SlideShare une entreprise Scribd logo

Bleeding secrets

Télécharger en tant que PPSX, PDF
Ofer Rivlin, CISSP
Ofer Rivlin, CISSP

This document describes Ofer Rivlin's career path in cybersecurity and his involvement in discovering vulnerabilities. It details his role in identifying the OpenSSL Heartbleed vulnerability in 2014 and describes how it worked. It also outlines the Ticketbleed vulnerability he discovered in 2017 affecting F5 BIG-IP load balancers, which could leak up to 31 bytes of memory and potentially expose secret session keys. The document emphasizes lessons learned around the importance of security reviews, testing, and following standards and best practices in development and product security.

Technologie
1  sur  79
1 Ofer Rivlin Product security lead, Cyberark
AI Dev Dev Team Lead Security Architect Product Security Lead Dev Architect Security Researcher & Architect AI Dev My path
3
4
5
6 This is how it all began…
7 Apr 7, 2014
8 Openssl 0day
9
10
11
12 OpenSSL Heartbeat Client Message Create Message 1 Message Encrypt the Message 2 Message Decrypt the Message 3 Response Includes the client message Create Response 4 Response Encrypt the Message 5 Compare Response with sent Message 6 Server 7 Response Decrypt the Response
13
14
15
16
17
18 What went wrong
19 OpenSSL Heartbeat Client Message Create Message 1 Message Encrypt the Message 2 Message Decrypt the Message 3 Response Includes the client message Create Response 4 Response Encrypt the Message 5 Compare Response with sent Message 6 Server 7 Response Decrypt the Response
20 char *message-payload int payload-length Message Struct Prepare the Response with the Client message Client Server Copies the message data to its memory
21 char *message-payload int payload-length Message Struct Prepare the Response with the Client message Client Server char *pl int payload // pointer to the payload (message data) // the length of the payload
22 char *message-payload int payload-length Message Struct Prepare the Response with the Client message Client Server char *pl int payload buffer = malloc(payload) // allocate memory as the payload length // pointer to the payload (message data) // the length of the payload
23 char *message-payload int payload-length Message Struct HAT 3 Prepare the Response with the Client message Client Server char *pl int payload buffer = malloc(payload) memcpy(buffer, pl, payload) // allocate memory as the payload length // copy the payload into the new allocated memory // pointer to the payload (message data) // the length of the payload 3H
24 char *message-payload int payload-length Message Struct HAT 3 Prepare the Response with the Client message Client Server char *pl int payload buffer = malloc(payload) memcpy(buffer, pl, payload) // allocate memory as the payload length // copy the payload into the new allocated memory // pointer to the payload (message data) // the length of the payload 3H
25 Prepare the Response with the Client message Eve Server char *pl int payload buffer = malloc(payload) memcpy(buffer, pl, payload) // allocate memory as the payload length // copy the payload into the new allocated memory // pointer to the payload (message data) // the length of the payload char *message-payload int payload-length Message Struct HAT 500 Give me all your secrets ! 500H
27
28
29
30 The server sends its secrets to the client
31
32 Worst case scenario ! Cloudfalre had set up a nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key
33
34 OpenSSL Heartbeat
35 Lessons Learned
36 {review} Review is a responsibility!
37 Macros Bad param names Hardcoded values Misleading names
38 Audit Syslog
