OpenSSL rands (fork-safe)

•

4 j'aime•3,053 vues

defcon-russia talk about OpenSSL fork-safe vulns.

Technologie Spirituel

OpenSSL rands
(fork-safe)
By @ONsec_Lab
Sep 15, 2013

@ONsec_lab
● Security auditors
● Since 2009 year
● Web, sex and rock’
n’roll
http://lab.onsec.ru
/whoami

premise
http://emboss.github.
io/blog/2013/08/21/openssl-
prng-is-not-really-fork-safe/
OpenSSL PRNG Is Not (Really)
Fork-safe
Aug 21st, 2013
Martin Boblet used Eric
Wong’s issues

premise
● About Ruby OpenSSL wrapper (OpenSSL::
Random)
● OpenSSL PRNG must be initialized in the
parent before we fork the child processes
● Every child starts out with exactly the same
PRNG
● PID is the only thing process-specific that is
fed to the PRNG algorithm when requesting
random bytes

premise

Debian!

But...
● Debian guys commented MD_Update call
with UNINITIALISED variable
● We believe that they did the right thing ;)

non-Debian systems
● Vulnerability exists in all system (Debian and
non-Debian also)
● Exploitation possibility depends only from
end-point code (application, not OpenSSL)
● There are two different places for buf:
○ Stack
○ Heap
● Let’s try to hack it!

stack-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-
attacks/blob/master/openssl-1.c
from different
calls to the same
==
from different
stack states to
the same!

heap-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-
attacks/blob/master/openssl-2.c
malloc
allocates
nulled
memory
page

other attacks
● i.e. PHP initialize RAND after fork
● But classic attacks way still available
○ Keep-Alive -> rands on same PID
○ Brute seed by rands
○ Predict rand by seed + offset
● What about entropy of OpenSSL RAND?
○ 128 bytes * 20 (GID*UID) * 32k (PID)
○ Not so little :(

just recommend!
http://lwn.net/Articles/281918/ [2008]
http://research.swtch.com/openssl [2008]
http://mjos.fi/doc/secadv_prng.txt [2001]
Do not be afraid names and brands, such as
OpenSSL

OpenSSL rands (fork-safe)
The end.
follow us:
http://lab.onsec.ru
@ONsec_lab twitter

Contenu connexe

Similaire à OpenSSL rands (fork-safe)

Thoughts on how Internet Standards - HTTP, TCP/IP, WiFi, Bonjour - can be used in conjunction with Semantic Web technologies to create the Internet of Things. The emphasis of this document is the home / LAN, hence "The Intranet of Things", but the broad themes are universally applicable. Things that are up in the air are marked in read. Everything IMO. Also see http://iotdb.org - a work in progress.

Building Blocks for the Internet of Things @ Home

Building Blocks for the Internet of Things @ Home

Building Blocks for the Internet of Things @ Home

From HTML5 to Hardware - Simonyi Conference Budapest April 15

From HTML5 to Hardware - Simonyi Conference Budapest April 15

From HTML5 to Hardware - Simonyi Conference Budapest April 15

Continuous Integration of Mobile Apps with Docker and Appium

Continuous Integration of Mobile Apps with Docker and Appium

Continuous Integration of Mobile Apps with Docker and Appium

AppSec & OWASP Top 10 Primer By Matt Scheurer (@c3rkah) Cincinnati, Ohio Date: 03/21/2019 Momentum Developer Conference Sharonville Convention Center #momentumdevcon Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

AppSec & OWASP Top 10 Primer

AppSec & OWASP Top 10 Primer

AppSec & OWASP Top 10 Primer

ThreatReel Podcast

Hacking Vulnerable Websites to Bypass Firewalls

Hacking Vulnerable Websites to Bypass Firewalls

Hacking Vulnerable Websites to Bypass Firewalls

Introduction to Node.js

Introduction to Node.js

Introduction to Node.js

Lessons I Learned While Scaling to 5000 Puppet Agents

Lessons I Learned While Scaling to 5000 Puppet Agents

Lessons I Learned While Scaling to 5000 Puppet Agents

Technology First 16th Annual Ohio Information Security Conference OISC 2019 #OISC19 The OWASP Top 10 & AppSec Primer By Matt Scheurer (@c3rkah) Dayton, Ohio Date: 03/13/2019 Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

OISC 2019 - The OWASP Top 10 & AppSec Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer

ThreatReel Podcast

CMS_HELL (1)

Similaire à OpenSSL rands (fork-safe) (9)

Building Blocks for the Internet of Things @ Home

Building Blocks for the Internet of Things @ Home

Building Blocks for the Internet of Things @ Home

From HTML5 to Hardware - Simonyi Conference Budapest April 15

From HTML5 to Hardware - Simonyi Conference Budapest April 15

From HTML5 to Hardware - Simonyi Conference Budapest April 15

Continuous Integration of Mobile Apps with Docker and Appium

Continuous Integration of Mobile Apps with Docker and Appium

Continuous Integration of Mobile Apps with Docker and Appium

AppSec & OWASP Top 10 Primer

AppSec & OWASP Top 10 Primer

AppSec & OWASP Top 10 Primer

Hacking Vulnerable Websites to Bypass Firewalls

Hacking Vulnerable Websites to Bypass Firewalls

Hacking Vulnerable Websites to Bypass Firewalls

Introduction to Node.js

Introduction to Node.js

Introduction to Node.js

Lessons I Learned While Scaling to 5000 Puppet Agents

Lessons I Learned While Scaling to 5000 Puppet Agents

Lessons I Learned While Scaling to 5000 Puppet Agents

OISC 2019 - The OWASP Top 10 & AppSec Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer

