Weitere ähnliche Inhalte
Ähnlich wie [CLASS 2014] Palestra Técnica - Jonathan Knudsen (20)
Kürzlich hochgeladen (20)
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
- 1. MANAGING
A
LEGACY
OF
VULNERABILITIES
IN
CONTROL
SYSTEMS
LESSONS
LEARNED
FROM
HEARTBLEED
AND
MORE
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
1
@codenomicon
Jonathan
Knudsen,
Principal
Security
Engineer
November
6,
2014
- 2. CONTENTS
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
2
• Understanding
Heartbleed
• Managing
SoTware
VulnerabiliVes
• Challenges
in
ICS
• What
now?
- 3. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
3
understanding
heartbleed
- 4. TLS
HEARTBEAT
MESSAGE
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
4
Client : Hello, here is a list of cipher suites I can use.
Server : Hello, here is the cipher suite I chose from your list. And
here's an X.509v3 certificate that contains my public key.
Client : Heartbeat: send back my 4 byte message “ABCD”.
Server : ABCD
Client : [Scrutinizes the certificate, checks to make sure it's signed by
a known certificate authority.] Okay, thanks. Here's the
premaster secret, encrypted with your public key. The next thing
I say to you will be encrypted with the session key.
Client : [Encrypted] I'm done with the handshake.
Server : [Decrypts the premaster secret using private key, then generates
the session key.] The next thing I send will be encrypted.
Server : [Encrypted] I'm done with the handshake too.
[Client and server exchange encrypted data.]
- 5. LIAR
LIAR
PANTS
ON
FIRE
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
5
Client : Hello, here is a list of cipher suites I can use.
Server : Hello, here is the cipher suite I chose from your list. And
here's an X.509v3 certificate that contains my public key.
Client : Heartbeat: send back my 36 byte message “ABCD”.
Server : ABCD....5...t.....[.{.....I_.k.I"]..
Client : [Scrutinizes the certificate, checks to make sure it's signed by
a known certificate authority.] Okay, thanks. Here's the
premaster secret, encrypted with your public key. The next thing
I say to you will be encrypted with the session key.
Client : [Encrypted] I'm done with the handshake.
Server : [Decrypts the premaster secret using private key, then generates
the session key.] The next thing I send will be encrypted.
Server : [Encrypted] I'm done with the handshake too.
[Client and server exchange encrypted data.]
- 6. FIND
THE
BUG
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
6
int tls1_process_heartbeat(SSL *s)!
{!
unsigned char *p = &s->s3->rrec.data[0], *pl;!
unsigned short hbtype;!
unsigned int payload;!
unsigned int padding = 16; /* Use minimum padding */!
!
/* Read type and payload length first */!
hbtype = *p++;!
n2s(p, payload);!
pl = p;!
!
if (s->msg_callback)!
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,!
&s->s3->rrec.data[0], s->s3->rrec.length,!
s, s->msg_callback_arg);!
!
if (hbtype == TLS1_HB_REQUEST)!
{!
unsigned char *buffer, *bp;!
int r;!
!
/* Allocate memory for the response, size is 1 bytes!
* message type, plus 2 bytes payload length, plus!
* payload, plus padding!
*/!
buffer = OPENSSL_malloc(1 + 2 + payload + padding);!
bp = buffer;!
!
/* Enter response type, length and copy payload */!
*bp++ = TLS1_HB_RESPONSE;!
s2n(payload, bp);!
memcpy(bp, pl, payload);!
bp += payload;!
/* Random padding */!
RAND_pseudo_bytes(bp, padding);!
!
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);!
!
- 7. FIND
THE
BUG
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
7
int tls1_process_heartbeat(SSL *s)!
{!
unsigned char *p = &s->s3->rrec.data[0], *pl;!
unsigned short hbtype;!
unsigned int payload;!
unsigned int padding = 16; /* Use minimum padding */!
!
/* Read type and payload length first */!
hbtype = *p++;!
n2s(p, payload);!
pl = p;!
!
if (s->msg_callback)!
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,!
&s->s3->rrec.data[0], s->s3->rrec.length,!
s, s->msg_callback_arg);!
!
if (hbtype == TLS1_HB_REQUEST)!
{!
unsigned char *buffer, *bp;!
int r;!
!
/* Allocate memory for the response, size is 1 bytes!
* message type, plus 2 bytes payload length, plus!
* payload, plus padding!
*/!
buffer = OPENSSL_malloc(1 + 2 + payload + padding);!
bp = buffer;!
!
/* Enter response type, length and copy payload */!
*bp++ = TLS1_HB_RESPONSE;!
s2n(payload, bp);!
memcpy(bp, pl, payload);!
bp += payload;!
/* Random padding */!