39 Security & Open Source
40 Feb 8, 2017
41
42
43 Hello & Session ID use session key Done Okay Done Encrypted communication using session key Check if Session IDs are equal Session ID use session key Done Check if Session ID is okay ID=e7 ID=e7 ID=e7 ID=e7 Resume TLS Session ID Session Key e7 e5 a8 79 dd 33 a2 d4 Session ID Session Key e7 e5 a8 79
44 Hello & Session ID use session key Done Okay Done Encrypted communication using session key Check if Session IDs are equal Session ID use session key Done Check if Session ID is okay ID=a5 ID=a5ID=a5 ID=a5 Resume TLS With Ticket Session Key Encrypted STEK Client generated! session ticket encryption key
45
46 The Ticketbleed Story Railgun agent Edge Server Cloudflare customer with F5 BIG-IP LB has issues with their TLS connection TLS
47 The Ticketbleed Story Railgun agent Edge Server TLS
48 Try to Resume TLS FATAL!
49 Hello & Session ID Check if Session IDs are equal Session ID use session key Done Check if Session ID is okay ID=e2 ID=e2ID=e2 ID=e2 Encrypted Client generated ID! Resume TLS With Ticket STEKSession Key session ticket encryption key
50 Session ID debugging RG 16 bytes
51 Session ID debugging RG 16 bytes F5 32 bytes
52 Session ID debugging RG 16 bytes F5 32 bytes That's... Memory! F5 always return 32 bytes Potential of 31 bytes of sensitive data leak (Heartbleed ~ 64KB)
53 F5 vulnerable products: Advanced Firewall Manager Application Security Manager (WAF) Access Policy Manager
54 Lessons Learned
55 Design & Code Review
56 Dynamic Analysis & Fuzzing
57 Feb 17, 2017
58 https://googleprojectzero.blogspot.com/
59
60
61
62
63 if ( ++p pe ) goto eof_handler; == /* end of a buffer (file)? */ /* p = current character */ /* pe = character at end of buffer (file) */
64 if ( ++p pe ) goto eof_handler; ==>= Pointer may jump past the end of the buffer  buffer overrun /* end of a buffer (file)? */ /* p = current character */ /* pe = character at end of buffer (file) */
65 <script> <script# Read text until end-of-tag character If found '>' great! parse this tag --p; goto check-if-eof If found unexpected char log "error" goto check-if-eof check-if-eof: if ( ++p == pe ) stop > pe pe # *p - current character *pe - character at end of buffer (eof in this case) Memory eof
66 pe <script> Read text until end-of-tag character If found '>' great! parse this tag --p; goto check-if-eof If found unexpected char log "error" goto check-if-eof check-if-eof: if ( ++p == pe ) stop *p - current character *pe - character at end of buffer (eof in this case) Memory eof
67 Memory<script# Read text until end-of-tag character If found '>' great! parse this tag --p; goto check-if-eof If found unexpected char log "error" goto check-if-eof check-if-eof: if ( ++p == pe ) stop pe *p - current character *pe - character at end of buffer (eof in this case) Continue… ? X eof
68 <script# Read text until end-of-tag character If found '>' great! parse this tag --p; goto check-if-eof If found unexpected char log "error“ --p; goto check-if-eof check-if-eof: if ( ++p >= pe ) stop *p - current character *pe - character at end of buffer (eof in this case) Memory eof
69 Lessons Learned
70 Code Review
71 Unit Testing Testing the extreme cases
72 Summary
73 Summary TLS TLS Security Services
74 Summary
75 Summary TLS TLS Security Services
76 Summary TLS TLS Security Services
77 Summary TLS TLS Security Services X X
78 Conclusions increase the attack surface! Security products like any other products
79 Conclusions ▪Follow standards & best practices ■ Design & Code Review ■ Audit logs ■ Clear secrets from memory ■ Test: Unit Test, Static & Dynamic, PT, and more. ■ Etc.
80 Thank You!

