37C3 - Writing secure software

Rollback to version 1

0:00 - 0:30

Dear viewer, these subtitles were generated
by a machine via the service YouTube
and therefore are (very) buggy.
If you are capable, please help us to
create good quality subtitles:
https://c3subtitles.de/talk/3028 Thanks!
0:00 - 0:16

[Music]
0:14 - 0:20

um basically textbooks have been written
0:16 - 0:22

about it um countless talks have been uh
0:20 - 0:24

have been Illuminating all of the errors
0:22 - 0:27

of our
0:24 - 0:28

ways um and still all those sucky
0:27 - 0:31

software is out
0:28 - 0:34

there um but
0:31 - 0:37

FIFA over here the hero of our show uh
0:34 - 0:41

has put out has put all of these best
0:37 - 0:44

practices into you know into his work to
0:41 - 0:47

try to create a um secure website he's
0:44 - 0:50

going to show us how it's done so that
0:47 - 0:55

we can all sleep way better at night and
0:50 - 0:58

um um and with that template go back and
0:55 - 1:00

and secure our own software and so with
0:58 - 1:03

that I'm going to hand it right over to
1:00 - 1:03

Fifi give him a round of
1:05 - 1:10

[Applause]
1:13 - 1:18

applause thank you um I have to start
1:15 - 1:20

with an apology because I did submit
1:18 - 1:22

this talk but it was rejected so the
1:20 - 1:24

slides are not at the stage where they
1:22 - 1:26

should be these are our slides for a
1:24 - 1:28

previous version of the talk it contains
1:26 - 1:30

all the material and I tried to update
1:28 - 1:33

it more but that destroyed the flow so
1:30 - 1:35

we we're stuck with it basically um the
1:33 - 1:37

difference was the the audience so while
1:35 - 1:39

I expect more developers here the other
1:37 - 1:43

audience was more and hackers and
1:39 - 1:45

business people so I try to get them
1:43 - 1:48

from where they are and uh the main
1:45 - 1:51

question usually is Are We There Yet
1:48 - 1:53

right so about me you probably probably
1:51 - 1:55

seen this before I'm a code auditor by
1:53 - 1:57

trade I have a small company and
1:55 - 2:02

companies show us their code and I show
1:57 - 2:02

them bugs I find in Indians quite easy
2:02 - 2:06

but before we start I have a small
2:04 - 2:10

celebration to do this actually happened
2:06 - 2:12

just a day before the first time I
2:10 - 2:14

talked about this uh so kasperski
2:12 - 2:15

message they found some mware anded Ed
2:14 - 2:18

diet
2:15 - 2:19

Lipsy which I have written so this is
2:18 - 2:25

like a
2:19 - 2:25

[Applause]
2:27 - 2:31

Knighthood some of the malware people
2:29 - 2:33

know what's good
2:31 - 2:36

so um basically the main question when I
2:33 - 2:38

talk to customers is uh we spend so much
2:36 - 2:40

money on this why isn't it
2:38 - 2:44

working and the the answer is you're
2:40 - 2:47

you're doing it wrong so um I will try
2:44 - 2:50

to show no what exactly is wrong and
2:47 - 2:52

there's a small preface here uh people
2:50 - 2:54

usually say there's no time to do this
2:52 - 2:57

briide and that's just wrong you have
2:54 - 2:59

exactly as much time per day as other
2:57 - 3:00

people who did great things so you can
2:59 - 3:02

do great things too you just just need
3:00 - 3:05

to do
3:02 - 3:07

it so let's play a little warm-up game
3:05 - 3:10

uh it's called how it started how it's
3:07 - 3:12

going so let's have a demo round IBM
3:10 - 3:15

Watson is revolutionizing 10
3:12 - 3:17

Industries and it's going like this
3:15 - 3:20

whatever happened to IBM Watson that's a
3:17 - 3:22

typical pattern in the security industry
3:20 - 3:25

right so here's another one how it
3:22 - 3:28

started revolutionize security with AI
3:25 - 3:30

right we all know where this is
3:28 - 3:34

going right so that's the p
3:30 - 3:35

um let's play it security mind sweeper
3:34 - 3:37

right so uh everybody here probably
3:35 - 3:40

knows who Gartner is they publish
3:37 - 3:41

recommendations and they even have a
3:40 - 3:43

voting section where people can say this
3:41 - 3:45

is the best product in this section
3:43 - 3:47

right so let's look at a few of them and
3:45 - 3:51

see what happened to people who trusted
3:47 - 3:54

Gartner first is a firewall right so how
3:51 - 3:55

it started the number one recommendation
3:54 - 4:02

is for
3:55 - 4:03

net and they have a lot of marketing G
4:02 - 4:05

and if you look how it's going it's not
4:03 - 4:08

going so
4:05 - 4:10

good so let's extend the pattern a bit
4:08 - 4:12

why what happened to me in in this
4:10 - 4:13

regard so I I don't need a firewall I
4:12 - 4:16

don't have any ports open that I need
4:13 - 4:19

blocking right so you don't need this
4:16 - 4:21

strictly speaking you don't need it next
4:19 - 4:24

discipline endpoint protection
4:21 - 4:27

so it started with TRX this is the
4:24 - 4:28

number one recommendation on Gartner I I
4:27 - 4:30

hadn't heard of them there like can make
4:28 - 4:33

a feed joint venture or something thing
4:30 - 4:36

who cares they also have great marketing
4:33 - 4:37

go and then if you look at what happened
4:36 - 4:39

it's
4:37 - 4:43

like they made it
4:39 - 4:45

worse um okay so this didn't apply to me
4:43 - 4:47

either because I don't use snake oil
4:45 - 4:49

let's see the third one password manager
4:47 - 4:52

also very
4:49 - 4:55

popular how it started recommended last
4:52 - 4:55

pass you probably know where this is
4:56 - 5:02

going yeah they got owned and then
5:00 - 5:05

people got
5:02 - 5:07

owned so um you may notice a pattern
5:05 - 5:09

here uh this didn't apply to me because
5:07 - 5:11

I deser a password authentication use
5:09 - 5:15

public key which has been available for
5:11 - 5:16

decades right so small bonus the last
5:15 - 5:20

one to
5:16 - 5:23

FAA uh Gartner recommends Duo which has
5:20 - 5:26

been bought by Cisco but doesn't
5:23 - 5:27

matter so if you look at what Duo does
5:26 - 5:29

your server asks the cloud for
5:27 - 5:30

permission the cloud goes to the
5:29 - 5:33

telephone
5:30 - 5:35

telephone shows a popup you click yes
5:33 - 5:37

and then the cloud tells the server it's
5:35 - 5:39

okay you can let them in if you look
5:37 - 5:41

really closely you can notice the cloud
5:39 - 5:44

doesn't have to do the popup can just
5:41 - 5:47

say sure so this comes pre-owned there
5:44 - 5:49

is no need to hack anything
5:47 - 5:51

here and something many people don't
5:49 - 5:52

realize you don't need two Factor if you
5:51 - 5:53

have public key that's already the
5:52 - 5:55

second
5:53 - 5:58

Factor okay
5:55 - 6:01

so yeah let's skip over this briefly
5:58 - 6:02

Splunk is the the recommend option here
6:01 - 6:06

and they make the organization more
6:02 - 6:06

resilient um unless you install
6:08 - 6:12

[Applause]
6:15 - 6:21

it okay um so this one is dear to my
6:18 - 6:22

heart because um people start arguing
6:21 - 6:25

about whether to install patches and
6:22 - 6:28

which patch to install first and it used
6:25 - 6:30

to be simple you you look for problems
6:28 - 6:31

then you install the patches and then it
6:30 - 6:33

a bit more
6:31 - 6:36

complicated and the result is this right
6:33 - 6:40

