Wednesday, July 29 • 3:15pm - 4:30pm
Jeff Williams: There's a Fox in the Henhouse


How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system-level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll then explore the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be taken seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.

Wednesday July 29, 2009 3:15pm - 4:30pm
Augustus Ballroom 1-2