6-Nov-2014 © 2014 All Rights Reserved
@codenomicon
Jonathan Knudsen, Principal Security Engineer, November 6, 2014
MANAGING A LEGACY OF VULNERABILITIES IN CONTROL SYSTEMS: LESSONS LEARNED FROM HEARTBLEED AND MORE

[CLASS 2014] Palestra Técnica - Jonathan Knudsen


Talk title: Managing a Legacy of Vulnerabilities in Control Systems - Lessons Learned from Heartbleed and More


Page 1: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


@codenomicon

Jonathan Knudsen, Principal Security Engineer, November 6, 2014

MANAGING A LEGACY OF VULNERABILITIES IN CONTROL SYSTEMS
LESSONS LEARNED FROM HEARTBLEED AND MORE

Page 2: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Understanding Heartbleed
• Managing Software Vulnerabilities
• Challenges in ICS
• What now?

CONTENTS  

Page 3: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


understanding heartbleed

Page 4: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


Client : Hello, here is a list of cipher suites I can use.

Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key.

Client : Heartbeat: send back my 4 byte message “ABCD”.

Server : ABCD

Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key.

Client : [Encrypted] I'm done with the handshake.

Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted.

Server : [Encrypted] I'm done with the handshake too.

[Client and server exchange encrypted data.]

TLS HEARTBEAT MESSAGE

Page 5: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


Client : Hello, here is a list of cipher suites I can use.

Server : Hello, here is the cipher suite I chose from your list. And here's an X.509v3 certificate that contains my public key.

Client : Heartbeat: send back my 36 byte message “ABCD”.

Server : ABCD....5...t.....[.{.....I_.k.I"]..

Client : [Scrutinizes the certificate, checks to make sure it's signed by a known certificate authority.] Okay, thanks. Here's the premaster secret, encrypted with your public key. The next thing I say to you will be encrypted with the session key.

Client : [Encrypted] I'm done with the handshake.

Server : [Decrypts the premaster secret using private key, then generates the session key.] The next thing I send will be encrypted.

Server : [Encrypted] I'm done with the handshake too.

[Client and server exchange encrypted data.]

LIAR LIAR PANTS ON FIRE

Page 6: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


/* Excerpt from OpenSSL 1.0.1 (ssl/t1_lib.c) as shown on the slide;
 * the function continues past the point where the slide ends. */
int tls1_process_heartbeat(SSL *s)
    {
    unsigned char *p = &s->s3->rrec.data[0], *pl;
    unsigned short hbtype;
    unsigned int payload;
    unsigned int padding = 16; /* Use minimum padding */

    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;

    if (s->msg_callback)
        s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
            &s->s3->rrec.data[0], s->s3->rrec.length,
            s, s->msg_callback_arg);

    if (hbtype == TLS1_HB_REQUEST)
        {
        unsigned char *buffer, *bp;
        int r;

        /* Allocate memory for the response, size is 1 bytes
         * message type, plus 2 bytes payload length, plus
         * payload, plus padding
         */
        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
        bp = buffer;

        /* Enter response type, length and copy payload */
        *bp++ = TLS1_HB_RESPONSE;
        s2n(payload, bp);
        memcpy(bp, pl, payload);
        bp += payload;
        /* Random padding */
        RAND_pseudo_bytes(bp, padding);

        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

FIND THE BUG

Page 7: [CLASS 2014] Palestra Técnica - Jonathan Knudsen



FIND THE BUG

payload is the length reported by the client (n2s(p, payload))

Allocate a buffer with the claimed size (OPENSSL_malloc(1 + 2 + payload + padding))

Copy payload bytes (memcpy(bp, pl, payload)), regardless of how many bytes the record actually contains
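The three annotations above describe the whole bug: the code trusts the length field and never compares it with the length of the record that actually arrived. The following is an added example, not code from the slides or from OpenSSL. It models the heartbeat handling in a self-contained way (names such as record_t, heartbeat_respond and run_case are assumptions, and the record bytes are constructed) so the over-read can be observed safely: the "neighbouring memory" is simply the rest of a fixed array owned by the program. With check_length set, the function applies the bounds check that the OpenSSL fix added (discard the request when 1 + 2 + payload + 16 exceeds the received record length).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define PADDING     16
#define RECORD_MAX  64   /* assumption: size of the simulated record buffer */

/* Simulated SSL3 record: rrec[0..rrec_len) is what arrived on the wire, and
 * the bytes after it stand in for whatever else sits in process memory. */
typedef struct {
    unsigned char rrec[RECORD_MAX];
    size_t rrec_len;
} record_t;

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Builds a heartbeat response in out[] and returns its length, or -1 if the
 * request is discarded. check_length == 0 mirrors the slide's logic (the
 * claimed payload length is trusted); check_length == 1 adds the fix. */
static int heartbeat_respond(const record_t *r, int check_length,
                             unsigned char *out, size_t out_cap)
{
    const unsigned char *p = r->rrec;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p);          /* length reported by the client */
    const unsigned char *pl = p + 2;
    unsigned char *bp = out;

    if (hbtype != HB_REQUEST)
        return -1;
    /* The fix: header + claimed payload + padding must fit in the record received. */
    if (check_length && (size_t)1 + 2 + payload + PADDING > r->rrec_len)
        return -1;
    /* Model-only guard so the vulnerable path stays inside memory we own. */
    if ((size_t)3 + payload > sizeof r->rrec || (size_t)3 + payload + PADDING > out_cap)
        return -1;

    *bp++ = HB_RESPONSE;
    s2n(payload, bp);
    bp += 2;
    memcpy(bp, pl, payload);            /* copies past the record when payload > actual */
    bp += payload;
    memset(bp, 0xAA, PADDING);          /* stands in for RAND_pseudo_bytes */
    return 3 + payload + PADDING;
}

/* Constructed request: a 4-byte payload "ABCD" claiming `claimed` bytes,
 * 16 bytes of padding marked 'P', and neighbouring memory marked 'S'. */
static record_t make_request(uint16_t claimed)
{
    record_t r;
    memset(r.rrec, 'S', sizeof r.rrec);
    r.rrec[0] = HB_REQUEST;
    s2n(claimed, r.rrec + 1);
    memcpy(r.rrec + 3, "ABCD", 4);
    memset(r.rrec + 7, 'P', PADDING);
    r.rrec_len = 3 + 4 + PADDING;       /* 23 bytes actually received */
    return r;
}

/* Returns how many 'S' (beyond-the-record) bytes the response echoes back,
 * or -1 if the request was discarded. */
static int run_case(uint16_t claimed, int check_length)
{
    record_t r = make_request(claimed);
    unsigned char out[RECORD_MAX + 3 + PADDING];
    int n = heartbeat_respond(&r, check_length, out, sizeof out);
    int leaked = 0;
    if (n < 0)
        return -1;
    for (size_t i = 0; i < n2s(out + 1); i++)
        if (out[3 + i] == 'S')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("honest 4-byte request, no check: leaked %d bytes\n", run_case(4, 0));
    printf("claims 36 bytes, no check:       leaked %d bytes\n", run_case(36, 0));
    printf("claims 36 bytes, with check:     %d (discarded)\n", run_case(36, 1));
    return 0;
}
```

The 36-byte case reproduces slide 5: the response starts with "ABCD", then the request's own padding, then 16 bytes that were never part of the request. The checked variant returns -1 for that request and still answers the honest one normally, which is exactly the behaviour RFC 6520 asks for (silently discard a heartbeat whose length field does not match the record).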

Page 8: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


IMPACT  

• http://heartbleed.com
• Serious vulnerability in OpenSSL 1.0.1 – 1.0.1f, and 1.0.2beta
• Wandered the wild from March 2012 until April 2014
• Found independently by Codenomicon and Neel Mehta of Google security team (who first reported it to OpenSSL)
• We were working on staged responsible vulnerability disclosure with CERT.FI when OpenSSL went public. We published our Q&A.
• By the numbers:
  • Apache & NGINX have about 60% market share according to Netcraft. Most of these are likely using OpenSSL for TLS/SSL.
  • 630 of top 10k sites vulnerable on April 8th, 750k globally: https://github.com/musalbas/heartbleed-masstest/

Page 9: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


1. Better testing
2. Better testing
3. Better testing

• Builders, use a secure development life cycle
• Buyers, test more thoroughly and demand better products

HOW DO WE FIND THE NEXT HEARTBLEED?

Page 10: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


managing software vulnerabilities

Page 11: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


DOES THIS SOFTWARE MAKE MY ATTACK SURFACE LOOK FAT?

Page 12: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities

• To improve security, find and fix as many vulnerabilities as you can
• You will never find all of them
• Using resources efficiently puts you ahead of the curve

SOFTWARE  VULNERABILITIES  

Page 13: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities

HUMAN HUNTERS

Page 14: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Design vulnerabilities
• Configuration vulnerabilities
• Code vulnerabilities

WHERE MACHINES CAN HELP

Page 15: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Source code analysis
  • You need the source code
  • False positives

• Static binary analysis
  • Find libraries, vulnerabilities, licenses

• Fuzz testing
  • Can be black box testing
  • Better to use various target instrumentation tools: ASan, Valgrind memcheck, etc.
  • Add behavior analysis: this is how we found Heartbleed

AUTOMATED VULNERABILITY TOOLS
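The last bullet is the part of fuzzing that is easy to overlook: a target that does not crash can still be broken, and Heartbleed is the classic case, since a vulnerable server answers a malformed heartbeat cleanly. What catches it is a behavioural oracle that compares the response with what the tester actually sent. The following is an added example, not code from the slides or from Codenomicon's Defensics; hb_oracle, build_hb and the sample bytes are constructed for illustration. The oracle is given the request bytes, the number of payload bytes the tester really put on the wire (as opposed to the length field, which a fuzzer may deliberately set wrong), and the response, and it flags any response that echoes more than was sent or echoes different bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2

typedef enum { HB_OK = 0, HB_MALFORMED, HB_OVERSIZED, HB_MISMATCH } verdict_t;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Assembles a heartbeat message: type, 2-byte length field (which may lie),
 * the payload bytes actually written, then `pad` bytes of padding. */
static size_t build_hb(unsigned char *buf, unsigned char type, uint16_t claimed,
                       const unsigned char *payload, size_t payload_len, size_t pad)
{
    buf[0] = type;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)claimed;
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0x5A, pad);   /* constructed padding bytes */
    return 3 + payload_len + pad;
}

/* Behavioural check: the response payload must be no longer than the payload
 * the tester really sent, and must be byte-for-byte the same data. */
static verdict_t hb_oracle(const unsigned char *req, size_t req_len, size_t sent_payload_len,
                           const unsigned char *resp, size_t resp_len)
{
    uint16_t resp_payload;
    if (req_len < 3 + sent_payload_len || req[0] != HB_REQUEST) return HB_MALFORMED;
    if (resp_len < 3 || resp[0] != HB_RESPONSE) return HB_MALFORMED;
    resp_payload = rd16(resp + 1);
    if ((size_t)3 + resp_payload > resp_len) return HB_MALFORMED;
    if (resp_payload > sent_payload_len) return HB_OVERSIZED;    /* the Heartbleed signature */
    if (memcmp(resp + 3, req + 3, resp_payload) != 0) return HB_MISMATCH;
    return HB_OK;
}

/* Constructed traffic: request "ABCD" with an honest length field, echoed back correctly. */
static verdict_t case_honest_target(void)
{
    unsigned char req[64], resp[64];
    size_t rl = build_hb(req, HB_REQUEST, 4, (const unsigned char *)"ABCD", 4, 16);
    size_t sl = build_hb(resp, HB_RESPONSE, 4, (const unsigned char *)"ABCD", 4, 16);
    return hb_oracle(req, rl, 4, resp, sl);
}

/* Constructed traffic: request "ABCD" whose length field claims 36 bytes, and a
 * target that dutifully returns 36 bytes, the last 32 of which it never received. */
static verdict_t case_leaking_target(void)
{
    unsigned char req[64], resp[128], leaked[36];
    size_t rl = build_hb(req, HB_REQUEST, 36, (const unsigned char *)"ABCD", 4, 16);
    memset(leaked, 'S', sizeof leaked);         /* stands in for leaked memory */
    memcpy(leaked, "ABCD", 4);
    size_t sl = build_hb(resp, HB_RESPONSE, 36, leaked, 36, 16);
    return hb_oracle(req, rl, 4, resp, sl);
}

int main(void)
{
    static const char *names[] = { "ok", "malformed", "oversized", "mismatch" };
    printf("honest target:  %s\n", names[case_honest_target()]);
    printf("leaking target: %s\n", names[case_leaking_target()]);
    return 0;
}
```

In a fuzzing run the oracle is evaluated on every response, not only on crashes, so a verdict of HB_OVERSIZED on a target that otherwise looks healthy is the kind of anomaly that instrumentation such as ASan would report as a heap over-read when source and a rebuild are available, and that behaviour analysis can still report when they are not.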

Page 16: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


challenges in ICS

Page 17: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Pretty much the same problems as everywhere else

• Up until now, an industry focused on functionality
  • Now everything is going on IP networks
  • Network was perceived as trustworthy
  • Can't trust the network; remote attacks are relatively easy

• Long product lifetimes
  • Patching is expensive and difficult
  • Makes security and robustness even more important

IT'S ALL SOFTWARE

Page 18: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• 61850/GOOSE/SV
• 61850/MMS client
• 61850/MMS server
• 60870-5-104 client
• 60870-5-104 server
• DNP3 client
• DNP3 server
• CIP Ethernet/IP
• Modbus master
• Modbus slave
• Profinet DCP server (PLC)

• And >260 more…
  • HTTP
  • TLS
  • IPv4 / IPv6
  • SSH2
  • XML
  • …

ICS PROTOCOLS – DEFENSICS TEST SUITES

Page 19: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


what now?

Page 20: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


• Builders must adopt a secure development life cycle
  • Security is part of every phase: design, implementation, testing, release
  • Use automated tools whenever possible

• Buyers:
  • Ask for more from your builders
    • Specific types of testing
    • For example: Fuzz Testing Maturity Model (http://www.codenomicon.com/ftmm/)
  • Verify using available tools
    • Binary analysis
    • Fuzzing

WHAT NOW?

Page 21: [CLASS 2014] Palestra Técnica - Jonathan Knudsen


thank you

Jonathan Knudsen, Principal Security Engineer, [email protected]

Page 22: [CLASS 2014] Palestra Técnica - Jonathan Knudsen