that's a famous podcast in in German uh
6:36 - 6:42

it's about municipality who got owned by
6:40 - 6:44

by ransomware and then had to call the
6:42 - 6:46

Army for
6:44 - 6:48

help and what you should do I'm having
6:46 - 6:49

this for completeness install all
6:48 - 6:52

patches immediately but that's a
6:49 - 6:55

separate talk right so um you may notice
6:52 - 6:56

a pattern here the it security industry
6:55 - 6:59

recommends something and if you do it
6:56 - 7:01

you're [ __ ] so don't do it um in case
6:59 - 7:04

you can't read this this says snake
7:01 - 7:07

repellent granules and then there's a
7:04 - 7:07

snake sleeping next to
7:08 - 7:12

it right so um if we can trust the
7:11 - 7:15

recommendations of the industry what
7:12 - 7:17

shall we do and um so I had a lot of
7:15 - 7:20

time on my hands because I didn't have
7:17 - 7:21

to clean up after crappy it security
7:20 - 7:24

industry recommendations so what that
7:21 - 7:27

what did I do with my
7:24 - 7:31

time and uh I decided I need a Blog uh
7:27 - 7:33

some time ago now um and I started
7:31 - 7:34

thinking what do I need and it's
7:33 - 7:38

actually not that much I could have just
7:34 - 7:39

shown basically static content a little
7:38 - 7:42

search function would be good but it's
7:39 - 7:45

optional um I didn't need comments for
7:42 - 7:48

legal reasons because people start
7:45 - 7:50

posting like uh links to maware or
7:48 - 7:52

whatever I don't want that um I don't
7:50 - 7:54

need that right so the first version was
7:52 - 7:56

actually really easy it was a small
7:54 - 7:59

standard web server and I had the the
7:56 - 8:00

blog entries a static HTML files one
7:59 - 8:02

file per month it was actually really
8:00 - 8:05

easy if you want to search you just can
8:02 - 8:07

ask Google and limit it to my site so
8:05 - 8:09

posting was also easy had a little
8:07 - 8:13

script that uh I could run on the server
8:09 - 8:15

and I just ssh in and SSH I trust for
8:13 - 8:17

authentication so there's no new attack
8:15 - 8:20

surface I have that anyway and this is a
8:17 - 8:23

great design it's secure it's simple
8:20 - 8:25

there's low risk it's also high
8:23 - 8:28

performance but you couldn't do a talk
8:25 - 8:30

about it at the CCC right so it's too
8:28 - 8:32

boring so I started to produce risk in
8:30 - 8:32

my
8:34 - 8:38

setup so the first idea was I had
8:36 - 8:41

written a small web server I could just
8:38 - 8:44

implement the blog in the web server
8:41 - 8:47

because you know it's my code anyway um
8:44 - 8:49

but that has downsides if the the blog
8:47 - 8:51

is running in the web server then it can
8:49 - 8:53

access all the memory of the web server
8:51 - 8:55

in particular it can see the TLs private
8:53 - 8:58

key and that I don't want people to
8:55 - 9:01

extract right so it can't be a module in
8:58 - 9:03

the web server
9:01 - 9:05

and the the obvious solution is it the
9:03 - 9:08

it has to run in a different user ID on
9:05 - 9:10

on Linux I'm using Linux or but any any
9:08 - 9:12

Unix or Windows would be the same
9:10 - 9:14

basically it runs in a different user ID
9:12 - 9:16

and then if you if you take over the
9:14 - 9:18

process of the blog because there's some
9:16 - 9:19

bug in it you couldn't access the the
9:18 - 9:22

TLs
9:19 - 9:23

key and while I did that the industry
9:22 - 9:25

was doing
9:23 - 9:27

this that's like the running gag of this
9:25 - 9:29

talk I show all kinds of interesting
9:27 - 9:30

things the industry did and then show
9:29 - 9:33

what I did
9:30 - 9:35

in that time right so um next question
9:33 - 9:38

where's the content I could just have
9:35 - 9:39

files on disk like static HTML as before
9:38 - 9:42

but I think that's not professional
9:39 - 9:43

enough right so for a good CCC talk you
9:42 - 9:45

need to be more
9:43 - 9:47

professional also for a different
9:45 - 9:51

project I had just written an elabs
9:47 - 9:53

server so I decided to reuse it and uh
9:51 - 9:54

while I did that the industry did this I
9:53 - 9:56

I took this photo at the airport of
9:54 - 9:58

Jerusalem so this is an actual ad it's
9:56 - 10:00

not photoshopped right it's for north of
9:58 - 10:03

gramman which is a um
10:00 - 10:07

military contractor and it's about full
10:03 - 10:07

spectrum cyber across all
10:07 - 10:12

domains so why would I write my own elab
10:09 - 10:15

server mostly because it's small and um
10:12 - 10:18

because I'm an auditor by trade I know
10:15 - 10:21

that if you want a chance to actually
10:18 - 10:22

audit the code it needs to be small
10:21 - 10:24

because that's a limited resource the
10:22 - 10:27

time you can spend on auditing code
10:24 - 10:30

right so postgress is a common SQL
10:27 - 10:32

database uh slapd is the the open Lup
10:30 - 10:35

implementation of the server and Tiny
10:32 - 10:37

Lup is mine and you see it's much slower
10:35 - 10:37

uh much
10:38 - 10:44

smaller yeah so there was more to this
10:41 - 10:44

ad campaign I collected a few funny
10:44 - 10:52

images right so um if someone manages to
10:49 - 10:55

hack the blog CGI or whatever module I
10:52 - 10:57

use to to have connect the blog to the
10:55 - 11:00

web server they can open any file that
10:57 - 11:03

the blog can read right the uid can read
11:00 - 11:06

so um I should probably do something
11:03 - 11:08

about that that was the next step and
11:06 - 11:09

the industry was starting to think about
11:08 - 11:10

vulnerability
11:09 - 11:13

[Music]
11:10 - 11:14

management so there is a mechanism on
11:13 - 11:17

Unix on Linux I did a separate talk
11:14 - 11:19

about that uh on the last Congress it's
11:17 - 11:21

called Secom and Secom can it's like a
11:19 - 11:24

firewall for CS calls so I can use
11:21 - 11:27

seccom to block open the open CIS which
11:24 - 11:30

is used to open files um but if I have
11:27 - 11:32

to use open myself
11:30 - 11:33

then um I can't block it right so what
11:32 - 11:36

you do about that for example my blog
11:33 - 11:38

calls local time which converts unix's
11:36 - 11:40

time into the local time zone and for
11:38 - 11:45

that it opens a file containing the
11:40 - 11:47

description of the uh system time zone
11:45 - 11:49

and that's that calls open right so if I
11:47 - 11:52

just disabled the open system call from
11:49 - 11:55

my blog then it couldn't do the time
11:52 - 11:58

translation and uh this is actually an
11:55 - 12:00

old problem that also uh applies to set
11:58 - 12:03

ID programs and has has applied to them
12:00 - 12:06

for decades so what you can do is you
12:03 - 12:09

can reorganize your code so before you
12:06 - 12:12

block or before you drop privileges
12:09 - 12:14

generally speaking you do uh the open
12:12 - 12:17

calls in this in this example um and
12:14 - 12:19

then you disable open and then you look
12:17 - 12:21

at the the data provided by the attacker
12:19 - 12:24

because if the attacker or any untrusted
12:21 - 12:26

source is trying to hack you it is via
12:24 - 12:28

data it gives you right it's the the
12:26 - 12:29

environment is compromised so you look
