Post on 12-Jul-2015
Monitoring repositories for FUN and PROFIT
@snyff [_]
About me
● Security consultant (C.T.O.) working for Securus Global in Melbourne
● PentesterLab (.com): ○ cool/awesome (web) *free* training/exercises ○ real life scenario
Disclaimer
● No code is going to be released today
● No repositories were harmed duringthe preparation of this talk
● I worked on Web and Open Source projects● I worked on commits without using the entire
project's source code
Why work on commits?
● Corporate development:○ Cannot review all projects anymore○ Nice to have a “what to check today” ○ Sort commits by criticality○ Detect backdoors
● Agile development:○ The code changes every day○ Can’t rely on one time code review anymore○ Current approach: daily scan
Why work on commits?
● You have vulnerabilities:○ Detect patches affecting your bugs○ Detect changes to sensitive functions
Why work on commits?
● You want vulnerabilities ($$):○ Detect new features with dangerous functions○ Detect changes to sensitive functions
Why work on commits?
● You want bugs (lulz):○ Get bugs few hours before the patch is available○ Get a list of bad practices examples○ Detect silent patching
What's a repository?
● Developers
● Files
● Commits
● And all of these are constantly moving...
Developers
● Main developer(s):○ Add features○ Fix bugs
● Cosmetic committer(s):○ Change comments (fix typo)○ Change designs of the website○ Change indentation○ Add documentation
● External people○ Do a bit of everything
Files
● README/LICENSE files
● Templates, HTML, CSS
● Images
● Code:○ Libraries○ Installation code○ "normal" code
Commits
● Developer's name
● Code changes:○ Changes: diff○ Files changed○ Number of deletion/addition
● Date/Time of the commit
● Message
Examples of projects monitored
Stats (on the last 5000 commits)
● Commits per week:○ anywhere between 20 and 180 (phpmyadmin) per
week○ 40 commits per week seems to be the average for
"normal/interesting" projects
● Authors:○ between 1 and 140
● Average commit: 200 lines (insertions+deletions)
Goals...
Goals: counterexample
Goals: example
Goals: example
Goals: example
Filtering...
Filtering files
● General approach:○ images○ css○ README
● Framework based:○ tests (interesting to keep for some projects)○ database migration/creation script
● Project based files○ deployment○ installation files
Filtering developers
● For a given project find the "cosmetic developers"
● Don't get me wrong they are not useless, they just do things i don't care about
Results
● Around 5-10% of commits have nothing to do with code...
● You can divide the size of most other commits by 2-3 if you ignore noise (files/comments/...):○ new code with test cases○ modification in comments○ ...
Classification
Data mining
● Take your samples (commits)○ Extract a vector from each sample○ Classify each sample
● From a training set, learn to classify the data
● Apply what you learned:○ to the same training set after splitting it (cross-
validation) ○ to new samples
Data mining
● training set: [1,2,3,0,10,220 ] -> bugfix [2,4,3,0,1,0 ] -> boring [2,5,3,3,1,1 ] -> boring [20,1,0,100,0,10 ] -> new bug
● testing:[23,0,1,90,0,15 ] -> ???
