Writing Secure Software is hard, but at least add mitigations!

Similar documents
AppSecUSA New York City 2013

OWASP Spain Barcelona 2014

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Bypassing Browser Memory Protections in Windows Vista

Bypassing Memory Protections: The Future of Exploitation

Why should I care about PDF application security?

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Turn the Page: Why now is the time to migrate off Windows Server 2003

BLACK HAT ASIA Singapore, March 2014

Creating a More Secure Device with Windows Embedded Compact 7. Douglas Boling Boling Consulting Inc.

Computer Security: Principles and Practice

Software Vulnerability Exploitation Trends. Exploring the impact of software mitigations on patterns of vulnerability exploitation

The SDL Progress Report. Progress reducing software vulnerabilities and developing threat mitigations at Microsoft

Common Errors in C/C++ Code and Static Analysis

SAFECode Security Development Lifecycle (SDL)

Hotpatching and the Rise of Third-Party Patches

Security & Exploitation

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

The Hacker Strategy. Dave Aitel Security Research

90% of data breaches are caused by software vulnerabilities.

Developing Secure Software in the Age of Advanced Persistent Threats

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

Modern Binary Exploitation Course Syllabus

Microsoft Update Management. Sam Youness Microsoft

WHITEPAPER. Nessus Exploit Integration

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Smartphone Apps Are Not That Smart: Insecure Development Practices

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

Using Microsoft Visual Studio API Reference

Custom Penetration Testing

Secure Development LifeCycles (SDLC)

Some Anti-Worm Efforts at Microsoft. Acknowledgements

Adobe Flash Player and Adobe AIR security

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

OSMOSIS. Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris

DOES OPEN MEAN VULNERABLE?

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Defense in Depth: Protecting Against Zero-Day Attacks

Effects of Memory Randomization, Sanitization and Page Cache on Memory Deduplication

SkyRecon Cryptographic Module (SCM)

Chapter 15 Operating System Security

Software Development: The Next Security Frontier

CPA SECURITY CHARACTERISTIC SECURE VOIP CLIENT

Microsoft Security Bulletin MS Important

Introduction. Figure 1 Schema of DarunGrim2

Source Code Review Using Static Analysis Tools

Implementation Vulnerabilities in SSL/TLS

The Security Development Lifecycle

Red Hat. By Karl Wirth

Application Security Testing How to find software vulnerabilities before you ship or procure code

Cloud Application Security Assessment, Guerrilla Style

Testing for Security

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Session ID: Session Classification:

NVIDIA CUDA GETTING STARTED GUIDE FOR MAC OS X

What is Web Security? Motivation

Secure Network Communications FIPS Non Proprietary Security Policy

Exploiting nginx chunked overflow bug, the undisclosed attack vector

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Elements to a Secure Environment Becoming Resilient Towards Modern Cyberthreats. Windows XP Support Has Ended Why It Concerns You

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Background. How much does EMET cost? What is the license fee? EMET is freely available from Microsoft without material cost.

HoneyBOT User Guide A Windows based honeypot solution

Maximizing customer protections

Software Vulnerabilities

Cyber Exploits: Improving Defenses Against Penetration Attempts

elearning for Secure Application Development

OPEN SOURCE SECURITY

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

INTERNAL USE ONLY (Set it to white if you do not need it)

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

UNCLASSIFIED CPA SECURITY CHARACTERISTIC WEB APPLICATION FIREWALLS. Version 1.3. Crown Copyright 2011 All Rights Reserved

Testing Control Systems

Crystal Reports.Net 1.1 Patch

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

PI Server Security Best Practice Guide Bryan Owen Cyber Security Manager OSIsoft

Criteria for web application security check. Version

Operating System Security

An Analysis of Address Space Layout Randomization on Windows Vista

The Epic Turla Operation: Information on Command and Control Server infrastructure

