java/scala lab 2016. Владимир Гарбуз: Написание безопасного...

WRITING SECURE CODEIN JAVA

Vladimir Garbuz

Problem summary

Problem summary

Problem summary

Problem summary

Problem summary Developers are NOT responsible for

security bugs! Well, almost

Absolute most security issues are due to design! Either a vulnerable one Or an incomplete one – which makes the

developers decide what and how should be implemented

Object deserialization

https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications

Lack of web security configurations

X-Frame-Options Content Security Policy HTTP Strict Transport Security HTTP Public Key Pinning

Sessions - Cookie security flags HTTPOnly flag Secure flag Cookie scope - Domain

domain better not be set than set liberally to a domain

e.g. domain=server.com gives the cookie to subdomains It shouldn’t, but thanks to the RFC 2109 and 6265

circle-jerk… Cookie scope - Path

path must include only the webapp for which the cookie is

Sessions – Session fixation http://whatever.com/login.jsp?

jsessionid=E85FAC04E331FFCA55549B10B7C7A4FA

Session token in URL – bad, bad practice! It will also appear in server logs, browser

history, proxies, etc…

Decisions based on untrusted data

&admin=true Invisible/disabled controls Data MIME type Forced navigation to ID

Integer wrap-around

Race conditions Easy to create, hard to spotConsider following pseudocode:X = X + 10Thread 1 and 2 (T1 and T2) execute it:

15 != 25

Vulnerable components used Libraries and frameworks

OWASP Dependency Check BlackDuck

Vulnerable software

Input validation

Make it a universal component! used throughout the application, not ad-hoc

Random

Always use CSPRNG! “Oh please, what’s the difference?”

Random Popular PRNG named RANDU Dots as (x,y) and (x,y,z) – all fall in 15 3D

planes!

Random CSPRNG sequence attractor analysis

Random Windows 98 PRNG attractor analysis

RandomHacking Java’s Random(): predicting the

future Linear Congruential PRNG:seed = (seed * multiplier + addend) mod (2 ^ precision) Has 48 bits of state, but discloses only 32 at a time

e.g. nextInt() The remaining 16 bits are easily bruteforcible on

modern PCs:

RandomHacking Java’s Random(): peeking into the

past Long story short, one bit at a time we unwind the

changes a previous seed would’ve had on the current number And can do so recursively as far back as we wishUSE SECURE RANDOM

Vulnerable crypto EXP – export crypto

DES RC4

MD4 MD5 – yes, fully broken since 2007, stop using it! SHA-1

“Oh please, we’ve used MD5 forever and it’s been ok!”

Cryptographic hashWhat’s similar for these 3 images?..

Their MD5 hash!And a freely available tool HashClash was used!

Cryptographic hashMD5 Chosen prefix collisions

Cryptographic hashPassword storage

Never store passwords for verification in the clear

Use salts with hashes to fight rainbow tables Never use clear hash functions to hash

passwords Yep! Go for a key derivation function!

PBKDF2 scrypt bcrypt

Setting up SSL/TLS Do TLS the right way! Yay or nay?

ECDHE-RSA-AES256-GCM-SHA256 Yay!

ECDHE-RSA-RC4-SHA Nay!

EXP-RC4-MD5 Nay nay nay!!!

Questions and Discussion

Skype: vigarbuz