[foreword]
New technology application and new business form may bring new security problems. These potential risks are worth studying and preventing in advance by the enterprise security team. It is a passionate and challenging job to study these new security problems, and it can also excite everyone who loves security technology. However, the research work is always forward-looking and easy to be divorced from the enterprise reality Sometimes it will get into trouble or even fail to produce for a long time. So, how to make the enterprise's safety research work look up to the stars and down to earth?
This paper is a summary of the author's ideas, thoughts, practices and experiences in the construction and operation of the research team, Tencent blade team. Welcome to discuss it together.
[stones from other mountains]
We take the famous Tencent security Cohen laboratory as an example to try to analyze its development. The reason why Cohen was chosen is that its reputation and status fully meet the requirements of the first-class security research team in the industry, and it is worthy of its name; secondly, we have established a deep friendship with its leader, Wushi (the serious loopholes that Wushi reported to us more than ten years ago directly promoted the establishment of Tencent's security announcement mechanism), and we are very familiar with Cohen lab.
Cohen lab, formerly known as the keen team, has been focusing on client-side vulnerability mining, and has found vulnerabilities of major manufacturers including Microsoft, Google and apple. Keen team's reputation is pwn2own, an international loophole competition held in zdi: since 2013, keen team has been the absolute main force of pwn2own, and once won the title of "master of PWN". Later, some members of the keen team joined Tencent security to set up the Cohen Laboratory (Cohen is the transliteration of keen), Wushi served as the director (technical level T5, one of the few T5 gods in Tencent's technical channel), and the other part was led and developed by the bullfrog. The famous domestic hacker competition geekpwn was held by the keen team.
Wushi once said that the choice of research direction of Cohen laboratory is based on three "can't" principles: can we continuously improve the core competence; can we affect an industry or business; can we help the current business. These three principles are to combine the research work with the practice so as to put the knowledge into practice and guide Cohen laboratory to win.
So let's look at what Cohen lab has done:
Participate in international hacker competition pwn2own, hacker conference blackhat, all kinds of CTF competitions (under the understanding of Tencent EEE team), Tencent international security technology summit tensec, tctf, etc., and continuously improve brand influence for the company's business
The research in the field of mobile security is mainly IOS jailbreak and Android root, which lays the core competitiveness in the field of mobile security and feeds back the business (kingroot)
Research and crack Tesla and BMW, explore the security risks of the Internet of vehicles, and then develop the security business of the Internet of vehicles, to help Tencent's industrial Internet layout
Conduct in-depth cooperation with the internal security team, such as supporting the internal security system with mobile security capabilities (Tencent's internal diamond terminal security audit system integrates Cohen's capabilities), Jointly Implementing Industrial Internet security projects, jointly holding conferences / internal CTF competitions, etc
...
We can see that the research work of Cohen laboratory follows three "can't" guidelines, and also ensures that the research of the laboratory can not only jump out of the current perspective and layout the future, but also output performance in combination with business needs. Of course, the author's insight is not as good as Wushi's great God thought, just because it's in my hands, and readers have the right to listen to it.
Of course, Tencent security has another Xuanwu laboratory led by the T5 God tombkeeper (known as TK leader), Zhanlu laboratory led by yuange (yuan GE), the top vulnerability excavation expert, and Yunding laboratory led by killer, the founder of the anti-virus expert super patrol, which are very worthy of learning. Please forgive me for missing out.
[thinking discussion]
After learning the advanced cases, let's go back and summarize our thoughts.
First of all, we need to figure out what the goal of the security research team is.
The security research team must conduct pre research on new technology and new trends based on the actual business situation, find security risks in advance and output solutions. The "combination of business reality" here is very important. As the security research team of the enterprise, we must closely follow the actual needs of the enterprise business to make the research work useful. Some research projects are too unrealistic (or too advanced), and even if there are results, the final results can not be implemented in a few years, they can only be shelved. Basic research is another matter.
Because the research team often breaks away from the goal of the engineering team or even has no KPI itself, it is easy to go into the situation of self entertainment, just like a runaway wild horse, which finally breaks away from the actual needs of the enterprise. At this time, it needs three "can't" principles similar to Cohen to judge whether the research direction is worthy of investment.
for instance.
Now, the industry's conventional way to show security strength is to compare the number of vulnerability acknowledgments from large manufacturers (such as Microsoft, Google, Apple) and the number of speeches at international security conferences (such as black hat, Defcon), publish technical articles and security tools. The goal of showing the security strength is to improve the influence. On the surface, each manufacturer just brushes a thank-you list. On the deep level, each team will realize the influence through various channels. The final goal here needs to be considered.
The author has seen a small enterprise's security team, when there are still many blind spots in its own security construction, continue to send articles and tools to the outside world to brush the influence, which obviously belongs to the East.
For the research team, the job responsibility itself is the exploration of new fields, and it is difficult to have quantitative indicators, so it is not appropriate to use the traditional KPI method to carry out performance appraisal. Without KPI, it seems to be too far fetched. OKR method can be used to formulate and decompose objectives, and it has been proved that OKR can more stimulate the creativity of the team. Readers who are interested in OKR method search by themselves, which will not be discussed here.