12:28 - 12:32

at what kind of uh elements in the
12:29 - 12:34

environment are attacker supplied and
12:32 - 12:36

before you look at a single bite in them
12:34 - 12:38

you do all the dangerous stuff if you
12:36 - 12:42

can right so in this case I call local
12:38 - 12:45

time once before I drop the open CIS
12:42 - 12:48

call and then my lipy will cach the the
12:45 - 12:50

time zone data and the next time I call
12:48 - 12:52

it after I have looked at the attacker
12:50 - 12:54

supplied code there is no need to call
12:52 - 12:58

open right so that's a major advantage
12:54 - 13:02

of Secom over similar Technologies like
12:58 - 13:04

SE Linux where where the all the the the
13:02 - 13:07

the um prohibitions on CIS calls are
13:04 - 13:09

applied to the whole process so there is
13:07 - 13:10

this is an example and you should make
13:09 - 13:12

use of it you should look at your
13:10 - 13:14

process and you can see if you have the
13:12 - 13:16

source code at least you can see which
13:14 - 13:19

parts do I need to do before I can drop
13:16 - 13:21

Privileges and you move them up right so
13:19 - 13:25

that's what I
13:21 - 13:28

did um this is actually uh a mockup from
13:25 - 13:30

the Estonian cyber security
13:28 - 13:35

Center so this is
13:30 - 13:38

real okay so um next thought so let's
13:35 - 13:41

say someone hacks the blog uh module and
13:38 - 13:42

someone else uses the same module but
13:41 - 13:44

supplies a
13:42 - 13:46

password right this is a common problem
13:44 - 13:48

in website in websites there's some kind
13:46 - 13:51

of login something you get maybe a
13:48 - 13:53

session token or whatever um and if
13:51 - 13:56

someone manages to take over the the
13:53 - 13:59

middleware or like the server component
13:56 - 14:01

they can see uh all other connections
13:59 - 14:03

too if they are handled by the same
14:01 - 14:06

process right that's a that's a major
14:03 - 14:09

problem um and you can do something
14:06 - 14:12

about it so that's the good news
14:09 - 14:15

here uh and in in my example it led to
14:12 - 14:18

me using CGI instead of fast CGI which
14:15 - 14:21

is fast CGI is a newer version of CGI
14:18 - 14:24

and the idea with fast CGI is that you
14:21 - 14:27

don't spawn a new process for every
14:24 - 14:30

request but you have like a Unix domain
14:27 - 14:32

socket or another socket to a fast CGI
14:30 - 14:36

process and that opens maybe a threat
14:32 - 14:38

per request or something but um usually
14:36 - 14:39

in fast CGI you try to handle the
14:38 - 14:42

requests in the same process and then
14:39 - 14:45

you can use that process to cach data so
14:42 - 14:48

there's a perf advantage to using fast
14:45 - 14:51

CGI but for security reasons um I don't
14:48 - 14:53

I don't use fast CGI so I can't do
14:51 - 14:54

caching right so that's a major downside
14:53 - 14:57

and you would expect the block to be
14:54 - 14:59

really really slow in the end um so
14:57 - 15:02

first thing I need to use CGI instead of
14:59 - 15:06

fast CGI and secondly you could still
15:02 - 15:08

use debug apis so if you use GDB or
15:06 - 15:11

another debugger to to look at another
15:08 - 15:13

process they use an API called p trce u
15:11 - 15:17

but that's a CIS call so I can use set
15:13 - 15:20

comp to disallow pce if I do those two
15:17 - 15:22

and the attacker takes over a Blog
15:20 - 15:24

process all they can see is the data
15:22 - 15:27

they Supply themselves right that's a
15:24 - 15:27

major
15:27 - 15:32

advantage Okay so Ina is actually in U
15:30 - 15:34

agency which I find really disturbing
15:32 - 15:38

because they're burning lots of taxpayer
15:34 - 15:40

money anyway so let's assume um the
15:38 - 15:43

attacker can hack my blog they can still
15:40 - 15:45

circumvent any access control I do in
15:43 - 15:49

the blog so for example if I have an
15:45 - 15:51

admin site or some login site part of
15:49 - 15:54

the website um and it's handled through
15:51 - 15:56

the same program and the access control
15:54 - 15:59

is done in the blog CGI and someone
15:56 - 16:04

manages to hack my blog CGI they could
15:59 - 16:06

just skip that so um it's really hard to
16:04 - 16:08

do access restrictions that can be
16:06 - 16:10

circumvented if you do them in your own
16:08 - 16:13

code so the solution is not do it in
16:10 - 16:16

your own code um I don't do any access
16:13 - 16:19

restriction in the blog I do it in the
16:16 - 16:21

elab server so if you connect to my blog
16:19 - 16:22

and Supply a password then the blog
16:21 - 16:24

doesn't know if the password is right or
16:22 - 16:26

not right there's an an an for example
16:24 - 16:28

there's an interface where you can add
16:26 - 16:29

new block entries or you can edit an old
16:28 - 16:31

one and for you need to supply
16:29 - 16:33

credentials but the block CGI doesn't
16:31 - 16:35

know if they are right or not it opens
16:33 - 16:37

the connections to the elab server with
16:35 - 16:41

that credential and then the elab server
16:37 - 16:45

says yes or no so since we uh removed
16:41 - 16:47

access to the P SS uh and the the
16:45 - 16:48

processes are isolated from each other
16:47 - 16:50

that means there is nothing to
16:48 - 16:53

circumvent here so if someone hacks my
16:50 - 16:55

blog the only Advantage uh they get is
16:53 - 16:56

they can do the exact same stuff they
16:55 - 17:00

could do before basically they can just
16:56 - 17:02

talk to the L server
17:00 - 17:04

okay so I'm starting to get into uh
17:02 - 17:07

James Bond territory here right with the
17:04 - 17:09

attacks they getting more
17:07 - 17:11

convoluted right so the industry started
17:09 - 17:13

doing threat intelligence feeds which
17:11 - 17:16

are useless don't spend money on those
17:13 - 17:19

okay so let's say the attacker hacked my
17:16 - 17:22

blog and then went to my tiny UB and now
17:19 - 17:24

is attacking tiny elab then they can
17:22 - 17:26

watch other logins because tiny Elder
17:24 - 17:29

handles connections from other instances
17:26 - 17:31

of the blog too right so the same
17:29 - 17:33

problem we had before we just moved the
17:31 - 17:36

gold post a little and we need to
17:33 - 17:38

prevent this and the the obvious
17:36 - 17:42

solution is to do the same thing we did
17:38 - 17:45

with the blog um we have one process of
17:42 - 17:49

the elab server per request and then we
17:45 - 17:51

just allow P Trace right so now you
17:49 - 17:53

can't watch even if you get code
17:51 - 17:55

execution inside the elab server you
17:53 - 17:59

can't watch what passwords other people
17:55 - 18:01

use you can still see okay does some
17:59 - 18:04

[ __ ] again you can still see the
18:01 - 18:06

password in the UB store right so the
18:04 - 18:08

elab server has to has a version of the
18:06 - 18:11

password to authenticate against and the
18:08 - 18:13

industry practice best practice is to
18:11 - 18:14

use salted hashers so the password is
18:13 - 18:17

not actually in the
18:14 - 18:20

store still if someone manages to attack
18:17 - 18:22

tiny elab through the blog they can
