►
From YouTube: Secure Code Development and Lessons Learned from etcd Security Audit - Sahdev Zala & Hitoshi Mitake
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Secure Code Development and Lessons Learned from etcd Security Audit - Sahdev Zala, IBM & Hitoshi Mitake, Indeed
When it comes to the importance of writing secure code, it gets a unanimous vote. This is even more important for an open code. Checking the security of your code needs manual steps as well use of automated tools. As project maintainers for the etcd project, we recently led a third party security audit of etcd code. In this talk, we will share our experience of what are the common areas in code that get overlooked and pose a security risk from general weaknesses to critical threats. We will also provide a walk-through of security vulnerabilities that were reported from the audit work.
A
Hello,
everyone
welcome
to
this
talk,
this
recording
for
secure
code
development
and
lessons
learned
from
hd
security
edit.
My
name
is
sadio
zala.
I
am
a
senior
software
engineer
at
ibm
and
in
context
of
this
stock
I
am
one
of
the
fcd
project
maintainer
and
I
have
hitoshi
mitake
with
me.
He
is
a
site
reliability
engineer
at
indeed,
and
he
is
also
one
of
the
project
manager
for
the
lcd.
A
All
right
so
in
this
talk
we
basically
will
briefly
cover.
You
know
a
couple
of
the
best
practices
like
identifying
the
you
know
areas
where
you
should
be
paying
more
attention.
As
far
as
security
of
your
project,
your
software
is
concerned,
we'll
talk
about
code
analysis
and
you
know,
then
we
will
have
mitaki
talk
about
that's
the
security
model.
We'll
talk
about
some
of
the
vulnerabilities
examples
that
you
know
we.
A
They
are
real
life,
examples
that
we
run
while
doing
the
cd
security
audit
and
then
we'll
talk
about.
You
know
working
with
github
to
publish
series
and
then
we'll
conclude
the
talk.
We
will
not
go
into
the
you
know.
The
full
software
development
life
cycle
and
security
will
pretty
much.
You
know.
Focus
on
the
coding
aspect
in
other
things
are
out
of
scope
for
this
talk,
so
all
right.
So
there
are
a
couple
of
things
that
we
really
want
to
emphasize
here.
A
You
know,
as
far
as
these
secure
coding
practices
are
concerned,
the
first
one
is,
you
know,
identify
you
know,
high
securities
areas
right
that
you
want
to
pay
a
special
attention
and
you
know
how
do
you
do
that?
Well
refer
to
your
project
architecture,
right,
your
software
architecture,
that
will
help
you
to
identify
those
areas
where
you
know
that
it
needs
a
special
attention
and
we'll
talk
more
about
those
checklists
in
the
next
slide.
A
A
You
know
apply
so
that
in
future
you
can
prevent
any
any
any
of
these
issues
that
you
ran
into
it
as
part
of
your
code
review,
and
then
you
know,
depending
on
your
project,
depending
on
your
software,
you
may
want
to
plan
on
on.
You
know
publishing
the
cves
right.
You
may
not
need
you
may
so
you
decided,
but
cbe
is
they
help
you?
A
You
know
typically
to
disclose
any
security
flows
with
your
software
publicly
right.
It
helps
the
consumer
of
your
software,
your
project,
to
stay
relevant
all
right,
so
you
know
the
things
will
talk.
They
apply
to.
You
know
pretty
much
any
development
environments.
You
know
any
programming
language
that
you
are
using,
but
for
this
talk
we
will
use
you
know
golang
and
the
lcd
project
as
an
example.
A
Okay,
all
right,
so
I
mentioned
earlier
that
it's
very
important
to
identify
the
the
areas
that
you
think
are
you
know
critical
crucial
for
your
project
security
right.
So
here
is
list
of
some
of
some
of
these
areas
right.
You
can
have
more
than
what
I'm
gonna
mention
here,
but
these
are
some
things
that
you
definitely
want
to
keep
in
mind.
While
you,
you
know,
worry
about
the
security
of
your
your
project,
your
software,
your
application.
A
So,
as
you
know,
the
first
steps,
for
you
know
security
or
software
security
is,
you
know
it
starts
with
authentication
right
so
for
external
users
for
internal
users,
you
know,
regardless
make
sure
you
have
a
a
good
authentication
method
in
place
right
and
then
you
know
you
are
doing
a
lot
of
things
like
you
know
not
just
accepting
any
password
right.
