I'm stealing API keys from your site - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

I have a dump of your prod DB - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

Using external libraries and application security

A "better safe than sorry" story inspired by a great medium post

whoami

Jacek Królikowski

@nietaki

Let's talk security

What's a vulnerability?

https://en.wikipedia.org/wiki/Vulnerability_(computing)

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

What vulnerabilities we look for

Cross-Site Request Forgery
SQL injection
Denial of Service
infrastructure access control
...just bugs in code

Let's talk about libraries

Adopting a library

What did you do, David?!

The Github code looked clean
The hex package contained extra code with an exploit
David didn't check his deps/
The exploit didn't activate outside of prod
The exploit gave the attacker control over the app

Isn't that easy to detect?

No extra exported functions
No performance penalty
Nothing in the logs
No extra named processes / supervision trees
Doesn't happen in dev/test
Doesn't happen during your working hours (!)

Why I think this is important

(trust, but verify)

Are we screwed?!

not necessarily...

Where is the problem?

What can we do?

Stop using external libraries 👎👎👎
Regularly read all our dependencies 👎👎
Get dependencies directly from git 👎
Force hex.pm to do the verification for us 👎
"Impound" all your dependencies 😐
Static analysis of dependencies 😶
Something else? 🤔

$$ \stackrel{?}{=} $$

Introducing...

What does Hoplon do?

Reads project's dependencies (mix.lock, mix.exs)

For each dependency:

Queries hex.pm to see where the code lives
Clones the repository with the code
Finds the relevant commit (tags, heuristics)
diffs deps/<dependency> with the repo contents
parses and validates the diffs

Hoplon tasks

```
$ mix hoplon.check
```
```
$ mix hoplon.diff <dependency>
```

$ mix hoplon.absolve <dependency> <comment>

Let's see it in action

David's project: nietaki/suffixer
library with a hidden exploit: nietaki/evil_left_pad
exploit's payload on gist
Agenda
- deploy to heroku
- ```
mix hoplon.check
```
- investigate corrupt libraries
- add hoplon it to CI

What's the catch?

No Windows support
Brand new project - might be fragile
outstanding features
- umbrella projects support
- locking down github urls
- recognising "hidden" branches
- ...
...but we already use it

Thank you!

Bonus ⬇

Bonus: anatomy of the exploit

Spawning evil in a separate process
- making sure there's only one
Checking if there's anyone looking
Fetching and compiling payload
- Only do it on new payloads
All potentially failing code wrapped in a try..rescue for stealth

I'm stealing API keys from your site - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

I have a dump of your prod DB - here's how

Clickbait, fear-mongering and plagiarism with some very practical take-aways

Using external libraries and application security

A "better safe than sorry" story inspired by a great medium post

whoami

Jacek Królikowski

@nietaki

Let's talk security

What's a vulnerability?

What vulnerabilities we look for

Let's talk about libraries

Adopting a library

What did you do, David?!

Isn't that easy to detect?

Why I think this is important

Are we screwed?!

not necessarily...

Where is the problem?

What can we do?

$$ \stackrel{?}{=} $$

Introducing...

What does Hoplon do?

Hoplon tasks

Let's see it in action

What's the catch?

Thank you!

Bonus: anatomy of the exploit

Links