18:20 - 18:25

extract the hashes and try to crack them
18:22 - 18:28

but since I'm the only one adding users
18:25 - 18:32

I can control the password complexity so
18:28 - 18:35

good luck frood forcing that
18:32 - 18:35

right
18:35 - 18:39

okay so uh this is actually a real
18:38 - 18:42

problem not not for my blog specifically
18:39 - 18:43

but for other web services or services
18:42 - 18:45

that are reachable from the internet
18:43 - 18:47

what if an attacker doesn't want to
18:45 - 18:50

steal my data but it wants to encrypt
18:47 - 18:54

them so the ransomware what can you do
18:50 - 18:56

about that and um my idea was to make
18:54 - 18:58

the data store read only so the UB
18:56 - 19:01

server has a data store that contains
18:58 - 19:03

all the blog entries and let's read only
19:01 - 19:05

to the add up process you can only read
19:03 - 19:08

from it and if you want to write to it
19:05 - 19:10

for example to add a new entry it gets
19:08 - 19:11

appended to a second file which I call
19:10 - 19:14

the
19:11 - 19:16

journal so SQL databases have a similar
19:14 - 19:18

concept and they use it to to roll back
19:16 - 19:19

transactions I can do the same thing
19:18 - 19:22

it's basically a log
19:19 - 19:25

file and that means um all the
19:22 - 19:27

differences from the last time the store
19:25 - 19:29

was created the Ron store all the
19:27 - 19:32

differences are sequentially in the log
19:29 - 19:34

file in the journal so that that the
19:32 - 19:36

performance gets worse the bigger the
19:34 - 19:39

journal gets so every now and then I
19:36 - 19:42

need to combine the readon part and the
19:39 - 19:44

journal to a new bigger readon part and
19:42 - 19:44

I do that
19:45 - 19:50

manually um because tiny elab couldn't
19:48 - 19:51

do it because I didn't allow tiny elab
19:50 - 19:55

to write the store right that was part
19:51 - 19:57

of the security here and uh so um with
19:55 - 19:59

set comp I can just disable whole CIS
19:57 - 20:01

calls I can also install filters so I
19:59 - 20:04

can say open is allowed but only if you
20:01 - 20:06

use o append o append in the open sis
20:04 - 20:09

call on Unix means every right you do to
20:06 - 20:13

this uh descriptor is automatically
20:09 - 20:16

added to the end so I know if someone
20:13 - 20:19

manages to to access the tiny Elda
20:16 - 20:21

binary and can write to my journal then
20:19 - 20:22

the only place the changes can show up
20:21 - 20:25

is at the end and that's actually a
20:22 - 20:27

really good good thing to have because
20:25 - 20:30

it means if someone hacks me and adds
20:27 - 20:33

junk to my blog I can only remove at the
20:30 - 20:35

end and I'm good again compare that to a
20:33 - 20:38

usual SQL database um if someone wrote
20:35 - 20:41

to the database you need to in to to
20:38 - 20:43

play a backup uh in to restore backup
20:41 - 20:46

because they could have changed anything
20:43 - 20:47

anywhere right so but tiny adup doesn't
20:46 - 20:49

even have file system level permissions
20:47 - 20:51

to change anything in the store so I can
20:49 - 20:53

re re uh sleep
20:51 - 20:56

soundly yeah the industry spent money on
20:53 - 20:56

cyber security mesh
20:56 - 21:00

architecture right so the journal
20:59 - 21:02

integration has to be done by me
21:00 - 21:05

manually out of band so it's not
21:02 - 21:09

something an automated process does um I
21:05 - 21:10

do it manually and when I'm doing it um
21:09 - 21:13

because it's not that much data it's
21:10 - 21:15

like for a week or two I can just read
21:13 - 21:16

it again and see if something doesn't
21:15 - 21:19

look
21:16 - 21:21

right this may not be available to all
21:19 - 21:23

other scenarios but uh you have to
21:21 - 21:25

realize if you have bigger data it's
21:23 - 21:27

usually not all the data that's big most
21:25 - 21:30

of it is usually static and readon and
21:27 - 21:33

then you have some logs that are or you
21:30 - 21:35

know billing data that grows and grows
21:33 - 21:38

but usually there's part of the data and
21:35 - 21:41

this is the the part with the you know
21:38 - 21:44

um uh identifying information personally
21:41 - 21:46

identifying information or you know Bill
21:44 - 21:48

billing details that stuff is usually
21:46 - 21:51

small and mostly static and you could
21:48 - 21:51

use this strategy for that
21:53 - 21:59

too well yeah
21:56 - 22:02

okay so the attack can still write
21:59 - 22:04

garbage to my blog that's still not good
22:02 - 22:07

right but since all they can do is a pen
22:04 - 22:09

to the journal I can use my text editor
22:07 - 22:12

open the journal and truncate at some
22:09 - 22:14

point and then I get all my data back
22:12 - 22:16

till the point where they started puting
22:14 - 22:19

the blog right this is still bad but
22:16 - 22:21

it's it's a very good position to be in
22:19 - 22:24

if there's an uh emergency because you
22:21 - 22:26

can basically investigate calmly first
22:24 - 22:30

you turn off right AIS then you you
22:26 - 22:33

delete the vandalism and the journal and
22:30 - 22:35

um you know you haven't lost anything
22:33 - 22:37

because if you want to delete an entry
22:35 - 22:39

in the blog you could do that too but
22:37 - 22:41

that means at the end of the journal you
22:39 - 22:43

append a statement saying delete this
22:41 - 22:46

record and I can just remove that and I
22:43 - 22:49

get the record back right so there's no
22:46 - 22:51

way for someone vandalizing my blog to U
22:49 - 22:53

damage any data that was in it before
22:51 - 22:56

all they can do is a pen junk at the end
22:53 - 22:58

and I can live with that right this is
22:56 - 23:01

this is should be the guiding thought
22:58 - 23:03

between any security you do um if
23:01 - 23:06

someone hacks you you will be in a very
23:03 - 23:08

stressful position the boss will be
23:06 - 23:10

behind you breathing down your neck are
23:08 - 23:13

We Done Yet is it fixed and you want to
23:10 - 23:15

have as little to do as possible at that
23:13 - 23:17

time you want to to move all the stress
23:15 - 23:19

to before you get hacked because then
23:17 - 23:23

you have more
23:19 - 23:25

time okay the industry did other things
23:23 - 23:28

again
23:25 - 23:31

um so what if the attacker doesn't write
23:28 - 23:33

garbage to the journal but writes some
23:31 - 23:35

exploit to the journal that the next
23:33 - 23:39

tiny El up instance that reads the
23:35 - 23:41

journal gets compromised
23:39 - 23:43

by that is a
23:41 - 23:47

possibility and that would be
23:43 - 23:49

bad so agreed that there still a problem
23:47 - 23:51

but uh realize how Preposterous the
23:49 - 23:54

scenario is so we are talking about an
23:51 - 23:57

attacker who found stable zero day in
23:54 - 24:00

the blog and then used that and another
23:57 - 24:02

stable zero day in tiny ad up to write
24:00 - 24:06

to the journal and then have the
24:02 - 24:09

third uh third zero day to compromise
24:06 - 24:11

the the journal passing code so I mean
24:09 - 24:13

yes it is still a problem but we reduced