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

UEFI Firmware Security Best Practices

Windows Phone 7 Internals and Exploitability

Securing Secure Browsers

Spyware Analysis. Security Event - April 28, 2004 Page 1

Enterprise Application Security Program

Web Application Security

DEVELOPING SECURE SOFTWARE

Jonathan Worthington Scarborough Linux User Group

Security Testing for Developers using OWASP ZAP

Protecting Your Organisation from Targeted Cyber Intrusion

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

FTP Client Engine Library for Visual dbase. Programmer's Manual

How To Fix A Snare Server On A Linux Server On An Ubuntu (Amd64) (Amd86) (For Ubuntu) (Orchestra) (Uniden) (Powerpoint) (Networking

Transcription:

Writing Secure Software is hard, but at least add mitigations! SESSION ID: ASEC-F02 Simon Roses Femerling CEO VULNEX @simonroses

ME? Simon Roses Femerling Founder & CEO, VULNEX www.vulnex.com Blog: www.simonroses.com Twitter: @simonroses Former Microsoft, PwC, @Stake DARPA Cyber Fast Track award on software security project Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, MSFT TECHNET 2

BIG THANKS! DARPA Cyber Fast Track (CFT) Mudge The fine folks at BIT SYSTEMS 3

TALK OBJECTIVES Secure development Verify software security posture 4

AGENDA 1. Secure Development 2. Security Mitigations 3. BinSecSweeper 4. Case Studies 5. Conclusions 5

6 1. Secure Development

1. MICROSOFT SDL

1. OPENSAMM 8

1. IT S ABOUT SAVING MONEY! 9

1. LET S AVOID D-LINK ROUTER BACKDOOR CVE-2013-6462: Stack buffer overflow (20 years old) Multiple CVEs: CVE-2013-5359 CVE-2013-5358 CVE-2013-5357 CVE-2013-5349 10

1. BINARY INTELLIGENCE File Information Size Hash Timestamp Strings Compiler Name Version Security Mitigations DEP ASLR Stack Cookies Vulnerabilities Unsafe API Weak Crypto Backdoors

2. Security Mitigations

2. SOME COMPILERS OFFER GOOD SECURITY DEFENSES Visual Studio GCC LLVM (Xcode) 13

2. SDL MICROSOFT GUIDE 5.2 Use minimum code generation suite and libraries. For unmanaged, native C/C++ code, use Visual C++ 2010 as it offers all the SDLmandated compiler and linker flags, including /GS, /DYNAMICBASE, /NXCOMPAT, and /SAFESEH. For managed code, use Visual Studio 2008 SP1 or later. Use the currently required (or later) versions of compilers to compile options for the Win32, Win64, WinCE, and Macintosh target platforms, as listed in Appendix E: SDL Required and Recommended Compilers, Tools, and Options for All Platforms. The biggest change in Visual Studio 2008 SP1 and later is Data Execution Prevention (DEP) support, enabled by default for all binaries, which can help protect against classes of buffer overrun. For unmanaged C or C++ code, BinScope must indicate a "Pass" in the compiler version field for all binaries. For managed code, an attestation is required that the compiler version used to ship the product is the version outlined in this document or later. Banned application programming interfaces (APIs). All native C and C++ code must not use banned versions of string buffer handling functions. http://www.microsoft.com/en-us/download/confirmation.aspx?id=29884 14

2. Visual Studio Defenses 1) Only available in Visual Studio Ultimate 2) Defense enhanced

2. Visual Studio Defenses Stack buffer protection (/GS) Code Analysis Data Execution Prevention (DEP) Address Space Layout Randomization (ASLR) Security Development Lifecycle (/SDL)(VS 2012) /sdl causes SDL mandatory compiler warnings to be treated as errors during compilation. /sdl enables additional code generation features such as increasing the scope of stack buffer overrun protection and initialization or sanitization of pointers in a limited set of welldefined scenarios. 16

2. GCC Defenses 17

2. GCC SECURITY Decent security defenses by not enabled by default Mudflap Pointer Debugging (removed in GCC 4.9, in favor of Address Sanitizer) Instruments for buffer overflows Address Sanitizer (http://code.google.com/p/address-sanitizer/) GCC 4.8 It finds use-after-free and {heap,stack,global}-buffer overflow bugs in C/C++ programs. -fstack-protector strong included in GCC 4.9, previous version as a patch 18