Recommandé

Realtime Communication Techniques with PHP
Realtime Communication Techniques with PHPRealtime Communication Techniques with PHP
Realtime Communication Techniques with PHP
WaterSpout
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Alexis Von Glasow
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
William Lee
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
Giovanni Bechis
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
Zhi Guan
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)
Shteryana Shopova
 
Socket programming with php
Socket programming with phpSocket programming with php
Socket programming with php
Elizabeth Smith
 

Recommandé

Realtime Communication Techniques with PHP
Realtime Communication Techniques with PHPRealtime Communication Techniques with PHP
Realtime Communication Techniques with PHP
WaterSpout
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Alexis Von Glasow
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
CODE BLUE
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
William Lee
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
Giovanni Bechis
 
Crypto With OpenSSL
Crypto With OpenSSLCrypto With OpenSSL
Crypto With OpenSSL
Zhi Guan
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)
Shteryana Shopova
 
Socket programming with php
Socket programming with phpSocket programming with php
Socket programming with php
Elizabeth Smith
 
Openssl
OpensslOpenssl
Openssl
psychesnet Hsieh
 
mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!
Philippe M. Chiasson
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance Tuning
Javier Arturo Rodríguez
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
Giovanni Bechis
 
Docker: please contain your excitement
Docker: please contain your excitementDocker: please contain your excitement
Docker: please contain your excitement
johnnnl
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 new
Yiwei Ma
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
Http3 fullstackfest-2019
Http3 fullstackfest-2019Http3 fullstackfest-2019
Http3 fullstackfest-2019
Daniel Stenberg
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
Computer Security
Computer SecurityComputer Security
Computer Security
Aristotelis Kotsomitopoulos
 
BlockChain implementation by python
BlockChain implementation by pythonBlockChain implementation by python
BlockChain implementation by python
wonyong hwang
 
Camping: Going off the Rails with Ruby
Camping: Going off the Rails with RubyCamping: Going off the Rails with Ruby
Camping: Going off the Rails with Ruby
Eleanor McHugh
 
Automatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation IntegrationAutomatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation Integration
willemvandrunen
 
Rust Hack
Rust HackRust Hack
Rust Hack
Viral Parmar
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
David Blevins
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado
 
Basic NLP with Python and NLTK
Basic NLP with Python and NLTKBasic NLP with Python and NLTK
Basic NLP with Python and NLTK
Francesco Bruni
 
Redis学习笔记
Redis学习笔记Redis学习笔记
Redis学习笔记
yongboy
 
Juggling Chainsaws: Perl and MongoDB
Juggling Chainsaws: Perl and MongoDBJuggling Chainsaws: Perl and MongoDB
Juggling Chainsaws: Perl and MongoDB
David Golden
 
Tips
TipsTips
Tips
mclee
 

Contenu connexe

Tendances

Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 new
Yiwei Ma
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PROIDEA
 
Automatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation IntegrationAutomatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation Integration
willemvandrunen
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
David Blevins
 
Redis学习笔记
Redis学习笔记Redis学习笔记
Redis学习笔记
yongboy
 

Tendances (20)

Openssl
OpensslOpenssl
Openssl
 
mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!mod_perl 2.0 For Speed Freaks!
mod_perl 2.0 For Speed Freaks!
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
WordPress Performance Tuning
WordPress Performance TuningWordPress Performance Tuning
WordPress Performance Tuning
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
Docker: please contain your excitement
Docker: please contain your excitementDocker: please contain your excitement
Docker: please contain your excitement
 
X64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 newX64服务器 lnmp服务器部署标准 new
X64服务器 lnmp服务器部署标准 new
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Http3 fullstackfest-2019
Http3 fullstackfest-2019Http3 fullstackfest-2019
Http3 fullstackfest-2019
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
BlockChain implementation by python
BlockChain implementation by pythonBlockChain implementation by python
BlockChain implementation by python
 
Camping: Going off the Rails with Ruby
Camping: Going off the Rails with RubyCamping: Going off the Rails with Ruby
Camping: Going off the Rails with Ruby
 
Automatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation IntegrationAutomatic Sound Signals Quality Estimation Integration
Automatic Sound Signals Quality Estimation Integration
 
Rust Hack
Rust HackRust Hack
Rust Hack
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
Basic NLP with Python and NLTK
Basic NLP with Python and NLTKBasic NLP with Python and NLTK
Basic NLP with Python and NLTK
 
Redis学习笔记
Redis学习笔记Redis学习笔记
Redis学习笔记
 

Similaire à Bleeding secrets

Tips
TipsTips
Tips
mclee
 
iPhone Lecture #1
iPhone Lecture #1iPhone Lecture #1
iPhone Lecture #1
Jaehyeuk Oh
 
Big Data, Data Lake, Fast Data - Dataserialiation-Formats
Big Data, Data Lake, Fast Data - Dataserialiation-FormatsBig Data, Data Lake, Fast Data - Dataserialiation-Formats
Big Data, Data Lake, Fast Data - Dataserialiation-Formats
Guido Schmutz
 