24:11 - 24:15

the risk
24:13 - 24:18

significantly uh and that is what I'm
24:15 - 24:21

trying to to tell you here uh it's not
24:18 - 24:23

it's not all or nothing it's good enough
24:21 - 24:25

if you can half the
24:23 - 24:29

risk that's already very important and
24:25 - 24:32

you should do it so as much as you can
24:29 - 24:34

uh slice off the risk the better the
24:32 - 24:37

better off you will be if something
24:34 - 24:40

happens right because the smaller the
24:37 - 24:42

code is that is still attackable the
24:40 - 24:44

more you can audit it and be sure it's
24:42 - 24:47

good you show it to your friends and
24:44 - 24:49

they can audit it too uh and and you
24:47 - 24:50

need to save yourself that time because
24:49 - 24:53

it happens every now and then that I get
24:50 - 24:55

to get to see the whole code base and
24:53 - 24:56

the usual code base for commercial
24:55 - 25:00

products is like gigabytes of source
24:56 - 25:02

code nobody can read that like I'm I'm
25:00 - 25:05

good I'm not that
25:02 - 25:07

good so um this is a good place to be in
25:05 - 25:11

I think right so the industry was
25:07 - 25:13

selling dos mitigation sure whatever so
25:11 - 25:16

what happens if someone attacks the web
25:13 - 25:19

server that is still a big
25:16 - 25:23

problem um and it's
25:19 - 25:24

actually uh it it's a full damage right
25:23 - 25:26

that's the worst that can happen if
25:24 - 25:28

someone manages to attack the web server
25:26 - 25:31

they can see all traffic coming through
25:28 - 25:32

they can look inside TLS secured
25:31 - 25:34

connections and they can sniff all the
25:32 - 25:37

passwords so that's really
25:34 - 25:40

bad unfortunately there is not too much
25:37 - 25:45

you can do about that
25:40 - 25:46

um you could do uh um a separation so
25:45 - 25:48

this is something people have been
25:46 - 25:49

talking about for a while open S AG is
25:48 - 25:52

doing this they moved the dangerous
25:49 - 25:55

crypto stuff in a second process and use
25:52 - 25:56

sandboxing to lock down that process uh
25:55 - 25:58

that could be done but nobody has done
25:56 - 26:01

it for open SSL yet so so open SSL
25:58 - 26:03

doesn't support that um my web server
26:01 - 26:05

also supports embed TLS they don't
26:03 - 26:07

support that too so I I could spend time
26:05 - 26:09

on that and I've been actually um
26:07 - 26:11

spending some time already but it's not
26:09 - 26:13

it's not ready yet but this would be a
26:11 - 26:16

good way to reduce the risk and you may
26:13 - 26:19

notice that the the tools I'm using to
26:16 - 26:21

reduce risks are actually just a handful
26:19 - 26:23

there's not it's not you know it's not
26:21 - 26:26

witchcraft I'm I'm not inventing new
26:23 - 26:28

ways to look at things I'm doing the
26:26 - 26:30

same thing again I'm identifying the
26:28 - 26:33

part of the code that's dangerous and
26:30 - 26:35

then I think about how I can make that
26:33 - 26:37

part smaller maybe put it in a different
26:35 - 26:39

process lock it down so we need to do
26:37 - 26:42

the same thing with the web server
26:39 - 26:47

obviously um but it's an ongoing
26:42 - 26:50

process yeah so again whatever um why
26:47 - 26:51

haven't I done that yet uh so in my web
26:50 - 26:53

server you can it's a build time
26:51 - 26:55

decision if you want SSL support or not
26:53 - 26:58

and you can see the binary is
26:55 - 26:59

significantly bigger if you have SSL and
26:58 - 27:01

I'm showing you this because it means
26:59 - 27:05

the the bulk of the attack surface is
27:01 - 27:07

the SSL code it's not my code so if I if
27:05 - 27:10

I can put the SSL code in a different
27:07 - 27:12

process they still need to see the the
27:10 - 27:14

private key because that's what TLS
27:12 - 27:16

needs the private key otherwise it can't
27:14 - 27:18

do the crypto so the bug of the attack
27:16 - 27:20

surface would still have access to the
27:18 - 27:21

key I can still do it because there
27:20 - 27:25

might be bucks in my code and not the
27:21 - 27:28

SSL code but that's just 5% of the of
27:25 - 27:30

the overall attack surface so um
27:28 - 27:32

it I will probably do it at some point
27:30 - 27:36

but it's I don't expect miracles from it
27:32 - 27:39

bugs and open SSL will kill kill me
27:36 - 27:39

there's not much I can do about
27:41 - 27:46

that okay so I know what you're
27:47 - 27:52

thinking what about colel
27:50 - 27:55

bugs so I looked at a few of the recent
27:52 - 27:57

kernel bugs and it turns out that they
27:55 - 28:00

usually apply to SSS that are rarely
27:57 - 28:02

used in regular programs and uh because
28:00 - 28:05

I'm blocking all the CIS calls I don't
28:02 - 28:07

really need none of them apply to me
28:05 - 28:11

right and this is a this is a pattern
28:07 - 28:12

with Colonel bugs um uh there is a a
28:11 - 28:16

project called
28:12 - 28:20

Sandstorm um that also uses p trce and
28:16 - 28:23

and Secom tracing to reduce the csol U
28:20 - 28:25

surface and then puts regular Services
28:23 - 28:28

into a Sandbox for for web services and
28:25 - 28:30

they uh evaded all kinds of of Kernel
28:28 - 28:33

bucks just because of that so this is
28:30 - 28:34

like a zero effort thing because
28:33 - 28:37

obviously if you have a list of CIS
28:34 - 28:38

calls you'd use a white list and you you
28:37 - 28:40

have a list of things you are
28:38 - 28:43

explicitely low and the rest is is
28:40 - 28:45

disabled not the other way around right
28:43 - 28:47

so none of the usual kernel bugs apply
28:45 - 28:50

to me um because of the the seom stuff I
28:47 - 28:52

already do so kernel bugs aren't as big
28:50 - 28:54

of a problem as you might think at least
28:52 - 28:56

I still have them if I haven't patched
28:54 - 28:59

but you can't get to them via the
28:56 - 29:01

blog so I have a small confession to
28:59 - 29:05

make uh I'm a bit of a troll and that
29:01 - 29:07

applies to this project as well so um I
29:05 - 29:11

use the worst programming
29:07 - 29:13

language I used C right so I'm trolling
29:11 - 29:14

the security people and then I'm
29:13 - 29:16

trolling the Java people who have been
29:14 - 29:17

saying you should use multi-threading
29:16 - 29:20

for performance and not have one process
29:17 - 29:24

per request so I'm doing actually two
29:20 - 29:26

fork and xx per request um I'm trolling
29:24 - 29:29

the database people I don't have any
29:26 - 29:30

caching I don't have connection pool TOs
29:29 - 29:32

and the perf people too because I'm
29:30 - 29:35

still faster than most of the regular
29:32 - 29:37

Solutions so there is no there's really
29:35 - 29:40

no downside if you if you architect your
29:37 - 29:42

software to use this kind of thing um it
29:40 - 29:44

will be slower than other ways to do it
29:42 - 29:48

but most other software isn't as fast
29:44 - 29:50

anyway so there's enough Headway that
29:48 - 29:52

you can use to do security instead of
29:50 - 29:55

performance you will still be
29:52 - 29:58

faster so let's recap the the
29:55 - 30:01

methodology I used um first I make a
