[CLASS 2014] Palestra Técnica - Jonathan Knudsen
-
Upload
ti-safe-seguranca-da-informacao -
Category
Technology
-
view
108 -
download
1
description
Transcript of [CLASS 2014] Palestra Técnica - Jonathan Knudsen
6-‐Nov-‐2014 © 2014 All Rights Reserved
1
@codenomicon
Jonathan Knudsen, Principal Security Engineer November 6, 2014
MANAGING A LEGACY OF VULNERABILITIES IN CONTROL SYSTEMS LESSONS LEARNED FROM HEARTBLEED AND MORE
6-‐Nov-‐2014 © 2014 All Rights Reserved
2
• Understanding Heartbleed • Managing SoTware VulnerabiliVes • Challenges in ICS • What now?
CONTENTS
6-‐Nov-‐2014 © 2014 All Rights Reserved
3
understanding heartbleed
6-‐Nov-‐2014 © 2014 All Rights Reserved
4
Client : Hello, here is a list of cipher suites I can use.
Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key.
Client : Heartbeat: send back my 4 byte message “ABCD”.
Server : ABCD
Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key.
Client : [Encrypted] I'm done with the handshake.
Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted.
Server : [Encrypted] I'm done with the handshake too.
[Client and server exchange encrypted data.]
TLS HEARTBEAT MESSAGE
6-‐Nov-‐2014 © 2014 All Rights Reserved
5
Client : Hello, here is a list of cipher suites I can use.
Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key.
Client : Heartbeat: send back my 36 byte message “ABCD”.
Server : ABCD....5...t.....[.{.....I_.k.I"]..
Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key.
Client : [Encrypted] I'm done with the handshake.
Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted.
Server : [Encrypted] I'm done with the handshake too.
[Client and server exchange encrypted data.]
LIAR LIAR PANTS ON FIRE
6-‐Nov-‐2014 © 2014 All Rights Reserved
6
int tls1_process_heartbeat(SSL *s)! {! unsigned char *p = &s->s3->rrec.data[0], *pl;! unsigned short hbtype;! unsigned int payload;! unsigned int padding = 16; /* Use minimum padding */!! /* Read type and payload length first */! hbtype = *p++;! n2s(p, payload);! pl = p;!! if (s->msg_callback)! s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,! &s->s3->rrec.data[0], s->s3->rrec.length,! s, s->msg_callback_arg);!! if (hbtype == TLS1_HB_REQUEST)! {! unsigned char *buffer, *bp;! int r;!! /* Allocate memory for the response, size is 1 bytes! * message type, plus 2 bytes payload length, plus! * payload, plus padding! */! buffer = OPENSSL_malloc(1 + 2 + payload + padding);! bp = buffer;! ! /* Enter response type, length and copy payload */! *bp++ = TLS1_HB_RESPONSE;! s2n(payload, bp);! memcpy(bp, pl, payload);! bp += payload;! /* Random padding */! RAND_pseudo_bytes(bp, padding);!! r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);!!
FIND THE BUG
6-‐Nov-‐2014 © 2014 All Rights Reserved
7
int tls1_process_heartbeat(SSL *s)! {! unsigned char *p = &s->s3->rrec.data[0], *pl;! unsigned short hbtype;! unsigned int payload;! unsigned int padding = 16; /* Use minimum padding */!! /* Read type and payload length first */! hbtype = *p++;! n2s(p, payload);! pl = p;!! if (s->msg_callback)! s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,! &s->s3->rrec.data[0], s->s3->rrec.length,! s, s->msg_callback_arg);!! if (hbtype == TLS1_HB_REQUEST)! {! unsigned char *buffer, *bp;! int r;!! /* Allocate memory for the response, size is 1 bytes! * message type, plus 2 bytes payload length, plus! * payload, plus padding! */! buffer = OPENSSL_malloc(1 + 2 + payload + padding);! bp = buffer;! ! /* Enter response type, length and copy payload */! *bp++ = TLS1_HB_RESPONSE;! s2n(payload, bp);! memcpy(bp, pl, payload);! bp += payload;! /* Random padding */! RAND_pseudo_bytes(bp, padding);!! r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);!!