Win pcap filtering expression syntax
Win pcap filtering expression syntaxWin pcap filtering expression syntax
Win pcap filtering expression syntax
Vota Ppt
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
NYversity
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
Aleksandr Yampolskiy
 
Task 4 The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdfTask 4 The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdf
abcfootcare
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpc
Johnny Pork
 

Similaire à Bleeding secrets (20)

Juggling Chainsaws: Perl and MongoDB
Juggling Chainsaws: Perl and MongoDBJuggling Chainsaws: Perl and MongoDB
Juggling Chainsaws: Perl and MongoDB
 
Tips
TipsTips
Tips
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
iPhone Lecture #1
iPhone Lecture #1iPhone Lecture #1
iPhone Lecture #1
 
Unix And Shell Scripting
Unix And Shell ScriptingUnix And Shell Scripting
Unix And Shell Scripting
 
Fluentd unified logging layer
Fluentd unified logging layerFluentd unified logging layer
Fluentd unified logging layer
 
Apidays Paris 2023 - Forget TypeScript, Choose Rust to build Robust, Fast and...
Apidays Paris 2023 - Forget TypeScript, Choose Rust to build Robust, Fast and...Apidays Paris 2023 - Forget TypeScript, Choose Rust to build Robust, Fast and...
Apidays Paris 2023 - Forget TypeScript, Choose Rust to build Robust, Fast and...
 
Big Data, Data Lake, Fast Data - Dataserialiation-Formats
Big Data, Data Lake, Fast Data - Dataserialiation-FormatsBig Data, Data Lake, Fast Data - Dataserialiation-Formats
Big Data, Data Lake, Fast Data - Dataserialiation-Formats
 
005. FILE HANDLING.pdf
005. FILE HANDLING.pdf005. FILE HANDLING.pdf
005. FILE HANDLING.pdf
 
Win pcap filtering expression syntax
Win pcap filtering expression syntaxWin pcap filtering expression syntax
Win pcap filtering expression syntax
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Streams, sockets and filters oh my!
Streams, sockets and filters oh my!Streams, sockets and filters oh my!
Streams, sockets and filters oh my!
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 
Application Logging in the 21st century - 2014.key
Application Logging in the 21st century - 2014.keyApplication Logging in the 21st century - 2014.key
Application Logging in the 21st century - 2014.key
 
Ngrep commands
Ngrep commandsNgrep commands
Ngrep commands
 
Task 4 The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdfTask 4 The key is hardcoded in the provided source DES enc.pdf
Task 4 The key is hardcoded in the provided source DES enc.pdf
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpc
 
Chef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructureChef - industrialize and automate your infrastructure
Chef - industrialize and automate your infrastructure
 

Plus de Ofer Rivlin, CISSP

Plus de Ofer Rivlin, CISSP (6)

Zk bug bounty
Zk bug bountyZk bug bounty
Zk bug bounty
 
Ofer rivlin BGU - department seminar
Ofer rivlin BGU - department seminarOfer rivlin BGU - department seminar
Ofer rivlin BGU - department seminar
 
Security architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlinSecurity architecture design patterns iltam 2018 - ofer rivlin
Security architecture design patterns iltam 2018 - ofer rivlin
 
Android's security architecture
Android's security architectureAndroid's security architecture
Android's security architecture
 
Connected cars - the security challenge: Vehicles, Networks & Protocols
Connected cars - the security challenge: Vehicles, Networks & ProtocolsConnected cars - the security challenge: Vehicles, Networks & Protocols
Connected cars - the security challenge: Vehicles, Networks & Protocols
 
How to hack cryptographic protocols with Formal Methods
How to hack cryptographic protocols with Formal MethodsHow to hack cryptographic protocols with Formal Methods
How to hack cryptographic protocols with Formal Methods
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Bleeding secrets