29:58 - 30:03

list of all the attacks I can think of
30:01 - 30:04

and this means concrete attacks so what
30:03 - 30:07

could happen and what would what would
30:04 - 30:09

be the problem then right and then I
30:07 - 30:12

think for every item on the list I
30:09 - 30:14

consider how to prevent this can I
30:12 - 30:16

prevent this uh what what I need to do
30:14 - 30:18

and then I do it right so that's easy
30:16 - 30:20

it's like this the fine man problem
30:18 - 30:23

solving algorithm in spirit and this
30:20 - 30:26

process is called threat modeling it's
30:23 - 30:27

it's like a it's dirty word because it
30:26 - 30:29

sounds like there's effort involved and
30:27 - 30:31

nobody wants to do it but it's really
30:29 - 30:33

it's easy it's just these these steps
30:31 - 30:34

you you look at your software you
30:33 - 30:36

consider all the ways it could be
30:34 - 30:38

attacked and then you consider what you
30:36 - 30:40

could do to prevent the attack or in
30:38 - 30:41

some cases you can't prevent the attack
30:40 - 30:44

and then you say well that's the risk I
30:41 - 30:47

have to live with right so that's called
30:44 - 30:50

threat moding you should try it it's
30:47 - 30:53

awesome and um you saw that I'm trying
30:50 - 30:55

to optimize something here I go for a
30:53 - 30:58

specific Target in this case I want as
30:55 - 31:00

little code as possible
30:58 - 31:03

um the more code there is the more bugs
31:00 - 31:05

there will be that's an a very old uh
31:03 - 31:07

Insight from I think it was originally
31:05 - 31:09

in IBM study and they basically found
31:07 - 31:10

that the number of bugs in code is a
31:09 - 31:13

function of the lines of code in the
31:10 - 31:15

code so there's a little more to it but
31:13 - 31:18

basically it's true so and it's not just
31:15 - 31:20

any code I want to have less of um if
31:18 - 31:22

the code is dangerous I particularly
31:20 - 31:25

want to have less of it and the the most
31:22 - 31:27

important category to to make smaller is
31:25 - 31:30

the the code that enforces security
31:27 - 31:32

guarantees so like one security
31:30 - 31:33

guarantee would be you can't log in if
31:32 - 31:35

you don't have the right password right
31:33 - 31:39

so the code that checks that I wanted to
31:35 - 31:41

be as small as possible um one or two
31:39 - 31:43

lines of code if if I can manage it and
31:41 - 31:45

then it's obvious if it if it's wrong or
31:43 - 31:48

not the more complex the code is the
31:45 - 31:49

less less easy would it be to see if
31:48 - 31:51

it's correct or not and that's what you
31:49 - 31:54

want in the end you want to be sure the
31:51 - 31:55

code is correct so how far did I get
31:54 - 31:57

it's actually pretty amazing I think um
31:55 - 32:01

you can write an elabs server in five
31:57 - 32:04

,000 lines of code the blog is 3.5 lines
32:01 - 32:07

of kilo lines of code um plus the Ed
32:04 - 32:09

client Library plus zet lip um but I'm
32:07 - 32:11

only using zet lip to compress not to
32:09 - 32:14

decompress so most attack scenarios
32:11 - 32:16

doesn't don't apply to to my usage of Z
32:14 - 32:19

Li um and the web server is also pretty
32:16 - 32:21

slow if you only look at the HTTP code
32:19 - 32:24

unfortunately uh it also contains the
32:21 - 32:26

SSL Library which is orders of magnitude
32:24 - 32:28

more than my code and that's how you
32:26 - 32:32

want it you want the biggest risk not to
32:28 - 32:35

be in the new code but in an old code
32:32 - 32:36

that someone else already audited if you
32:35 - 32:39

can manage it right so this is the
32:36 - 32:41

optimization strategy try to have as
32:39 - 32:43

little dangerous code as possible sounds
32:41 - 32:45

like a no-brainer but if you look at
32:43 - 32:47

modern software development you will
32:45 - 32:50

find out they do the exact opposite pull
32:47 - 32:53

in as many Frameworks as as they
32:50 - 32:56

can so this strategy is called TCB
32:53 - 32:57

minimization you should try it and I
32:56 - 33:01

gave a talk about it already it's
32:57 - 33:05

actually pretty easy so um I told you
33:01 - 33:08

what I did to the to the blog to uh uh
33:05 - 33:10

diminish the danger that can be done uh
33:08 - 33:12

if someone manages to take it over and
33:10 - 33:15

this is actually part of the TCB
33:12 - 33:18

minimization process so the blog was a
33:15 - 33:21

high risk area and then I took away
33:18 - 33:24

Privileges and removed exess checks and
33:21 - 33:26

in the end even if I give you remote
33:24 - 33:28

code execution in the blog process you
33:26 - 33:31

can't do anything you couldn't do before
33:28 - 33:34

right so it's no longer part of the TCB
33:31 - 33:36

the TCB is the part that uh enforces
33:34 - 33:37

security guarantees which the block CGI
33:36 - 33:39

doesn't
33:37 - 33:41

anymore so that's what you want to do
33:39 - 33:44

you want to end up in the smallest TCB
33:41 - 33:47

you can possibly manage and uh every
33:44 - 33:49

step on the way is good so no step is
33:47 - 33:52

too small right if you can shave off
33:49 - 33:55

even a little routine do
33:52 - 33:57

it this is the minimization part of TCB
33:55 - 34:00

minimization right I could I was able to
33:57 - 34:04

remove the block from the TCB tiny El up
34:00 - 34:05

still still has a risk so I I you saw
34:04 - 34:07

the threat model if someone manages to
34:05 - 34:09

take over tiny El up they can read the
34:07 - 34:11

hashes and try to crack them that's
34:09 - 34:15

still bad um but I can live with it
34:11 - 34:17

right uh if they vandalize the block I
34:15 - 34:20

can undo the damage without going to the
34:17 - 34:22

tape Library so that's
34:20 - 34:24

good if you compare that to the industry
34:22 - 34:27

standard you you will find that my
34:24 - 34:29

Approach is much better um usually in
34:27 - 34:31

the industry you see platform decisions
34:29 - 34:33

done by management not by the techies
34:31 - 34:35

and um it's untroubled by expertise or
34:33 - 34:38

risk analysis and you you get a
34:35 - 34:40

diffusion of responsibility because if
34:38 - 34:42

you even if you try to find out who's
34:40 - 34:43

responsible for anything you find uh
34:42 - 34:45

well it's that team over there but we
34:43 - 34:47

don't really know and then you find out
34:45 - 34:48

the team dissolved last week and it's
34:47 - 34:51

really
34:48 - 34:55

horrible and brand new we have ai tools
34:51 - 34:55

which is also a diffusion of
34:55 - 34:59

responsibility and then you get people
34:57 - 35:01

arguing well it's so bad it can't get
34:59 - 35:03

any worse let's go to the cloud where
35:01 - 35:07

obviously it gets worse
35:03 - 35:09

immediately so I prefer my way um I
35:07 - 35:11

think in the end it's important to
35:09 - 35:13

realize that the the lack of security
35:11 - 35:16

you may have in your projects right now
35:13 - 35:18

is self-imposed there is no guy with a
35:16 - 35:20

shotgun behind you
35:18 - 35:24

threatening you can do it you just have
35:20 - 35:26

to start right so this is self-imposed
35:24 - 35:29

