MANAGING A LEGACY OF VULNERABILITIES IN CONTROL SYSTEMS
LESSONS LEARNED FROM HEARTBLEED AND MORE
© 2014 All Rights Reserved, 6-Nov-2014
@codenomicon
Jonathan Knudsen, Principal Security Engineer
November 6, 2014
CONTENTS
• Understanding Heartbleed
• Managing Software Vulnerabilities
• Challenges in ICS
• What now?
understanding heartbleed
TLS HEARTBEAT MESSAGE
Client : Hello, here is a list of cipher suites I can use. 
Server : Hello, here is the cipher suite I chose from your list. And 
here's an X.509v3 certificate that contains my public key. 
Client : Heartbeat: send back my 4 byte message “ABCD”. 
Server : ABCD 
Client : [Scrutinizes the certificate, checks to make sure it's signed by 
a known certificate authority.] Okay, thanks. Here's the 
premaster secret, encrypted with your public key. The next thing 
I say to you will be encrypted with the session key. 
Client : [Encrypted] I'm done with the handshake. 
Server : [Decrypts the premaster secret using private key, then generates 
the session key.] The next thing I send will be encrypted. 
Server : [Encrypted] I'm done with the handshake too. 
[Client and server exchange encrypted data.]
LIAR LIAR PANTS ON FIRE
Client : Hello, here is a list of cipher suites I can use. 
Server : Hello, here is the cipher suite I chose from your list. And 
here's an X.509v3 certificate that contains my public key. 
Client : Heartbeat: send back my 36 byte message “ABCD”. 
Server : ABCD....5...t.....[.{.....I_.k.I"].. 
Client : [Scrutinizes the certificate, checks to make sure it's signed by 
a known certificate authority.] Okay, thanks. Here's the 
premaster secret, encrypted with your public key. The next thing 
I say to you will be encrypted with the session key. 
Client : [Encrypted] I'm done with the handshake. 
Server : [Decrypts the premaster secret using private key, then generates 
the session key.] The next thing I send will be encrypted. 
Server : [Encrypted] I'm done with the handshake too. 
[Client and server exchange encrypted data.]
FIND THE BUG

int tls1_process_heartbeat(SSL *s)
{
    unsigned char *p = &s->s3->rrec.data[0], *pl;
    unsigned short hbtype;
    unsigned int payload;
    unsigned int padding = 16; /* Use minimum padding */

    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;

    if (s->msg_callback)
        s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
            &s->s3->rrec.data[0], s->s3->rrec.length,
            s, s->msg_callback_arg);

    if (hbtype == TLS1_HB_REQUEST)
    {
        unsigned char *buffer, *bp;
        int r;

        /* Allocate memory for the response, size is 1 bytes
         * message type, plus 2 bytes payload length, plus
         * payload, plus padding
         */
        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
        bp = buffer;

        /* Enter response type, length and copy payload */
        *bp++ = TLS1_HB_RESPONSE;
        s2n(payload, bp);
        memcpy(bp, pl, payload);
        bp += payload;
        /* Random padding */
        RAND_pseudo_bytes(bp, padding);

        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
FIND THE BUG (annotated)

The same function, with the three lines that matter called out:

    n2s(p, payload);                                      payload is the length reported by the client
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);   Allocate a buffer with the claimed size
    memcpy(bp, pl, payload);                              Copy payload bytes

Nothing compares the claimed payload length with the length of the record that was actually received, so memcpy reads past the end of the request into whatever heap memory follows it, and that memory goes back to the client in the response.
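As an added example, not OpenSSL's code, here is a stand-alone C model of the handler above with the two length checks that the Heartbleed fix added in front of the copy. The record layout (type, 2-byte length, payload, 16 bytes padding), the HB_* constants and the two sample requests are constructed for this example; a real record also carries a TLS record header, which is omitted here.

```c
/* Added example: the heartbeat handler from the slide, as a self-contained
 * function over a plain byte buffer, with the bounds checks the fix added.
 * Constructed record layout: [type:1][payload_length:2 big-endian][payload][padding] */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1     /* TLS1_HB_REQUEST on the slide */
#define HB_RESPONSE 2     /* TLS1_HB_RESPONSE on the slide */
#define HB_PADDING  16    /* "Use minimum padding" */

/* n2s / s2n as in the slide: 16-bit big-endian length in and out. */
static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Build the response for one heartbeat record of rec_len bytes into out.
 * Returns the response length, 0 if the record is not a request, or -1 if
 * the record is too short or the claimed payload does not fit inside it
 * (the case the slide's code never checks). */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    /* Check 1 (from the fix): header plus minimum padding must be present. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;

    unsigned char hbtype = rec[0];             /* hbtype = *p++ */
    uint16_t payload = n2s(rec + 1);           /* n2s(p, payload) */
    const unsigned char *pl = rec + 3;         /* pl = p */

    /* Check 2 (from the fix): the claimed payload plus padding must fit in
     * the record. Without it, a 4-byte message claiming 36 bytes makes the
     * memcpy below read 32 bytes beyond the request. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return 0;

    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;                       /* response type */
    s2n(payload, bp); bp += 2;                 /* echoed length */
    memcpy(bp, pl, payload);                   /* now provably inside rec */
    bp += payload;
    memset(bp, 0xAA, HB_PADDING);              /* stand-in for RAND_pseudo_bytes() */
    return (int)resp_len;
}

/* Constructed request: honest 4-byte "ABCD" payload plus 16 bytes padding. */
static const unsigned char HONEST_REQ[] = {
    HB_REQUEST, 0x00, 0x04, 'A', 'B', 'C', 'D',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same bytes on the wire, but the length field claims 36 payload bytes. */
static const unsigned char LYING_REQ[] = {
    HB_REQUEST, 0x00, 0x24, 'A', 'B', 'C', 'D',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    unsigned char out[64];
    int n = process_heartbeat(HONEST_REQ, sizeof HONEST_REQ, out, sizeof out);
    printf("honest request -> %d-byte response, payload %.4s\n", n, out + 3);
    n = process_heartbeat(LYING_REQ, sizeof LYING_REQ, out, sizeof out);
    printf("lying request  -> %s\n", n < 0 ? "rejected, no response" : "answered");
    return 0;
}
```

With the checks in place the lying request is dropped; remove them and the same call reads 32 bytes past LYING_REQ, which is exactly what the slide's code does.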
IMPACT
• http://heartbleed.com
• Serious vulnerability in OpenSSL 1.0.1 – 1.0.1f, and 1.0.2beta
• Wandered the wild from March 2012 until April 2014
• Found independently by Codenomicon and Neel Mehta of the Google security team (who first reported it to OpenSSL)
• We were working on staged responsible vulnerability disclosure with CERT.FI when OpenSSL went public. We published our Q&A.
• By the numbers:
  • Apache & NGINX have about 60% market share according to Netcraft. Most of these are likely using OpenSSL for TLS/SSL.
  • 630 of the top 10k sites were vulnerable on April 8th, 750k globally (https://github.com/musalbas/heartbleed-masstest/)
HOW DO WE FIND THE NEXT HEARTBLEED?
1. Better testing
2. Better testing
3. Better testing
• Builders, use a secure development life cycle
• Buyers, test more thoroughly and demand better products
managing software vulnerabilities
DOES THIS SOFTWARE MAKE MY ATTACK SURFACE LOOK FAT?
SOFTWARE VULNERABILITIES
• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities
• To improve security, find and fix as many vulnerabilities as you can
• You will never find all of them
• Using resources efficiently puts you ahead of the curve
HUMAN HUNTERS
• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities
WHERE MACHINES CAN HELP
• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities
AUTOMATED VULNERABILITY TOOLS
• Source code analysis
  • You need the source code
  • False positives
• Static binary analysis
  • Find libraries, vulnerabilities, licenses
• Fuzz testing
  • Can be black box testing
  • Better to use various target instrumentation tools: ASan, Valgrind memcheck, etc.
  • Add behavior analysis: this is how we found Heartbleed
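The behavior analysis the last bullet refers to is the kind of check a fuzzer can run on black-box targets without any instrumentation: compare what was actually sent with what came back. The oracle below is an added example written for this deck, not Codenomicon's or Defensics' own code; the verdict names, the sent_request bookkeeping and the three constructed target responses (unpatched, patched, honest control) are assumptions made here.

```c
/* Added example: a test-side oracle for heartbeat traffic. The fuzzer knows
 * the payload bytes it really put on the wire and the length it claimed in
 * the header; a target that echoes more bytes than it was sent is handing
 * back its own memory, regardless of what any log says. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_RESPONSE 2

enum verdict { HB_OK = 0, HB_DROPPED, HB_MALFORMED, HB_MISMATCH, HB_BLEED };

/* Bookkeeping for one request the fuzzer sent (constructed struct). */
struct sent_request {
    const unsigned char *payload;   /* bytes actually placed after the header */
    size_t payload_len;
    uint16_t claimed_len;           /* what the 2-byte length field said */
};

/* Judge the response to req. resp/resp_len are the bytes read back
 * (resp_len == 0: nothing came back). On HB_BLEED, *leaked is the number of
 * payload bytes returned that were never sent, i.e. the target's own memory. */
enum verdict judge_heartbeat(const struct sent_request *req,
                             const unsigned char *resp, size_t resp_len,
                             size_t *leaked)
{
    *leaked = 0;
    if (resp_len == 0)
        return HB_DROPPED;               /* patched OpenSSL silently drops bad lengths */
    if (resp_len < 3 || resp[0] != HB_RESPONSE)
        return HB_MALFORMED;

    uint16_t resp_claimed = (uint16_t)((resp[1] << 8) | resp[2]);
    size_t resp_body = resp_len - 3;     /* echoed payload plus padding on the wire */
    size_t echoed = resp_claimed < resp_body ? resp_claimed : resp_body;

    /* Whatever was echoed must begin with what we sent. */
    size_t common = echoed < req->payload_len ? echoed : req->payload_len;
    if (memcmp(resp + 3, req->payload, common) != 0)
        return HB_MISMATCH;

    /* The behaviour that gave Heartbleed away: more came back than went in. */
    if (echoed > req->payload_len) {
        *leaked = echoed - req->payload_len;
        return HB_BLEED;
    }
    return HB_OK;
}

/* Constructed traffic. The fuzzed request carries "ABCD" but claims 36 bytes. */
static const unsigned char PAYLOAD[4] = { 'A', 'B', 'C', 'D' };

/* Unpatched target: ABCD, 32 bytes from its heap, 16 bytes padding. */
static size_t build_leaky_response(unsigned char *buf)
{
    buf[0] = HB_RESPONSE; buf[1] = 0; buf[2] = 36;
    memcpy(buf + 3, PAYLOAD, 4);
    memset(buf + 3 + 4, 0x5a, 32);       /* constructed stand-in for leaked heap bytes */
    memset(buf + 3 + 36, 0x00, 16);      /* padding */
    return 3 + 36 + 16;
}

enum verdict check_unpatched_target(size_t *leaked)
{
    struct sent_request req = { PAYLOAD, 4, 36 };   /* lying length field */
    unsigned char resp[64];
    size_t n = build_leaky_response(resp);
    return judge_heartbeat(&req, resp, n, leaked);
}

enum verdict check_patched_target(size_t *leaked)
{
    struct sent_request req = { PAYLOAD, 4, 36 };   /* same request, no answer */
    return judge_heartbeat(&req, NULL, 0, leaked);
}

enum verdict check_honest_exchange(size_t *leaked)
{
    struct sent_request req = { PAYLOAD, 4, 4 };    /* truthful length field */
    unsigned char resp[3 + 4 + 16] = { HB_RESPONSE, 0, 4, 'A', 'B', 'C', 'D' };
    return judge_heartbeat(&req, resp, sizeof resp, leaked);
}

int main(void)
{
    static const char *names[] = { "ok", "dropped", "malformed", "mismatch", "BLEED" };
    size_t leaked;
    enum verdict v = check_unpatched_target(&leaked);
    printf("unpatched target: %s, %zu bytes leaked\n", names[v], leaked);
    v = check_patched_target(&leaked);
    printf("patched target:   %s\n", names[v]);
    v = check_honest_exchange(&leaked);
    printf("honest exchange:  %s\n", names[v]);
    return 0;
}
```

The same comparison generalises to any echo-style protocol message: record what went out, parse what came back, and treat any surplus as a finding even when the target never crashes.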
challenges in ICS
IT’S ALL SOFTWARE
• Pretty much the same problems as everywhere else
• Up until now, an industry focused on functionality
• Now everything is going on IP networks
  • Network was perceived as trustworthy
  • Can’t trust the network, remote attacks are relatively easy
• Long product lifetimes
  • Patching is expensive and difficult
  • Makes security and robustness even more important
ICS PROTOCOLS – DEFENSICS TEST SUITES
• 61850/GOOSE/SV
• 61850/MMS client
• 61850/MMS server
• 60870-5-104 client
• 60870-5-104 server
• DNP3 client
• DNP3 server
• CIP Ethernet/IP
• Modbus master
• Modbus slave
• Profinet DCP server (PLC)
• And >260 more…
• HTTP
• TLS
• IPv4 / IPv6
• SSH2
• XML
• …
what now?
WHAT NOW?
• Builders must adopt a secure development life cycle
  • Security is part of every phase: design, implementation, testing, release
  • Use automated tools whenever possible
• Buyers:
  • Ask for more from your builders
    • Specific types of testing
    • For example: Fuzz Testing Maturity Model (http://www.codenomicon.com/ftmm/)
  • Verify using available tools
    • Binary analysis
    • Fuzzing
thank you
Jonathan Knudsen, Principal Security Engineer
jonathan@codenomicon.com
[CLASS 2014] Technical Talk - Jonathan Knudsen

Weitere ähnliche Inhalte

Was ist angesagt?

BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
Xavier Ashe
 

Was ist angesagt? (20)

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at Notacon on April 12, 2014
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat v18 || Linear time shellcode detection using state machines and opera...
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 

Ähnlich wie [CLASS 2014] Palestra Técnica - Jonathan Knudsen

Ähnlich wie [CLASS 2014] Palestra Técnica - Jonathan Knudsen (20)

Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
44cafe heart bleed
44cafe heart bleed44cafe heart bleed
44cafe heart bleed
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013wolfSSL Year In Review, 2013
wolfSSL Year In Review, 2013
 
Wireless LAN Security Fundamentals #AirheadsConf Italy
Wireless LAN Security Fundamentals #AirheadsConf ItalyWireless LAN Security Fundamentals #AirheadsConf Italy
Wireless LAN Security Fundamentals #AirheadsConf Italy
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
computer-security-and-cryptography-a-simple-presentation
computer-security-and-cryptography-a-simple-presentationcomputer-security-and-cryptography-a-simple-presentation
computer-security-and-cryptography-a-simple-presentation
 
Security intermediate practical cryptography_certs_and 802.1_x_rich langston...
Security intermediate  practical cryptography_certs_and 802.1_x_rich langston...Security intermediate  practical cryptography_certs_and 802.1_x_rich langston...
Security intermediate practical cryptography_certs_and 802.1_x_rich langston...
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails application
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
06 protocols2
06 protocols206 protocols2
06 protocols2
 
Here Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New WorldHere Be Dragons: Security Maps of the Container New World
Here Be Dragons: Security Maps of the Container New World
 

Mehr von TI Safe

Mehr von TI Safe (20)

CLASS 2022 - Luiz Fernando Roth e Matheus Tourinho - Ataques Cibernéticos a A...
CLASS 2022 - Luiz Fernando Roth e Matheus Tourinho - Ataques Cibernéticos a A...CLASS 2022 - Luiz Fernando Roth e Matheus Tourinho - Ataques Cibernéticos a A...
CLASS 2022 - Luiz Fernando Roth e Matheus Tourinho - Ataques Cibernéticos a A...
 
CLASS 2022 - Júlio Omori (COPEL) e Tânia Marques (consultora independente) - ...
CLASS 2022 - Júlio Omori (COPEL) e Tânia Marques (consultora independente) - ...CLASS 2022 - Júlio Omori (COPEL) e Tânia Marques (consultora independente) - ...
CLASS 2022 - Júlio Omori (COPEL) e Tânia Marques (consultora independente) - ...
 
CLASS 2022 - Rodrigo Riella (Lactec) e Claudio Hermeling (TI Safe) - A impor...
 CLASS 2022 - Rodrigo Riella (Lactec) e Claudio Hermeling (TI Safe) - A impor... CLASS 2022 - Rodrigo Riella (Lactec) e Claudio Hermeling (TI Safe) - A impor...
CLASS 2022 - Rodrigo Riella (Lactec) e Claudio Hermeling (TI Safe) - A impor...
 
CLASS 2022 - Thiago Branquinho (TI Safe) - Como implementar e certificar um S...
CLASS 2022 - Thiago Branquinho (TI Safe) - Como implementar e certificar um S...CLASS 2022 - Thiago Branquinho (TI Safe) - Como implementar e certificar um S...
CLASS 2022 - Thiago Branquinho (TI Safe) - Como implementar e certificar um S...
 
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
CLASS 2022 - Sergio Sevileanu (Siemens) e Felipe Coelho (Claroty) - Habilitan...
 
CLASS 2022 - Eduardo Valério (Ternium) - Uma década de cibersegurança em OT, ...
CLASS 2022 - Eduardo Valério (Ternium) - Uma década de cibersegurança em OT, ...CLASS 2022 - Eduardo Valério (Ternium) - Uma década de cibersegurança em OT, ...
CLASS 2022 - Eduardo Valério (Ternium) - Uma década de cibersegurança em OT, ...
 
CLASS 2022 - Felipe Jordão (Palo Alto Networks) - Boas práticas de operações ...
CLASS 2022 - Felipe Jordão (Palo Alto Networks) - Boas práticas de operações ...CLASS 2022 - Felipe Jordão (Palo Alto Networks) - Boas práticas de operações ...
CLASS 2022 - Felipe Jordão (Palo Alto Networks) - Boas práticas de operações ...
 
CLASS 2022 - Abilio Franco e Bryan Rivera (Thales) - Privacidade de dados e c...
CLASS 2022 - Abilio Franco e Bryan Rivera (Thales) - Privacidade de dados e c...CLASS 2022 - Abilio Franco e Bryan Rivera (Thales) - Privacidade de dados e c...
CLASS 2022 - Abilio Franco e Bryan Rivera (Thales) - Privacidade de dados e c...
 
CLASS 2022 - Roberto Engler Jr. (IBM) - Gestão e monitoramento de alto nível ...
CLASS 2022 - Roberto Engler Jr. (IBM) - Gestão e monitoramento de alto nível ...CLASS 2022 - Roberto Engler Jr. (IBM) - Gestão e monitoramento de alto nível ...
CLASS 2022 - Roberto Engler Jr. (IBM) - Gestão e monitoramento de alto nível ...
 
CLASS 2022 - Maiko Oliveira (Microsoft) - Convergência TO E TI, proteção tota...
CLASS 2022 - Maiko Oliveira (Microsoft) - Convergência TO E TI, proteção tota...CLASS 2022 - Maiko Oliveira (Microsoft) - Convergência TO E TI, proteção tota...
CLASS 2022 - Maiko Oliveira (Microsoft) - Convergência TO E TI, proteção tota...
 
Vitor Sena e Daniel Quintão (Gerdau) - Projeto, implantação, gestão e monitor...
Vitor Sena e Daniel Quintão (Gerdau) - Projeto, implantação, gestão e monitor...Vitor Sena e Daniel Quintão (Gerdau) - Projeto, implantação, gestão e monitor...
Vitor Sena e Daniel Quintão (Gerdau) - Projeto, implantação, gestão e monitor...
 
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
CLASS 2022 - Marty Edwards (Tenable) - O perigo crescente de ransomware crimi...
 
CLASS 2022 - Júlio Cezar de Oliveira (Hitachi Energy) - Cibersegurança na era...
CLASS 2022 - Júlio Cezar de Oliveira (Hitachi Energy) - Cibersegurança na era...CLASS 2022 - Júlio Cezar de Oliveira (Hitachi Energy) - Cibersegurança na era...
CLASS 2022 - Júlio Cezar de Oliveira (Hitachi Energy) - Cibersegurança na era...
 
CLASS 2022 - Denis Sousa, Abner Bueno e Eduardo Pontes (Norte Energia) - Anál...
CLASS 2022 - Denis Sousa, Abner Bueno e Eduardo Pontes (Norte Energia) - Anál...CLASS 2022 - Denis Sousa, Abner Bueno e Eduardo Pontes (Norte Energia) - Anál...
CLASS 2022 - Denis Sousa, Abner Bueno e Eduardo Pontes (Norte Energia) - Anál...
 
CLASS 2022 - Nycholas Szucko (Nozomi Networks) - Antifragilidade Cibernética ...
CLASS 2022 - Nycholas Szucko (Nozomi Networks) - Antifragilidade Cibernética ...CLASS 2022 - Nycholas Szucko (Nozomi Networks) - Antifragilidade Cibernética ...
CLASS 2022 - Nycholas Szucko (Nozomi Networks) - Antifragilidade Cibernética ...
 
CLASS 2022 - Gustavo Merighi (Energisa) e Alessandro Moretti (Thales) - O Des...
CLASS 2022 - Gustavo Merighi (Energisa) e Alessandro Moretti (Thales) - O Des...CLASS 2022 - Gustavo Merighi (Energisa) e Alessandro Moretti (Thales) - O Des...
CLASS 2022 - Gustavo Merighi (Energisa) e Alessandro Moretti (Thales) - O Des...
 
CLASS 2022 - Marcelo Branquinho (TI Safe) - Ameaças Modernas e Ataques às red...
CLASS 2022 - Marcelo Branquinho (TI Safe) - Ameaças Modernas e Ataques às red...CLASS 2022 - Marcelo Branquinho (TI Safe) - Ameaças Modernas e Ataques às red...
CLASS 2022 - Marcelo Branquinho (TI Safe) - Ameaças Modernas e Ataques às red...
 
Webinar cci por que nao se deve contratar so cs de ti hibridos para proteg...
Webinar cci    por que nao se deve contratar so cs de ti hibridos para proteg...Webinar cci    por que nao se deve contratar so cs de ti hibridos para proteg...
Webinar cci por que nao se deve contratar so cs de ti hibridos para proteg...
 
Retrospectiva
RetrospectivaRetrospectiva
Retrospectiva
 
Pacote TI Safe ONS Ready v1
Pacote TI Safe ONS Ready v1Pacote TI Safe ONS Ready v1
Pacote TI Safe ONS Ready v1
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

[CLASS 2014] Palestra Técnica - Jonathan Knudsen

  • 1. MANAGING A LEGACY OF VULNERABILITIES IN CONTROL SYSTEMS LESSONS LEARNED FROM HEARTBLEED AND MORE © 2014 All Rights Reserved 6-­‐Nov-­‐2014 1 @codenomicon Jonathan Knudsen, Principal Security Engineer November 6, 2014
  • 2. CONTENTS © 2014 All Rights Reserved 6-­‐Nov-­‐2014 2 • Understanding Heartbleed • Managing SoTware VulnerabiliVes • Challenges in ICS • What now?
  • 3. © 2014 All Rights Reserved 6-­‐Nov-­‐2014 3 understanding heartbleed
  • 4. TLS HEARTBEAT MESSAGE © 2014 All Rights Reserved 6-­‐Nov-­‐2014 4 Client : Hello, here is a list of cipher suites I can use. Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key. Client : Heartbeat: send back my 4 byte message “ABCD”. Server : ABCD Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key. Client : [Encrypted] I'm done with the handshake. Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted. Server : [Encrypted] I'm done with the handshake too. [Client and server exchange encrypted data.]
  • 5. LIAR LIAR PANTS ON FIRE © 2014 All Rights Reserved 6-­‐Nov-­‐2014 5 Client : Hello, here is a list of cipher suites I can use. Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key. Client : Heartbeat: send back my 36 byte message “ABCD”. Server : ABCD....5...t.....[.{.....I_.k.I"].. Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key. Client : [Encrypted] I'm done with the handshake. Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted. Server : [Encrypted] I'm done with the handshake too. [Client and server exchange encrypted data.]
  • 6. FIND THE BUG © 2014 All Rights Reserved 6-­‐Nov-­‐2014 6 int tls1_process_heartbeat(SSL *s)! {! unsigned char *p = &s->s3->rrec.data[0], *pl;! unsigned short hbtype;! unsigned int payload;! unsigned int padding = 16; /* Use minimum padding */! ! /* Read type and payload length first */! hbtype = *p++;! n2s(p, payload);! pl = p;! ! if (s->msg_callback)! s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,! &s->s3->rrec.data[0], s->s3->rrec.length,! s, s->msg_callback_arg);! ! if (hbtype == TLS1_HB_REQUEST)! {! unsigned char *buffer, *bp;! int r;! ! /* Allocate memory for the response, size is 1 bytes! * message type, plus 2 bytes payload length, plus! * payload, plus padding! */! buffer = OPENSSL_malloc(1 + 2 + payload + padding);! bp = buffer;! ! /* Enter response type, length and copy payload */! *bp++ = TLS1_HB_RESPONSE;! s2n(payload, bp);! memcpy(bp, pl, payload);! bp += payload;! /* Random padding */! RAND_pseudo_bytes(bp, padding);! ! r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);! !
  • 7. FIND THE BUG (same code as slide 6, with the three callouts from the slide placed next to the lines they point at)
    int tls1_process_heartbeat(SSL *s)
    {
        unsigned char *p = &s->s3->rrec.data[0], *pl;
        unsigned short hbtype;
        unsigned int payload;
        unsigned int padding = 16; /* Use minimum padding */

        /* Read type and payload length first */
        hbtype = *p++;
        n2s(p, payload);                       /* <-- payload is the length reported by the client */
        pl = p;

        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);

        if (hbtype == TLS1_HB_REQUEST)
        {
            unsigned char *buffer, *bp;
            int r;

            /* Allocate memory for the response, size is 1 bytes
             * message type, plus 2 bytes payload length, plus
             * payload, plus padding
             */
            buffer = OPENSSL_malloc(1 + 2 + payload + padding);   /* <-- Allocate a buffer with the claimed size */
            bp = buffer;

            /* Enter response type, length and copy payload */
            *bp++ = TLS1_HB_RESPONSE;
            s2n(payload, bp);
            memcpy(bp, pl, payload);           /* <-- Copy payload bytes */
            bp += payload;
            /* Random padding */
            RAND_pseudo_bytes(bp, padding);

            r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
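    The slide-6 function trusts the two-byte length the peer sends and never compares it with the size of the record it actually received, which is why a request that claims 36 bytes but carries 4 gets 32 bytes of adjacent heap copied into the reply. The block below is an added example written for this page, not OpenSSL's code: it is a stand-alone heartbeat handler with the same shape as the slide, plus the one check that the OpenSSL fix added (the claimed payload plus header and padding must fit inside the received record). The constant names (HB_REQUEST, HB_RESPONSE, HB_PADDING), the status codes, the buffer layout and the "ABCD" sample record are all assumptions made for the illustration. The final helper feeds every claimed length from 0 upward into the handler, the kind of malformed input a fuzzer generates, and counts how many are accepted.

```c
/* Added example (not OpenSSL's code): a bounds-checked heartbeat handler in
 * the shape of the slide-6 function, with the length check the vulnerable
 * version lacks. Names, constants and buffer layout are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1    /* plays the role of TLS1_HB_REQUEST */
#define HB_RESPONSE  2    /* plays the role of TLS1_HB_RESPONSE */
#define HB_PADDING   16   /* minimum padding, as on the slide */

enum hb_status {
    HB_OK           =  0,
    HB_ERR_SHORT    = -1,  /* record too short for type + length + padding */
    HB_ERR_TOO_LONG = -2,  /* claimed payload does not fit: the Heartbleed case */
    HB_ERR_TYPE     = -3,  /* not a heartbeat request */
    HB_ERR_NOSPACE  = -4   /* caller's response buffer too small */
};

/* 16-bit big-endian read, what OpenSSL's n2s() macro does. */
static unsigned read_u16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Process one heartbeat record rec[0..rec_len) and write the reply to out.
 * rec_len is the number of bytes actually received from the peer; the
 * vulnerable code never compared the claimed payload length against it. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return HB_ERR_SHORT;

    unsigned char hbtype = rec[0];
    unsigned payload = read_u16(rec + 1);     /* length claimed by the peer */
    const unsigned char *pl = rec + 3;

    /* The fix: header + claimed payload + padding must lie inside the bytes
     * we actually hold. A claim of 36 with 4 bytes sent is rejected here
     * instead of being satisfied from adjacent heap memory. */
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return HB_ERR_TOO_LONG;
    if (hbtype != HB_REQUEST)
        return HB_ERR_TYPE;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return HB_ERR_NOSPACE;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);             /* now guaranteed to stay inside rec */
    memset(out + 3 + payload, 0, HB_PADDING); /* stand-in for random padding */
    *out_len = resp_len;
    return HB_OK;
}

/* Build a request record that claims `claimed` payload bytes but carries `actual`. */
size_t build_request(unsigned char *rec, size_t cap, unsigned claimed,
                     const unsigned char *payload, size_t actual)
{
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > cap || claimed > 0xffff)
        return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    return len;
}

/* The exchanges on slides 4 and 5: the constructed 4-byte message "ABCD"
 * sent with claimed length `claimed`. Returns the handler's status. */
int heartbeat_reply(unsigned claimed, unsigned char *resp, size_t cap, size_t *resp_len)
{
    static const unsigned char msg[4] = { 'A', 'B', 'C', 'D' };  /* constructed sample */
    unsigned char rec[64];
    size_t rec_len = build_request(rec, sizeof rec, claimed, msg, sizeof msg);
    return process_heartbeat(rec, rec_len, resp, cap, resp_len);
}

/* Sweep claimed lengths 0..max_claim for the same 4-byte payload, as a fuzzer
 * would, and count how many the handler accepts. The record is 23 bytes, so
 * only claims 0..4 fit and the count is 5 for any max_claim >= 4. */
int count_accepted_claims(unsigned max_claim)
{
    int accepted = 0;
    unsigned char resp[64];
    size_t n;
    for (unsigned c = 0; c <= max_claim && c <= 0xffff; c++)
        if (heartbeat_reply(c, resp, sizeof resp, &n) == HB_OK)
            accepted++;
    return accepted;
}

int main(void)
{
    unsigned char resp[64];
    size_t n = 0;
    printf("claim 4  -> status %d, %zu reply bytes\n", heartbeat_reply(4, resp, sizeof resp, &n), n);
    printf("claim 36 -> status %d (HB_ERR_TOO_LONG)\n", heartbeat_reply(36, resp, sizeof resp, &n));
    printf("claims 0..100 accepted: %d\n", count_accepted_claims(100));
    return 0;
}
```

    The check is the whole difference between the two slides: with it in place, the honest 4-byte request gets a 23-byte reply that echoes "ABCD", and the lying 36-byte request is refused before any copy happens. Running the sweep under ASan or Valgrind memcheck on the unchecked version is exactly the instrumented fuzzing the later slides recommend.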
  • 8. IMPACT
    • http://heartbleed.com
    • Serious vulnerability in OpenSSL 1.0.1 – 1.0.1f, and 1.0.2beta
    • Wandered the wild from March 2012 until April 2014
    • Found independently by Codenomicon and Neel Mehta of Google security team (who first reported it to OpenSSL)
    • We were working on staged responsible vulnerability disclosure with CERT.FI when OpenSSL went public. We published our Q&A.
    • By the numbers:
      • Apache & NGINX have about 60% market share according to Netcraft. Most of these are likely using OpenSSL for TLS/SSL.
      • 630 of top 10k sites vulnerable on April 8th, 750k globally (https://github.com/musalbas/heartbleed-masstest/)
  • 9. HOW DO WE FIND THE NEXT HEARTBLEED?
    1. Better testing
    2. Better testing
    3. Better testing
    • Builders, use a secure development life cycle
    • Buyers, test more thoroughly and demand better products
  • 10. managing software vulnerabilities
  • 11. DOES THIS SOFTWARE MAKE MY ATTACK SURFACE LOOK FAT?
  • 12. SOFTWARE VULNERABILITIES
    • Design vulnerabilities
    • Configuration vulnerabilities
    • Code vulnerabilities
    • To improve security, find and fix as many vulnerabilities as you can
    • You will never find all of them
    • Using resources efficiently puts you ahead of the curve
  • 13. HUMAN HUNTERS
    • Design vulnerabilities
    • Configuration vulnerabilities
    • Code vulnerabilities
  • 14. WHERE MACHINES CAN HELP
    • Design vulnerabilities
    • Configuration vulnerabilities
    • Code vulnerabilities
  • 15. AUTOMATED VULNERABILITY TOOLS
    • Source code analysis
      • You need the source code
      • False positives
    • Static binary analysis
      • Find libraries, vulnerabilities, licenses
    • Fuzz testing
      • Can be black box testing
      • Better to use various target instrumentation tools: ASan, Valgrind memcheck, etc.
      • Add behavior analysis: this is how we found Heartbleed
  • 16. challenges in ICS
  • 17. IT’S ALL SOFTWARE
    • Pretty much the same problems as everywhere else
    • Up until now, an industry focused on functionality
    • Now everything is going on IP networks
      • Network was perceived as trustworthy
      • Can’t trust the network, remote attacks are relatively easy
    • Long product lifetimes
      • Patching is expensive and difficult
      • Makes security and robustness even more important
  • 18. ICS PROTOCOLS – DEFENSICS TEST SUITES
    ICS protocols:
    • 61850/GOOSE/SV
    • 61850/MMS client
    • 61850/MMS server
    • 60870-5-104 client
    • 60870-5-104 server
    • DNP3 client
    • DNP3 server
    • CIP Ethernet/IP
    • Modbus master
    • Modbus slave
    • Profinet DCP server (PLC)
    And >260 more…
    • HTTP
    • TLS
    • IPv4 / IPv6
    • SSH2
    • XML
    • …
  • 19. what now?
  • 20. WHAT NOW?
    • Builders must adopt a secure development life cycle
      • Security is part of every phase: design, implementation, testing, release
      • Use automated tools whenever possible
    • Buyers:
      • Ask for more from your builders
        • Specific types of testing
        • For example: Fuzz Testing Maturity Model (http://www.codenomicon.com/ftmm/)
      • Verify using available tools
        • Binary analysis
        • Fuzzing
  • 21. thank you
    Jonathan Knudsen
    Principal Security Engineer
    jonathan@codenomicon.com