I
have
some
validations
there
password
length,
and
you
know
that
kind
of
things
and
the
the
follow-up
step
is
authorizations
right.
A
So
once
user
get
authenticated,
you're
just
making
sure
that
they
only
have
access
where
they
are
authorized
right.
So
you
know
using
like
a
role
based
access
control,
tls
certificates.
You
want
to
make
sure
that
you
have
a
encrypted
communication
right
and
you
don't
allow
the
monkey
in
the
middle
interface
input
or
data
validations.
You
know
when
it
did
all
input
parameters
right.
You
know
data
type
length
range,
whatever
you
can
think
of.
Do
the
proper
validation
right
file
permissions.
It's
another
important
area.
A
A
We
will
actually
show
you
an
example
later
in
this
talk,
error
handling,
that's
another
important
idea
for
the
overall
health,
the
security
of
the
project
or
software.
So
make
sure
that
you
know
accidentally
you're
not
leaking
any
information
that
can
help.
You
know.
Hacks
attackers
write,
for
example,
the
password
and
then
locking
right
anything
that
you
think
can
helpful
towards
identifying
any
security
issues.
You
know
alerts
right,
you,
you
should
be
logging
it.
A
You
know
that
can
help
you
with
the
auditing
purpose
later
on,
like
where
the
request
is
coming
from.
Who
is
sending
the
request
right
data
exposure
to
make
sure
that
you
are
not
exposing
any
sensitive
data?
So
keep
that
in
mind-
and
you
know
the
last
but
not
least
is
if
you
are
using
a
third
party
tools,
then
make
sure
you
know
you
you,
you
use
their
latest
release
right
and
you
keep
buying
any
cve,
advisories.
Okay,
all
right,
so
code.
A
So
when
you
talk
about
automated
tools,
you
know
you
have.
You
know
either
going
to
use
the
static
tools
right
that
can
prevent.
You
know
you
know
mistakes
that
can
you
know,
if
not
directly,
maybe
indirectly
impact
your
security
off
code
right.
So,
for
example,
like
variable
shadowing,
you
know
the
unreachable
code
right,
so
I'm
sure
you
know
most
programming
languages.
They
have
tools
specific
the
language
right
for
go.
You
have
actually
a
whole
list
of
tools
available.
A
I
have
provided
link
here
how
you
can
take
a
look
to
see
the
whole
list,
but,
like
you
know,
those
like
go
wait,
static
check.
You
should
be
using
and
then
dynamic
tools
right,
so
like
fuzzer
right
that
can
help
you
find
bugs
by
you
know
they
by
automatically
injecting
randomly
injecting
data
and-
and
you
know,
find
you
know
different
kinds
of
bugs
based
on
their
the
injection
data
injection.
A
The
second
thing
is
manual
code
review.
You
know,
tools
are
great.
They
can
take
a
look
at
the
code
automatically.
You
know
and
and
point
out
to
the
possible
issues,
but
definitely
a
human
needs
to
verify
those
issues
right
and
make
sure
they
are
the
real
issues,
and
you
know
also
the
development
team.
They
should
be.
A
You
know
doing
the
thorough
code
review
of
all
the
areas
we
talked
about
right
and
make
sure
that
it
looks
good
to
them
right
and
keep
in
mind
that
there's
no
alternative
to
you
know
manual
code
review
right.
That
is
critically
important,
all
right.
So
you
know
with
that.
You
know
before
we
talk
more
about
a
cd
security
model
before
we
talk
about
some
of
the
examples
of
the
vulnerabilities
that
we
ran
into
as
part
of
the
audit
right
and,
and
you
know
how
we
address
them.
A
Let
me
just
briefly
mention
about
lcd.
You
might
already
know
it
right
that
hd
is
an
open
source
distributed
qle
store
it,
you
know,
provides
you
consistency
and
high
availability
and
it
is
used
to
store
critical
data
of
a
distributed
system.
So,
for
example,
kubernetes
store
all
its
cluster
data
in
hcd.
A
A
B
Okay,
let
me
introduce
the
security
model,
opacity,
it's
the
clients
and
it's.
These
servers
communicate
with
jrpc
over
tcp.
It's
also
possible
to
use
grpc
proxy
for
multiplexing
at
the
clients.
Etsy
servers
use
a
specialized
http
protocol
named
after
http,
and
the
tcp
connections
used
for
jrpc
and
http
protocols
are
encrypted
and
authenticated
with
trls.
