debian security team presentation
play

Debian Security Team presentation Yves-Alexis Perez SSTIC 2018 - PowerPoint PPT Presentation

Feb 03, 2023 •376 likes •795 views

Debian Security Team presentation Yves-Alexis Perez SSTIC 2018 Introduction Introduction Debian Security Team presentation SSTIC 2018 1 / 37 corsac debian.org Introduction Who am I? Yves-Alexis Perez (Corsac) ANSSI head of software

  1. Debian Security Team presentation Yves-Alexis Perez SSTIC 2018

  2. Introduction Introduction Debian Security Team presentation SSTIC 2018 1 / 37 corsac ⊕ debian.org

  3. Introduction Who am I? Yves-Alexis Perez (Corsac) ANSSI head of software and hardware architecture lab Mostly interested in low-level security and hardening Debian Security Team presentation SSTIC 2018 2 / 37 Debian developer ▶ team security member ▶ package maintainer ▶ Xfce desktop environment ▶ strongSwan IKE/IPsec daemon ▶ Linux kernel team member corsac ⊕ debian.org

  4. Introduction Embargos SSTIC 2018 Debian Security Team presentation Standard embargoed vulnerability: pcs Meltdown/Spectre KRACK Examples Vulnerabilities Agenda Debian Security Advisory Security frontdesk Workflows Tools Roles People Security team presentation 3 / 37 corsac ⊕ debian.org

  5. Security team presentation Security team presentation Debian Security Team presentation SSTIC 2018 4 / 37 corsac ⊕ debian.org

  6. Security team presentation People People Core team members Other people involved Debian Security Team presentation SSTIC 2018 5 / 37 ▶ ~10 people[1] ▶ ~5 really active ▶ Debian developers and maintainers ▶ Security researchers corsac ⊕ debian.org

  7. Security team presentation Roles SSTIC 2018 Debian Security Team presentation Other interests 6 / 37 Handle security for stable releases What we do ▶ keep watch over security issues in stable/oldstable ▶ issue Debian Security Advisories (DSA) ▶ prepare packages updates ▶ upload to the security archive ▶ send the DSA mail for debian-security-announce@ ▶ coordinate with other teams and developpers ▶ distribution hardening ▶ reduces workload later on corsac ⊕ debian.org

  8. Security team presentation Roles What we don’t do Everything else security related 1. Debian System Administrators, unfortunate acronym collision 2. Debian Accounts Managers 3. Long Term Support Debian Security Team presentation SSTIC 2018 7 / 37 ▶ Debian infrastructure: the other DSA 1 ▶ Debian accounts: DAM 2 and Keyring teams ▶ Debian LTS 3 corsac ⊕ debian.org

  9. Security team presentation Security tracker: https://security-tracker.debian.org/ SSTIC 2018 Debian Security Team presentation Data: useful for automated vulnerability assessment Tools 8 / 37 Communication Frontends ▶ security@debian.org (PGP rsa4096/0x6BAF400B05C3E651 ) ▶ debian-security-announce@lists.debian.org ▶ irc://irc.debian.org/#debian-security ▶ sysadmin/enduser oriented ▶ web interface for browsing ▶ search by package, vulnerability (CVE) or suite ▶ CVE list (raw[2] / json[3]) ▶ OVAL json [4] corsac ⊕ debian.org

  10. Security team presentation Tools SSTIC 2018 Debian Security Team presentation Private git repository sec-private 9 / 37 Public[5] git repository security-tracker Backends ▶ team organization ▶ CVE management ▶ DSA assignment ▶ source for security-tracker website ▶ management of embargoed issues ▶ some internal data corsac ⊕ debian.org

  11. Workflows Workflows Debian Security Team presentation SSTIC 2018 10 / 37 corsac ⊕ debian.org

  12. Workflows Security frontdesk Security frontdesk Contact point for security issues Make sure: Debian Security Team presentation SSTIC 2018 11 / 37 ▶ someone is always present and active ▶ we don’t miss important issues ▶ we distribute the load amongst the team ▶ Anyone can do this, but make sure someone actually does it ▶ nowadays not formally done corsac ⊕ debian.org

  13. Workflows Security frontdesk Duties Day to day routine Distributed amongst the team Debian Security Team presentation SSTIC 2018 12 / 37 ▶ watch over the mail alias and process incoming requests ▶ watch over oss-sec and distros (private) lists, external sources ▶ add private issues to the private git repository ▶ add public issues to the security-tracker ( data/CVE/list ) ▶ process External check ▶ submit bug reports for public issues to the BTS ▶ add new DSA-worthy issues to the list ( dsa-needed.txt ) corsac ⊕ debian.org

