software security : from school to reality and back!
TRANSCRIPT
Software Security
From school to reality and back!
#outline
* terminology
* hacker-hats
* From school
* tools
* competitions
* progress
* references
Programing ?
* Program :
Transformation of question / task to math-logic problem
* Code :
Smart calculator based on sequences of reads and writes
* Performance
how smart you build logic of your calculator
hacker
http://en.wikipedia.org/wiki/Hacker
Hacker (term), is a term used in computing that can describe several types of persons
1. Hacker (computer security) someone who seeks and exploits weaknesses in a computer system or computer network2. Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment3. Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities
vulnerability
http://en.wikipedia.org/wiki/Vulnerability_(computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.[1] To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface
exploitation
http://en.wikipedia.org/wiki/Exploit_(computer_security)
An exploit (from the English verb to exploit, meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause *UNINTENDED OR UNANTICIPATED BEHAVIOR* to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
Exploitation [??? guys]
▪ Hunt vulnerabilities– Write fuzzers, checkers, support tools …– Use 0days for their own reasons, cyber weapons,
spying..
▪ Invent / copy methodologies– Misuse hole in protection mechanism for attack!– Do 0day business with 3rd party– Keep their research private
What ??? do
Exploitation [good guys]
▪ Hunt vulnerabilities– Write fuzzers, checkers, support tools …– Report to vendors & Cooperate on fix
▪ Invent new methodologies– To uncover weakness of current protection
mechanism– Cooperate on effective mitigations– Share research with community for faster
improvement
What good guys do
CALC … Seriously ?!
Attack chain
• Social engineering
• VulnerabilityAttack vector :
• Killing 0days proactive solution!
Prevent to automatic install
malware • Cure after-effects
Dissecting malware
If proactive fails
Targeted attack here won already!
Aftermath
Low hanging fruits
Poping calcs
Good luck …
... It is all about bugs ...
▪ We are humans and making mistakes
▪ Many bugs in code, especially in large codebase
▪ OS introduce many defensive mechanism for effective mitigating techniques for exploiting bugs
▪ What every programmer should know– Algorithms– Designs problems & principles– CPU & Memory (& at least basic understanding of your compiler)– vulnerability classes– mitigation techniques– auditing tools
Algorithms [RP, Tvorba efekt. algo.]
▪ Most of times you will not re-implement binary trees, fibonaci heaps, flow algo …
▪ But Algorithmic thinking helps you to find a way how to effective solve given problems
▪ It learns you out-of-box thinking
▪ BUT, Can also push you to the corners!
▪ Always keep in mind : PERFORMANCE > SECURITY is very *very* bad idea
▪ First think about design, later optimize!
https://www.topcoder.com/community/data-science/data-science-tutorials/
Design [Programovanie (3)]
▪ OOP is very effective way to build complex systems
▪ Reuse code, modularity, abstraction
▪ Keep clean code, descriptive naming, simple one purpose functions
▪ Keep focus on language features, and its newest development!
▪ Design patterns can help /show you generalization of problem
▪ But design patterns are *not* solution for everything
▪ Think about design patterns and use them when it is appropriate
▪ Good design leads to easier maintance, refactoring & reviewhttps://sourcemaking.com/design_patterns http://www.stroustrup.com/C++11FAQ.html
MEMORY & CPU [Principy pocitacov]
▪ Understand memory & cpu– How are data stored– Instructions – assembler▪ X86, arm
▪ Understand “program->compiler->assembly”– Variables– Functions– Loops & calls
https://www.recurse.com/blog/5-learning-c-with-gdb https://www.recurse.com/blog/7-understanding-c-by-learning-assembly
http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
SAT Solvers [FOJA, Algebra]
▪ Magic Blackbox with right answer – Boolean Satisfiability Problem
▪ Based on Boolean algebra
▪ NP-complete , but some optimalization used
▪ Appropriate & smart formulation of problem (part of problem), helps in fuzzers and explotation as well
▪ Competition of sat solvers!
http://www.quarkslab.com/dl/StHack2015-Dynamic-Behavior-Analysis-using-Binary-Instrumentation-Jonathan-Salwan.pdf
https://github.com/0vercl0k/z3-playground/blob/master/hackingweek-reverse400_z3.py
http://en.wikipedia.org/wiki/Boolean_satisfiability_problem http://www.satcompetition.org/
bugs & bugs
http://www.sublimetext.com/ http://en.wikipedia.org/wiki/Buffer_overflow
CODE : Bubble sort ?
http://www.vim.org/ https://inguma.eu/projects/bokken
VULNERABILITY Bubble sort !
