AppSecUSA New York City 2013


ME? Simón Roses Femerling Founder & CEO, VULNEX www.vulnex.com Blog: www.simonroses.com Twitter: @simonroses Former Microsoft, PwC, @Stake DARPA Cyber Fast Track award on software security project Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET

BIG THANKS! DARPA Cyber Fast Track (CFT) Mudge The fine folks at BIT SYSTEMS

TALK OBJECTIVES Secure development Verification technologies Assess software security posture

AGENDA 1. Secure Development: Verification 2. BinSecSweeper 3. Case Studies & Demos 4. Conclusions

1. SECURE DEVELOPMENT: VERIFICATION MS SDL This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases. Software Assurance Maturity Model (SAMM) Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.

1. OPENSAMM

1. MICROSOFT SDL

1. IT'S ABOUT SAVING MONEY!

1. OTHER VERIFICATION TOOLS
Microsoft BinScope: http://www.microsoft.com/en-us/download/details.aspx?id=11910
RECX Binary Assurance for Windows: http://www.recx.co.uk/products/exeaudit.php
ErrataSec Looking Glass: http://blog.erratasec.com/search/label/lookingglass

1. BINSCOPE

1. CURRENT VERIFICATION TOOLS
- Platform specific
  - Windows: BinScope, Looking Glass & Binary Assurance
  - Linux: checksec.sh and custom scripts
- Limited set of checks: they check for defenses, but what about:
  - Compiler used
  - External libs used
  - Malware
  - You name it
- Not easy to extend

1. BINARY INTELLIGENCE
- File information: size, hash, timestamp
- Compiler: name, version
- Security mitigations: DEP, ASLR, stack cookies
- Vulnerabilities: unsafe APIs, weak crypto

2. WHY BINSECSWEEPER? BinSecSweeper is VULNEX's binary security verification tool, built to ensure applications have been compiled and linked in compliance with application assurance best practices. The goal for BinSecSweeper is a tool that: developers can use to verify their output binaries are safe after compilation and before releasing their products; IT security pros can use to scan their infrastructure and identify binaries with weak security defenses or vulnerabilities. BinSecSweeper is a cross-platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.

2. FEATURES 100% open source Easy to use Cross-platform works on Windows & Linux Scans Windows (PE) and Unix (ELF) files for security checks Configurable Extensible by plugins Reporting

2. BINSECSWEEPER IN ACTION (I)

2. BINSECSWEEPER IN ACTION (II)

2. CURRENT WINDOWS CHECKS (CHECK: DESCRIPTION)
Address space layout randomization (ASLR): checks whether the binary has opted into ASLR. Link with /DYNAMICBASE.
Stack Cookies (GS): verifies whether the binary was compiled with stack cookie protection. Compile with /GS.
HotPatch: checks whether the binary is prepared for hot patching. Compile with /hotpatch.
Compatible with Data Execution Prevention (NXCOMPAT): validates whether the binary has opted into hardware DEP. Link with /NXCOMPAT.
Structured Exception Handling (SEH): checks whether the binary was linked with SafeSEH. Link with /SAFESEH.
Adobe Malware Classifier: analyzes the binary for malware behavior using machine learning algorithms.
Visual Studio Compiler Fingerprinting: identifies whether the binary was compiled with Visual Studio, and which version (2008, 2010 & 2012).
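The ASLR, DEP and compiler checks above all come straight out of the PE optional header, so they are a good illustration of how such a verification plugin works. The Python below is an added example written for this page, not BinSecSweeper's own plugin code: it reads DllCharacteristics (DYNAMIC_BASE for /DYNAMICBASE, NX_COMPAT for /NXCOMPAT, HIGH_ENTROPY_VA for 64-bit ASLR, NO_SEH) and maps MajorLinkerVersion to the Visual Studio release that shipped that linker (9 = 2008, 10 = 2010, 11 = 2012), then applies a simple pass/fail policy. The /GS and SafeSEH checks are not implemented here: they live in IMAGE_LOAD_CONFIG_DIRECTORY (SecurityCookie and SEHandlerTable) and need the section table to translate RVAs to file offsets. The sample inputs are header-only images constructed in memory, and the hypothetical names hardened.exe and legacy.exe are labels, not real files.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use high-entropy ASLR (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # image opted into ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100         # image opted into hardware DEP (/NXCOMPAT)
NO_SEH = 0x0400            # image declares that it uses no SEH handlers

# MajorLinkerVersion -> Visual Studio release that ships that linker (crude fingerprint;
# the undocumented "Rich" header is the more precise source)
LINKER_TO_VS = {9: "Visual Studio 2008", 10: "Visual Studio 2010", 11: "Visual Studio 2012"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = "<HHIIIHH"


def check_pe(data):
    """Return mitigation flags and linker fingerprint for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff_off = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    opt_off = coff_off + 20
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt_off)
    # DllCharacteristics sits at offset 70 in both PE32 (0x10b) and PE32+ (0x20b)
    dll_chars, = struct.unpack_from("<H", data, opt_off + 70)
    return {
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "compiler": LINKER_TO_VS.get(linker_major, f"unknown (linker {linker_major}.{linker_minor})"),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def posture(result):
    """Pass/fail policy: ASLR and DEP are required; 64-bit images should also opt into high-entropy ASLR."""
    missing = []
    if not result["aslr"]:
        missing.append("ASLR (/DYNAMICBASE)")
    if not result["dep"]:
        missing.append("DEP (/NXCOMPAT)")
    if result["pe32plus"] and not result["high_entropy_va"]:
        missing.append("high-entropy ASLR (/HIGHENTROPYVA)")
    return ("PASS" if not missing else "FAIL", missing)


def build_pe(dll_chars, linker_major=10, pe32plus=True):
    """Constructed test input: a minimal header-only image, not a runnable executable."""
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<HBB", opt, 0, 0x20B if pe32plus else 0x10B, linker_major, 0)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack(COFF_HDR, 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew points just past the DOS stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Two constructed samples, plus any real PE files passed on the command line
    samples = {
        "hardened.exe": build_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT, linker_major=11),
        "legacy.exe": build_pe(0, linker_major=9, pe32plus=False),
    }
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            samples[path] = f.read()
    for name, blob in samples.items():
        r = check_pe(blob)
        verdict, missing = posture(r)
        print(f"{name}: {r['compiler']}, ASLR={r['aslr']}, DEP={r['dep']}, "
              f"HighEntropyVA={r['high_entropy_va']} -> {verdict} {missing}")
```

Run it with one or more paths to real executables to audit them alongside the two constructed samples; an image that fails the policy is exactly the kind of binary for which EMET's opt-in mitigations were the stopgap.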

2. CURRENT LINUX CHECKS (CHECK: DESCRIPTION)
Fortify Source: checks whether the binary was compiled with buffer overflow protection (bounds checking of common libc calls). Compile with -D_FORTIFY_SOURCE=2 (requires optimization, -O1 or higher).
Never execute (NX): verifies whether the binary was built with a non-executable stack, to reduce the memory an attacker can use for arbitrary code execution. Link with -Wl,-z,noexecstack (the default unless an object requests an executable stack).
Position Independent Executable (PIE): checks whether the binary was built as PIE, which protects against "return-to-text" attacks and generally frustrates memory corruption exploitation. Compile with -fPIE and link with -pie.
RELocation Read-Only (RELRO): validates whether the binary was linked with RELRO (partial or full) to harden the data sections. Link with -Wl,-z,relro,-z,now for full RELRO.
Stack Canary: checks whether the binary was compiled with a stack protector to detect stack overflows. Compile with -fstack-protector (or -fstack-protector-all).
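All five Linux checks can be answered from the ELF program headers and the dynamic section, which is what checksec.sh does with readelf; the Python below is an added example for this page, not BinSecSweeper's FORTIFY_SOURCE plugin or checksec itself. NX comes from the PT_GNU_STACK flags (a missing PT_GNU_STACK also counts as no NX, because the kernel then falls back to an executable stack), PIE from e_type == ET_DYN, partial RELRO from the presence of PT_GNU_RELRO and full RELRO from that plus DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW, the canary from the __stack_chk_fail import, and FORTIFY_SOURCE from *_chk imports in the dynamic string table. It handles little-endian ELF64 only. The sample inputs are header-only ELF images constructed in memory; the "hardened" and "weak" labels are hypothetical names for them.

```python
import struct
import sys

# Constants from elf.h (little-endian ELF64 only)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # Elf64_Ehdr / Elf64_Phdr / Elf64_Dyn


def check_elf(data):
    """Report NX, PIE, RELRO, stack canary and FORTIFY_SOURCE for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR, data, 0)
    # Each phdr is (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def vaddr_to_offset(vaddr):
        for p in loads:
            if p[3] <= vaddr < p[3] + p[5]:
                return vaddr - p[3] + p[2]
        raise ValueError(f"address {vaddr:#x} is not file-backed")

    # Walk the dynamic section (PT_DYNAMIC) into a tag -> value map
    dyn = {}
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        off, end = p[2], p[2] + p[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN, data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += 16
    # Imported/exported symbol names live in the dynamic string table
    names = set()
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(dyn[DT_STRTAB])
        names = set(data[start:start + dyn[DT_STRSZ]].split(b"\0"))

    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        # No PT_GNU_STACK means the kernel defaults to an executable stack, so that counts as no NX
        "nx": bool(stack) and not (stack[0][1] & PF_X),
        "pie": e_type == ET_DYN,   # shared libraries are ET_DYN as well
        "relro": "full" if has_relro and bind_now else ("partial" if has_relro else "none"),
        "canary": b"__stack_chk_fail" in names,
        "fortify": any(n.endswith(b"_chk") for n in names),
    }


def build_elf(pie=True, nx=True, relro="full", canary=True, fortify=True):
    """Constructed test input: a header-only ELF64 image with the requested properties (not runnable)."""
    names = [b"", b"memcpy", b"printf"]
    names += [b"__stack_chk_fail"] if canary else []
    names += [b"__memcpy_chk"] if fortify else []
    strtab = b"\0".join(names) + b"\0"
    strtab_off, dyn_off = 0x200, 0x300
    entries = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if relro == "full":
        entries.append((DT_FLAGS_1, DF_1_NOW))
    entries.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in entries)
    total = dyn_off + len(dynamic)
    phdrs = [  # one PT_LOAD at vaddr 0 covering the whole file, so vaddr == file offset
        (PT_LOAD, PF_R | PF_X, 0, 0, 0, total, total, 0x1000),
        (PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8),
        (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, little-endian, version 1
    img = bytearray(total)
    img[:64] = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
                           64, 56, len(phdrs), 64, 0, 0)
    for i, p in enumerate(phdrs):
        struct.pack_into(PHDR, img, 64 + i * 56, *p)
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:] = dynamic
    return bytes(img)


if __name__ == "__main__":
    samples = {"hardened": build_elf(),
               "weak": build_elf(pie=False, nx=False, relro="partial", canary=False, fortify=False)}
    for path in sys.argv[1:]:   # also audit any real ELF64 binaries given on the command line
        with open(path, "rb") as f:
            samples[path] = f.read()
    for name, blob in samples.items():
        print(name, check_elf(blob))
```

Pass real binaries on the command line (for example /bin/ls on an x86-64 distribution) to compare with checksec.sh output; note that the canary and FORTIFY checks only see what is imported from libc, so a statically linked binary needs a symbol-table scan instead.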

2. PLUGIN EXAMPLE: TEST PLUGIN

2. PLUGIN EXAMPLE: WINDOWS ASLR

2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE

2. REPORTING

2. BINSECSWEEPER: WHAT'S NEXT More plugins: Windows, Linux, etc. Mobile Malware Backdoors Compilers Packers Metrics panel Diff across products / versions

2. BINSECSWEEPER: WHERE? Download BinSecSweeper software from www.vulnex.com

3. TIME FOR SOME ACTION Case Study I: Verify your own software Case Study II: Software Security Posture, ACME inc Case Study III: Browser Security Comparison

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE Is your in-house software following a secure development framework? Is your software being checked for: 1. Compiled with a modern compiler? 2. Security defenses enabled for Windows or Linux? 3. No malware included in product? 4. Using external libraries (DLL, etc.) and what is their security?

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE BinSecSweeper can verify that product (used by development teams): What Visual Studio version has been used? (Windows only) (MS SDL) What defenses have been enabled? Windows: Stack Cookies, ASLR, DEP, SAFESEH, HotPatching. Linux: Stack Canary, NX, Fortify Source, PIE, RELRO. Audits all files in the project. Program security posture: does it Pass / Fail?

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, ACME INC Does IT know the security posture of all software? You can assess your vendors. Now you know where EMET is needed!

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, ACME INC VLC Skype iTunes Dropbox

3. CASE STUDY III: BROWSER SECURITY COMPARISON Let's assess browser security posture: Chrome, Firefox, Internet Explorer, Opera, Safari. Only checked on Windows, but it would be interesting to do the same exercise on other OSes.

3. CASE STUDY III: BROWSER SECURITY COMPARISON (BROWSER: AUDITED FILES, FILE, COMPILER)
Chrome: 75 files, chrome.exe, VS 2010 / 360
Firefox: 28 files, firefox.exe, VS 2010 / 11
Internet Explorer: 18 files, iexplore.exe, ? / 5
Opera: 14 files, opera.exe, VS 2010 / 16099
Safari: 48 files, safari.exe, VS 2008 / 2
(The GS / ASLR / DEP / SAFESEH / HotPatch columns of the slide are not recoverable from the extracted text.)

4. VERIFYING SOFTWARE SECURITY POSTURE MATTERS! Binaries contain a lot of information! The security posture of the software developed by you is important: Security improves Quality Branding (show you care about security) How is the security posture of software vendors you use?

4. BINSECSWEEPER: CALL TO ARMS How can the software be improved? What checks do you need? What metrics do you need? Contact: research@vulnex.com

4. REFERENCES
Linux Security Features (Ubuntu): https://wiki.ubuntu.com/Security/Features
Visual Studio Compiler Options: http://msdn.microsoft.com/en-us/library/9s7c9wdw.aspx

4. Q&A Thanks! @simonroses / @vulnexsl www.vulnex.com