
On May 15–16, a regular meeting of the secure development community Positive Development User Group (PDUG) was held at the PHDays cybersecurity forum. The two-day program included 11 talks of varying technical depth and a round table on static analysis.
Below are the materials from the meeting: slides and video recordings of the talks.
All slide decks, separately from the videos, are available on the community's Speakerdeck channel.
First day
Opening Address by Vladimir Kochetkov, Positive Technologies
Is it possible to generalize the source code analyzer?
Ivan Kochurkin, Positive Technologies
The talk surveys the types of code analyzers by what they take as input: regular expressions, tokens, parse trees, data-flow graphs, and symbolic-execution instructions. The speaker describes the problems that arise when each type of analyzer is generalized to different programming languages and proposes solutions. He also shows which vulnerabilities and defects each approach can find (for example, goto fail), describes the capabilities of the open source analyzer PT.PM, how it can be used, and its development prospects.
Secure development myths and legends
Yuri Shabalin, Swordfish Security
The speaker covers the main myths and stereotypes that surround secure development and the most common mistakes made when planning and launching it.
Starting from these myths, legends and mistakes, he explains how to approach building the process, what needs to be taken into account, how to assess your own capabilities realistically, and how to launch secure development correctly. The examples of mistakes and ways to overcome them cover organizational measures, technical tooling (without naming vendors), interaction between development and information security, awareness programs, management of the process as a whole, and performance metrics.
Integer Security in C++
Igor Sobinov, security expert
The talk is devoted to protecting C++ applications against attacks that exploit integer overflow. It covers typical situations in which vulnerabilities of this class arise, the possible consequences of their exploitation, and methods of protection.
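As an added illustration of the overflow patterns this talk is about (example code written for this summary, not the speaker's material), the C++ below puts the two most common unsigned wrap-around bugs next to hardened forms: an allocation size computed as count times element size, and a bounds check written as offset plus length. Function names, the sample buffer sizes and the test values are our own; a 32-bit `uint32_t` addition check is included to show the same idea for a fixed-width field.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Vulnerable: an attacker-controlled count multiplied by the element size can
// wrap around size_t, so the buffer allocated is far smaller than the number
// of elements the rest of the code will write into it.
std::size_t unchecked_alloc_size(std::size_t count, std::size_t elem_size) {
    return count * elem_size;  // wraps silently on overflow
}

// Hardened: reject the request when count * elem_size cannot fit in size_t.
// Dividing first cannot overflow, so the comparison is exact.
std::optional<std::size_t> checked_alloc_size(std::size_t count, std::size_t elem_size) {
    constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();
    if (elem_size != 0 && count > kMax / elem_size) return std::nullopt;
    return count * elem_size;
}

// Vulnerable bounds check: offset + len can wrap to a small value, so the
// test passes although [offset, offset + len) lies entirely outside the buffer.
bool unchecked_range_ok(std::size_t buf_size, std::size_t offset, std::size_t len) {
    return offset + len <= buf_size;
}

// Hardened: rearranged so that no intermediate result can overflow.
bool checked_range_ok(std::size_t buf_size, std::size_t offset, std::size_t len) {
    return len <= buf_size && offset <= buf_size - len;
}

// Same pattern for a fixed-width field (e.g. a 32-bit length from a packet
// header plus a fixed header size): check before adding, never after.
std::optional<std::uint32_t> checked_add_u32(std::uint32_t a, std::uint32_t b) {
    if (a > std::numeric_limits<std::uint32_t>::max() - b) return std::nullopt;
    return a + b;
}

int main() {
    // Constructed hostile input: count chosen so that count * 8 wraps to 0.
    const std::size_t huge = std::numeric_limits<std::size_t>::max() / 4 + 1;
    std::printf("unchecked alloc size: %zu bytes (wrapped)\n", unchecked_alloc_size(huge, 8));
    std::printf("checked alloc size:   %s\n", checked_alloc_size(huge, 8) ? "ok" : "rejected");

    // Constructed hostile input: len chosen so that offset + len wraps to 0.
    const std::size_t buf = 1024, off = 1000;
    const std::size_t len = std::numeric_limits<std::size_t>::max() - 999;
    std::printf("unchecked range: %s\n", unchecked_range_ok(buf, off, len) ? "accepted" : "rejected");
    std::printf("checked range:   %s\n", checked_range_ok(buf, off, len) ? "accepted" : "rejected");
    return 0;
}
```

On GCC and Clang the same checks can be written with `__builtin_mul_overflow` and `__builtin_add_overflow`, which also cover signed types, where wrap-around is undefined behaviour rather than merely surprising and the compiler may delete a check written after the arithmetic.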
Detection of vulnerabilities in theory and practice, or Why there is no perfect static analyzer
Yaroslav Alexandrov, Alexander Chernov and Ekaterina Troshina, Solar Security
The talk discusses the basic principles of a static code analyzer and gives a comparative overview of the methods and algorithms underlying modern static analyzers. Using concrete examples, it shows how a static analyzer searches for vulnerabilities and answers the question of why there is no ideal static analyzer that is fast, produces no false positives, and misses no vulnerabilities. The authors explain how to embed a static analyzer into the development process so that it is efficient in terms of resources and produces high-quality results.
Perfect static analysis
Vladimir Kochetkov, Positive Technologies
An ideal static analyzer as a tool does not exist. But can static analysis be ideal as a process? How should the roles in it be divided between a human and the SAST toolkit? What should the tools look like to make the human's part of the static-analysis task as easy as possible?
Round table "SAST and its place in the SDLC"
Moderator: Vladimir Kochetkov, Positive Technologies
Participants: Positive Technologies, SolidLab, Mail.ru, Solar Security, PVS-Studio, ISP RAS
Second day
LibProtection: 6 months later
Vladimir Kochetkov, Positive Technologies
The speaker presents the results of the library's public testing, examines in detail the bypasses that were found and how they were eliminated, and presents plans for the library's development during the current year.
Security Basics of Blockchain Consensus Algorithms
Evangelos Deirmentzoglou, Positive Technologies
Consensus algorithms are an integral part of any blockchain platform. The talk covers how the Proof of Work, Proof of Stake, Delegated Proof of Stake and Proof of Authority consensus algorithms work. While analyzing the differences between these algorithms, it considers the most common attacks against systems built on them, such as double-spending, the 51% attack, the bribe attack, the Sybil attack, the Nothing-at-Stake attack and others.
The talk was recorded in both English and Russian.
Predicting random numbers in Ethereum smart contracts
Arseny Reutov, Positive Technologies
Smart contracts are used not only for initial coin offerings. Various lotteries, casinos and card games written in Solidity are available to anyone who uses the Ethereum blockchain. The blockchain's self-contained nature limits the entropy sources available to random number generators (RNGs), and there is no common library with which developers could build secure ones.
For this reason, implementing your own RNG can create many problems: it is not always possible to make it secure, which lets attackers predict the outcome and steal funds. The talk presents an analysis of blockchain-based smart contracts for the gambling industry. The speaker demonstrates real examples of incorrectly implemented RNGs and explains how to identify problems in an RNG and build your own secure generator within the blockchain's constraints.
Pitfalls of parameterization and object approach
Vladimir Kochetkov, Positive Technologies
Does using parameterization tools and moving to an object model always solve the application security problem effectively? What risks do these approaches entail? Can they themselves introduce vulnerabilities into project code? The speaker answers these questions with concrete examples and real-life cases.
Method Hooking in Android
Alexander Guzenko, Tinkoff
The speaker explains what method hooking and an injector are and how, knowing these two concepts, to apply them on Android and make someone else's application do what you need.
How to build a fast WAF: building a high-performance network traffic analysis system
Mikhail Badin, Wallarm
The talk covers the stages of packet processing in a WAF, extracting the necessary information from a request, optimizing tokenization, filtering based on regular expressions, and implementing behavioral analysis as part of traffic post-processing.
We thank our speakers and participants for a productive meeting!
If you have questions for the organizers or speakers, or would like to give a talk at the next PDUG meetup, write to pdug@ptsecurity.com.