FIND THE BUG
payload is the length reported by the client
Allocate a buffer with the claimed size
Copy payload bytes
6-‐Nov-‐2014 © 2014 All Rights Reserved
8
IMPACT
• h_p://heartbleed.com • Serious vulnerability in OpenSSL 1.0.1 – 1.0.1f, and 1.0.2beta • Wandered the wild from March 2012 unVl April 2014 • Found independently by Codenomicon and Neel Mehta of
Google security team (who first reported it to OpenSSL) • We were working on staged responsible vulnerability disclosure
with CERT.FI when OpenSSL went public. We published our Q&A. • By the numbers: • Apache & NGINX have about 60% market share according to NetcraT. Most of these likely using OpenSSL for TLS/SSL.
• 630 of top 10k sites vulnerable on April 8th, 750k globally h_ps://github.com/musalbas/heartbleed-‐masstest/
6-‐Nov-‐2014 © 2014 All Rights Reserved
9
1. Be_er tesVng 2. Be_er tesVng 3. Be_er tesVng
• Builders, use a secure development life cycle • Buyers, test more thoroughly and demand be_er products
HOW DO WE FIND THE NEXT HEARTBLEED?
6-‐Nov-‐2014 © 2014 All Rights Reserved
10
managing soTware vulnerabiliVes
6-‐Nov-‐2014 © 2014 All Rights Reserved
11
DOES THIS SOFTWARE MAKE MY ATTACK SURFACE LOOK FAT?
6-‐Nov-‐2014 © 2014 All Rights Reserved
12
• Design vulnerabiliVes • ConfiguraVon vulnerabiliVes • Code vulnerabiliVes
• To improve security, find and fix as many vulnerabiliVes as you can • You will never find all of them • Using resources efficiently puts you ahead of the curve
SOFTWARE VULNERABILITIES
6-‐Nov-‐2014 © 2014 All Rights Reserved
13
• Design vulnerabiliVes • ConfiguraVon vulnerabiliVes • Code vulnerabiliVes
HUMAN HUNTERS
6-‐Nov-‐2014 © 2014 All Rights Reserved
14
• Design vulnerabiliVes • ConfiguraVon vulnerabiliVes • Code vulnerabiliVes
WHERE MACHINES CAN HELP
6-‐Nov-‐2014 © 2014 All Rights Reserved
15
• Source code analysis • You need the source code • False posiVves
• StaVc binary analysis • Find libraries, vulnerabiliVes, licenses
• Fuzz tesVng • Can be black box tesVng • Be_er to use various target instrumentaVon tools: Asan, Valgrind memcheck, etc. • Add behavior analysis: this is how we found Heartbleed
AUTOMATED VULNERABILITY TOOLS
6-‐Nov-‐2014 © 2014 All Rights Reserved
16
challenges in ics
6-‐Nov-‐2014 © 2014 All Rights Reserved
17
• Pre_y much the same problems as everywhere else
• Up unVl now, an industry focused on funcVonality • Now everything is going on IP networks • Network was perceived as trustworthy • Can’t trust the network, remote a_acks are relaVvely easy
• Long product lifeVmes • Patching is expensive and difficult • Makes security and robustness even more important
IT’S ALL SOFTWARE
6-‐Nov-‐2014 © 2014 All Rights Reserved
18
• 61850/GOOSE/SV • 61850/MMS client • 61850/MMS server • 60870-‐5-‐104 client • 60870-‐5-‐104 server • DNP3 client • DNP3 server • CIP Ethernet/IP • Modbus master
• Modbus slave • Profinet DCP server (PLC)
• And >260 more… • HTTP • TLS • IPv4 / IPv6 • SSH2 • XML • …
ICS PROTOCOLS – DEFENSICS TEST SUITES
6-‐Nov-‐2014 © 2014 All Rights Reserved
19
what now?
6-‐Nov-‐2014 © 2014 All Rights Reserved
20
• Builders must adopt a secure development life cycle • Security is part of every phase: design, implementaVon, tesVng, release • Use automated tools whenever possible
• Buyers: • Ask for more from your builders • Specific types of tesVng • For example: Fuzz Tes*ng Maturity Model (h_p://www.codenomicon.com/Tmm/)
• Verify using available tools • Binary analysis • Fuzzing
WHAT NOW?
6-‐Nov-‐2014 © 2014 All Rights Reserved
21
thank you
Jonathan Knudsen Principal Security Engineer [email protected]