Rooted2020: The day I ruled the world: deceiving software developers through open source software dependencies - Javier Junquera - Carlos Cilleruelo
  1. The day I ruled the world: Deceiving software developers through software libraries. Cybersecurity Group UAH
  2. $ whoami. Javier Junquera Sánchez, cybersecurity researcher & lecturer (javier.junquera@uah.es, @junquera, /in/junquera). Carlos Cilleruelo Rodríguez, cybersecurity researcher (carlos.cilleruelo@uah.es, @carloslannister, /in/carlos-cilleruelo/)
  3. ProTego. https://protego-project.eu/ @protego_project. Research and innovation programme under grant agreement No. 826284
  4. Introduction ➔ Rooted 2019 ➔ Homograph attacks ➔ Deep confusables (dataset)
  5. Introduction
  6. Background ● How many apps have problems with homograph attacks? ● How is developer software dealing with it? ○ IDEs ○ Text editors ○ Programming languages
  7. Background ➔ April 11, 2018 ➔ Still not solved ◆ WhatsApp ◆ Telegram
  8. Bounties?
  9. Twitter
  10. Steam and Facebook
  11. IDEs, Text Editors and Terminals
  12. Why developers?
  13. Nodemon
  14. Nodemon
  15. IDEs, Text Editors and Terminals
  16. Open Source ● OK, I can use it in an IDE, but... ● How could I deliver it? ○ Open source!
  17. Homograph libraries
  18. pip
      pip install git+https://github.com/django/django.git@45dfb3641aa4d9828a7c
  19. GitLab
  20. GitLab
  21. GitHub
  22. Package managers
  23. Uploading libraries
  24. Package creation ➔ NodeJS ◆ package.json
  25. Package creation ➔ Python ◆ setup.py
  26. Package creation ➔ Python ◆ setup.py
  27. Package creation ➔ Python ◆ setup.py
  28. Uploading (description shipped with every test package):
      # NEVER USE THIS DEPENDENCY
      It's a security test. A bad copy of {original_name} for testing homographic vulnerabilities.
  29. Uploading ● We were testing uploading packages ● But then…
  30. Fuzzer ➔ Homographic ➔ Homophonic ➔ Truncation ➔ Permutation ➔ Duplication ➔ Upper/lower characters ➔ Similar characters ➔ "Advanced" ◆ Spaces ◆ LTR/RTL
  31. Fuzzer (one generated sample per mutation: function, input, output, change)
      ➔ change_similar(homográficos, h𝐨mográficos, changing o to b'\xf0\x9d\x90\xa8' (U+1D428))
      ➔ homophonic(homofonicos, houmoufounicous, o sounds like ou)
      ➔ gen_deletions(truncar, tuncar, 0, 1)
      ➔ gen_permutations(permutar, premutar, permuting char at 1)
      ➔ duplicates(duplicar, dupplicar, 2)
      ➔ gen_case(caselogic, caseloGic, 6)
      ➔ add_spaces(spaces, s<U+180E>paces, inserting space b'\xe1\xa0\x8e' (U+180E) at position 1)
      ➔ rtl(ltr, <U+202D>rtl, inserting b'\xe2\x80\xad' (U+202D) at position 0)
  32. Fuzzer. OK..., so what's next? :)
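The eight mutation classes from slides 30 and 31, implemented end to end as an added example. This is my own code, not the DEC-DEV-DEP fuzzer from the talk's GitLab repository: the function names follow the slide, but the homophone and confusable tables, the `fuzz` driver and `show_bytes` are my assumptions, and the tables are deliberately tiny.

```python
"""Package-name mutation fuzzer: one generator per mutation class
named on the slides.  Added example, not the talk's own code; the
lookup tables below are constructed and far from complete."""
from typing import Dict, List

# Constructed tables (assumptions, not taken from the talk).
HOMOPHONES = {"o": "ou", "i": "y", "s": "z", "c": "k", "u": "oo", "ph": "f"}
CONFUSABLES = {"o": ["\U0001d428", "0"],   # MATHEMATICAL BOLD SMALL O (slide 31), digit zero
               "l": ["1", "I"],
               "a": ["\u0430"]}           # CYRILLIC SMALL LETTER A
INVISIBLE_SPACES = ["\u180e", "\u200b"]    # MONGOLIAN VOWEL SEPARATOR (slide 31), ZERO WIDTH SPACE
BIDI_OVERRIDES = ["\u202d", "\u202e"]      # LRO (slide 31), RLO


def gen_deletions(name: str) -> List[str]:
    """Truncation: drop one character at each position."""
    return [name[:i] + name[i + 1:] for i in range(len(name))]


def gen_permutations(name: str) -> List[str]:
    """Permutation: swap each pair of adjacent (different) characters."""
    out = []
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            out.append(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    return out


def duplicates(name: str) -> List[str]:
    """Duplication: repeat one character."""
    return [name[:i + 1] + name[i:] for i in range(len(name))]


def gen_case(name: str) -> List[str]:
    """Upper/lower: flip the case of one letter."""
    return [name[:i] + ch.swapcase() + name[i + 1:]
            for i, ch in enumerate(name) if ch.isalpha()]


def homophonic(name: str) -> List[str]:
    """Homophonic: replace a sound with one that reads the same (all occurrences)."""
    return [name.replace(src, dst) for src, dst in HOMOPHONES.items() if src in name]


def change_similar(name: str) -> List[str]:
    """Similar characters: swap one character for a visually confusable one."""
    out = []
    for i, ch in enumerate(name):
        for alt in CONFUSABLES.get(ch, []):
            out.append(name[:i] + alt + name[i + 1:])
    return out


def add_spaces(name: str) -> List[str]:
    """'Advanced': insert an invisible space-like code point inside the name."""
    return [name[:i] + sp + name[i:]
            for sp in INVISIBLE_SPACES for i in range(1, len(name))]


def rtl(name: str) -> List[str]:
    """'Advanced': prefix a bidi override to the reversed name, so a
    renderer may display the reversed string as the original."""
    return [ov + name[::-1] for ov in BIDI_OVERRIDES]


GENERATORS = {
    "truncation": gen_deletions, "permutation": gen_permutations,
    "duplication": duplicates, "case": gen_case, "homophonic": homophonic,
    "similar": change_similar, "spaces": add_spaces, "rtl": rtl,
}


def fuzz(name: str) -> Dict[str, List[str]]:
    """All candidate names per mutation class, minus the original and duplicates."""
    result: Dict[str, List[str]] = {}
    for kind, gen in GENERATORS.items():
        seen: List[str] = []
        for cand in gen(name):
            if cand != name and cand not in seen:
                seen.append(cand)
        result[kind] = seen
    return result


def show_bytes(cand: str) -> str:
    """Render non-ASCII code points as the UTF-8 escapes slide 31 uses."""
    return "".join(ch if ch.isascii() else repr(ch.encode("utf-8"))[2:-1]
                   for ch in cand)


if __name__ == "__main__":
    for kind, names in fuzz("requests").items():
        sample = show_bytes(names[0]) if names else "-"
        print(f"{kind:12s} {len(names):3d}  e.g. {sample}")
```

Slide 33 says the repositories rejected the Unicode and space classes but accepted everything else without limit, so in practice only the first six generators produced the uploads counted on slides 64 and 65; a real run would cross the generators (a permutation of a truncation) to reach the four-digit counts the fuzzing-results slide reports.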
  33. Uploading ➔ Let's upload everything ◆ Unicode not allowed :( ◆ "Spaces not allowed" ◆ But… everything else: ● No limit, no control :) ◆ Remember academia
  34. Dependencies selection ● Top 10 ○ PyPI ○ npm ● Some we consider complicated to write ○ Who t.f. chose psycopg2-binary?
  35. Packages creation (warning file written by the test package on install):
      You have committed an error installing the dependency `{original_name}`, and have installed `{new_name}`. If `{new_name}` had malicious code, you would have been pwned. This file has been generated by `{new_name}` to warn you, and we have not made any change in your system.
      Fix: you just need to delete the dependency `{new_name}` and install `{original_name}`.
      {new_name} is part of a research project about attacks on dependency names. For more information about it contact javier@junquera.xyz
  36. Telemetry ➔ User profile (root | not) ➔ Package manager (pypi | npm) ➔ Original name ➔ Modified name ➔ OS version ➔ Country, ~city (GDPR: from the IP) ◆ It is difficult asking for consent :)
  37. And once uploaded… Don't worry…
  38-61. Hourly snapshots of incoming telemetry, 00:00 through 23:00 (one slide per hour)
  62. > 800 hours
  63. Goodbye ➔ (Delete | Try to delete) the uploaded packages ➔ Shut down the API ➔ Then we start to study the obtained data
  64. Fuzzing results
      node dependency    names generated      python dependency    names generated
      bootstrap          1449                 python-dateutil      1693
      commander          1068                 botocore             1416
      prop-types         1043                 s3transfer           1052
      express             868                 urllib3              1003
      lodash              811                 requests              950
      request             798                 certifi               947
      moment              758                 psycopg2              862
      chalk               595                 pyyaml                769
      react               580                 pyasn1                600
      async               548                 pip                   441
      debug               520                 six                   361
  65. Infection results
      Attack type              Infections   Ratio
      Truncation               361          43.07%
      Permutation              281          33.53%
      Duplication              115          13.72%
      Homophonic                68           8.11%
      Similar characters        11           1.31%
      Upper/lower characters     2           0.23%
      Total attacks            838         100%
  66. PyPI infection results
      Changed name      Original name     Attack type   Downloads
      pyscopg2          psycopg2          permutation   53
      syx               six               homophonic    44
      nump              numpy             truncation    27
      psycopg-binary    psycopg2-binary   truncation    19
      reqeusts          requests          permutation   18
      psycog2           psycopg2          truncation    14
      urllib3_          urllib3           spaces        12
      pyscopg2-binary   psycopg2-binary   permutation   12
      pycopg2           psycopg2          permutation   12
      psycop2-binary    psycopg2-binary   truncation    11
  67. npm infection results
      Changed name   Original name   Attack type   Downloads
      bootstarp      bootstrap       permutation   35
      bootsrap       bootstrap       truncation    33
      bootstap       bootstrap       truncation    17
      expess         express         truncation    10
      exress         express         truncation     9
      wepback-cli    webpack-cli     homograph      9
      bootstra       bootstrap       truncation     6
      moemnt         moment          permutation    5
      bootstrp       bootstrap       truncation     5
      webpac-cli     webpack-cli     truncation     5
  68. Root?
  69. Root vs non-root installations
  70. WTFs ● npm doesn't allow deletions ● We received requests from packages we didn't upload successfully... ● Our account has "fans" ○ Systems/enterprises monitoring the repositories
  71. WTFs (one telemetry record as received by the API)
      2020-03-05 19:41:17.953363,123.204.x.x,False,pypi,requests,requsets,3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 22:45:29) [MSC v.1916 32 bit (Intel)],Taiwan,Taipei
      How many mirrors are there? What do they mirror? Who manages them?
  72. Reactions ➔ After a looooooot of time we got banned ➔ 1(.5) email(s) ➔ Internet questions ◆ Forum ◆ Stack Overflow
  73. Reactions
  74. Reactions
  75. Reactions
  76. Reactions ➔ BAN! ◆ After 30 days
  77. Report PyPI ➔ Rate limiting?
  78. Report npm
  79. Internal threat hunting inside npm (as the speakers reconstruct it from the 30-day delay)
      if dependencies_uploaded > 1000 {
          sleep(2592000)  # 30 days
          ban()
      }
  80. Demo time!
  81. Demo time! There's a video just in case... BANNED
  82. Code in GitLab: DEC-DEV-DEP https://gitlab.com/ciberseg-uah/public/dec-dev-dep
  83. Conclusions ➔ Repositories don't care ➔ Developers don't read ◆ And we are the first ◆ sudo apt install <tab> <tab>
  84. Recommendations ➔ Disable code execution at install time (like RubyGems does) ➔ Make installing without sudo mandatory ◆ PyPI has developed measures ➔ Identify a library by its developer name as well (like Docker Hub) ➔ Limit the upload rate ➔ Limit users?
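The recommendations above are all aimed at the repositories. The one control the installing side can apply today is a pre-install check that flags a requested name as a likely typo of a well-known package, so a human confirms it before `pip install` runs any setup.py. This is an added example written for this page, not code from the talk, from PyPI or from npm: `POPULAR` is a constructed allow-list standing in for the repository's real top-N list, the distance threshold in `check_name` is an assumption, and `SAMPLE_REQUIREMENTS` is constructed input modelled on the names in the infection tables.

```python
"""Pre-install typosquat check for requirement names.  Added example;
the allow-list, the threshold and the sample input are constructed."""
import re
import unicodedata
from typing import Dict, List

# Constructed allow-list of 'popular' names (assumption; load a real top-N list in practice).
POPULAR = ["requests", "urllib3", "six", "numpy", "psycopg2", "psycopg2-binary",
           "certifi", "pyyaml", "bootstrap", "express", "webpack-cli", "moment"]


def canonical(name: str) -> str:
    """PEP 503 name normalisation plus Unicode compatibility folding, so
    'Requests', 'requests_' and a mathematical-bold 'o' all compare alike."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[-_.]+", "-", folded)


def odd_characters(name: str) -> List[str]:
    """Code points a package name should never carry: anything non-ASCII,
    which covers confusables and bidi/format controls such as U+202D, U+180E."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if not c.isascii()]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    transpose adjacent characters at cost 1 each.  The transposition case
    is what makes 'reqeusts' one edit from 'requests' instead of two."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def check_name(name: str, popular: List[str] = POPULAR) -> Dict[str, object]:
    """Verdict for one requested name: 'ok' or 'suspicious', with the
    closest popular name, its distance and any odd code points."""
    canon = canonical(name)
    odd = odd_characters(name)
    if canon in popular and not odd:
        return {"name": name, "verdict": "ok", "closest": canon, "distance": 0, "odd_chars": []}
    closest, best = None, None
    for p in popular:
        dist = osa_distance(canon, p)
        if best is None or dist < best:
            closest, best = p, dist
    # Assumed threshold: one edit always counts; two edits only for longer names.
    limit = 2 if len(canon) >= 8 else 1
    suspicious = bool(odd) or (best is not None and best <= limit)
    return {"name": name, "verdict": "suspicious" if suspicious else "ok",
            "closest": closest, "distance": best, "odd_chars": odd}


REQ_NAME = re.compile(r"^\s*([^\s=<>!~;\[#]+)")


def check_requirements(text: str) -> List[Dict[str, object]]:
    """Run check_name over every requirement line (comments and pip options skipped)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        match = REQ_NAME.match(line)
        if match:
            findings.append(check_name(match.group(1)))
    return findings


# Constructed sample input: legitimate names mixed with typos of the kind
# the PyPI infection table shows, plus one confusable-character name.
SAMPLE_REQUIREMENTS = """\
requests==2.23.0
reqeusts==2.23.0
psycopg-binary>=2.8
urllib3_
six
syx
numpy
nump
h\U0001d428mographic
"""


def suspicious_names(text: str = SAMPLE_REQUIREMENTS) -> List[str]:
    """Names in the requirements text that a human should confirm before installing."""
    return [str(f["name"]) for f in check_requirements(text) if f["verdict"] == "suspicious"]


if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['verdict']:10s} {f['name']!r:24s} closest={f['closest']} "
              f"distance={f['distance']} odd={f['odd_chars']}")
```

Run it over a requirements file before the install step in CI or in a pre-commit hook; a hit is a question for the developer, not an automatic block. Short names are the weak spot: any three-letter name is one edit from several others, so the threshold is the knob to tune against the allow-list you actually use.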
  85. Acknowledgements. Cybersecurity Group UAH
  86. That's all folks! javier.junquera@uah.es @junquera /in/junquera; carlos.cilleruelo@uah.es @carloslannister /in/carlos-cilleruelo/