Extracting a vector
● You can't really say a commit is close to another commit
● You need to generate a vector from each commit to compare them
● Once you have done that, everything else is just magic^W Maths
Extracting a vector: getting data
● Number of lines changed:○ insertion vs deletion
● Number of words changed (--word-diff):○ insertion vs deletion
● Authors:○ rating of authors based on the project's history
■ "fixing" score■ "vulnerability creator" score
○ new developers○ known security researchers
Extracting a vector: getting data
● Number of "dangerous" functions:○ insertion○ deletion
● Number of "filtering" functions:○ insertion○ deletion
● commit date vs author date
● Keywords in the message and in the code
Extracting a vector: getting data
● Files modified:○ already implicated in a bug fix○ already implicated in a vulnerability
Filtering vs Dangerous
● Good list of "dangerous" signatures from graudit:○ https://github.com/wireghoul/graudit/
● Weighting is *really* important:○ echo -> potential XSS -> 1 point○ system -> potential commands execution -> 10
points
● Some functions are in both:○ crypto functions for example○ crypto can be dangerous and but can filter as well
Filtering vs Dangerous
system htmlentities
exec
echo
create_function
preg_replacepreg_replace
intvalbasename
File.basename
open3 popenescape
echo attr_accessible
attr_protectedattr_protected
assert
eval
send
Keywords
SQL injection
Command execTypo
Cross Site Scripting
CVE
Dangerous
CSS rules
CSS selector
Directory traversal
Code executionvulnerability
XSS
Version number
Changelogdescription
Documentation
punctuation
Security
RiskyCSRF
disclosure
Classification
● Fixed bugs:○ learn from dangerous keywords
● New bugs:○ git blame○ read the source code and classify manually
● Potentially interesting new feature:○ read the source code○ can be a new bug
Results
● Vector computation:○ between 15 and 120 minutes for 5000 commits
● Classification:○ less than a minute
● Scoring:○ 90% success rate on bug fix (without using the
message as part of the vector)○ 50/50 between FP and FN on bug fix○ 200 commits down to 5-10 bugs per day
My tool: SANZARU
● Japanese names for tools make you a Ninja ;)
● Ruby based (what else...)
● Data Mining done with Weka (thx Silvio)
SANZARU: virtuous circle
● Made in a way that the more you learn on a project the more effective it gets :)
● Score authors through learning
● Score files through learning
● add functions used by the project
SANZARU: "learning mode"
● take the last 5k commits and give you the list of impacted files and authors with a weight
● still working on finding the initial bug's author but it doesn't really give you more information
SANZARU: configuration fileconfigure({ :path => "/home/snyff/code/rails", :type => :git, :remote => "origin/master", :origin => "https://github.com/rails/rails", :languages => [ :ruby ] })
filter({ :extensions => [ :html, :css, :jpg, :png, :md, :tpl ], :files => ["LICENSE", "*test*"] })
alert({ :keywords => [keywords_default]... })
SANZARU: configuration fileclassify(:authors => { :default => 0,"rafaelmfranca@gmail.com"=>19,"guilleiguaran@gmail.com"=>15,"fxn@hashref.com"=>8, "lrodriguezsanc@gmail.com"=>11,"vijaydev.cse@gmail.com"=>25, .... },
:files => { :default => 0,"activemodel/lib/active_model/mass_assignment_security.rb"=>20, "railties/lib/rails/application.rb"=>17, "actionpack/lib/action_view/helpers/form_helper.rb"=>17, "activerecord/lib/active_record/core.rb"=>17, ...})
SANZARU: "classification mode"
● Using ruby to create all the vectors
● Using weka to classify the data
● Then manual review of the results:○ New features to find security bugs ○ FP for possible silent patching
SANZARU: "daily mode"
● Cron job (every day)○ update all repositories (hasn't been blacklisted by
github...yet), ruby-git is *shit*○ find alerts in new commits○ classify new commits○ give me a nice report with what to read
SANZARU: example of output
Example found this week (not exploitable... yet):
esc_js escapes ' and "... this doesn't
Example found this week:
Example found this morning:
General observations
● Most fixes are:○ small code insertion (less than 10 lines)○ basic line substitution○ easy to detect
● Most new bugs are:○ details...○ really hard to detect statistically○ general approach: read all potentially interesting
commits○ working on important projects make the creation of
bugs far less likely○ it's not going to rain 0dayz...
Possible improvements
● Integrating syntactic analysis:○ regular expression are just not enough○ False alerts are time consuming...
● Retrieve information from external sources:○ bug report○ CVE
● Support for more languages/platforms:○ Objective C libraries and applications?○ Linux kernel?○ ...
Conclusion
● Easy to detect:○ (Silent) Security Fixes○ New features with "interesting" functions
● Not so easy to detect○ New security bugs
● Still worth the time○ if you want bugs○ if you are doing code review to have examples to
learn from or share: vulnerability patterns○ most frustrating thing you can do?
Questions?@snyff
● Have a great Ruxcon● Play the CTF and Lock Picking● Remember to checkout:
○ PentesterLab.com○ @PentesterLab
● Thx to everyone who helped me putting this talk together