Repelling the Wily Insider

Presented at DEF CON 18 (2010), Aug. 1, 2010, noon (50 minutes).

Working with more than 50 malicious backdoors written over the last 10 years, we show how insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. These holes are often put in place for seemingly good reasons: to facilitate easy debugging, to make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. However, we'll consider what happens when insiders aren't so pure of heart, including logic bombs and backdoors that allow them to embezzle funds, steal private information, or exact revenge if they become disgruntled. Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss obvious techniques defenders should employ, outline obvious techniques attackers will apply, and examine the theoretical limits of the problem. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with the head-to-head results of a face-off between modern static analysis and the best backdoors we've come across.

Presenters:

  • Matias Madou - Security Researcher, Fortify Software
    Matias Madou is a security researcher at Fortify's Security Research Group, which is responsible for building security knowledge into Fortify's products. His work focuses on developing new techniques to detect vulnerabilities. Matias holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application. During his Ph.D., he collaborated with top research and industry players in the field of program obfuscation.
  • Jacob West - Security Researcher, Fortify Software
    Jacob West is Director of Security Research at Fortify Software, where his team is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob contributed to the development of MOPS, a static analysis tool used to discover security vulnerabilities in C programs. In 2007, he co-authored a book with colleague Brian Chess titled "Secure Programming with Static Analysis." When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.