If
our
cluster
follows
a
recommended
configuration,
we
also
have
a
component
named
gateway.
This
is
a
component
which
only
lays
tcp
connections
between
clients
and
servers.
B
And
if
a
user
needs
more
fine-grained
access,
control
keys,
the
3d
provides
artwork-based
authentication
and
authorization
as
an
optional
feature.
With
this
feature,
we
can
grant
permission
to
read
and
or
write
about
specific
gear
range
to
users
from
the
cluster
use.
This
feature
servers
have
two
options
for
authenticating
and
authorizing
users.
One
is
using
authenticate,
jrpc
method.
In
this
case,
clients
invoke
the
method
during
initializing
the
client
plot
object.
B
Information
of
authenticated
user
is
stored
in
a
job
token
returned
by
the
server.
Another
option
is
using
commonly
period
of
trs
certificate.
In
this
case,
no
password-based
authentication
is
required.
This
mechanism
also
supports
limiting
special
administrative
observations.
Like
membership
change,
the
special
user
root
is
the
only
user
which
is
allowed
to
execute
such
applications.
B
B
The
first
example
is
an
issue
related
to
logs
a
cd
has
a
problem
of
inaudible
related
to
failed
authentication
attempts
for
users,
which
can
only
be
used
with
common
name
based
authentication,
as
I
mentioned
earlier,
silly
supports
multiple
user
authentication
mechanisms
for
our
work,
username,
password-based,
upload
and
common
name
of
the
trs
certificate
approach,
especially
for
the
other
one.
It's
only
supposed
to
create
users
which
only
support
commonly
based
authentication,
which
doesn't
support
username,
plus
password-based
approach.
B
B
Next,
I'm
not
sure
the
next
example
is
related
to
gateway
gateway.
There
is
tcp
connection
between
sv
client
and
servo.
The
component
doesn't
validate
acceptance
of
trs
connection
to
its
endpoint.
It
only
checks
tcp
itability
during
initialization,
so
if
the
pain,
if
the
endpoints
are
misconfigured
and
appoint
a
malicious
server
accidentally,
they
can
receive
data
sent
by
the
clients.
If
the
clients
don't
use
tls,
probably
properly
gateway,
is
a
component
which
only
helps
discovery
of
the
cluster
and
doesn't
tell
me
a
tals
connection.
B
B
B
A
A
A
Well,
I
wish
we
were
talking
in
person
and
I
could
see
the
raised
hands.
You
know
besides
mitaki
smiling,
but
we're
recording.
So
I
will
go
ahead
and
show
what's
wrong
here
right
well,
so
the
problem
here
is:
if
the
provided
directory
path
is
already
existing
right,
it's
it's
an
existing
directory,
then
the
maker
all
does
nothing
and
it
returns
new.
A
A
Somebody
could
have
created
that
directory
upfront
with
extra
permissions
there
and
you
know,
with
some
malicious
desire-
and
you
know-
could
hurt
the
the
project
you
know
running
ncd,
eventually
right
so
the
fix
was.
You
know
to
make
sure
that
if
the
directory
exists,
then
it
has
the
desired
permission.
If
not,
then
you
know
we
will
consider
that
as
an
error
case
right.
A
So
that's
how
it
was
fixed
right.
It
was
pretty
quick
fix,
small
fix,
but
could
have
you
know,
security
related
problem,
if
not
handled
so
another
snippet
here,
another
small
snippet,
you
know
we.
We
try
to
put
some
of
the
smaller
issues
here,
so
data
validation
rights.
Remember
I
mentioned
earlier
the
input.
Data
validation
is
very
important
and
you
want
to
basically
validate.
You
know
everything
right.
A
If
you
don't,
then
that
could
hurt
the
running
project
right,
so
the
parts
compaction
retention
function.
Do
you
see
what's
wrong
here?
Any
security
issues?
Well
again,
I
wish
we
had
to
raise
ends,
but
let
me
go
ahead
here.
So
the
problem
here,
as
you
can
see
the
string
conversion
functions
right.
The
written
value
can
be
negative
and
that's
not
an
error
case.
A
The
secret
issue
here
was:
if
someone
you
know
who
has
that
access
right,
that
that
role,
who
could
misconfigure
the
art
of
competition
compaction
retention
by
setting
it
to
negative-
or
you
know,
maybe
accidentally
right,
but
if
it's
set
to
negative
value,
then
you
know
that
could
impact
the
absolute.
You
know
the
process
right.
