myth busters open source and security by aseem jakhar
play

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ - PowerPoint PPT Presentation

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)


  1. Myth Busters Open source and Security By Aseem Jakhar

  2. $ whoami

  3. $ whoami We break break things! things! We

  4. $ whoami ● When not working, we do charity

  5. $ whoami ● When not working, we do charity ● By breaking products for free :) ● Cisco Linksys Wifi router Buffer overflow ● GSM network vulnerabilities in a few Indian Telecom operators ● Apple App store payment bypass ● Linkedin, ubuntu one and many more application vulnerabilities....

  6. $ whoami ● Founder – null - The open security community – Registered Non-profit Organization – 7 chapters – Pune, Bangalore, Hyderabad, Delhi, Mumbai, Chennai and Goa – Monthly Meets in all chapters – Open to all to share and learn – Details http://null.co.in ● Founder - nullcon Security Conference

  7. Disclaimer ● All views and ideas expressed in the presentation are personal and do not reflect that of my employer

  8. Disclaimer ● All views and ideas expressed in the presentation are personal and do not reflect that of my employer. ● For the open source lovers – Please don't take this presentation seriously and request you not kill me after the talk. ● I'm an open source developer and user too!

  9. Agenda ● Why Security? ● Myths ● *nix Vs Windows ● Statistics ● Conclusion ● References

  10. Why Security?

  11. Why Security?

  12. Myths ● Open source fanatics – Open source is secure. *nix OSes have user and file permission by design – Because it is the work of passionate techies the outcome is much better than closed source commercial software ● Closed source/Enterprise fanatics – Open source is a piece of software hacked together by a bunch of enthusiasts without a long term vision and hence insecure and unstable. – Because the source code is available people can find vulnerabilities very easily ● 100% security

  13. I want to play a game

  14. *nix Vs Windows ● When I say *nix I mean only Unix like (open source) operating systems. ● Which one is more secure? ● Lets talk about a few critical problems

  15. Buffer overflow ● Process layout design ● Stack frames hold the instruction pointer (EIP) ● Overwrite the instruction pointer ● Point EIP to a memory location within the program that contains malicious code ● Allows local or remote code execution and hijacking of systems ● *nix or Windows?

  16. Kernel NULL pointer dereference ● Programs can map the address zero as a valid memory location ● If Kernel null pointers can be controlled via a syscall triggered by a malicious program ● Malicious code/data can be stored and used/executed by the kernel ● Privilege escalation ● *nix or windows?

  17. Use after free ● Objects allocated and free()'ed on heap ● Free space previously utilised by valid object can now be allocated for a new allocation request. ● Adjusted requests with malicious code on the same place as previous object allocation. ● If object is used after freeing and the vulnerable code can be triggered, the malicious code will get executed. ● *nix or windows?

  18. Remote process infection ● Windows has CreateRemoteThread API – Function to create a thread within the context of another process on the same system – Actively abused by malware to infect legit processes such as IE – Bypass security restrictions – Stealth

  19. Remote process infection ● Linux? – No such API provided by the OS.

  20. Remote process infection ● Linux? – No such API provided by the OS. – So we created one :-P – Jugaad – remote thread injection kit – Indroid – For Android – Source code https://github.com/aseemjakhar/jugaad

  21. Question ● Question to “Linux is more secure” Bandwagon

  22. Question ● Question to “Linux is more secure” Bandwagon – Android and Security? Who's laughing now – Read at your leisure – http://www.brighthand.com/default.asp? newsID=18414&news=Top+10+Vulnerable+Smart phones+Malware

  23. Statistics ● Used only CVE data ● C ommon V ulnerabilities and E xposures ● http://cve.mitre.org ● Used CVEs from cvedetails.com for quick analysis ● Considered all vulnerabilities instead of year wise ● The recorded data may be less in some cases as it depended on searching with different names. ● Recorded only the vulnerabilities in the core software and not any sub components.

  24. Browser stats Browser CVE comparison 1000 909 900 772 800 736 700 600 500 CVE 400 300 300 200 100 0 Opera Internet Explorer Chrome Firefox Browsers

  25. Operating System stats OS CVE comparison 1050 1004 1000 950 CVE 900 880 850 800 Windows Linux Operating Systems

  26. Database stats Database CVE comparison 450 426 400 350 300 250 CVE 200 186 150 100 50 0 Mysql Oracle Database Software

  27. Conclusion ● Security has nothing to do with the ideology of open and closed source. ● Popularity/usage of the software matters when it comes to finding vulnerabilities. ● A Secure SLDC like process will make your software more secure than it currently is and reduce overall cost for ensuring a good security level and patching. ● More awareness among the developer community and the product management.

  28. References ● CVE data: http://cvedetails.com/ ● Hammer image source: http://commons.wikimedia.org/wiki/File:Claw-hammer.jpg ● Saw movie image source: http://www.wired.com/images_blogs/photos/uncategorized/2008/01/30/saw .jpg ● Karamchand image source: http://www.desidabba.in/wp- content/uploads/kc_800_600.jpg

Recommend


More recommend