AppSecUSA New York City 2013. ME? Simón Roses Femerling, Founder & CEO, VULNEX (www.vulnex.com). Blog: www.simonroses.com.


AppSecUSA New York City 2013

ME? Simón Roses Femerling, Founder & CEO, VULNEX (www.vulnex.com). Blog: www.simonroses.com. Former Microsoft. DARPA Cyber Fast Track award for a software security project. Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET.

BIG THANKS! DARPA Cyber Fast Track (CFT) Mudge The fine folks at BIT SYSTEMS

TALK OBJECTIVES Secure development Verification technologies Assess software security posture

AGENDA 1. Secure Development: Verification 2. BinSecSweeper 3. Case Studies & Demos 4. Conclusions

1. SECURE DEVELOPMENT: VERIFICATION
MS SDL – “This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases.”
Software Assurance Maturity Model (SAMM) – “Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.”

1. OPENSAMM

1. MICROSOFT SDL

1. IT’S ABOUT SAVING MONEY!

1. OTHER VERIFICATION TOOLS
Microsoft BinScope (us/download/details.aspx?id=11910)
RECX Binary Assurance for Windows
ErrataSec Looking Glass

1. BINSCOPE

1. CURRENT VERIFICATION TOOLS
Platform specific – Windows: BinScope, Looking Glass & Binary Assurance – Linux: checksec.sh and custom scripts
Limited set of checks – Check for defenses, but what about: Compiler used, External libs used, Malware, You name it…
Not easy to extend

1. BINARY INTELLIGENCE
Security Mitigations – DEP, ASLR, Stack Cookies
Compiler
File Information – Size, Hash, Timestamp, Name, Version
Vulnerabilities – Unsafe API, Weak Crypto

2. WHY BINSECSWEEPER? BinSecSweeper is VULNEX's binary security verification tool to ensure applications have been built in compliance with Application Assurance best practices. The goal for BinSecSweeper is a tool that: – Developers can use to verify their output binaries are safe after compilation and before releasing their products – IT security pros can use to scan their infrastructure to identify binaries with weak security defenses or vulnerabilities. BinSecSweeper is a cross-platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.

2. FEATURES
100% open source
Easy to use
Cross-platform: works on Windows & Linux
Scans Windows (PE) and Unix (ELF) files for security checks
Configurable
Extensible by plugins
Reporting

2. BINSECSWEEPER IN ACTION (I)

2. BINSECSWEEPER IN ACTION (II)

2. CURRENT WINDOWS CHECKS
CHECK – DESCRIPTION
Address space layout randomization (ASLR) – Checks if the binary has opted into ASLR. Link with /DYNAMICBASE
Stack Cookies (GS) – Verifies if the binary was compiled with Stack Cookies protection. Compile with /GS
HotPatch – Checks if the binary is prepared for hot patching. Compile with /hotpatch
Compatible with Data Execution Prevention (NXCOMPAT) – Validates if the binary has opted into hardware Data Execution Prevention (DEP). Link with /NXCOMPAT
Structured Exception Handling (SEH) – Checks if the binary was linked with SafeSEH. Link with /SAFESEH
Adobe Malware Classifier – Analyzes the binary for malware behavior using machine learning algorithms
Visual Studio Compiler Fingerprinting – Identifies if the binary was compiled with Visual Studio, and which version (2008, 2010 & 2012)

2. CURRENT LINUX CHECKS
CHECK – DESCRIPTION
Fortify Source – Checks if the binary was compiled with buffer overflow protection (bounds checking). Compile with -D_FORTIFY_SOURCE=X
Never eXecute (NX) – Verifies if the binary was compiled with NX to reduce the area an attacker can use to perform arbitrary code execution.
Position Independent Executable (PIE) – Checks if the binary was compiled with PIE, which protects against "return-to-text" and generally frustrates memory corruption attacks. Compile with -fPIE -pie
RELocation Read-Only (RELRO) – Validates if the binary was compiled with RELRO (partial/full) to harden data sections. Link with -Wl,-z,relro,-z,now
Stack Canary – Checks if the binary was compiled with stack protector to protect against stack overflows. Compile with -fstack-protector
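The Linux checks map onto ELF structures: NX is the PT_GNU_STACK program header without the executable flag, PIE shows up as an ET_DYN file type, and RELRO as a PT_GNU_RELRO segment. This is an added example in the spirit of checksec.sh, not BinSecSweeper's own plugin: it reads those fields from raw ELF64 bytes and, as a labelled heuristic, looks for the glibc symbol names that -fstack-protector and _FORTIFY_SOURCE pull in. It assumes a little-endian ELF64 image and includes a constructed sample builder so it runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header carrying the stack permission flags
PT_GNU_RELRO = 0x6474E552  # segment made read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3
FORTIFY_SYMBOLS = (b"__memcpy_chk\0", b"__strcpy_chk\0", b"__printf_chk\0")


def elf64_checks(data: bytes) -> dict:
    """Evaluate NX, PIE, RELRO, stack canary and FORTIFY_SOURCE on an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro = False, False  # no PT_GNU_STACK at all means an executable stack on most arches
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True  # partial RELRO; full RELRO also needs DT_BIND_NOW in .dynamic
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,  # shared objects are ET_DYN too; for an executable it means PIE
        "RELRO": relro,
        # Heuristic: a string-table scan, so a binary that merely embeds these names as data
        # would be a false positive; a real tool should walk .dynsym instead.
        "Stack Canary": b"__stack_chk_fail\0" in data,
        "Fortify Source": any(sym in data for sym in FORTIFY_SYMBOLS),
    }


def build_elf64(e_type: int, stack_flags: int, relro: bool, strtab: bytes = b"") -> bytes:
    """Constructed minimal ELF64 image: header, program headers, optional string blob."""
    phdrs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 0x4)] if relro else [])
    hdr = bytearray(64)
    hdr[:4], hdr[4], hdr[5] = b"\x7fELF", 2, 1          # ELF64, little-endian
    struct.pack_into("<H", hdr, 16, e_type)
    struct.pack_into("<Q", hdr, 32, 64)                # program headers follow the header
    struct.pack_into("<HH", hdr, 54, 56, len(phdrs))   # e_phentsize, e_phnum
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return bytes(hdr) + body + strtab


if __name__ == "__main__":
    print(elf64_checks(build_elf64(ET_DYN, 0x6, True, b"\0__stack_chk_fail\0__memcpy_chk\0")))
    print(elf64_checks(build_elf64(ET_EXEC, 0x7, False)))
```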

2. PLUGIN EXAMPLE: TEST PLUGIN

2. PLUGIN EXAMPLE: WINDOWS ASLR

2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE

2. REPORTING

2. BINSECSWEEPER: WHAT’S NEXT
More plugins: – Windows, Linux, etc. – Mobile – Malware – Backdoors – Compilers – Packers
Metrics panel
Diff across products / versions

2. BINSECSWEEPER: WHERE? Download BinSecSweeper software from

3. TIME FOR SOME ACTION
Case Study I: Verify your own software
Case Study II: Software Security Posture, ACME Inc
Case Study III: Browser Security Comparison

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE Is your in-house software following a secure development framework? Is your software being checked for: 1. Compiled with a modern compiler? 2. Security defenses enabled for Windows or Linux? 3. No malware included in the product? 4. Using external libraries (DLL, etc.), and what is their security?

3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE BinSecSweeper can verify that product (used by development teams): – What Visual Studio version has been used? (Windows only) (MS SDL) – What defenses have been enabled? – Will it audit all files in the project? Program security posture: will it Pass / Fail?
Windows: Stack Cookies, ASLR, DEP, SAFESEH, HotPatching
Linux: Stack Canary, NX, Fortify Source, PIE, RELRO

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, ACME INC Does IT know the security posture of all software? You can assess your vendors… Now you know where EMET is needed!

3. CASE STUDY II: SOFTWARE SECURITY POSTURE, ACME INC (scan results shown for VLC, Skype, iTunes and Dropbox)

3. CASE STUDY III: BROWSER SECURITY COMPARISON Let’s assess browser security posture: – Chrome – Firefox – Internet Explorer – Opera – Safari. Only checked on Windows, but it will be interesting to do the same exercise on other OSes.

3. CASE STUDY III: BROWSER SECURITY COMPARISON
BROWSER – AUDIT FILES – FILE – Compiler – GS / ASLR / DEP / SAFESEH / HotPatch
Chrome – 75 – chrome.exe – VS 2010 / 360
Firefox – 28 – firefox.exe – VS 2010 / 11
Internet Explorer – 18 – iexplore.exe – ¿? / 5
Opera – 14 – opera.exe – VS 2010 /
Safari – 48 – safari.exe – VS 2008 / 2
(The per-check GS, ASLR, DEP, SAFESEH and HotPatch results were shown as icons on the slide and are not preserved in the transcript.)

4. VERIFYING SOFTWARE SECURITY POSTURE MATTERS! Binaries contain a lot of information! The security posture of the software developed by you is important: – Security improves Quality – Branding (show you care about security). How is the security posture of the software vendors you use?

4. BINSECSWEEPER: CALL TO ARMS – How can the software be improved? – What checks do you need? – What metrics do you need? – Contact:

4. REFERENCES
Linux Security Features (Ubuntu)
Visual Studio Compiling Options (us/library/9s7c9wdw.aspx)

4. Q&A