CIRCL
/
PyCIRCLean
mirror of https://github.com/CIRCL/PyCIRCLean
2
0
Fork 0
Code Issues Releases Wiki Activity

Update slides

pull/13/head
Raphaël Vinot 2017-03-10 14:45:00 +01:00
parent ff08dc1353
commit b0224d781a
2 changed files with 58 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
slides/PyCIRCLean/circl-introduction.pdf
View File

Binary file not shown.

111
slides/PyCIRCLean/content.tex
View File

@ -11,6 +11,7 @@
\item Generic way to handle large colections of files \item Generic way to handle large colections of files
\item Generate audit logs \item Generate audit logs
\item Comes with many helpers \item Comes with many helpers
\item Defensive programming
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -23,16 +24,16 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}[fragile]{Existing modules} \begin{frame}[fragile]{Logging and reporting}
\begin{itemize} \begin{itemize}
\item bin/filecheck.py: Search for active content in the source documents \item Every processing is logged
\item bin/generic.py: Converts documents if possible \item Medatata (filetype, size, name, extension, ...) are kept
\item bin/specific.py: Only copy a specific extension if the mimetype matches \item Any error occuring during the processing is stored
\item bin/pier9.py: Only copy specific extensions (3D softwares) \item WiP: generating a human readable report (Markdown, HTML)
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}[fragile]{File Check} \begin{frame}[fragile]{Action of the main script}
\begin{itemize} \begin{itemize}
\item Discard known extensions with active content \item Discard known extensions with active content
\item Verifies if the extension corresponds to the mimetype (polyglot files) \item Verifies if the extension corresponds to the mimetype (polyglot files)
@ -45,7 +46,7 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}[fragile]{File Check} \begin{frame}[fragile]{Plus / Minus}
\begin{itemize} \begin{itemize}
\item Plus \item Plus
\begin{itemize} \begin{itemize}
@ -61,50 +62,6 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}[fragile]{Generic}
\begin{itemize}
\item Verifies if the extension corresponds to the mimetype (polyglot files)
\item Converts to PDF and then to HTML all documents supported by libreoffice
\item Converts to HTML all PDF files
\item Discards windows executables
\item Unpack archives and process content
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Generic}
\begin{itemize}
\item Plus
\begin{itemize}
\item Very hard to have anything malicious in the output of the converted documents
\end{itemize}
\item Minus
\begin{itemize}
\item Slow
\item Opens the documents to convert (may run malicious code)
\item Many external dependencies
\item Unreliable: fails on 20\% of the documents
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Specific and Pier9}
\begin{itemize}
\item Dedicated to a very specific use
\item Whitelist on extension and/or MimeType
\item Plus
\begin{itemize}
\item Pure python
\item Very fast
\item Most secure
\end{itemize}
\item Minus
\begin{itemize}
\item Only works in a specific case
\item Many false positive
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Implement your own module - FileBase} \begin{frame}[fragile]{Implement your own module - FileBase}
\begin{itemize} \begin{itemize}
\item The default conctructors gets the mime type of the file and initialize the log of the file \item The default conctructors gets the mime type of the file and initialize the log of the file
@ -117,9 +74,57 @@
\begin{frame}[fragile]{Implement your own module - KittenGroomerBase} \begin{frame}[fragile]{Implement your own module - KittenGroomerBase}
\begin{itemize} \begin{itemize}
\item The default constructor cleans the destination directory, starts the general logging and logs the content of the source directory \item The default constructor cleans the destination directory
\item Starts the general logging
\item Iterate through all the files on the src key
\item Has helpers to handle safely the file management \item Has helpers to handle safely the file management
\item Writes the logs files
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}[fragile]{Implement your own module - GroomerLogger}
\begin{itemize}
\item The default constructor initialize the logfiles
\item Creates a tree representation of the content, computes the hashes
\item Stores the logs for each processed file
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Hardware implementation - RaspberryPi}
\begin{itemize}
\item Standalone device
\item Easy to carry around
\item Not used for anything else
\item Cheap and easy to setup
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Security considerations}
\begin{itemize}
\item Assuming the content might be malicious
\item Parsing is very vulnerable to exploits
\item Unpacking archives and recursion need to stop (halting problem)
\item KISS, default features and ease to update
\item Distrust everything (your code, and other people's code)
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Defensive programing - Questions}
\begin{itemize}
\item How can an attacker interact with the code? With the device?
\item What are the most critical part of the project?
\item How to handle unexpected behavior?
\item What happen if there is an unpatched vulnerability?
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Defensive programing - Remediations}
\begin{itemize}
\item Bare Debian for Raspberry
\item Few dependencies
\item Image read only
\item Code runs as user
\item Small code base
\end{itemize}
\end{frame}