A
A
A
A
So
you
know
we
had
a
couple
functions.
They
were
having
a
misleading
name
again
that
happens
accidentally
and
you
know
something
that
were
not
caught
as
part
of
in
a
good
review.
While
you
know
those
pull
requests
right
and
then
we
had
a
couple
of
you
know:
misleading
documentation,
right
description,
so
you
know
that
that,
as
I
said,
you
know
that
that
ended
up
as
in
three
reported
issues
by
the
auditing
team.
A
So
you
know
the
lack
of
documentations
or
not
enough
coverage
right
or
poor
naming
of
functions.
They
can
create
confusions
right
during
the
code
review
process
and
that
can
impact
productivity
and
it
can
also
mislead
users.
So
you
want
to
keep
in
mind
that
you
know
you
have
a
good
documentations
right.
A
The
other
thing
I
want
to
cover
is,
you
know
before
I
hand
it
over
to
metaki
again
is
this
is
something
we
learned
as
part
of
the
auditing
process.
Right
as,
as
I
mentioned
earlier,
the
cves
are
important
and
you
know
they
can
basically
help
you
to
to.
You
know,
disclose
the
security
flaws
issues
publicly
and
so
that
the
users
of
project
software
stay
relevant.
A
The
process
can
be
confusing,
but
we
learned
during
this
process.
You
know
the
security
audit
process
that
we
can
use
the
relatively
new
features,
which
is
integrated
part
of
github
to
request
and
publish
cvs
and
advisories
right.
So
we
just
tried
that,
and
you
know
we
loved
it.
That
was
easy
to
use,
and
very
you
know
this
can
be
very
handy
for
you
if
your
project
is
hosted
on
github
right
and
you
want
to
publish
advisories-
and
you
know
cves
right,
because
now
everything
you're
doing
is
is
on
github.
A
You
know
you're
not
going
to
like
a
military
websites,
or
you
know
anywhere
else,
to
work
on
cvs
right,
the
publishing
other
stuff.
So
if
you
have
an
admit
admin
access
to
your
github
repo
right,
then
you
you
will
actually
see
under
the
security
tab
and
option
to
you
know
to
draft
security
advisory.
A
A
That
has
been
patched
what
version
should
the
user
of
software
project?
You
know
they
should
upgrade
to
right
and
and
if
there's
any
work
around
so
it
it.
The
template
allows
you
to
put
like
a
good
detail
that
can
help
users
understand
the
cv,
so
we
want
to
mention
because,
as
I
said,
this
is
something
we
learned
as
as
part
of
the
security
audit
process.
Okay
with
that
mitaki
would
you
would
you
like
to
conclude
the
talk.
B
Let
me
conclude
this
talk.
Yeah
writing
security
is
challenging
but
possible
for
the
purpose
of
the
code
review
and
various
tests
and
numbers
two
starting
static,
analyzer
and
further
very
helpful,
and
also,
although
it
costs
time
and
budget.
Somebody
audit
is
helpful
for
checking
the
status
of
the
project
and
also
making
documentation
and
walking
is
difficult.
It's
not
trivial
at
all,
and
creating
and
publishing
cds
with
github
is
easy.
Let's
utilize,
the
future
for
managing
security
issues
and
also
less
popular
features,
can
use
also
problems.
B
A
Let
me
this
is
the
last
slide
we
have
so
we
want
to
thank
you.
You
know
many
folks
here
all
the
contributors
of
that
city,
all
the
mentors
right,
especially
wanna,
thanks
siang
li
yoli,
jingy
and
brandon
philippe
they
are
maintainers
and
they
were,
you
know
integrated
part
of
you
know,
working
with
the
security
issues
that
that
we
resolved
that
came
out
of
the
lcd
security
audit.
We
wanna
thank
cncf
for
sponsoring
the
the
audits
are
going
to
thanks
trail
of
bits
for
conducting
the
audits.
A
They
have
great
materials.
You
know
blog
post
right.
That
can
be
like
a
really
big
good
learning
resource
for
security,
understanding,
the
security
of
the
project.
We
want
to
thank
owasp.
We
have
a
lot
of
good
practices
and
other
materials,
so
we
did
refer
them
those
materials.
We
definitely
thank
our
employer,
ibm
and
indeed-
and
thank
you
all
of
you
who
are
watching
this
video
all
right
well,
thank
you.
So
much
with
that,
I
think
we
will
end
the
thought
mitaki.
That
sounds
good.