Software Security From school to reality and back
Page 1: Software Security : From school to reality and back!

Software Security

From school to reality and back!

Page 2: Software Security : From school to reality and back!

#outline

* terminology

* hacker-hats

* From school

* tools

* competitions

* progress

* references

Page 3: Software Security : From school to reality and back!

Programming ?

* Program :

Transformation of question / task to math-logic problem

* Code :

Smart calculator based on sequences of reads and writes

* Performance

how smartly you build the logic of your calculator

Page 4: Software Security : From school to reality and back!

hacker

http://en.wikipedia.org/wiki/Hacker

Hacker (term), is a term used in computing that can describe several types of persons

1. Hacker (computer security) someone who seeks and exploits weaknesses in a computer system or computer network

2. Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment

3. Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities

Page 5: Software Security : From school to reality and back!

vulnerability

http://en.wikipedia.org/wiki/Vulnerability_(computing)

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.[1] To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface

Page 6: Software Security : From school to reality and back!

exploitation

http://en.wikipedia.org/wiki/Exploit_(computer_security)

An exploit (from the English verb to exploit, meaning "using something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause *UNINTENDED OR UNANTICIPATED BEHAVIOR* to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

Page 7: Software Security : From school to reality and back!

Exploitation [??? guys]

▪ Hunt vulnerabilities
– Write fuzzers, checkers, support tools …
– Use 0days for their own reasons, cyber weapons, spying..

▪ Invent / copy methodologies
– Misuse hole in protection mechanism for attack!
– Do 0day business with 3rd party
– Keep their research private

Page 8: Software Security : From school to reality and back!

What ??? do

Page 9: Software Security : From school to reality and back!

Exploitation [good guys]

▪ Hunt vulnerabilities
– Write fuzzers, checkers, support tools …
– Report to vendors & Cooperate on fix

▪ Invent new methodologies
– To uncover weakness of current protection mechanism
– Cooperate on effective mitigations
– Share research with community for faster improvement

Page 10: Software Security : From school to reality and back!

What good guys do

Page 11: Software Security : From school to reality and back!

CALC … Seriously ?!

Page 12: Software Security : From school to reality and back!

Attack chain

Attack vector :

• Social engineering

• Vulnerability

• Killing 0days

proactive solution!

Prevent automatic install of malware

• Cure after-effects

Dissecting malware

If proactive fails

Targeted attack here won already!

Page 13: Software Security : From school to reality and back!

Aftermath

Low hanging fruits

Popping calcs

Good luck …

Page 14: Software Security : From school to reality and back!

... It is all about bugs ...

▪ We are humans and we make mistakes

▪ Many bugs in code, especially in large codebases

▪ OSes introduce many defensive mechanisms to effectively mitigate techniques for exploiting bugs

▪ What every programmer should know
– Algorithms
– Design problems & principles
– CPU & Memory (& at least basic understanding of your compiler)
– vulnerability classes
– mitigation techniques
– auditing tools

Page 15: Software Security : From school to reality and back!

Algorithms [RP, Tvorba efekt. algo.]

▪ Most of the time you will not re-implement binary trees, Fibonacci heaps, flow algo …

▪ But algorithmic thinking helps you find a way to solve given problems effectively

▪ It teaches you out-of-the-box thinking

▪ BUT, it can also push you into a corner!

▪ Always keep in mind : PERFORMANCE > SECURITY is a very *very* bad idea

▪ First think about design, later optimize!

https://www.topcoder.com/community/data-science/data-science-tutorials/

Page 16: Software Security : From school to reality and back!

Design [Programovanie (3)]

▪ OOP is a very effective way to build complex systems

▪ Reuse code, modularity, abstraction

▪ Keep clean code, descriptive naming, simple one-purpose functions

▪ Keep focus on language features, and their newest developments!

▪ Design patterns can help / show you the generalization of a problem

▪ But design patterns are *not* a solution for everything

▪ Think about design patterns and use them when it is appropriate

▪ Good design leads to easier maintenance, refactoring & review

https://sourcemaking.com/design_patterns

http://www.stroustrup.com/C++11FAQ.html

Page 17: Software Security : From school to reality and back!

MEMORY & CPU [Principy pocitacov]

▪ Understand memory & cpu
– How are data stored
– Instructions – assembler
  ▪ X86, arm

▪ Understand “program->compiler->assembly”
– Variables
– Functions
– Loops & calls

https://www.recurse.com/blog/5-learning-c-with-gdb

https://www.recurse.com/blog/7-understanding-c-by-learning-assembly

http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

Page 18: Software Security : From school to reality and back!

SAT Solvers [FOJA, Algebra]

▪ Magic Blackbox with right answer – Boolean Satisfiability Problem

▪ Based on Boolean algebra

▪ NP-complete, but some optimizations are used

▪ Appropriate & smart formulation of the problem (or part of the problem) helps in fuzzers and exploitation as well

▪ Competition of sat solvers!

http://www.quarkslab.com/dl/StHack2015-Dynamic-Behavior-Analysis-using-Binary-Instrumentation-Jonathan-Salwan.pdf

https://github.com/0vercl0k/z3-playground/blob/master/hackingweek-reverse400_z3.py

http://en.wikipedia.org/wiki/Boolean_satisfiability_problem http://www.satcompetition.org/

Page 19: Software Security : From school to reality and back!

bugs & bugs

http://www.sublimetext.com/ http://en.wikipedia.org/wiki/Buffer_overflow

Page 20: Software Security : From school to reality and back!

CODE : Bubble sort ?

http://www.vim.org/ https://inguma.eu/projects/bokken

Page 21: Software Security : From school to reality and back!

VULNERABILITY Bubble sort !

As signed numbers can represent NEGATIVE numbers, they lose a range of positive numbers that can only be represented with unsigned numbers of the same size (in bits) because roughly half the possible values are non-positive values (so if an 8-bit is signed, positive unsigned values 128 to 255 are gone while -128 to 127 are present). Unsigned variables can dedicate all the possible values to the positive number range.

https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx
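
The signed/unsigned point above, as an added C example that is not the slide's own code: an upper-bound check on a signed count accepts negative values, which become a huge size once converted to unsigned, shown beside a check on an unsigned count used by a small bubble sort. `MAX_ITEMS` and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 16  /* capacity of the fixed buffer (assumed for this example) */

/* Flawed check: count is signed and only the upper bound is tested,
 * so every negative count is accepted. Returns 1 if accepted. */
int accept_signed(int count) { return !(count > MAX_ITEMS); }

/* What a copy length or loop bound sees once an accepted signed count
 * is converted to an unsigned size: negative values become huge. */
size_t as_copy_length(int count) { return (size_t)count * sizeof(int); }

/* Hardened check: the count is unsigned from the start, so a single
 * comparison covers the whole range of possible values. */
int accept_unsigned(size_t count) { return count <= MAX_ITEMS; }

/* Bubble sort through a fixed buffer, guarded by the hardened check.
 * Returns 0 on success, -1 if the count is rejected. */
int sort_copy(int *out, const int *in, size_t count)
{
    int buf[MAX_ITEMS];
    if (!accept_unsigned(count))
        return -1;
    memcpy(buf, in, count * sizeof(int));
    for (size_t i = 0; i + 1 < count; i++)
        for (size_t j = 0; j + 1 < count - i; j++)
            if (buf[j] > buf[j + 1]) {
                int t = buf[j]; buf[j] = buf[j + 1]; buf[j + 1] = t;
            }
    memcpy(out, buf, count * sizeof(int));
    return 0;
}

int main(void)
{
    int in[4] = {3, -1, 2, 0}, out[4];  /* constructed sample input */
    int rc = sort_copy(out, in, 4);
    printf("signed check accepts -1: %d, length seen: %zu\n",
           accept_signed(-1), as_copy_length(-1));
    printf("unsigned check accepts (size_t)-1: %d\n",
           accept_unsigned((size_t)-1));
    printf("sort rc=%d first=%d last=%d\n", rc, out[0], out[3]);
    return 0;
}
```
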

Page 22: Software Security : From school to reality and back!

EXPLOITATION Bubble sort !

Page 23: Software Security : From school to reality and back!

Some of hardening

Stack canaries

Memory allocation randomization

Memory object separation

DEP

i want exec

Those are data

Page 24: Software Security : From school to reality and back!

How to Start… tools, competitions …

Page 25: Software Security : From school to reality and back!

IDE (+ plugins!) programming environment

• Visual Studio 2013 (community edition)

• Vim

• Sublime

Page 26: Software Security : From school to reality and back!

REVERSE ENGINEERING

• bokken

• windbg

• gdb (lldb)

Page 27: Software Security : From school to reality and back!

Virtual machine + emulators

• Virtual Box

• Bochs

• Qemu

Page 28: Software Security : From school to reality and back!

Additional tools (win)

• ConEmu (far manager)

• Hiew

• cygwin

Page 29: Software Security : From school to reality and back!

Additional tools

• Z3

• Capstone

• Git

• Process explorer

Page 30: Software Security : From school to reality and back!

ALGO - COMPETITIONS

Page 31: Software Security : From school to reality and back!

CTF - COMPETITIONS

Page 32: Software Security : From school to reality and back!

Final words

… advices, references …

Page 33: Software Security : From school to reality and back!

SELF – learning

For ever and ever best approach

*DO SPORT*

Keep balanced body and mind

essential for creative ideas ;)

HARDwork

Push 110% to everything in your life (learning, sport, work, study, …)

Page 34: Software Security : From school to reality and back!

#whoami

* Peter Hlavaty - @zer0mem

* GJH (2004-2008)

* Matfyz (2008-2010)

* ESET (2010-2014)

* KEEN (2014-…)

* Conferences (…)

* Lectures (…)

* Pwn Events (...)

Feel free to ContacT me

I will try to help (with some delay +- :)

Page 35: Software Security : From school to reality and back!

tweets

▪ @aionescu

▪ @Ivanlef0u

▪ @K33nTeam

▪ @binitamshah

▪ @taviso

▪ @team509

▪ @mdowd

▪ @d_olex

▪ @grsecurity

▪ @kernelpool

▪ @gynvael

▪ @j00ru

▪ @lcamtuf

▪ @0verl0ck

▪ @matrosov

▪ @vxradius

▪ @trimosx

▪ @solardiz

Page 36: Software Security : From school to reality and back!

References - tools

editor: http://www.vim.org/

https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx

http://www.sublimetext.com/

re : https://inguma.eu/projects/bokken

http://www.radare.org/r/ http://www.capstone-engine.org/

http://www.windbg.org/

https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx

http://www.gnu.org/software/gdb/

http://lldb.llvm.org/

virtual : https://www.virtualbox.org/ http://bochs.sourceforge.net/ http://wiki.qemu.org/Main_Page

tools: http://www.farmanager.com/

http://www.hiew.ru/

http://conemu.github.io/

https://www.cygwin.com/

https://github.com/Z3Prover/z3

http://rise4fun.com/z3/tutorial

http://www.capstone-engine.org/

https://github.com/

https://technet.microsoft.com/sk-sk/sysinternals/bb896653