The second is to figure out the organizational structure of the research team.
The author thinks that the safety research team should be separated from the daily operation of the engineering team, combined with the actual development needs of the business, be able to study and research a new field in a pure and fast way, and guide the engineering team to layout new fields through the research results. In short, the research team is responsible for discovering new safety risks, proposing solutions and proof of concept, and then handing them over to the engineering team for implementation.
Why do you want to leave the engineering team, so that the research team's goal can be more pure and will not be affected by other matters, so you can focus on doing research and have more output, but also can easily enter new fields.
Next comes the talent.
Professional ability and interest are indispensable. Professional people are very important, especially for the breakthrough safety research team, it can be said that the professional ability of people directly determines the success or failure of things. Therefore, we need to recruit talents who have or have the potential to have this ability according to the classification of professional ability in the field to be studied. At the same time, most of the time, the research work is very boring, and interest is the main factor that can persist for a long time.
When the time and the place are favorable, the rest will be given to time. To respect the objective law, research work can not be accelerated simply by increasing human investment. For example, the research on the safety of smart speakers that we have done has taken a full year, that is to say, most of the time in a year may not have any output, and the team mentality is good. We should not only be able to sit on the bench, but also be able to resist the spotlight.
[blade's previous life]
Tencent Security Center (now Security Platform Department) has been carrying out security research for a long time. However, at the beginning of the establishment of the Department, there were fewer personnel, and the main work was still in emergency fire fighting, so the security research work was all part-time or personal interest.
Even though the conditions are so hard, people's persistence and interest in security remain unchanged (this is Faith). In that year, a number of good research results emerged: Blazing angel's file free, process free, Port Free "three no" VBS Trojan horse, Apple's virtual parsing and JavaScript execution of online horse detection technology, mango's host configuration security baseline, and lake2's flash CSRF (please allow me to boast and boast) In the end, these achievements have been transformed into new systems and strategies, some of which are still running.
After upgrading the center to a department, the key work is to build the basic security system. The security research work is still part-time or personal interest, and the number of security personnel has been improved. During this period, the research results are relatively rich.
The research involves Android, IOS, GSM, pseudo base station, RFID, USB, NFC, byod security, etc. the prototype of the terminal security audit system "King Kong" has been completed, and the anti-theft brush wallet and secure USB data cable with independent intellectual property rights have been customized by Huaqiangbei's merchants. Of course, there were a group of experts behind them at that time: firewings (CCG member, Tencent game mobile security director), professional debt (meituan basic security director), cradmin, xti9er (coauthored with ayazreo, advanced guide to Internet enterprise security), riusksk (quange, coauthor, vulnerability War: Essentials of software vulnerability analysis), gmxp, Nicky (TSRC famous white hat) ), blast (author of "white hat talks about browser security"), Peter, boss Gong, xbalien, monster, poppey, dragonltx, asky, fan Shao, do9yg, kimyok, wolf, Zhuliang
(anti theft brush wallet)
In addition to the above, in 2014, you obviously felt that smart devices would explode, so at the beginning, you also had more research on the security of smart devices. Some well-known intelligent devices have been cracked by us one by one. All kinds of car access cameras in our building have been cracked, such as entering a deserted place, and the money in the meal card overflows (as a white hat, it is natural to strictly follow the law and only test). In addition, the group also participated in the 14-15 year hackers' Cracking contest geekpwn, demonstrating and cracking a series of intelligent devices on site, including UAVs, smart sockets, smart ovens, mobile POS machines, Bluetooth locks, and smart cameras.
Based on these research results, the team extracted the security development experience of smart devices and formulated the company's "smart device security development specification". At that time, the team also conducted security evaluation on the smart devices that Tencent was exploring, such as Tencent Lubao, Tangfu, xiaoq robot, wechat album, smart speaker, etc., and promptly repaired the security loopholes.
[blade this life]
After several rounds, the Department finally set up a full-time safety research team, which can really break away from the project and concentrate on research. The research team does not set KPIs, adopts a new OKR management method, and also focuses on exploring the security issues in several new fields, such as aiot, mobile terminals, blockchain, virtualization security, trusted computing, etc., in combination with the actual needs of the business. Generally, the research project is expected to see the output within half a year to two years.
After a period of accumulation, the young people did not fail to live up to the expectations, and the power broke out. Blade has the ability to exploit large-scale manufacturers (such as Google, apple, Amazon, Qualcomm), and also made its debut in international security conferences such as blackhat, Defcon, hitb, cansecwest. There are five issues of blade on the black hat & Defcon that ended not long ago. Together with brother team Cohen and Xuanwu, they have covered 11 issues. They are not only the domestic enterprises with the most topics shortlisted, but also the historical record of the number of domestic issues shortlisted.