Notes de l'éditeur

  1. A talk about certain type of vulnerabilities: the bleed type that enables servers memory to leak This is also an example for how such presentations can be used within the dev org to increase awareness and explain best practices to the dev teams.
  2. Far in the past I was an AI(Artificial Intelligence) developer in a few gaming startups in Israel and then in Canada. Joined SAP back in Israel as a development architect where I started my security career as security researcher and a security architect. In parallel to that I was also a lead developer in an open source project. Today I am leading the product security at Cyberark.
  3. I want to take you to England. The year is 2011 It is New Year's Eve, and 2012 just minutes away
  4. Stephen Henson receives an update code for OpenSSL by Robin Seggelmann. Robin Seggelmann is a respected academic who's an expert in communication and encryption protocols. Stephen Henson, co-founder of OpneSSL and its lead developer till today.
  5. Almost midnight and everyone are partying outside. Stephen Henson reviews the code and submits it.
  6. Moving forward in time, about 2.5 years later
  7. Neel Mehta of Google's security team
  8. considered by many experts to be the worst security bug ever. OpenSSL is one of the internet infrastructure projects and is critical to the functioning of the Internet. (and is the first project to be funded by "Core Infrastructure Initiative" which was initiated due to HB and is sponsored by many companies).
  9. Configurable – run every second or a few minutes
  10. Client: “I am sending you a payload ‘bird’ with 4 letters” Server returns ‘bird’ with 4 letters
  11. Client: “I am sending you a payload ‘hat’ with 500 letters”. Server returns ‘hat’ with 500 letters. The 497 other characters are memory secrets. OpenSSL servers handle connection secrets.
  12. Yahoo server on April 8, 2014, a day after the disclosure, exposed to HB
  13. I am using the original parameter names – very confusing names
  14. Payload-length is completely controlled by the user while there is no check on its value on the server
  15. Eve the evil gets the server’s memory
  16. Linux target machine running nginx ("engine-x") server with the vulnerable OpenSSL version. TLS 1.2 with the best certificate. A user (victim) fills a form with sensitive data and sends that info to the vulnerable server The attacker identifies the machine that is vulnerable to Heartbleed using Nmap (with the ssl-heartbleed script). The attacker manages to get a dump of 64K of memory including this user’s sensitive data using a Python script that exploits the Heartbleed vulnerability
  17. But it gets worse. What can be worse than sending secrets to the client
  18. The challenge opened 2 days after the vuln was published Within a few hours, 2 people managed to download the private key from remote. About 70% of all servers on the internet were exposed to HB (Google, Yahoo, FB, banks, etc.). Did all of our information was compromised?
  19. And it gets even worse still. What can be worse than what we saw so far? About 70% of all servers on the internet were exposed to HB (Google, Yahoo, FB, banks, etc.). Did all of our information was compromised?
  20. We can’t know what was compromised. About 70% of all servers on the internet were exposed to HB (Google, Yahoo, FB, banks, etc.). Did all of our information was compromised?
  21. The reviewer has to reject such code. Hard to read code blocks the reviewer from seeing vulnerabilities.
  22. Audit and syslog that can be connected with alarm systems
  23. Fillipo Valsorda from Cloudflare
  24. Tickets: Server doesn’t cache session info session key is encrypted using a server’s key (STEK – session ticket encryption key, that should be rotated often) Not enable “Perfect Forward Secrecy” (because all previous tickets can be decrypted if STEK is compromised) Because there is no use of Diffie-Hellman. This is fixed in TLS 1.3 by implementing changes in the TLS protocol
  25. Cloudflare: CDN - Content delivery network Speeding the delivery of content of websites with high traffic or global reach (cached and compressed content). CDNs also provide protection from large surges in traffic and can provide other security services.
  26. Every Resume-TLS have failed
  27. Out of sync Don’t follow the communication protocol
  28. F5 BIG-IP products family
  29. 9 days later
  30. Cloudflare: CDN - Content delivery network Speeding the delivery of content of websites with high traffic or global reach (cached and compressed content). CDNs also provide protection from large surges in traffic and can provide other security services.
  31. Anyone sees the problem here?
  32. Anyone sees the problem here?
  33. https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  34. Direct open connection
  35. CIA triad: Confidentiality, Integrity, and Availability
  36. No security protection at all (MITM, etc) CIA triad: Confidentiality, Integrity, and Availability
  37. CIA triad: Confidentiality, Integrity, and Availability
  38. CIA triad: Confidentiality, Integrity, and Availability