2. LLVM Defenses 1) Enhanced defense 19

2. LLVM SECURITY Some mitigations enabled by default Clang Static Analyzer http://clang-analyzer.llvm.org/available_checks.html 20

2. DEVELOPERS! DEVELOPERS! No excuse, build & ship software with defenses enabled 21

3. BinSecSweeper

3. Why BinSecSweeper? BinSecSweeper is VULNEX binary security verification tool to ensure applications have been built in compliance with Application Assurance best practices The goal for BinSecSweeper is a tool: Developers can use to verify that their output binaries are safe after compilation and before releasing their products IT security pros to scan their infrastructure to identify binaries with weak security defenses or vulnerabilities. BinSecSweeper is a cross platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.

3. FEATURES 100% open source Easy to use Cross-platform works on Windows & Linux Scans Windows (PE) and Unix (ELF) files for security checks Configurable Analysis Engine Extensible by plugins Reporting 24

3. BinSecSweeper in Action I

3. BinSecSweeper in Action II

3. Current Windows Checks CHECK DESCRIPTION Address space layout randomization (ASLR) Stack Cookies (GS) HotPatch Compatible with Data Execution Prevention (NXCOMPAT) Structured Exception Handling (SEH) Abobe Malware Classifier Visual Studio Compiler Fingerprinting Packer Insecure API Checks if binary has opted the ASLR. Link with /DYNAMICBASE Verifies if binary was compiled with Stack Cookies protection. Compile with /GS Checks if binary is prepared for hot patching. Compile with /hotpatch Validates if binary has opted hardware Data Execution Prevention (DEP). Link with /NXCOMPAT Checks if binary was linked with SafeSEH. Link with /SAFESEH Analyzes binary for malware behavior using machine learning algorithms Identifies if binary was compiled with Visual Studio and version (2005, 2008, 2010 & 2012) Checks if binary has been packed Check if binary uses banned API

3. Current Linux Checks CHECK Fortify Source DESCRIPTION Checks if binary was compiled with buffer overflow protection (bounds checking). Compile with D_FORTIFY_SOURCE=X Never execute (NX) Verifies if binary was compiled with NX to reduce the area an attacker can use to perform arbitrary code execution. Position Independent Code (PIE) Checks if binary was compiled with PIE to protects against "return-totext" and generally frustrates memory corruption attacks. Compile with fpie -pie RELocation Read-Only (RELRO) Validates if binary was compiled with RELRO (partial/full) to harden data sections. Compile with z,relro,-z,now Stack Canary Checks if binary was compiled with stack protector to protect against stack overflows. Compile with fstack-protector

3. Plugin Example: Windows ASLR

3. Plugin Example: Linux fortify_source

3. Reporting

3. BinSecSweeper: what s next! More plugins: Windows, Linux, etc. Mobile Malware Backdoors Compilers Packers Metrics panel Diff across product / versions

3. BinSecSwepeper: where? Download BinSecSweeper software from www.vulnex.com After RSA USA (please give us a couple of weeks to finish up doc )

4. Case Studies

4. Remember Picassa? Missing: ASLR + DEP Good: Stack Cookies But was still exploitable! 35

4. Are you compiling your app with zlib.dll? 36

4. Are your 3rd party components improving? Python 2.7 -> sqlite3.dll Python 3.3 -> sqlite3.dll 37

4. A DLL inside a well-known software 38

4. The most common word inside a Microsoft binary? 39

5. Conclusions

5. Verifying Software Security Posture Matters! Binaries contain a lot of information! The security posture of the software developed by you is important: Security improves Quality Branding (shows you care about security) How is the security posture of software vendors you use?

5. Does your Software: Has it been compiled with all possible mitigations? Use insecure APIs? Contain malware? Backdoors? 42

Q&A FIN Thanks! @simonroses

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information