CMS_HELL (1)

Plus de Ivan Novikov

How to hack. Cyprus meetup

How to hack. Cyprus meetup

How to hack. Cyprus meetup

In the past two years, companies all over the world spent $157 billion on information security products. For comparison, the total expenses of the state government of New York amounted to $150.7 billion in 2016. Just for our amusement, let's imagine a silver bullet with a cost comparable to information security expenses. It would weigh 302.5 tons since silver costs $515.70 per kilogram (actual price on the day this article was written)! Therefore, it is either a really heavy bullet the size of a 10-story building, or it isn't made of silver. I could continue hypothesizing about potential raw materials for such a bullet, but I'd rather discuss the reasons behind such a state of affairs. In short, it is unclear what needs to be protected and from what. I will elaborate on these two problems below.

Where is my silver bullet?!

Where is my silver bullet?!

Where is my silver bullet?!

Data normalization weaknesses

Data normalization weaknesses

Data normalization weaknesses

Lie to Me: Bypassing Modern Web Application Firewalls

Lie to Me: Bypassing Modern Web Application Firewalls

Lie to Me: Bypassing Modern Web Application Firewalls

Distributed computing in browsers as client side attack

Distributed computing in browsers as client side attack

Distributed computing in browsers as client side attack

Yandex rewards. ONsec experience

Yandex rewards. ONsec experience

Yandex rewards. ONsec experience

SSRF workshop

Plus de Ivan Novikov (7)

How to hack. Cyprus meetup

How to hack. Cyprus meetup

How to hack. Cyprus meetup

Where is my silver bullet?!

Where is my silver bullet?!

Where is my silver bullet?!

Data normalization weaknesses

Data normalization weaknesses

Data normalization weaknesses

Lie to Me: Bypassing Modern Web Application Firewalls

Lie to Me: Bypassing Modern Web Application Firewalls

Lie to Me: Bypassing Modern Web Application Firewalls

Distributed computing in browsers as client side attack

Distributed computing in browsers as client side attack

Distributed computing in browsers as client side attack

Yandex rewards. ONsec experience

Yandex rewards. ONsec experience

Yandex rewards. ONsec experience

SSRF workshop

Dernier

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

FWD Group - Insurer Innovation Award 2024

FWD Group - Insurer Innovation Award 2024

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Data Cloud, More than a CDP by Matt Robison

Data Cloud, More than a CDP by Matt Robison

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Dernier (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

MINDCTI Revenue Release Quarter One 2024

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

How to Troubleshoot Apps for the Modern Connected Worker

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

GenAI Risks & Security Meetup 01052024.pdf

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Ransomware_Q4_2023. The report. [EN].pdf

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

FWD Group - Insurer Innovation Award 2024

FWD Group - Insurer Innovation Award 2024

FWD Group - Insurer Innovation Award 2024

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

Exploring the Future Potential of AI-Enabled Smartphone Processors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

MS Copilot expands with MS Graph connectors

Data Cloud, More than a CDP by Matt Robison

Data Cloud, More than a CDP by Matt Robison

Data Cloud, More than a CDP by Matt Robison

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

DBX First Quarter 2024 Investor Presentation

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

Why Teams call analytics are critical to your entire business

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

OpenSSL rands (fork-safe)

1. OpenSSL rands (fork-safe) By @ONsec_Lab Sep 15, 2013

2. @ONsec_lab ● Security auditors ● Since 2009 year ● Web, sex and rock’ n’roll http://lab.onsec.ru /whoami

3. premise http://emboss.github. io/blog/2013/08/21/openssl- prng-is-not-really-fork-safe/ OpenSSL PRNG Is Not (Really) Fork-safe Aug 21st, 2013 Martin Boblet used Eric Wong’s issues

4. premise ● About Ruby OpenSSL wrapper (OpenSSL:: Random) ● OpenSSL PRNG must be initialized in the parent before we fork the child processes ● Every child starts out with exactly the same PRNG ● PID is the only thing process-specific that is fed to the PRNG algorithm when requesting random bytes

7. But... ● Debian guys commented MD_Update call with UNINITIALISED variable ● We believe that they did the right thing ;)

8. non-Debian systems ● Vulnerability exists in all system (Debian and non-Debian also) ● Exploitation possibility depends only from end-point code (application, not OpenSSL) ● There are two different places for buf: ○ Stack ○ Heap ● Let’s try to hack it!

9. stack-based PoC (all OS) https://github.com/ONsec-Lab/Rand- attacks/blob/master/openssl-1.c from different calls to the same == from different stack states to the same!

10. heap-based PoC (all OS) https://github.com/ONsec-Lab/Rand- attacks/blob/master/openssl-2.c malloc allocates nulled memory page

11. other attacks ● i.e. PHP initialize RAND after fork ● But classic attacks way still available ○ Keep-Alive -> rands on same PID ○ Brute seed by rands ○ Predict rand by seed + offset ● What about entropy of OpenSSL RAND? ○ 128 bytes * 20 (GID*UID) * 32k (PID) ○ Not so little :(

12. just recommend! http://lwn.net/Articles/281918/ [2008] http://research.swtch.com/openssl [2008] http://mjos.fi/doc/secadv_prng.txt [2001] Do not be afraid names and brands, such as OpenSSL

13. OpenSSL rands (fork-safe) The end. follow us: http://lab.onsec.ru @ONsec_lab twitter