As signed numbers can represent NEGATIVE numbers, they lose a range of positive numbers that can only be represented with unsigned numbers of the same size (in bits) because roughly half the possible values are non-positive values (so if an 8-bit is signed, positive unsigned values 128 to 255 are gone while -128 to 127 are present). Unsigned variables can dedicate all the possible values to the positive number range.https://www.visualstudio.com/
en-us/products/visual-studio-community-vs.aspx
EXPLOITATION Bubble sort !
Some of hardening
Stack canaries
Memory allocatio
n randomization
Memory object
separation
DEP
i want exec Those are data
How to Start… tools, competitions …
IDE (+ plugins!) programming environment
• Visual Studio 2013 (community edition)
• Vim
• Sublime
REVERSE ENGENEERING
• bokken
• windbg
• gdb (lldb)
Virtual machine + emulators
• Virtual Box
• Bochsd
• Qemu
Additional tools (win)
• ConEmu (far manager)
• Hiew
• cygwin
Additional tools
• Z3
• Capstone
• Git
• Process explorer
ALGO - COMPETITIONS
CTF - COMPETITIONS
Final words
… advices, references …
SELF – learning
For ever and ever best approach
*DO SPORT*
Keep balanced body and mind
essential for creative ideas ;)
HARDwork
Push 110% to everything in
your life (learning,
sport, work, study, …)
#whoami
* Peter Hlavaty - @zer0mem
* GJH (2004-2008)
* Matfyz (2008-2010)
* ESET (2010-2014)
* KEEN (2014-…)
* Conferences (…)
* Lectures (…)
* Pwn Events (...)
Feel free to ContacT me
I will try to help (with some delay +- :)
tweets
▪ @aionescu
▪ @Ivanlef0u
▪ @K33nTeam
▪ @binitamshah
▪ @taviso
▪ @team509
▪ @mdowd
▪ @d_olex
▪ @grsecurity
▪ @kernelpool
▪ @gynvael
▪ @j00ru
▪ @lcamtuf
▪ @0verl0ck
▪ @matrosov
▪ @vxradius
▪ @trimosx
▪ @solardiz
References - tools
editor: http://www.vim.org/
https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx
http://www.sublimetext.com/
re : https://inguma.eu/projects/bokken
http://www.radare.org/r/ http://www.capstone-engine.org/
http://www.windbg.org/ https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).
aspx http://www.gnu.org/software/gdb/
http://lldb.llvm.org/
virtual : https://www.virtualbox.org/ http://bochs.sourceforge.net/ http://wiki.qemu.org/Main_Page
tools: http://www.farmanager.com/ http://www.hiew.ru/ http://conemu.github.io/ https://www.cygwin.com/ https://github.com/Z3Prover/z3 http://rise4fun.com/z3/tutorial http://www.capstone-engine.org/https://github.com/ https://technet.microsoft.com/sk-sk/sysinternals/bb896653
References - events
http://ctf.codegate.org/ https://ctf.0ops.sjtu.cn/
https://legitbs.net/ http://ghostintheshellcode.com/
http://play.plaidctf.com/ https://ctf.dragonsector.pl/
https://github.com/ctfs/write-ups-2015/
http://uva.onlinejudge.org/ https://www.topcoder.com/community/data-science/data-science-tutorials/ https://arena.topcoder.com/#/a/home
http://zenit.edu.sk/ https://www.ksp.sk/ http://people.ksp.sk/~acm/welcome.php