
Adam Cecchetti - Security is A Snapshot in Time - So How Do We Keep Up?

BSides PDX · 2018 · 32:05 · 133 views · Published 2018-03
Category: Technical
Style: Talk
About this talk
Security is a snapshot in time—yesterday's defenses inevitably decay. This talk explores how we've repeatedly faced this problem across networks, applications, web, cloud, and IoT, and proposes a framework for keeping pace. Cecchetti argues that security vulnerabilities are finite and inherited, and introduces the concepts of shared ken (collective visibility) and the metagame to help teams prioritize defenses and communicate risk to decision-makers.
Original YouTube description

Adam Cecchetti (@adamcecc)

As the air gap between our daily lives and the Internet continues to shrink, the security of our personal data and devices grows in importance. We are facing the daily threat of putting 2000s-era computers bolted to toasters online while expecting them to defend against 2017-capable attackers. This talk will explore the continuing trend of IoT, discuss how we've been here before, and lay out strategies for keeping pace with attackers in the future.

This talk will focus on enumerating this risk, discuss the challenges involved, and explore solutions. First, we will examine the history of how we got here, and what it means to say "security is a snapshot in time." We then introduce the idea of shared ken (the range of one's knowledge or sight) and how it impacts security. Third, we discuss the influence of data as code, the metagame, and secrecy as a way of mastering impact and ken.

This talk will allow attendees to walk away with:
- A holistic view of the history of computer security and how it impacts them today
- The importance of extending the range of collective vision to reduce blind spots
- Practical advice for BSiders to grow their mindset and improve their impact

Adam is a founding partner and Chief Executive Officer at Deja vu Security. He is dedicated to the leadership and relentless innovation in Deja's products and services. Previously he has led teams conducting application and hardware penetration tests for Fortune 500 technology firms. Adam is a contributing author to multiple security books, benchmarks, tools, and DARPA research projects. Adam holds a degree in Computer Science and a Masters from Carnegie Mellon University in Information Networking.
Transcript [en]

So thank you for the introduction, and thank you to all of you for spending a bit of time with me here today. Very briefly, I'm Adam Cecchetti, founder and CEO of Deja vu Security, also the founder and chairman of Peach Fuzzer, which is the company we rolled out to do the productization of the Peach fuzzing framework, which is open source. Very briefly about Deja vu Security: we're a Seattle-based company, we've been operating since 2010, and we've done hundreds of application and hardware penetration assessments, specifically in the areas of web, crypto, cryptocurrencies, IoT and infrastructure.

Time is undefeated. No matter how fast you make your processes, no matter how much you reduce your gate delay, no matter how much time you spend on making something more efficient, time is the finite resource which you never get more of. The wall clock keeps on ticking and there's nothing that you can do to stop it. Time erodes all things. What was once state of the art, or the state of defense, the pinnacle of technology, whether you're looking at it from an offensive or a defensive perspective, if you add a little bit of time to it, it erodes and eventually becomes a ruin, and this is no different for the systems that we look at today.

Recently I've been getting kind of a sense of deja vu. If you rewind 20 years, you'd hear a lot of people start to say the tubes are on fire, we have a problem with the networks, we need to just secure our networks. Rewind 15 years ago and we talked about applications, whether it was desktop applications or server applications, saying the desktops are on fire, we need to secure these things. 10 years ago it was the web: the entire world is on fire as we start to plug more things in. Five years ago it was the cloud, and recently, with the Internet of Things, our pants are on fire. When I originally wrote this slide I was like, maybe that's a bit of a stretch, and then Samsung went ahead and made a phone that exploded in your pocket, so I was like, all right, maybe my epiphany here is not so far-fetched. Thank you, Samsung.

So the problem is big. The first step to recovery is always the hardest, but awareness doesn't cure cancer, obviously. As we create more systems and time continues to go on, we have some of the same problems over and over again. The cool thing about this, though, is that if you're an attacker you can't just gin up a security problem in someone else's system. You have to find the problem; it has to exist there already. The individuals that built the system have to have created it at some point. You cannot create a security problem in someone else's system, which gives it these very interesting properties. That means the number of security vulnerabilities out there is finite. Now that's not to say that new systems aren't being built and constructed every day; however, at the same time, that gives them some very interesting properties.

Security issues are inherited. Computers are very good at copying things, and the security problem from one library to the next, or from one configuration to the next, is no different here. It's very easy to get a security problem inherited from one system to the next, like a bad fruitcake being passed from one relative down to the other. They're plentiful. Defense helps, but for the last 20 years we've mostly been, as a research community, kicking over more rocks, saying there's more problems in more places, and we're finding more things faster than we have the ability, in many cases, to keep up. They're random. The future is asymmetrically secure: we've gotten very good at securing certain kinds of systems, operating systems, browsers and certain other pieces, but you start to add the web, the Internet of Things and the cloud, and we have to start this process all over again. And finally, they're polymorphic: the tools that we use to construct our systems eventually become security problems themselves, JTAG being a debugger but also potentially a backdoor, and other logging and infrastructure become the same thing.

So if we want to fix this problem at scale we're going to have to start thinking a little bit differently. There's occasionally this idea that we should just give up and monitor and mitigate everything, that there is absolutely no possible way for us to ever keep an attacker out of a system or make defensible systems. I say we shouldn't start thinking that way; we should think a bit differently, but not so differently that we throw in the towel.

So let's take a look at the last sixty years or so of computer systems. Somewhere around the 70s we took a whole bunch of hard copy and shoved it into mainframes, effectively taking distributed data from multiple sources and putting it into a centralized system. Shortly after that we started to push this data out into individual PCs through the 80s, then into the 90s back into web and email, recentralizing it, redistributing it out through social networks, recentralizing it into the cloud, and redistributing it currently into the Internet of Things. So if you look at this cadence, if you look at this clock, about every 10 years we kind of have this pulse where we either centralize or decentralize the data in different places, and along with it follow the users. Users used dumb terminals on mainframes, then PCs, then email, and the way that their actions happen creates new data, and some of that data lingers in the eddies and places where it's left over from previous usage models.

Security, in effect, is a snapshot in time. The snapshot in time is that snapshot where the system designers and the system builders decided to make it so: you take a set of libraries, you put them into some binaries, you put them on a set of systems, you push it out, and that snapshot can very easily end up not where you're currently at. So there's a very interesting point along that graph, which is around 1995. In 1995 attackers are effectively unstoppable. The closer the snapshot is to 1995, the harder it is to defend. So let's talk about that for a second. In 1995 there were absolutely no memory defenses like DEP, ASLR, stack cookies or some of the other things we kind of take for granted today. There was no patching, and the patching that was out there was focused on reliability and availability, not security issues. There was little to no security awareness, and there was the default scope, or the default attack surface, installed for every single system that you would propagate out: you would set up a new PC, you'd set up a new server, and you would get everything turned on by default. So the closer the clock looks like what we did in 1995, the harder it is to defend, which effectively means if you're trying to defend systems that have a snapshot that looks like '95, you're going up against Terminators. There's not really a good chance of you winning.

Put slightly differently, you wouldn't march this army today. You would not take riflemen in close-order formation onto a field of battle and expect good results; the second they came up against a modern attack they would be immediately decimated by automatic or medium and heavy weapons. Very similarly, you wouldn't march this army in 2017. Not to say the brave men and women of our armed forces don't do an incredible job; there's just too much time for them to catch up on, there are too many things that have changed. Their attack model, their defense model, was done in the past.

So how do we get to having systems shipping in 2017 that look like we're trying to defend them in 2002? Here's an example of a recent binary that we looked at that was compiled and shipped in 2016. It had a library that was last touched or updated in 2011, another library from 2006 which had another library baked into it from 2005, and finally the oldest piece of code inside of it was from 2002, the last time someone updated it. So here's a modern binary being compiled and shipped with modern standards in 2016, and the point in time which it is trying to defend against is actually 2002, so there were immediately a ton of bugs inside of it. Here's an example of going all the way back to 1995 in 2017: here's a piece of firmware we recently looked at. It was compiled in 2016 from a reference implementation built in 2005, built on top of another piece of firmware from 2006, baked together with a library from 2005, all built on protocols from 1995. This system is effectively indefensible, even though it's being shipped and pushed out in 2016, because we're looking at it from 1995.

But enough doom and gloom for a second; let's talk about how awesome computers are, right? Computers don't let you do anything; they do anything. Modern Turing machines are the reason that we have a distributed global network whose primary purpose is to deliver cats on small embedded devices. That is us, and general computation is good: it enabled a revolution in the way we process information. At the same time, it didn't come with some of the things that we decided along the way that we really needed: there's no reliability, no availability, no security. As a result we had to bolt on multiple layers of complexity at every single stage when we wanted one of these things. The more complexity, the more opportunities for an attacker to find an issue; the more opportunities for an attacker to find an issue, the more possibility of a side effect in the system that wasn't predicted. Exploitation, whether you're writing a modern exploit or a mic slick from 1995, is simply stacking up side effects in a programmatic manner. Exploitation is programming with side effects, said a little bit simpler. But don't get me wrong, the side effects are awesome. They manifest themselves in all kinds of interesting ways, and we have conferences like this all around the world to sit down and sometimes literally discuss one individual side effect in one system and how interesting that is from a general computation standpoint.

We're at this very interesting and odd juncture. Mobile ate the world the same way that the PC did. User habits are starting to shift again; we're producing and consuming data in a distributed manner. For the things that aren't on your mobile phone, the web ate the rest of the world in an API manner, which meant everything at this point is becoming distributed. As a result we have these very strange pockets where user data flows and kind of lingers in the eddies in different places. For those of us that still care about general computation, we're left to run unknown kernel and firmware exploits on our phone so we can actually use it as a general Turing machine again, effectively jailbreaking the thing and blowing a hole in the only security the mobile device provides us, which is: do not run unsigned, untrusted code.

Occasionally it kind of pops up into the memeverse of the ecosystem that we should stop putting things on the internet, and my response to this is: you should stop telling water to be wet, because you'll have better luck with that. It is free to put another computer on the Internet. It costs you nothing to add another device to a corporate network or a home network, and to a certain point, to a certain threshold, it is free to put a Pentium Pro inside of literally anything. We can put a Pentium Pro in a mop today and it costs us $0; in four years it is free to put an iPhone 1 in literally everything. And why is this? It's because of the inverse of Moore's law. Everyone in this room is very familiar with Moore's law. Moore's law very simply states that every 18 months the number of transistors doubles, and we get general computation allowing us to revolutionize the world, to have the fast CPU so we can deliver cats to our faces instantaneously today. However, while this may have created this industry, the inverse of Moore's law is that every 18 months the cost of a transistor halves, and the inverse of Moore's law is what is going to change the face of the earth. So if we take a look at the number of transistors in a Pentium Pro in 1995, that cost 1,000 US dollars, and you apply the inverse of Moore's law to it, putting a Pentium Pro in every single thing is free today and every day in the future. Putting an iPhone in everything in the near future, or adding a first generation's worth of iPhone transistors to absolutely everything, is $4 in 2018 and free in 2022. If you want to put that slightly differently: adding Wi-Fi, GSM, Bluetooth, GPU, CPU, storage, sound and an interface is free for every single device in 2022. It costs literally the engineering time, because the transistor cost is free at that point, which is awesome. The internet finally showed up, the thing we've been waiting for, the thing that got us into this, like, the cyberpunk future is finally here. I think that is amazing. That means the amount of air gap between our lives every single day is shrinking a little bit more and more, and frankly I'm ready. Let's go, like plug me in, it's Matrix time. Unless of course you decide to try and live entirely offline, and you know at a certain point the transistors become so cheap you can put them in back... but regardless, we can kind of move on from this idea.

So technology, in my opinion, is awesome. In five years my self-driving car will have an internet connection, which means I can livestream myself from inside of my self-driving car, which means that people sitting around the world, bored and trying to monetize their commute, will livestream their Twitch stream or coding streams to other people sitting in traffic around the world, bored, just wanting to watch someone else. Which means we're going to have people sitting in traffic watching other people sitting in traffic around the world, because we haven't figured out how to, like, do real traffic yet, which is awesome, in my opinion. You'll end up having all kinds of entertaining rigs in self-driving vehicles to allow you to do this and be live from, you know, whatever parking lot you're currently on, whether it's I-5 or 420 or whatever it might be.

So, good and bad, because we've got some of the other things kind of coming up. Something I call the Internet of Me: I can't wait, actually I can wait a minute, until my heart has an IP address, because it's going to need firmware updates, and of course you need to, you know, have an app store to monetize the fact that we have IP-addressable organs. You want to make sure that we can get the developer community involved in third-party apps pushed here. There's a big health kick going on, which means you'll have your cardio trainer and you want to make sure that you can live-update to Twitter or Instagram or whatever the thing will be in a couple of years. And of course those applications will need to be patched, and they will have side effects inside of the systems that are inside of you. "Move fast and break things" for IP-addressable organs is not something I want. We need to figure this one out, get this one right.

That brings up this interesting concept, which is everybody bugs. Bugs happen to the best and the worst; there are bugs in some of the most robust systems in the world, and frankly it's because they're proof that you did something. The world moves forward one little mistake at a time, one more thing plugged into the Internet at a time. So how do we talk about this to the people that are the folks that make the decisions about these things? How do we make them understand, or help them understand, to take the snapshot in a better way, such that they care about security? Well, the fastest way to lose normal people is to start with details. The buffer can overflow, causing a corruption of the pointer, which in turn is referenced by the vtable to cause code to jump to a known location, or a little ASLR being compounded to the supporting DLL: this room knows what I'm talking about, maybe a third of you care. The password is "password": everyone in this room knows what I'm talking about, now you really care. User A can affect the details of user B: that's when you start to get people to care. What do you mean you can go into my virtual farm and steal my virtual sheep? I don't want that, I mean I really don't, like, I spent a lot of time on that virtual farm. And sometimes the details really, truly don't matter. There are certain things that get published, certain embedded systems, certain bugs, that no matter how much you talk about the details, the impact upon our daily lives is negligible, so starting there is a road to basically a dead end.

So how have we as an industry been getting things flowing? How have we been talking about this in a certain way that people can understand us? Well, we talk about impact. The user's bank account can be drained: one user cares. The company can no longer perform transactions: the entire company cares. The car performs a J-turn at 60 miles an hour remotely: you get a news cycle. The plane crashes: you get two news cycles, four if they can't find the plane. The pacemaker stops and kills somebody: two federal agencies and an n number of pacemaker users really care; everybody else goes, I don't have a pacemaker but that sounds terrible, what else is on the next channel. The power plant explodes: that's interesting that someone else did it, but when did the lights come back on? Because that's what I really care about, you know; it's nice you lost the power plant, but when can I turn my toaster back on? In an age of infinite scroll this problem's been exacerbated, because now there's infinite information and infinite other things to take a look at, to understand, to see impacts from.

Charlie Miller and Chris Valasek did some fantastic work hacking the Jeep two years ago, absolutely phenomenal work. This is a follow-up article by Alan Greenspan, the same person that did the initial press on it, doing a survey of the individuals that had heard about this, saying that only one in four Americans that had heard about the fact that a car could be hacked remembered it one year later. That is fantastic information to me: of all the people who heard that a 3,000-pound piece of steel throwing down the road at 60 miles an hour could suddenly be taken over, only about one fourth of those folks really went, oh yeah, that's probably bad. Great. So I mean it takes a second for that to kind of catch up; the impact only has a splash of a certain duration.

So I'd like to talk about a concept called ken. For those of you that are nautical individuals in Oregon, you may have heard of this word before. Ken's a very old word, it has Germanic roots, and the etymology of it is effectively the range of one's sight or one's knowledge. It's how far you can see, it's how far you understand something, and for your ken, how far or wide you're individually focused, and additionally, when you're talking about someone else, how far and wide or narrow they can see and what they can focus on. So here's a common picture that has multiple revealing layers depending on how you focus on it and where it's at. This is not ken. Ken is understanding that you can only see half of this picture: that your range of vision, your range of knowledge, the way you understand and see the world, whether it's from a details or an impact perspective, is only so wide, and that when you have someone else that you're talking to, whether it's your ken in the audience or someone else you're speaking about, it's the exact same thing: they can only see part of the picture. But with our ken together we can start to see a more full picture, which reveals multiple things, multiple layers, multiple different nuances between the two pieces combined.

So let's get a little more concrete. Example: their ken: I need to move 14,000 planes a day with 300 people in them each, or the global economy stops, full stop. My ken: planes can crash or move in ways that you don't intend if you wire them to the Internet. Their ken: customers really don't like to crash. My ken: fewer planes move if they crash. So how about our combined ken together is: let's make planes that are better and safer in the future. We've both learned something. If you look back at this, it's very often that someone will start with their own details: 14,000 planes, 300 people. My details: they might move in ways that you don't intend. The impact: crash, the thing that we care about. With our ken together we can get to a common ground, a common place of interface, as a result, and both be kind of left thinking for a second like, wait a second, I think we can figure out how to work together. Ken is always accepting that we is greater than I: that by having someone else that you interface and talk with about the range of your knowledge and the range of their knowledge, the two of you, or the multiple of you, together have an extended range over just one of you alone. Once you have an extended range of vision you can start talking about the impacts and then finally work out the details that really matter to the impacts.

So how do you know whether or not you're starting to have ken with another individual? Well, you test for echo. You have lost if all you are hearing is your own words coming back. If you say something to someone, the password policy needs to be updated so it's 14 characters long, has a special, an underscore, and whatever, and they're like, yes, absolutely, that sounds 100% correct, a password policy, 14 characters long, underscore and special characters and whatever, they have not understood. Or if what you're hearing back is something you already know, you haven't extended yourself. Shared ken is a shared exchange of knowledge and a shared range; in part it's actually shared vulnerability, because you're literally pointing out to someone: I'm trying to understand what you're saying, I need you to help me to see the place that I cannot see. When this doesn't occur you have a sustained echo between two organizations: you have the same information either being passed back and forth, or you have the same individuals saying the same things to each other, which is a fast construction of an echo chamber, and no one eventually learns anything. Actually, everyone synchronizes on the same message, agrees that the policy should be this and we will do that, but nobody really has a way of extending themselves. On a decade timeline, in any large community, this is a slow death, because you have no new influences to be able to start to understand the problem in the domain that you do have an effect on.

So don't take my word for it. Let's take a look at three times that we won. Our three big wins were firewalls, encryption and two-factor auth. These are all three examples of an extension of ken. I don't want to run Ethernet cable in my house. Well, how about a Wi-Fi network? What if it just happens to have an added firewall with it? Here's a firewall in your home, where you have something that makes your life a little bit better. Encryption: I can't make it to the store today, I want to work from home. Well, how about this tunnel? It happens to go over TLS and SSL, or it goes over an encrypted IPsec tunnel. Don't worry about those details; we have hundreds of smart people that sit in rooms on weekends to listen to people talk so we can make sure that that works. But how would you like to shop from home? Sounds good, right? Or how would you like to work from home? Two-factor authentication: the first mass adoption of two-factor authentication was in World of Warcraft, an MMORPG, because people didn't want to rewind the character they had spent 40 hours a week of their spare time putting together. So thank you, gamers.

So what does that mean? We've won the same way that everyone else has. We have won when we've made someone's life better, when we truly understood the thing that was impactful in their lives or their organization, where they were spending their time, and then said, hey, here's a better way to do it, it just happens to be secure, ignore that, and we'll just kind of sweep under the rug that we just Trojan-horsed security into your life. If you can shift the user behavior to something that's better and simpler and is something that you've been talking about trying to build as part of the future for a long time, they will immediately adopt it. It happens like wildfire. Look at this thing: better, faster, I can get a package to my house in 24 hours, I can do my online transactions here, no problem, I don't even have to go into the bank. The users will always want to do the thing. If you truly understand the user or the organization that wants to do the thing, then ken starts to follow up pretty fast.

So how do we keep up? We keep up with three different things: details, impact and ken. The details are very simple; it's what everyone in this room has been doing for a very long time. It requires a ridiculous amount of work to understand all the nitty-gritty pieces of the different systems, to understand where and how they're vulnerable. However, I will posit to you, I make this hypothesis, that there are only four security bugs in all systems that we have ever constructed. The first bug is data being interpreted as code. This is SQL injection, cross-site scripting, buffer overflows, and a significant number of memory corruption bugs fall into this category. Take some data, the system starts to interpret that data, it eventually interprets that as code, it jumps to a certain place; any place that the machine can take some data, parse it and potentially interpret it as code, there a security problem waits. We have spent a ridiculous amount of time here looking at this, and you can spend entire lifetimes mastering just this bug, and people have; they've spent entire careers on one of these bugs or on two of these bugs. And so as a result we've made some pretty good gains here. We have things like DEP and ASLR and stack cookies and static analyzers and dynamic analyzers and fuzzers; we've done some pretty good work here.

The second bug is that gamers are always going to game. My first bug is that data is being interpreted as code, and the second bug is that the logic of the program is not being executed as intended: you're taking a different flow through the program. We haven't made a lot of good progress here in automating these types of systems to be able to make logical checks for every condition. Additionally, there's also the metagame, which is pushing the clock back as close as you possibly can to 1995 by finding the weakest place in the graph. Attackers will always go after the weakest point, and the weakest point will be whatever in your infrastructure, programs, systems, whatever it is, that looks closest to 1995, unless the motivation versus reward scenario is incredibly high, saying, I want a bug in modern iOS 11 or I want a bug in Chrome, and there's a significant amount of money or motivation behind having that bug, either from an organizational perspective or a political perspective, it doesn't matter. Only in the cases where the reward scenario is that high will an attacker not go for the weakest point in time.

The next one is the secret isn't secret. Everyone has seen the password, or we all use the password "password one exclamation point", and this is secured by most modern policies that you'll see in many IT organizations and many websites that you go to. A more secure password, by a stronger policy of 16 characters, special, upper or lower case, is actually a SQL injection vector: "or 1=1" is absolutely a valid password by many modern policies. If we're not passing around word jumbles to each other, we're passing around bits that we may or may not be able to verify were entropically created on one machine, sending them to another machine to have them may or may not correctly entropically verify and use that for another operation. Many of our RNGs and other things still have a lot of work, and we're finding a lot of bugs, even as recent as the Infineon bug.

And the last one is the thing is in the wrong place, and this usually manifests itself in the following: what is this? Oh my god, this should not be here, how did this get here? Whether it's a system on the wrong side of the DMZ or a person on the wrong side of a physical security door, the thing being in the wrong place is often indefensible because it's outside of the area you were hoping to defend. If the system that you're trying to build looks like 1995, it's impossible to defend it, because it's not in 2017.

So to master impact you need to be able to start to see the system as a graph, a list sorted by time. This allows you to understand what matters in the system most and what you can cut out of the system immediately. At that point you can start to use the details to break that point in the system, and when the system will not break, you change the game by moving the clock. So let's talk a little bit about mastering the graph. When you start to see the system as a graph and you start to label points in this graph, whether this is an infrastructure graph or a binary graph, it doesn't matter; it's starting to understand where pieces of this are being constructed and what matters the most. You can start applying actions to then update it, to get more secure, to move more forward in time. When you understand what your organization cares about, or what you care about, you can start to actually spend time and resources in places that deter the most amount of attack, or the most time of an attacker, because the attacker of your systems, or someone in an offensive scenario, also has a limited amount of time and resources that they can throw at anything. Waste enough of their time, waste enough of their resources, make it such that what they're going after isn't valuable to them or your organization, and you start to have real impact on their ability to exploit them.

To master ken is to know yourself and the ideas and creations that you have put into the world, as well as the systems that you care about the most. It's asking to understand yourself and others and the impacts, to then use to connect yourself to other individuals and organizations faster, at that point using the details to demonstrate the issues in each of the systems. If you start with details you will always lose the individuals that you're trying to extend your ken with. The interesting thing about ken is it is a double-edged sword. In cooperation it allows you to extend your knowledge and extend your range and understanding. In conflict it allows you to immediately find where your opponent is blind, and where they're blind they cannot defend. So if you want the fastest way to go into a system, the fastest way to find a massive impact in a system, you understand the ken of where someone else is blind, and you target that; vulnerabilities immediately fall out, and it doesn't matter about the details at that point.

So I would ask you to start testing for echo, to step out of the echo chamber from time to time, to start going and talking to other individuals, either in your organization or at other conferences, other places, about some of the problems that they have, and just listen. Hear what they care about and understand why it's important to them, such that you can go forward and use that as some way to extend your own vision and knowledge and port it to different places. See how much you hear back when you start interacting with them, but most importantly see what you didn't have any idea of previously. That little bump in your range of knowledge and understanding is invaluable for reapplying that to other systems.

So how do we keep up? Security is a snapshot in time; time is ever moving forward. Well, we keep up by understanding the snapshot we need to take, understanding what the range of our ken is for the systems that we administer, or the systems that we look at, defend or attack, understanding what the impacts in that system are, so we know how to spend our time, and then finally using the details of the system to either break it or build a better tomorrow. Building a better tomorrow and asking them to help you adopt it is the fastest way to defend old systems, the fastest way to deprecate things. Make a new user path, make a simpler user path, make a more secure user path, and it will be adopted. Very simply: do you want to keep fighting and pulling yourself away from 1995, or start building the future? If you use ken correctly, if you talk to individuals in your organization correctly and you say, I want to build the future and I want to make it awesome, there's very little friction to that most of the time.

So, takeaways. Security is a snapshot in time: the second you deploy a system it immediately starts to erode, it starts to move backwards on you towards 1995. That snapshot is part ken, impact and details. Building a better tomorrow can create a more secure tomorrow if we point towards that and if we extend our ken into someone else's understanding, but it requires us to understand where we're blind and to understand other people in the organizations and ourselves. I hope this talk has extended yours. All right, thank you. [Applause]
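The talk's third bug class, the secret isn't secret, is illustrated with a point that also belongs to the first class, data interpreted as code: a password that satisfies a 16-character complexity policy can itself be a SQL injection string, and the policy has no way to tell. The Python below is an added example written for this page; it is not code from the talk or from Deja vu Security. It builds a constructed in-memory SQLite user table (the user, the stored password and the policy rules are all made up for the demonstration), checks a sample password against the policy, then runs the same login once with the password concatenated into the query text (where the password becomes code) and once with a bound parameter (where it stays data).

```python
import re
import sqlite3

# Password-complexity policy of the kind described in the talk (constructed
# for this example): 16+ characters, upper case, lower case, a special char.
POLICY_RULES = [
    (re.compile(r".{16,}"), "at least 16 characters"),
    (re.compile(r"[A-Z]"), "an upper-case letter"),
    (re.compile(r"[a-z]"), "a lower-case letter"),
    (re.compile(r"[^A-Za-z0-9]"), "a special character"),
]

# Constructed sample password: policy-compliant (18 chars, 'A', 'a', quotes)
# and also the classic "or 1=1" injection string from the talk.
INJECTION_PASSWORD = "Aa' OR '1'='1' -- "


def policy_accepts(password):
    """True when every complexity rule matches; says nothing about safety."""
    return all(rule.search(password) for rule, _ in POLICY_RULES)


def make_db():
    """Constructed toy user table; a real system stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'Correct-Horse-Battery-1')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Bug #1, data interpreted as code: the password is spliced into SQL text.

    With INJECTION_PASSWORD the WHERE clause becomes
        name = 'alice' AND password = 'Aa' OR '1'='1' -- '
    and because OR binds looser than AND, the row matches whatever the
    stored password is. The policy check passed this string happily.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Hardened form: bound parameters keep the password as data, never code."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def audit(conn, name, password):
    """Side-by-side outcome for one candidate password, as a dict."""
    return {
        "policy_ok": policy_accepts(password),
        "vulnerable_login": login_vulnerable(conn, name, password),
        "parameterized_login": login_parameterized(conn, name, password),
    }


if __name__ == "__main__":
    db = make_db()
    for pw in ("password1!", INJECTION_PASSWORD, "Correct-Horse-Battery-1"):
        print(repr(pw), audit(db, "alice", pw))
```

Running the demo shows the two checks disagreeing on the injection string: the policy accepts it and the concatenated query logs in as alice, while the parameterized query rejects it. The policy is a detail-level control against one bug class (a guessable secret); it does nothing against a different class (data as code), which is why the fix lives in the query, not in the password rules.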
