03/04/2021 1
Secure Coding in Perl
Silicon Valley Perl
March 4, 2021 monthly meeting
presented by Ian Kluft
San Jose, California

Why secure coding matters
● Any software or hardware can be under attack today
● True for any and all coding - this presentation applies to Perl
● Vulnerabilities in code often result from carelessness
● We can prevent vulnerabilities by making ourselves aware of
  ● what to avoid in new code
  ● what to look for in existing code
● There is a lot of Perl code on servers all over the Internet
● This presentation gives an overview of the available Perl security resources

PERLSEC in the Perl Documentation
● every Perl installation comes with the “perlsec” doc page
  ● you can read it with the command “perldoc perlsec”
  ● on Unix/Linux/BSD systems, “man perlsec” reads it as a manual page
  ● on CPAN: https://metacpan.org/pod/distribution/perl/pod/perlsec.pod
● It’s a good place to start but not the only resource you’ll need
● If you haven’t read it before (or lately), it’s worth a review
● Upcoming slides have an overview of PERLSEC

PERLSEC: Vulnerability Reporting
● What if you find a security vulnerability in Perl?
  ● reporting contact address: mailto:perl-security@perl.org
  ● the perlsecpolicy doc page says what is considered a security issue:
    https://metacpan.org/pod/distribution/perl/pod/perlsecpolicy.pod
● The Perl security team’s scope covers
  ● the Perl interpreter
  ● Perl modules shipped with the interpreter and from the core repository
  ● CLI tools shipped with the interpreter and from the core repository

PERLSECPOLICY: Not a Perl core security issue
● Feeding untrusted code to the interpreter
● Stack overflows due to excessive recursion
● Out of memory errors
● Escape from a Safe compartment
● Use of the p and P pack templates
● Stack not reference-counted issues
● Thawing attacker-supplied data with Storable
● Using attacker-supplied SDBM_File databases
● Badly encoded UTF-8 flagged scalars
● Issues that exist only in blead, or in a release candidate
● CPAN modules or other Perl project resources
● Emulated POSIX behaviors on Windows systems
Contact the appropriate authors for non-core modules or other software!

PERLSECPOLICY: Special cases
● Special cases are described in the perlsecpolicy doc page for...
  ● Regular expressions
  ● DB_File, ODBM_File, or GDBM_File databases
  ● Algorithmic complexity attacks

PERLSECPOLICY: Vulnerability remediation
When reporting a vulnerability, see perlsecpolicy to review the details of the process:
● Initial contact
● Initial triage
● Issue ID assignment
● Development of patches
● CVE ID assignment
● Pre-release notifications
● Pre-release testing
● Release of fixes and announcements
● Zero-day security issues (vulnerabilities under active attack)
● Credits in vulnerability announcements

PERLSEC: Security mechanisms and concerns
taint mode
● detecting tainted data
● switches on the #! line
● in taint mode, @INC ignores environment variables
securing $PATH
● also remove IFS, CDPATH, ENV and BASH_ENV
protecting programs with licensing terms (serves only as a foundation)
Unicode issues - from the perlunicode doc page, "Security Implications of Unicode"
● malformed UTF-8
● regex surprises with Unicode
● "Unicode Security Considerations" https://www.unicode.org/reports/tr36
● "Unicode Security FAQ" http://www.unicode.org/faq/security.html

PERLSEC: Algorithmic complexity attacks
● Hash algorithm
  ● Perl 5.18 (2013) and above are considered hardened against hash collision attacks
  ● Perl does not guarantee any ordering of hash keys
  ● hash key ordering sometimes changes between releases
● Regular expressions
  ● the regex engine is not resistant to denial of service (DoS) attacks
  ● don’t feed unsanitized strings to the regex compiler
● Sorting
  ● Perl 5.8 (2002) switched from quicksort to mergesort to prevent DoS attacks

PERLSEC: Pros and cons of using sudo
Any setting of user or group ID is a place to direct extra security attention!
Benefits of sudo
● sanitizes the execution environment
● avoids the shebang race condition
● more convenient than set-id scripts
Drawbacks of sudo
● sudo sets the real uid/gid
  ● Perl can’t detect that it was run by sudo
  ● won’t automatically turn on taint mode
  ● use the -T option to control taint mode in scripts launched by sudo
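The taint-mode points from the "Security mechanisms" and sudo slides, as an added example that is not from the slides: a -T script that secures $PATH, drops the shell-read variables, untaints an argument by explicit regex capture, and lets Perl's taint check refuse the raw value. The untaint pattern and the /usr/bin/wc call are illustrative assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the slides). Run it as ./taint_demo.pl FILENAME or
# "perl -T taint_demo.pl FILENAME": perl refuses to start if -T appears on the
# #! line but the interpreter was started without it.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: set $PATH explicitly and remove the variables a shell would read.
# Taint mode refuses system() while $ENV{PATH} is tainted, and sudo does not
# do this in a way Perl can detect.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing a match against an explicit allowlist: only the
# captured substring loses its taint, so the pattern is the whole policy.
# This illustrative pattern accepts a plain file name in the current
# directory and rejects '/', a leading '.' and a leading '-'.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z} ? $1 : undef;
}

# Run wc with the list form of system(): no shell is involved, and taint
# mode dies with "Insecure dependency" if any argument is still tainted.
# Returns 1 on success, 0 if wc failed, or perl's error text if perl
# refused to run the command at all.
sub count_lines {
    my ($file) = @_;
    my $ok = eval { system('/usr/bin/wc', '-l', '--', $file) == 0 };
    if ($@) {
        my $msg = $@;
        chomp $msg;
        return $msg;
    }
    return $ok ? 1 : 0;
}

# Command-line arguments are tainted under -T, as is anything read from
# files, the environment, or the network.
my $arg = shift @ARGV;
defined $arg or die "usage: $0 FILENAME\n";
printf "argument '%s' tainted: %s\n", $arg, tainted($arg) ? 'yes' : 'no';

# Passing the raw argument is refused by perl itself, before wc ever runs.
print "with tainted value: ", count_lines($arg), "\n";

my $name = untaint_filename($arg);
defined $name or die "refusing file name '$arg'\n";
printf "untainted copy tainted: %s\n", tainted($name) ? 'yes' : 'no';
print "with untainted value: ", count_lines($name), "\n";
```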

Static analysis tools for Perl
● Perl::Critic https://metacpan.org/pod/Perl::Critic
● PerlTidy https://metacpan.org/pod/perltidy
● Padre IDE http://padre.perlide.org/
Do you have others to suggest?

SEI CERT Perl Coding Standard
● A project of the Carnegie Mellon University (CMU) Software Engineering Institute (SEI)
● SEI hosts Secure Coding standards for C, C++, Perl, Oracle and Android
● Each standard is a community-based group effort
● The Perl standard was last updated in 2018
  ● The Perl community should take this as a hint that it needs more volunteers
https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard

SEI CERT Perl Coding Standard (cont’d)
● The standard is organized into rules (mandatory) and recommendations
● 8 subject areas
  ● Input Validation and Data Sanitization (IDS)
  ● Declarations and Initialization (DCL)
  ● Expressions (EXP)
  ● Integers (INT)
  ● Strings (STR)
  ● Object-Oriented Programming (OOP)
  ● File Input and Output (FIO)
  ● Miscellaneous (MSC)

Input Validation and Data Sanitization (IDS)
Rules
● IDS30-PL. Exclude user input from format strings
● IDS31-PL. Do not use the two-argument form of open()
● IDS32-PL. Validate any integer that is used as an array index
● IDS33-PL. Sanitize untrusted data passed across a trust boundary
● IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
● IDS35-PL. Do not invoke the eval form with a string argument
Recommendations
● IDS00-PL. Canonicalize path names before validating them
● IDS01-PL. Use taint mode while being aware of its limitations
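The IDS rules above and the "don't feed unsanitized strings to the regex compiler" point from the algorithmic-complexity slide, as an added example that is not code from the slides or from the SEI CERT standard: the safe form for IDS30-PL, IDS31-PL, IDS32-PL, IDS34-PL and IDS35-PL, each beside the unsafe form it replaces (shown only in comments). Function names and the %dispatch actions are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the slides or the SEI CERT standard).
use strict;
use warnings;

# IDS30-PL: untrusted text goes in as a data argument, never as the format.
# unsafe: printf($untrusted)   -- '%' sequences in the input are interpreted
sub log_line {
    my ($untrusted) = @_;
    return sprintf("%s\n", $untrusted);
}

# IDS31-PL: the three-argument open fixes the mode. With the two-argument
# form, open(my $fh, $name), leading '>' or '|' characters inside $name
# decide whether the file is read, truncated, or run as a command.
sub read_report {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "cannot open $name: $!\n";
    local $/;               # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

# IDS32-PL: validate an index before using it. In Perl a negative index
# silently counts back from the end of the array, and a non-numeric string
# is quietly treated as 0.
sub element_at {
    my ($aref, $index) = @_;
    return undef unless defined $index && $index =~ /\A[0-9]+\z/;
    return undef if $index > $#{$aref};
    return $aref->[$index];
}

# IDS34-PL: the list form of system() passes arguments straight to the
# program; no shell runs, so metacharacters in $file are just bytes.
# unsafe: system("wc -l $file")
sub count_lines {
    my ($file) = @_;
    return system('/usr/bin/wc', '-l', '--', $file) == 0 ? 1 : 0;
}

# IDS35-PL: a string eval compiles attacker-influenced text as Perl code.
# A dispatch table makes the callable actions an explicit, closed set.
# unsafe: eval "do_$action()"
my %dispatch = (
    status  => sub { return 'ok' },
    version => sub { return '1.0' },
);
sub run_action {
    my ($action) = @_;
    return undef unless defined $action;
    my $code = $dispatch{$action} or return undef;   # unknown action: reject
    return $code->();
}

# perlsec, algorithmic complexity: a user-supplied search string is matched
# as a literal with \Q...\E (quotemeta) instead of being compiled as a
# pattern, so it can neither change the regex's meaning nor supply a
# pathologically backtracking pattern of its own.
# unsafe: $haystack =~ /$needle/
sub contains_literal {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/ ? 1 : 0;
}

# Self-check on constructed inputs when run directly.
unless (caller) {
    my @items = qw(a b c);
    print "index 2: ", element_at(\@items, 2), "\n";                    # c
    print "index -1: ", element_at(\@items, -1) // 'rejected', "\n";    # rejected
    print "index 3: ", element_at(\@items, 3) // 'rejected', "\n";      # rejected
    print "action status: ", run_action('status'), "\n";                # ok
    print "action unknown: ", run_action('unlink') // 'rejected', "\n"; # rejected
    print "literal '(a' found: ", contains_literal('x(a)y', '(a'), "\n"; # 1
    print log_line('100% done');                                        # 100% done
}
```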

Declarations and Initialization (DCL)
Rules
● DCL30-PL. Do not import deprecated modules
● DCL31-PL. Do not overload reserved keywords or subroutines
● DCL33-PL. Declare identifiers before using them
Recommendations
● DCL00-PL. Do not use subroutine prototypes
● DCL01-PL. Do not reuse variable names in subscopes
● DCL02-PL. Any modified punctuation variable should be declared local
● DCL03-PL. Do not read a foreach iterator variable after the loop has completed
● DCL04-PL. Always initialize local variables
● DCL05-PL. Prohibit Perl4 package names

Expressions (EXP) Rules
● EXP30-PL. Do not use deprecated or obsolete functions or modules
● EXP31-PL. Do not suppress or ignore exceptions
● EXP32-PL. Do not ignore function return values
● EXP33-PL. Do not invoke a function in a context for which it is not defined
● EXP34-PL. Do not modify $_ in list or sorting functions
● EXP35-PL. Use the correct operator type for comparing values
● EXP37-PL. Do not use the one-argument form of select()

Expressions (EXP) Recommendations
● EXP00-PL. Do not return undef
● EXP01-PL. Do not depend on the return value of functions that lack a return statement
● EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
● EXP04-PL. Do not mix the early-precedence logical operators with late-precedence logical operators
● EXP06-PL. Do not use an array in an implicit scalar context

Integers (INT)
Rules:
● none
Recommendations:
● INT00-PL. Do not prepend leading zeroes to integer literals
● INT01-PL. Use small integers when precise computation is required

Strings (STR)
Rules:
● STR30-PL. Capture variables should be read only immediately after a successful regex match
● STR31-PL. Do not pass string literals to functions expecting regexes
Recommendations:
● none

Object-Oriented Programming (OOP)
Rules:
● OOP31-PL. Do not access private variables or subroutines in other packages
● OOP32-PL. Prohibit indirect object call syntax
Recommendations:
● OOP00-PL. Do not signify inheritance at runtime

File Input and Output (FIO)
Rules:
● FIO30-PL. Use compatible character encodings when performing network or file I/O
Recommendations:
● FIO00-PL. Do not use bareword file handles
● FIO01-PL. Do not operate on files that can be modified by untrusted users

Miscellaneous (MSC)
Rules:
● MSC30-PL. Do not use comma to separate statements
● MSC31-PL. Do not embed global statements
● MSC32-PL. Do not provide a module's version value from outside the module
Recommendations:
● MSC00-PL. Detect and remove dead code
● MSC01-PL. Detect and remove unused variables
● MSC02-PL. Run programs with full warnings and strict checking

Common Weakness Enumeration (CWE)
● Community-maintained database of known causes of vulnerabilities
● Think of it as a lessons-learned knowledge base
● It’s huge
● It covers many languages, including Perl
https://cwe.mitre.org/

Common Weakness Enumeration (CWE) links
● Top 25 Most Dangerous Software Weaknesses
  https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
● Weaknesses Addressed by the SEI CERT Perl Coding Standard
  https://cwe.mitre.org/data/definitions/1178.html
● and many others – have a look around

OWASP Top 10 Web Application Security Risks
● Maintained by OWASP, the Open Web Application Security Project
● list updated occasionally, on a multiple-year cycle
  ● the 2017 edition is current as of March 2021
● Not specific to any programming language
● Specific to web applications
  ● often applicable to networking beyond just web applications
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/2017/

OWASP Top 10
● A1:2017-Injection
● A2:2017-Broken Authentication
● A3:2017-Sensitive Data Exposure
● A4:2017-XML External Entities (XXE)
● A5:2017-Broken Access Control
● A6:2017-Security Misconfiguration
● A7:2017-Cross-Site Scripting (XSS)
● A8:2017-Insecure Deserialization
● A9:2017-Using Components with Known Vulnerabilities
● A10:2017-Insufficient Logging & Monitoring

Conclusion
● These were some useful resources for
  ● writing new code
  ● maintaining existing code
  ● code reviews
● There are many more resources out there
● Remember: implementing security costs less the earlier you bring it into the development process
  ● It can be very difficult or impossible to add it if it was not considered early enough in a project

Q&A
Questions? Recommendations? Discussion?
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .Satyam Kumar
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 

Recently uploaded (20)

GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx  fake news detection using machine learningchaitra-1.pptx  fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 

Secure Coding in Perl

1. Secure Coding in Perl
Silicon Valley Perl, March 4, 2021 monthly meeting
presented by Ian Kluft, San Jose, California

2. Why secure coding matters
● Any software or hardware can be under attack today
● True for any and all coding - this presentation applies to Perl
● Vulnerabilities in code often result from carelessness
● We can prevent vulnerabilities by making ourselves aware of
  ● what to avoid in new code
  ● what to look for in existing code
● There is a lot of Perl code on servers all over the Internet
● This presentation overviews available Perl security resources

3. PERLSEC in the Perl Documentation
● every Perl installation comes with the “perlsec” doc page
  ● you can read it with the command “perldoc perlsec”
  ● on Unix/Linux/BSD systems, “man perlsec” reads it as a manual page
  ● on CPAN: https://metacpan.org/pod/distribution/perl/pod/perlsec.pod
● It’s a good place to start but not the only resource you’ll need
● If you haven’t read it before (or lately), it’s worth a review
● Upcoming slides have an overview of PERLSEC

4. PERLSEC: Vulnerability Reporting
● What if you find a security vulnerability in Perl?
  ● reporting contact address: mailto:perl-security@perl.org
  ● perlsecpolicy doc page says what is considered a security issue
    https://metacpan.org/pod/distribution/perl/pod/perlsecpolicy.pod
● The Perl security team’s scope covers
  ● Perl interpreter
  ● Perl modules shipped with the interpreter and from the core repository
  ● CLI tools shipped with the interpreter and from the core repository

5. PERLSECPOLICY: Not a Perl core security issue
● Feeding untrusted code to the interpreter
● Stack overflows due to excessive recursion
● Out of memory errors
● Escape from a Safe compartment
● Use of the p and P pack templates
● Stack not reference-counted issues
● Thawing attacker-supplied data with Storable
● Using attacker-supplied SDBM_File databases
● Badly encoded UTF-8 flagged scalars
● Issues that exist only in blead, or in a release candidate
● CPAN modules or other Perl project resources
● Emulated POSIX behaviors on Windows systems
Contact appropriate authors for non-core modules or other software!

6. PERLSECPOLICY: Special cases
● Special cases are described in the perlsecpolicy doc page for...
  ● Regular expressions
  ● DB_File, ODBM_File, or GDBM_File databases
  ● Algorithmic complexity attacks

7. PERLSECPOLICY: Vulnerability remediation
When reporting a vulnerability, see perlsecpolicy to review details on the process.
● Initial contact
● Initial triage
● Issue ID assignment
● Development of patches
● CVE ID assignment
● Pre-release notifications
● Pre-release testing
● Release of fixes and announcements
● Zero-day security issues (vulnerabilities under active attack)
● Credits in vulnerability announcements

8. PERLSEC: Security mechanisms and concerns
taint mode
● detecting tainted data
● switches on #! line
● in taint mode, @INC ignores environment variables
securing $PATH
● also remove IFS CDPATH ENV BASH_ENV
protecting programs with licensing terms (serves only as a foundation)
Unicode issues - from perlunicode doc page "Security Implications of Unicode"
● malformed UTF-8
● regex surprises with Unicode
● "Unicode Security Considerations" https://www.unicode.org/reports/tr36
● "Unicode Security FAQ" http://www.unicode.org/faq/security.html

9. PERLSEC: Algorithmic complexity attacks
● Hash algorithm
  ● Perl 5.18 (2013) and above are considered hardened for hash collision attacks
  ● Perl does not guarantee any ordering of hash keys
  ● hash key ordering changes sometimes between releases
● Regular expressions
  ● Regex engine is not resistant to denial of service (DoS) attacks
  ● don’t feed unsanitized strings to the regex compiler
● Sorting
  ● Perl 5.8 (2002) switched from quicksort to mergesort to prevent DoS attacks
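The taint-mode, $PATH and regex-compiler advice from slides 8 and 9 put together in one script. This is an added example, not code from the slides; the file name, the sample text and the `untaint_filename` and `count_literal_matches` helpers are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the slides: a taint-mode script applying the
# perlsec advice above. Run it as "perl -T taint_demo.pl [name] [needle]";
# the -T on the #! line alone is not enough when launched via sudo (slide 10).
use strict;
use warnings;

# Securing $PATH: assign an explicit trusted value instead of inheriting one.
$ENV{PATH} = '/usr/bin:/bin';
# Remove the variables perlsec says can influence a child shell.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a user-supplied filename by extracting only allowed characters.
# In taint mode only a regex capture clears the taint flag, so the value
# this returns may be used in open() for writing or system(); undef means
# the input was rejected.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    if ($raw =~ m{\A([A-Za-z0-9_.-]+)\z}) {
        my $clean = $1;
        return undef if $clean eq '.' || $clean eq '..';
        return $clean;
    }
    return undef;
}

# Slide 9: do not hand an unsanitized string to the regex compiler. \Q...\E
# (quotemeta) makes the user's text a literal pattern, so quantifiers or
# nesting in the input cannot change how the regex engine works.
sub count_literal_matches {
    my ($haystack, $needle) = @_;
    my $count = () = $haystack =~ /\Q$needle\E/g;
    return $count;
}

# Constructed sample inputs standing in for command-line or CGI data.
my $name   = untaint_filename($ARGV[0] // 'report.txt');
my $needle = $ARGV[1] // 'a+b';
my $text   = 'a+b a+b aaab';    # constructed haystack

die "refusing unsafe filename\n" unless defined $name;
print "untainted filename: $name\n";

# With quotemeta the literal 'a+b' is found twice; without it /a+b/ would
# instead match only the 'aaab' at the end.
printf "%d literal match(es) for '%s'\n",
    count_literal_matches($text, $needle), $needle;
```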
10. PERLSEC: Pros and cons of using sudo
Any setting of user or group ID is a place to direct extra security attention!
Benefits of sudo
● sanitizes execution environment
● avoids shebang race condition
● more convenient than set-id scripts
Drawbacks of sudo
● sudo sets real uid/gid
  ● Perl can’t detect it was run by sudo
  ● won’t automatically turn on taint
  ● use -T option to control taint in scripts launched by sudo

11. Static analysis tools for Perl
● Perl::Critic https://metacpan.org/pod/Perl::Critic
● PerlTidy https://metacpan.org/pod/perltidy
● Padre IDE http://padre.perlide.org/
Do you have others to suggest?

12. SEI CERT Perl Coding Standard
● A project of Carnegie Mellon University (CMU) Software Engineering Institute (SEI)
● SEI hosts Secure Coding standards for C, C++, Perl, Oracle and Android
● Each standard is a community-based group effort
● The Perl standard was last updated in 2018
  ● The Perl community should take this as a hint it needs more volunteers
https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard

13. SEI CERT Perl Coding Standard (cont’d)
● The standard is organized into rules (mandatory) and recommendations
● 8 subject areas
  ● Input Validation and Data Sanitization (IDS)
  ● Declarations and Initialization (DCL)
  ● Expressions (EXP)
  ● Integers (INT)
  ● Strings (STR)
  ● Object-Oriented Programming (OOP)
  ● File Input and Output (FIO)
  ● Miscellaneous (MSC)

14. Input Validation and Data Sanitization (IDS)
Rules
● IDS30-PL. Exclude user input from format strings
● IDS31-PL. Do not use the two-argument form of open()
● IDS32-PL. Validate any integer that is used as an array index
● IDS33-PL. Sanitize untrusted data passed across a trust boundary
● IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
● IDS35-PL. Do not invoke the eval form with a string argument
Recommendations
● IDS00-PL. Canonicalize path names before validating them
● IDS01-PL. Use taint mode while being aware of its limitations
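The IDS rules on slide 14, each shown as the weak pattern (commented out) next to its hardened form. This is an added example and not code from the slides or from the SEI CERT standard; the file name, format string, index, operation name and the `checked_index` helper are constructed stand-ins for data crossing a trust boundary.

```perl
#!/usr/bin/perl
# Added example (not from the slides or the CERT standard): IDS rules from
# slide 14 as weak pattern vs. hardened form. All inputs are constructed.
use strict;
use warnings;

my $user_file  = 'notes.txt';   # constructed: a name from a form field
my $user_fmt   = 'hello %s';    # constructed: free text from a user
my $user_index = '3';           # constructed: an index from a query string
my $user_op    = 'double';      # constructed: an operation name from a user

# Create the constructed sample file so the script runs stand-alone.
{
    open my $out, '>', $user_file or die "cannot create $user_file: $!\n";
    print $out "line one\nline two\n";
    close $out;
}

# IDS31-PL: with two-argument open the data itself can select the mode.
# open my $weak, "$user_file" or die $!;        # mode taken from the data
open my $fh, '<', $user_file or die "cannot open $user_file: $!\n"; # 3-arg
my @lines = <$fh>;
close $fh;
print scalar(@lines), " line(s) read\n";

# IDS34-PL: a single-string system() is parsed by the shell, so any shell
# metacharacters in the data are interpreted. The list form skips the shell.
# system("wc -l $user_file");                   # goes through /bin/sh
system('wc', '-l', '--', $user_file) == 0
    or warn "wc failed with status $?\n";

# IDS30-PL: user data is an argument to printf, never the format itself.
# printf $user_fmt;                             # format string from user
printf "%s\n", $user_fmt;                       # fixed format, data as arg

# IDS32-PL: validate an integer before using it as an array index. Returns
# the index as a number, or undef when it is not a non-negative integer
# below the array length.
sub checked_index {
    my ($raw, $len) = @_;
    return undef unless defined $raw && $raw =~ /\A[0-9]+\z/;
    return undef unless $raw < $len;
    return $raw + 0;
}
my @items = qw(a b c);
my $i = checked_index($user_index, scalar @items);
print defined $i ? "item: $items[$i]\n" : "index out of range\n";

# IDS35-PL: never eval a string built from input; use a dispatch table
# that maps allowed names to code.
# my $result = eval "$user_op(21)";             # string eval of user data
my %ops = (double => sub { $_[0] * 2 }, square => sub { $_[0] ** 2 });
my $op = $ops{$user_op} or die "unknown operation '$user_op'\n";
print "result: ", $op->(21), "\n";

unlink $user_file;   # clean up the constructed sample file
```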
15. Declarations and Initialization (DCL)
Rules
● DCL30-PL. Do not import deprecated modules
● DCL31-PL. Do not overload reserved keywords or subroutines
● DCL33-PL. Declare identifiers before using them
Recommendations
● DCL00-PL. Do not use subroutine prototypes
● DCL01-PL. Do not reuse variable names in subscopes
● DCL02-PL. Any modified punctuation variable should be declared local
● DCL03-PL. Do not read a foreach iterator variable after the loop has completed
● DCL04-PL. Always initialize local variables
● DCL05-PL. Prohibit Perl4 package names

16. Expressions (EXP)
Rules
● EXP30-PL. Do not use deprecated or obsolete functions or modules
● EXP31-PL. Do not suppress or ignore exceptions
● EXP32-PL. Do not ignore function return values
● EXP33-PL. Do not invoke a function in a context for which it is not defined
● EXP34-PL. Do not modify $_ in list or sorting functions
● EXP35-PL. Use the correct operator type for comparing values
● EXP37-PL. Do not use the one-argument form of select()

17. Expressions (EXP)
Recommendations
● EXP00-PL. Do not return undef
● EXP01-PL. Do not depend on the return value of functions that lack a return statement
● EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
● EXP04-PL. Do not mix the early-precedence logical operators with late-precedence logical operators
● EXP06-PL. Do not use an array in an implicit scalar context

18. Integers (INT)
Rules:
● none
Recommendations:
● INT00-PL. Do not prepend leading zeroes to integer literals
● INT01-PL. Use small integers when precise computation is required

19. Strings (STR)
Rules:
● STR30-PL. Capture variables should be read only immediately after a successful regex match
● STR31-PL. Do not pass string literals to functions expecting regexes
Recommendations
● none
20. Object-Oriented Programming (OOP)
Rules:
● OOP31-PL. Do not access private variables or subroutines in other packages
● OOP32-PL. Prohibit indirect object call syntax
Recommendations:
● OOP00-PL. Do not signify inheritance at runtime

21. File Input and Output (FIO)
Rules:
● FIO30-PL. Use compatible character encodings when performing network or file I/O
Recommendations:
● FIO00-PL. Do not use bareword file handles
● FIO01-PL. Do not operate on files that can be modified by untrusted users

22. Miscellaneous (MSC)
Rules:
● MSC30-PL. Do not use comma to separate statements
● MSC31-PL. Do not embed global statements
● MSC32-PL. Do not provide a module's version value from outside the module
Recommendations:
● MSC00-PL. Detect and remove dead code
● MSC01-PL. Detect and remove unused variables
● MSC02-PL. Run programs with full warnings and strict checking

23. Common Weakness Enumeration (CWE)
● Community-maintained database of known causes of vulnerabilities
● Think of it as a lessons-learned knowledge base
● It’s huge
● It covers many languages including Perl
https://cwe.mitre.org/

24. Common Weakness Enumeration (CWE) links
● Top 25 Most Dangerous Software Weaknesses
  https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
● Weaknesses Addressed by the SEI CERT Perl Coding Standard
  https://cwe.mitre.org/data/definitions/1178.html
● and many others – have a look around

25. OWASP Top 10 Web Application Security Risks
● Maintained by OWASP, the Open Web Application Security Project
● list updated occasionally on a multiple-year cycle
  ● 2017 edition is current as of March 2021
● Not specific to any programming language
● Specific to web applications
  ● often applicable to networking beyond just web applications
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/2017/

26. OWASP Top 10
● A1:2017-Injection
● A2:2017-Broken Authentication
● A3:2017-Sensitive Data Exposure
● A4:2017-XML External Entities (XXE)
● A5:2017-Broken Access Control
● A6:2017-Security Misconfiguration
● A7:2017-Cross-Site Scripting (XSS)
● A8:2017-Insecure Deserialization
● A9:2017-Using Components with Known Vulnerabilities
● A10:2017-Insufficient Logging & Monitoring

27. Conclusion
● These were some useful resources for
  ● writing new code
  ● maintaining existing code
  ● code reviews
● There are many more resources out there
● Remember: implementing security costs less the earlier you bring it into the development process
  ● It can be very difficult or impossible to add it if it was not considered early enough in a project

28. Q&A
Questions? Recommendations? Discussion?