helplessness you can actually help
35:26 - 35:29

yourself you just have to start
35:29 - 35:34

right how did we get here this is
35:32 - 35:36

obviously not a good good place to be
35:34 - 35:38

like all the software is crappy and
35:36 - 35:40

there's a few it's not just that people
35:38 - 35:43

are dumb there's a few reasons for that
35:40 - 35:45

so um back in the day you used to have
35:43 - 35:48

bespoke applications that were written
35:45 - 35:50

for a specific purpose and they used the
35:48 - 35:52

waterfall model and you had the
35:50 - 35:56

requirements specification and it was
35:52 - 35:58

lots of bureaucracy and really horrible
35:56 - 36:00

but it also Al meant that you knew what
35:58 - 36:03

the application had be had to be able to
36:00 - 36:06

do so that means you can make sure
36:03 - 36:08

anything else is forbidden if you know
36:06 - 36:10

what the application needs to be able to
36:08 - 36:12

do you can make sure it doesn't do any
36:10 - 36:16

other stuff and that is security if you
36:12 - 36:17

think about it deny everything that the
36:16 - 36:19

application wasn't supposed to be doing
36:17 - 36:22

and then that's what an attacker would
36:19 - 36:25

do if they take over the machine right
36:22 - 36:26

so if you know beforehand what you're
36:25 - 36:29

trying to get to you can actually
36:26 - 36:30

implement privilege even architecturally
36:29 - 36:33

as I've shown
36:30 - 36:36

you now we have more of an Ikea model
36:33 - 36:38

you buy parts that are uh designed by
36:36 - 36:39

their own teams and the teams designing
36:38 - 36:42

the parts don't know what the final
36:39 - 36:44

product will look like right in in some
36:42 - 36:46

cases even you don't know what the final
36:44 - 36:48

product will look like but it's even
36:46 - 36:50

worse if you consider that the the the
36:48 - 36:51

team building the part you make your
36:50 - 36:54

software from doesn't know what it will
36:51 - 36:56

be used for so it has to be as generic
36:54 - 36:58

as possible Right the more it can be
36:56 - 37:01

done with with it the better and that's
36:58 - 37:03

the opposite of security right security
37:01 - 37:05

means understanding what you need to do
37:03 - 37:09

and then disallowing the rest and this
37:05 - 37:11

means be as generic as you can the parts
37:09 - 37:12

are optimized for genericity Gen what's
37:11 - 37:16

the
37:12 - 37:18

name genericism I don't know so they are
37:16 - 37:21

optimized to be as flexible as possible
37:18 - 37:21

and they are chosen by
37:22 - 37:25

flexibility the developer of the part
37:24 - 37:28

usually has no idea what it would used
37:25 - 37:31

for uh and that means you can't do least
37:28 - 37:34

privilege because um you don't know what
37:31 - 37:36

the privilege will be that's least so
37:34 - 37:39

this this is actually a big mess so if
37:36 - 37:40

you use Parts programmed by other people
37:39 - 37:43

you will have to invest extra effort to
37:40 - 37:45

find out what kind of stuff you can make
37:43 - 37:48

it not do because it will definitely be
37:45 - 37:49

able to do more than you need and the
37:48 - 37:52

more you can clamp down the more
37:49 - 37:54

security you will have uh it's even
37:52 - 37:55

worse if you do Agile development
37:54 - 37:58

because then by definition you don't
37:55 - 38:00

know what the end result will be so if
37:58 - 38:01

you don't know that you can't do
38:00 - 38:03

security
38:01 - 38:06

lockdown so another argument why we got
38:03 - 38:08

here is economics of scale so it used to
38:06 - 38:11

be that if you build some kind of device
38:08 - 38:13

that needs to do something like I don't
38:11 - 38:17

know uh a
38:13 - 38:20

microwave then you you find parts and
38:17 - 38:21

you combine the parts and you solder
38:20 - 38:24

them together and then they solve the
38:21 - 38:27

problem but these days uh you don't
38:24 - 38:30

solder parts anymore you assemble from
38:27 - 38:32

pre-made parts and these are usually
38:30 - 38:35

programmable right so a little arm chip
38:32 - 38:37

cost like a tenth of a scent so why use
38:35 - 38:39

a special part if you can use an arm
38:37 - 38:41

chip and then program it but that means
38:39 - 38:43

you still need to use software that
38:41 - 38:45

actually solves the problem the hardware
38:43 - 38:47

is generic and that means the hardware
38:45 - 38:50

can be hacked and this is turning out to
38:47 - 38:53

be a problem right if you had a break in
38:50 - 38:55

in 20 years youo um it it breaked right
38:53 - 38:57

but now it's
38:55 - 38:59

programmable and people have realized
38:57 - 39:01

how bad that is but it is bad right so
38:59 - 39:05

that's that will bite Us in the
39:01 - 39:08

ass oops so um the response from the
39:05 - 39:10

industry has so far been the ostrich
39:08 - 39:13

method basically we we install stuff
39:10 - 39:15

that we know is untrustworthy and so we
39:13 - 39:18

install other stuff on top of it that's
39:15 - 39:21

also untrustworthy and then we call it
39:18 - 39:24

Telemetry or big data and to some risk
39:21 - 39:27

uh logging analysis in in aze or
39:24 - 39:30

whatever uh and in the end the attack
39:27 - 39:32

surface has mushroomed like a nuclear
39:30 - 39:34

explosion right so that's our fault
39:32 - 39:36

nobody has forced us to do this you
39:34 - 39:39

don't need to do this in your own
39:36 - 39:41

projects that's the hopeful message of
39:39 - 39:43

this talk in conclusion if you remember
39:41 - 39:44

nothing else from this talk remember
39:43 - 39:47

that threat modeling is a thing and you
39:44 - 39:48

should try it TCB minimization actually
39:47 - 39:52

helps least privilege is another facet
39:48 - 39:54

of the same thing and if you can uh use
39:52 - 39:56

a pendon data storage you should
39:54 - 39:58

consider it hm blockchain yeah not
39:56 - 40:01

blockchain a pend only data storage it's
39:58 - 40:01

not
40:01 - 40:09

[Applause]
40:09 - 40:13

[Music]
40:11 - 40:15

blockchain so two more you two more
40:13 - 40:18

slides yeah two more slides sorry I'm an
40:15 - 40:20

imposter no problem so the rule of thumb
40:18 - 40:23

should be if if the blog of some
40:20 - 40:26

unwashed hobbyist from the Internet is
40:23 - 40:28

more secure than your it security then
40:26 - 40:30

you should improve your it
40:28 - 40:34

security right that shouldn't
40:30 - 40:35

happen all right so that's all from my
40:34 - 40:38

talk I think we still have time for
40:35 - 40:42

questions do we yes okay awesome okay
40:38 - 40:42

now you can put your hand
40:45 - 40:50

[Applause]
40:47 - 40:51

together so if you want to ask a
40:50 - 40:56

question we have four microphones in the
40:51 - 40:57

room 1 2 3 4 and I'm going to take a a
40:56 - 41:00

question the first first question from
40:57 - 41:02

the internet the internet is saying you
41:00 - 41:03

actually got hacked or can you elaborate
41:02 - 41:06

on what
41:03 - 41:07

happened Yes actually there was an
41:06 - 41:09

incident where someone was able to post
41:07 - 41:11

stuff to my blog and because I had a
41:09 - 41:15

