After a long time of being complacent with my skills, I thought I should up my InfoSec game. I’ve been mainly busy with figuring out how to enhance app security in my work so far. That means I learned how to
- Create role and permission systems,
- Create fail-secure software that is least permissible by default,
- Comply with the newest recommendations on enumeration, XSS, CSRF and untrustworthy user input in general.
From time to time I notice that my house is built on a weak foundation. What I particularly lack is deep knowledge of what happens down there in OSI layers 1-4. While my work has allowed me to twiddle with UDP and discover the merits and dangers of UDP-Lite, I have not really had a chance to try to break something on purpose by interacting with applications on such a low level.
Not only that, I think that the more we keep laying brick upon brick in this ever-growing information society, the more we build leaky abstractions and engage in meaningless cargo cult rituals. By this I mean we start implementing certain ‘secure ways’ of building apps, not based on first-hand knowledge, but on tertiary sources that tell us to do so.
I think a great example of leaky abstractions is a writeup by CloudFlare on DDoS amplification through SSDP. You can be certain that there was more than one badly made Wi-Fi light bulb involved in that incident.
Let’s be concrete here. I’ve identified the following areas where I want to improve my skills and I would like to share them with you. I’ve sorted them by short-term and long-term importance.
Bit-twiddling
Having an understanding of CPU-level handling of information means understanding the foundation of what your computer does. Now, I know how general CPU architectures work and I’ve certainly worked my way through one FPGA course at university and a brilliant book called The Elements of Computing Systems. Nothing says “I understand machines” like dreaming in opcodes.
Here’s what can be learned:
- FPGA Design. Nothing says “I SPEAK BINARY” like pulling off a CPU design. I’m thinking about recreating the processor from Charles Petzold’s book Code. (~100 h)
- Do all 64 xorpd challenges. (~30 h)
Reverse engineering
I’ve always been interested in challenges like MicroCorruption but have never gotten around to actually finishing them. Furthermore, the Reverse Engineering Challenges by Dennis Yurichev seem interesting.
Here’s how this one goes:
- MicroCorruption (~100 h)
- Reverse Engineering Challenges (~200 h)
App security
I’ve already done two different tracks on OverTheWire and I’ve learned a lot about securing app servers and operating systems. It’s necessary nowadays to understand the full stack, and not only one’s own comfortable territory. The challenges always follow the same format: you have to find the SSH keys or the password for the next stage’s server.
For this one I estimate ~100 h of work.
Applied cryptography
While I have already started the cryptopals crypto challenges, I’ve never really finished them. To me, it’s just the right amount of cryptography mixed with secure app engineering.
For this one the work will be another 100 h.
Cryptographic puzzles
This is for anything that does not fit in the other categories. Combinatorics, theoretical CompSci and number theory always play a big role in InfoSec. I want to reserve some time to get my hands dirty with algorithms and whatnot. A few resources are interesting to me:
- WeChall has a lot of cryptographic puzzles (~50 h).
- Project Euler is impossible to solve in its entirety, for there is an incredible number of puzzles. But getting to at least 40 solved seems like a formidable goal (~100 h).
Open source contributions
Too many open source projects do not receive regular contributions to improve security. Too many web applications (I’m looking at you, PHP) are still vulnerable to the OWASP Top 10. Valuable contributions can be made easily. I want to look for an open source project on GitHub and try installing and operating it. Then I look for weaknesses and contribute patches back.
I estimate this at around 100 hours of work over 20 weeks.
My method
I plan to pick a topic every week and continue working on it. To write my puzzle solutions, I would like to pick a new language that I’m not yet comfortable with. Haskell comes to my mind here.
Furthermore, I plan to post regularly on this blog and track my progress. Of course, I won’t disclose the actual solutions I find for puzzles. That would destroy the fun. But writeups with nothing more than vague hints should be acceptable.
Summary
How do we continue from here? I suppose I should keep my dear readers updated on this here blog. I plan to report back in a week from now and let you know about my progress.