
Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus

Galatians Whos Your Mama? Broken people know theyre broken! They know they need Jesus &amp; have given up on being their own savior! Abraham Sarah (wife) Isaac (son) Hagar (maidservant) Ishmael (son) Abraham, our broken spiritual

258 views • 21 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Because you cant fix what you dont know is broken About me Initiator of the Automated

Because you cant fix what you dont know is broken About me Initiator of the Automated

Because you cant fix what you dont know is broken About me Initiator of the Automated Error Reporting Initiative Project Lead of Eclipse Code Recommenders Eclipse Committer since 2010 Plug-in Developer for 10+ years

811 views • 66 slides
F-Secure Corporation Annual General Meeting March 30, 2011 Kimmo Alkio, President and CEO

F-Secure Corporation Annual General Meeting March 30, 2011 Kimmo Alkio, President and CEO

F-Secure Corporation Annual General Meeting March 30, 2011 Kimmo Alkio, President and CEO Protecting the irreplaceable | f-secure.com F-Secure today Global presence Subsidiaries in 16 countries More than 200 operator partners in

416 views • 26 slides
2010-2011 Budget Development March 18, 2010 2010-2011 Budget Development Current Fiscal

2010-2011 Budget Development March 18, 2010 2010-2011 Budget Development Current Fiscal

2010-2011 Budget Development March 18, 2010 2010-2011 Budget Development Current Fiscal Environment Rising Costs Pension Contributions / Insurance Rates / Contractual Obligations Declining Revenues State Aid / Interest Income

597 views • 10 slides
Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10

Broken Authentication: What it means, and what you can do hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access

207 views • 6 slides
GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines

GOD BLESSED THE BROKEN LINES This much I know is true. God blessed the broken lines that led me straight to Christ. MATTHEW 1:1-17 UNCONDITIONAL &amp; CONDITIONAL I. UNDERLYING COVENANTS Edenic &amp; Adamic Covenants A. 1.

364 views • 20 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides
G GMC Stakeholder Process 2011-2012 C S 2011 2012 April 21 2010 April 21, 2010 10 am - 2 pm

G GMC Stakeholder Process 2011-2012 C S 2011 2012 April 21 2010 April 21, 2010 10 am - 2 pm

G GMC Stakeholder Process 2011-2012 C S 2011 2012 April 21 2010 April 21, 2010 10 am - 2 pm Lake Tahoe Conf Rooms Agenda ge da Opening remarks Timeline Review Status of GMC 2001-2003 Refund Review of GMC rate

321 views • 17 slides
University of South Carolina Upstate 2010 2011 Planning Overview 2010 2011 Planning

University of South Carolina Upstate 2010 2011 Planning Overview 2010 2011 Planning

University of South Carolina Upstate 2010 2011 Planning Overview 2010 2011 Planning Overview Presented by John C. Stockwell, Chancellor USC Upstate 2009-2010 Accomplishments Graduated over 700 students this semester; partnered with

438 views • 23 slides
ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas Jagannath Darko Marinov IBM Research Almaden. San Jose, CA. August 10, 2010 Google. Mountain View, CA. August 11, 2010 Passing Unit Tests

702 views • 58 slides
Presentation to Investors &amp; Analysts 26 th July 2011 Q2 2011 Q Chief Executive Officer

Presentation to Investors &amp; Analysts 26 th July 2011 Q2 2011 Q Chief Executive Officer

Presentation to Investors &amp; Analysts 26 th July 2011 Q2 2011 Q Chief Executive Officer Andrew Witty Sustained underlying growth with contribution from Pharma, Consumer and Vaccines FY 2010 FY 2010 1Q 2011 1Q 2011 2Q 2011 2Q 2011 4%

701 views • 32 slides
Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and

Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and

Using Twitter Strategically Amanda Carnes, MPH, CHES Social Media Lead Education, Training, and Communication Team Division of Viral Hepatitis National Center for HIV/AIDS, Viral Hepatitis, STD &amp; TB Prevention Division of Viral Hepatitis

454 views • 23 slides
Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute

Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute

Semantic Markup Languages: A Gentle Introduction Yolanda Gil USC/Information Sciences Institute gil@isi.edu Yolanda Gil 1 Outline I: The Big Picture The Semantic Web

862 views • 41 slides
Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding

Routing Process of distributing information through network so routers can build forwarding tables Forwarding vs. routing tables Forwarding table maps network number to interface, data link address Routing table maps network

330 views • 12 slides
The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele

The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele

#HackInBo Bologna, Italy 2019 The web is broken Let's fjx it! Roberuo Clapis Michele Spagnuolo Roberuo Clapis Michele Spagnuolo Sofuware Engineer Senior Information Security (Security) Engineer We work in a focus area of the Google

709 views • 48 slides
L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7

L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7

L A O G 1 You had one job L A O G 1 7 tool categories... Lets begin... 1/7 1. MozBar - plugin Demo 2. Ayima redirect checker - plugin Demo 3. Broken link checker - plugin Demo 4. Keywords Everywhere - Plugin Demo 2/7

639 views • 51 slides
An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich

An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich

An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich monumental structure stood the test of time &amp; seems immutable 2 Just like todays Internet ? Can we fix its issues, though?

555 views • 40 slides
1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from

1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from

1 Web APIs that Developers Love Kai Spichale @kspichale 2 Communication Decoupling from among developers implementation Client API Implementation Integration &amp; reuse Operations with input and output 3 Developer Perspective ?

726 views • 54 slides
Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3.

Routing In Ad Hoc Networks 1. Introduction to Ad-hoc networks 2. Routing in Ad-hoc networks 3. Proactive routing protocols DSDV 4. Reactive routing protocols DSR, AODV 5. Non-uniform routing protocols ZRP, CEDAR 6. Other

392 views • 22 slides

More recommend