pend only data storage I Shrugged it off
41:11 - 41:17

basically so use use a pendon data
41:15 - 41:19

storage it's it will save your ass at
41:17 - 41:22

some point the problem was a bug in my
41:19 - 41:24

uh Access Control lists I had used some
41:22 - 41:26

some Access Control list in my alab
41:24 - 41:28

server and I had a line in it that I
41:26 - 41:30

should have removed but I forgot to
41:28 - 41:33

remove it and that meant you could post
41:30 - 41:35

without having credentials but um it
41:33 - 41:38

happened and it wasn't bad because my
41:35 - 41:40

architecture prevented damage um as
41:38 - 41:42

people are leaving the room could you
41:40 - 41:45

leave very quietly thank you um
41:42 - 41:47

microphone number one yeah is there a
41:45 - 41:51

second alternative for Windows and Mac
41:47 - 41:53

OS a secure alternative well so
41:51 - 41:56

basically you can do the the principles
41:53 - 42:00

I um I showed in this talk you can do on
41:56 - 42:03

those two so usually you will not be
42:00 - 42:05

hacked because your your Mac OS or
42:03 - 42:07

Windows had a bug I that happens too but
42:05 - 42:09

the bigger problem is that the software
42:07 - 42:12

you wrote had a bug or that you the
42:09 - 42:14

software that you use had a bug so I'm
42:12 - 42:17

I'm trying to tell you Linux isn't uh
42:14 - 42:19

particularly more secure than Windows
42:17 - 42:21

it's just it's basically you can write
42:19 - 42:23

secure software and insecure software on
42:21 - 42:25

any operating system you should still
42:23 - 42:27

use Linux because it has advantages but
42:25 - 42:29

if you apply these Tech techniques to
42:27 - 42:32

your software it will be secure on on
42:29 - 42:34

Mac OS and windows as well right so this
42:32 - 42:36

is not for for end users selecting the
42:34 - 42:37

software if you select software you have
42:36 - 42:40

to trust the
42:37 - 42:42

vendor there's no way around that but if
42:40 - 42:44

you write your own software then you can
42:42 - 42:47

reduce the risk to a point where you can
42:44 - 42:49

live with it and sleep soundly sure is
42:47 - 42:51

there a a technical alternative or
42:49 - 42:53

similar similarity like sa comp for
42:51 - 42:55

Windows and Mac OS so can you drop your
42:53 - 42:58

privileges after you have opened a file
42:55 - 43:00

for example uh uh so for meos I'm not
42:58 - 43:03

sure but I know that that free BSD net
43:00 - 43:05

BSD and open BSD have an an equivalent
43:03 - 43:08

thing I think uh Macos has it too but
43:05 - 43:10

I'm I'm not sure about that for Windows
43:08 - 43:12

there's are sandboxing methods you can
43:10 - 43:13

look at the Chrome source code for
43:12 - 43:16

example they have a Sandbox it's open
43:13 - 43:19

source you can use that to do this kind
43:16 - 43:22

of thing okay thanks so microphone
43:19 - 43:24

number two except down that's gone so
43:22 - 43:27

microphone number three in that
43:24 - 43:29

case this is four I sorry four four yes
43:27 - 43:32

um will your next talk be about writing
43:29 - 43:34

software secure software in Windows and
43:32 - 43:36

if no uh how much assets would you
43:34 - 43:38

request to compensate for all the
43:36 - 43:42

pain
43:38 - 43:46

no it's not a question of
43:42 - 43:48

money okay uh microphone one um have you
43:46 - 43:49

tried removing unnecessary features from
43:48 - 43:52

open
43:49 - 43:55

SSL uh Yes actually I've I've done this
43:52 - 43:57

pretty pretty early but it's still it's
43:55 - 44:00

still much bigger than my code
43:57 - 44:03

so um for example op SSL has support for
44:00 - 44:05

UDP based TLs but there's a lot of
44:03 - 44:07

shared cyers in there you can remove
44:05 - 44:09

ciphers you don't need and and that
44:07 - 44:12

helps a bit but it's still it's the
44:09 - 44:15

biggest part of the web server by far I
44:12 - 44:18

think there was an internet question was
44:15 - 44:22

there no doesn't look like
44:18 - 44:23

yes no yes no no yes okay uh then
44:22 - 44:27

microphone
44:23 - 44:30

four as someone who is uh connected or
44:27 - 44:32

was connected to an industry which has
44:30 - 44:34

programming programmable
44:32 - 44:38

brakes
44:34 - 44:39

um what is your opinion about things
44:38 - 44:42

like
44:39 - 44:44

mizra well well so there are standards
44:42 - 44:45

in the automotive industry for example
44:44 - 44:48

like misra
44:45 - 44:50

to make sure you write better code and
44:48 - 44:53

it's mostly compliance so they give you
44:50 - 44:55

rules like um you shouldn't use
44:53 - 44:57

recursion in your code for example and
44:55 - 44:59

the functions should would be this big
44:57 - 45:02

at at most and this is more I mean it
44:59 - 45:03

will probably help a bit but it's much
45:02 - 45:06

better to to invest in in good
45:03 - 45:09

architecture but you may have noticed I
45:06 - 45:11

I've said I wrote the code in C and I
45:09 - 45:14

said nothing about what I did to make
45:11 - 45:16

sure it's it's good code so that's
45:14 - 45:18

that's a different dimension that's
45:16 - 45:21

orthogonal right
45:18 - 45:22

so follow those standards it will it
45:21 - 45:25

will make your code a bit better
45:22 - 45:27

probably um but it won't solve all the
45:25 - 45:29

problems and I think personally you
45:27 - 45:31

should do both you should make sure or
45:29 - 45:33

try to make sure that there's as little
45:31 - 45:34

bugs as possible in your code there's
45:33 - 45:36

ways to do that I had to talk about that
45:34 - 45:38

too but after you do that you should
45:36 - 45:40

still have these kind of
45:38 - 45:42

architectural guide guard rails that
45:40 - 45:44

keep you on track even if someone
45:42 - 45:46

manages to take over the
45:44 - 45:47

process so now I think there was an
45:46 - 45:51

internet
45:47 - 45:54

question yes uh the internet is asking
45:51 - 45:56

how would it work to like scale This
45:54 - 45:59

truly impressive security architecture
45:56 - 46:01

up for more use cases and more like
45:59 - 46:05

larger theme or would the theme size and
46:01 - 46:09

the feature keep ruin it yes
46:05 - 46:09

so oh no oh
46:09 - 46:16

[Laughter]
46:12 - 46:16

no well I'm
46:25 - 46:28

sorry
46:28 - 46:37

[Music]
46:38 - 46:41

la

Title:: 37C3 - Writing secure software
Description:: more » « less
Video Language:: English
Duration:: 46:39

	Daniel Liberman edited English, British subtitles for 37C3 - Writing secure software
	Daniel Liberman edited English, British subtitles for 37C3 - Writing secure software
	Daniel Liberman edited English, British subtitles for 37C3 - Writing secure software
	Daniel Liberman edited English, British subtitles for 37C3 - Writing secure software

English, British subtitles

Incomplete

Revisions Compare revisions

Revision 4 Edited

Daniel Liberman
Revision 3 Edited

Daniel Liberman
Revision 2 Edited

Daniel Liberman
Revision 1 Uploaded

Daniel Liberman

	Revision Number	Author	Created
	4	Daniel Liberman
	3	Daniel Liberman
	2	Daniel Liberman
	1	Daniel Liberman

37C3 - Writing secure software

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)