Tencent's 11 security topics appear in 2019 black hat & def con
The research on the security of the Internet of things is actually the continuation of our previous research on the security of smart devices, that is, the network of smart devices plus the end and cloud. More and more intelligent devices are connected to the Internet, especially those related to physical contact. The harm also ranges from the former virtual property loss to physical damage and even personal safety. It can be predicted that in the future, when IPv6, 5g, edge computing and other new technologies are popularized, the harm of Internet of things device security vulnerabilities will be greater, and the black industry will also spread to this area.
The security problems of the Internet of things mainly come from four aspects: terminal, control end (such as mobile app), communication protocol, cloud, which can never be separated from its origin. Most of them can be solved by traditional security engineers. The newer one is the analysis of hardware, and the introduction of new communication protocols (such as ZigBee, Lora, Nb IOT). Our security engineers also need to constantly In order to remove the chip firmware, Nicky went to the famous Huaqiangbei of Shenzhen to find his teacher Fu to learn welding. Looking for problems in these four aspects can find the loopholes in the implementation. Similarly, taking security precautions against these four aspects can solve most of the loopholes.
Based on this idea, the team found the vulnerability of Google and Amazon smart speakers, and we submitted them to the manufacturer's security team respectively, which has been fixed. At the same time, Xiaomi security center and Huawei psirt also actively invited blade to participate in the security crowd test. It can be seen that large manufacturers attach great importance to the safety of their products, which is a good thing for users. By the way, we can experience Xiaomi's and Huawei's security reward plans, and the conclusion of our experience is pretty good. So far, Tencent's security emergency response center and vulnerability reward plan must also be mentioned.
At the same time, in terms of Pan Internet of things security, we choose intelligent buildings. Near water first, Tencent Binhai building in Shenzhen, Tencent's global headquarters, known as full of black technology, has become our test object. The same security risks found have been repaired by suppliers. Some of our technology accumulation in the field of Internet of things security also relies on Tencent cloud for output to help the industrial Internet.
In recent years, AI is more popular, its application is more extensive, and its security issues are also worthy of attention. AI security problems are mainly divided into two categories: one is the problem of its own algorithm, which is a new problem introduced by new technology. Common problems such as covering an image layer or adding some interference points lead to AI recognition errors; the other is the problem from traditional security, such as memory security when image recognition system processes abnormal images; the other is a new trend, That is, AI technology has been used by the black industry. Now we see that we can use CNN to crack the picture verification code and generate 3D animation through photo simulation to bypass the live authentication.
Google's tensorflow framework is a widely used machine learning framework, because it is widely used. Blade has conducted in-depth research on it. Team member cradmin (who just transferred from the operation of server security system "onion" to blade for research, and then became the technical director) found a defect in tensorflow's processing model file—— As long as the system uses the malicious modification model of hackers, the system will be directly controlled. When we wanted to report the vulnerability to the official, we found that tensorflow had no vulnerability response process, so we also helped the official set up this process and covered its first eight CVEs.
Xinhua News Agency reporter heard that the team found the loophole of artificial intelligence framework, and wanted to interview, so the team had to have a name. The author discussed with gmxp (former technical director, now Huawei cloud security expert) and juju (Operation Director) for a long time, and finally the boss, COOLC, chose the name "blade". Blade in Chinese means blade, which means that the research team can find problems like a sharp knife. You are famous. In the ancient sword inscription, there is a saying: light use of its awn will hurt you if you move it. It's a lethal weapon; if you hide it deeply, it's a sharp weapon if you are ready.
Blockchain is a new field. We conduct security research on blockchain business itself (Tencent's blockchain e-invoice to understand), and also develop a smart contract security audit system.
With the popularity of cloud platform, virtualization security is bound to become an indisputable place for attack and defense. Blade has also rapidly carried out research in this field. It has not only quickly found and repaired the vulnerability of its own cloud platform, but also found the virtual machine escape vulnerability of QEMU / KVM, a widely used open-source virtual platform. This part is still under in-depth study, and you are expected to see the results here soon.
In the new business development, we also enjoy the dividend of the past - when evaluating many new businesses, we find that they are all existing knowledge, such as smart speaker, face payment smart hardware device, wechat car card applet based on NFC Of course, more technical challenges lie ahead.
As Tencent's security team, blade is very aware of the feeling that the manufacturer has been discovered by the outside world (it's almost the same feeling), so we firmly adhere to the responsible vulnerability reporting process, report all the discovered vulnerabilities to the official and assist in the repair, and countless infrastructure leaks such as Magellan, cve-2018-20506, Columbus, xcodeghost, qualpwn that cause the bloody rain of the Internet The holes have been quietly dissolved by the blade - a tribute to countless white hat heroes who silently guard the Internet!
In addition to silently guarding the Internet world, blade also went to the front of the stage to show security risks to non professional technical personnel and ordinary users, enhance everyone's security awareness, and make a contribution to corporate social responsibility and science and Technology (such as participating in Tencent technology week, T-day, code competition and other activities). In this part of work, we also need to thank the public relations, human resources and administrative team for their support.
[postscript]
Pay homage to every just and persistent security technology pursuer.
[appendix]
The first four of lake2's nine corporate safety episodes:
Arms race: DDoS attack protection system construction self research road: ten years of Tencent vulnerability scanning system
To be continued, please look forward to