RAND_pseudo_bytes(bp, padding);!
!
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);!
!
payload
is
the
length
reported
by
the
client
Allocate
a
buffer
with
the
claimed
size
Copy
payload
bytes
- 8. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
8
IMPACT
• h_p://heartbleed.com
• Serious
vulnerability
in
OpenSSL
1.0.1
–
1.0.1f,
and
1.0.2beta
• Wandered
the
wild
from
March
2012
unVl
April
2014
• Found
independently
by
Codenomicon
and
Neel
Mehta
of
Google
security
team
(who
first
reported
it
to
OpenSSL)
• We
were
working
on
staged
responsible
vulnerability
disclosure
with
CERT.FI
when
OpenSSL
went
public.
We
published
our
Q&A.
• By
the
numbers:
• Apache
&
NGINX
have
about
60%
market
share
according
to
NetcraT.
Most
of
these
likely
using
OpenSSL
for
TLS/SSL.
• 630
of
top
10k
sites
vulnerable
on
April
8th,
750k
globally
h_ps://github.com/musalbas/heartbleed-‐masstest/
- 9. HOW
DO
WE
FIND
THE
NEXT
HEARTBLEED?
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
9
1. Be_er
tesVng
2. Be_er
tesVng
3. Be_er
tesVng
• Builders,
use
a
secure
development
life
cycle
• Buyers,
test
more
thoroughly
and
demand
be_er
products
- 10. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
10
managing
soTware
vulnerabiliVes
- 11. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
11
DOES
THIS
SOFTWARE
MAKE
MY
ATTACK
SURFACE
LOOK
FAT?
- 12. SOFTWARE
VULNERABILITIES
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
12
• Design
vulnerabiliVes
• ConfiguraVon
vulnerabiliVes
• Code
vulnerabiliVes
• To
improve
security,
find
and
fix
as
many
vulnerabiliVes
as
you
can
• You
will
never
find
all
of
them
• Using
resources
efficiently
puts
you
ahead
of
the
curve
- 13. HUMAN
HUNTERS
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
13
• Design
vulnerabiliVes
• ConfiguraVon
vulnerabiliVes
• Code
vulnerabiliVes
- 14. WHERE
MACHINES
CAN
HELP
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
14
• Design
vulnerabiliVes
• ConfiguraVon
vulnerabiliVes
• Code
vulnerabiliVes
- 15. AUTOMATED
VULNERABILITY
TOOLS
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
15
• Source
code
analysis
• You
need
the
source
code
• False
posiVves
• StaVc
binary
analysis
• Find
libraries,
vulnerabiliVes,
licenses
• Fuzz
tesVng
• Can
be
black
box
tesVng
• Be_er
to
use
various
target
instrumentaVon
tools:
Asan,
Valgrind
memcheck,
etc.
• Add
behavior
analysis:
this
is
how
we
found
Heartbleed
- 16. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
16
challenges
in
ics
- 17. IT’S
ALL
SOFTWARE
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
17
• Pre_y
much
the
same
problems
as
everywhere
else
• Up
unVl
now,
an
industry
focused
on
funcVonality
• Now
everything
is
going
on
IP
networks
• Network
was
perceived
as
trustworthy
• Can’t
trust
the
network,
remote
a_acks
are
relaVvely
easy
• Long
product
lifeVmes
• Patching
is
expensive
and
difficult
• Makes
security
and
robustness
even
more
important
- 18. ICS
PROTOCOLS
–
DEFENSICS
TEST
SUITES
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
18
• 61850/GOOSE/SV
• 61850/MMS
client
• 61850/MMS
server
• 60870-‐5-‐104
client
• 60870-‐5-‐104
server
• DNP3
client
• DNP3
server
• CIP
Ethernet/IP
• Modbus
master
• Modbus
slave
• Profinet
DCP
server
(PLC)
• And
>260
more…
• HTTP
• TLS
• IPv4
/
IPv6
• SSH2
• XML
• …
- 19. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
19
what
now?
- 20. WHAT
NOW?
©
2014
All
Rights
Reserved
6-‐Nov-‐2014
20
• Builders
must
adopt
a
secure
development
life
cycle
• Security
is
part
of
every
phase:
design,
implementaVon,
tesVng,
release
• Use
automated
tools
whenever
possible
• Buyers:
• Ask
for
more
from
your
builders
• Specific
types
of
tesVng
• For
example:
Fuzz
Tes*ng
Maturity
Model
(h_p://www.codenomicon.com/Tmm/)
• Verify
using
available
tools
• Binary
analysis
• Fuzzing
- 21. ©
2014
All
Rights
Reserved
6-‐Nov-‐2014
21
thank
you
Jonathan
Knudsen
Principal
Security
Engineer
jonathan@codenomicon.com