https://lepidum.co.jp/ Copyright © 2004-2015 Lepidum Co. Ltd. All rights reserved.
From an Experience of
Reporting a Vulnerability
- Case of CCS Injection -
Tatsuya HAYASHI (@lef)
Kaoru Maeda (@mad-p)
Lepidum Co. Ltd.
"SSR 2015" (2015/12/15)
Agenda
CCS Injection Vulnerability
How did we find it?
Reporting a Vulnerability
Disclosing a Vulnerability
Lessons Learned
Focus Area | Lepidum
Applied Research and Development
Personal Data, Digital Identity and Privacy
Secure and Safe Software Technology
Web and Internet Technology
De-Facto and Forum Standardization
Keywords:
Personal Data, Trust Framework, Privacy, ID Federation,
Authentication/Authorization, Protocol Specification,
* of Things(IoT, WoT), Software Defined Network,
Autonomic Network, etc...
CCS INJECTION VULNERABILITY
CCS Injection Vulnerability
CVE-2014-0224 (June 2014)
CCS = Change Cipher Spec
Also known as the Early CCS Attack
http://ccsinjection.lepidum.co.jp/
1. A MITM sends a ChangeCipherSpec earlier than the handshake allows, before the key exchange has happened
2. OpenSSL accepts it without checking the handshake state
3. Record keys are derived from the master secret as it stands at that point, which is still empty
4. The MITM can derive the same keys, so it can decrypt and tamper with all the traffic
Both endpoints must run vulnerable OpenSSL: servers only in 1.0.1 and 1.0.2-beta1, clients in every version before the fix
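The early-CCS flow described above, modelled in Python as an added example; this is not code from the slides, from the ccsinjection page or from OpenSSL. It simulates only the server side of the handshake around ChangeCipherSpec, uses a one-round HMAC-SHA256 in place of the TLS PRF, and uses constructed random values. The `check_ccs_state` flag stands in for the state check OpenSSL added in the fix (its `SSL3_FLAGS_CCS_OK` idea) before processing a CCS. In the real attack the MITM injects the early CCS towards both client and server so that both sides derive keys from the empty master secret.

```python
"""Toy TLS handshake state machine around ChangeCipherSpec (CVE-2014-0224 shape).

Added example, not code from the Lepidum slides or from OpenSSL.  The PRF,
message names and state names are simplifications chosen for this example.
"""
import hashlib
import hmac

# Constructed sample values (not taken from any real capture).
CLIENT_RANDOM = bytes.fromhex("11" * 32)
SERVER_RANDOM = bytes.fromhex("22" * 32)
PREMASTER = bytes.fromhex("0303" + "ab" * 46)   # 48-byte RSA premaster, shape only


class UnexpectedMessage(Exception):
    """Models the TLS unexpected_message alert the peer should send."""


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for the TLS PRF (assumption: a single HMAC-SHA256 round)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


class Endpoint:
    """Minimal handshake state relevant to CCS handling.

    check_ccs_state=False reproduces the pre-fix behaviour: a CCS is processed
    whenever it arrives and keys are derived from whatever master_secret holds.
    check_ccs_state=True models the fix: a CCS is accepted only after the key
    exchange has set the master secret (OpenSSL's SSL3_FLAGS_CCS_OK idea).
    """

    def __init__(self, check_ccs_state: bool):
        self.check_ccs_state = check_ccs_state
        self.randoms = b""
        self.master_secret = b""      # empty until the key exchange, as in OpenSSL
        self.ccs_ok = False
        self.record_keys = None

    def set_randoms(self, client_random: bytes, server_random: bytes) -> None:
        # ClientHello / ServerHello: both randoms travel in cleartext.
        self.randoms = client_random + server_random

    def key_exchange(self, premaster: bytes) -> None:
        self.master_secret = prf(premaster, b"master secret", self.randoms)
        self.ccs_ok = True            # from here on a CCS is legitimate

    def change_cipher_spec(self) -> bytes:
        if self.check_ccs_state and not self.ccs_ok:
            raise UnexpectedMessage("ChangeCipherSpec received before key exchange")
        self.record_keys = prf(self.master_secret, b"key expansion", self.randoms)
        self.ccs_ok = False           # a second CCS would again be unexpected
        return self.record_keys


def early_ccs_attack(check_ccs_state: bool):
    """MITM injects a CCS right after ServerHello, before ClientKeyExchange.

    Returns (accepted, mitm_has_keys): whether the server processed the early
    CCS, and whether an attacker who knows only the public randoms derived
    the same record keys the server is now using.
    """
    server = Endpoint(check_ccs_state)
    server.set_randoms(CLIENT_RANDOM, SERVER_RANDOM)
    try:
        server_keys = server.change_cipher_spec()
    except UnexpectedMessage:
        return False, False
    # Attacker's view: the master secret is still empty and the randoms are public.
    mitm_keys = prf(b"", b"key expansion", CLIENT_RANDOM + SERVER_RANDOM)
    return True, hmac.compare_digest(server_keys, mitm_keys)


def normal_handshake(check_ccs_state: bool) -> bool:
    """Legitimate order: key exchange first, then CCS; peers agree, the MITM does not."""
    client = Endpoint(check_ccs_state)
    server = Endpoint(check_ccs_state)
    for ep in (client, server):
        ep.set_randoms(CLIENT_RANDOM, SERVER_RANDOM)
        ep.key_exchange(PREMASTER)
    client_keys = client.change_cipher_spec()
    server_keys = server.change_cipher_spec()
    mitm_keys = prf(b"", b"key expansion", CLIENT_RANDOM + SERVER_RANDOM)
    return hmac.compare_digest(client_keys, server_keys) and not hmac.compare_digest(
        client_keys, mitm_keys
    )


if __name__ == "__main__":
    print("vulnerable, early CCS:", early_ccs_attack(check_ccs_state=False))  # (True, True)
    print("fixed, early CCS:     ", early_ccs_attack(check_ccs_state=True))   # (False, False)
    print("fixed, normal order:  ", normal_handshake(check_ccs_state=True))   # True
```

The point the model makes is that the bug is not in the key derivation itself but in the state machine: the vulnerable endpoint runs the correct derivation at the wrong moment, on a secret that is still empty, and the fix is purely a check on when a CCS is allowed to arrive.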
How was it found?
Masashi Kikuchi (the reporter) thought that the most complex transitions in the SSL/TLS state machine are those handling ChangeCipherSpec
He wanted to build a formal verification of that part
He looked into existing implementations
And found a flaw in OpenSSL's validation
Reporter's initial motivation
Everyone competes to hunt bugs; I want to do it efficiently
I want to use Coq somewhere
Select a suspicious module by experience
I want a clue to understand code that is difficult
But he did not even need Coq
A VULNERABILITY: REPORTING AND DISCLOSING IT
To whom should it be reported?
In Japanese or in English?
OpenSSL? CERT?
Has a correct impact analysis been done?
Is our analysis correct in the first place?
PoC attack
Information control within the company
After reporting...
Prepare against possible 0-day attacks
We could do nothing but wait for a response
We could not ask or discuss with other organizations
Employees were instructed not to talk about it
Without a response we could not be sure that "our reporting process is correct"
Bitter days
What we did: blog it
Take a new domain (against domain dropping)
Do not place any ads (better trust)
Prepare for heavy load
Select a CDN
Make the blog pages cacheable
Test that the pages and the CDN work, without disclosing anything
Review how to update the pages
Collect and manage incoming updates
(lessons learned)
What is the right way to disclose it?
No one actually tells you the best practice
Schedule an announcement
The domain name hints at the vulnerability, so the DNS settings were delayed: ccsinjection.lepidum.co.jp
No rules, no guidelines
Common sense ⇒ what's that?
(lessons learned)
The day it was announced
The disclosure date is told, but not the time
No one (incl. CERT) tells the reporter exactly when the CVE appears
Inquiries, interviews
Media handling, English support, customers, social media...
The Guardian, New York Times, etc.
"Proper" interviews and not-so-proper ones
Explain to customers what we have done
Fortunately, we had the blog pages!
Updates
Catch up with software updates, etc.
Distinguish suggestions from experts from those of non-experts
A whole-company effort!
Daily work suspended
FAQ, other things to consider
Why a logo?
"How much did you earn from this?"
Engineers' stress
Business value
Information control
Avoid an unnecessary sense of crisis
Deliver precise information to where it is needed
Announce countermeasures when they are ready
Vulnerability disclosure is not easy
You cannot call for help, and no help comes
We, a geek company, could do it
We could do it because we are an organization
But it was worth doing!
Vulnerability and Reporting
It comes, even when you are not prepared
Do it without how-tos or guidelines
Prepare blog pages
But do not disclose much before the announcement
Be careful when setting up the CDN and DNS
Message: Implementation is the key
Write the specification after implementing it
That way you know where the pitfalls are
"To handle a complex protocol like TLS with Coq, you might need the experience of implementing it"
Please contact us
https://lepidum.co.jp/ @lepidum @lef @mad-p
mailto:{hayashi,maeda}@lepidum.co.jp