  14. Workflows MITRE, vendors/upstream etc. SSTIC 2018 Debian Security Team presentation Add enough information to the tracker to facilitate work later on Security frontdesk Post processing TODO entries External check What is it? 13 / 37 ▶ automated script ▶ runs once a day ▶ finds newly assigned CVEs from various sources ▶ adds them to data/CVE/list with TODO tag ▶ is it against a Debian package? ▶ is the affected version in a Debian supported release? ▶ what is the severity? ▶ are there external sources of information? corsac ⊕ debian.org

  15. Workflows Debian Security Advisory SSTIC 2018 Debian Security Team presentation Usually 9. DSA mail is sent 8. package is released to the security mirror network 7. package is built by the buildbots 6. package is uploaded to security-master 5. package is built locally 4. patch is applied against package in supported suites 3. fix is identified 2. CVE is assigned (helpful, not required) Releasing a DSA[6] 14 / 37 1. vulnerability is identified ▶ work is shared between team members ▶ some steps can be done externally corsac ⊕ debian.org

  16. Vulnerabilities Vulnerabilities Debian Security Team presentation SSTIC 2018 15 / 37 corsac ⊕ debian.org

  17. Vulnerabilities simple private vulnerability SSTIC 2018 Debian Security Team presentation Three major types of vulnerability complex private vulnerability 16 / 37 public vulnerability (vast majority) ▶ reported via oss-sec, public bug or commit ▶ fix already known or developped in the open ▶ integrated in Debian as soon as possible ▶ usually no rush ▶ multiple codebases ▶ multiple vendors ▶ protocol vulnerability ▶ hardware vulnerability corsac ⊕ debian.org

  18. Vulnerabilities Embargos SSTIC 2018 Debian Security Team presentation High profile examples 17 / 37 Embargos Usage ▶ vulnerability not known publically ( under embargo ) ▶ only small circle of people know about it ▶ give some time to developers to find a fix ▶ coordinated date for publication ▶ everybody publish at the same time ▶ all users protected ▶ ROCA (Debian not affected) ▶ KRACK (wpa) ▶ Meltdown/Spectre (Linux, hypervisors, microcode) corsac ⊕ debian.org

  19. Vulnerabilities Embargos In practice Embargos have many drawbacks Limit usage as much as possible Debian Security Team presentation SSTIC 2018 18 / 37 ▶ fix availability delayed ▶ few people aware mean fix might not be optimal or even broken ▶ indefinite embargo problem (hide stuff below the carpet) ▶ leak problem ▶ for simple vulnerabilities ▶ short duration corsac ⊕ debian.org

  20. Vulnerabilities Embargos Operating system distribution security contact lists linux-distros@vs.openwall.org [7] Debian Security Team presentation SSTIC 2018 19 / 37 ▶ restricted list for open-source distributions (Linux and *BSD) ▶ successor to vendors-sec ▶ maintained by Openwall with help from distributions ▶ anyone can report a vulnerability privately ▶ strict policy (14 days max embargo, 7 days preferred) corsac ⊕ debian.org

  21. Examples Examples Debian Security Team presentation SSTIC 2018 20 / 37 corsac ⊕ debian.org

  22. Examples KRACK KRACK Standard embargoed vulnerability Key Reinstallation attacks[8] Debian Security Team presentation SSTIC 2018 21 / 37 ▶ coordination with community (upstream, researchers...) ▶ fix preparation ▶ coordinated release ▶ multiple vulnerabilities in the WPA protocol ▶ discovered by Mathy Vanhoef (imec-DistriNet, KU Leuven) ▶ involves multiple vendors (access points and clients) ▶ in Debian: wpa source package (wpa_supplicant and hostapd) corsac ⊕ debian.org

  23. Examples KRACK Timeline 28/08 initial contact from CERT 10/10 second contact from CERT 10/10 upstream contact on the restricted distribution list 10/10 contact wpa upstream and Debian maintainers 16/10 announcement and fixes publication 01/11 paper presentation at ACM CCS Debian Security Team presentation SSTIC 2018 22 / 37 corsac ⊕ debian.org

  24. Examples KRACK Initial contact (28/08/2017) Summary coordination done by CERT.org full details, paper and proof of concept in the notification Debian Security Team presentation SSTIC 2018 23 / 37 corsac ⊕ debian.org

  25. Examples KRACK Initial contact (28/08/2017) Summary Debian Security Team presentation SSTIC 2018 23 / 37 ▶ coordination done by CERT.org ▶ full details, paper and proof of concept in the notification corsac ⊕ debian.org

  26. Examples KRACK Upstream contact (10/10/2017) Summary from Jouni Malinen, upstream author of wpa sent to the distribution list (open-source distributions) details about the protocol vulnerabilities impact on hostapd and wpa_supplicant on various platforms patches for various branches later resent to oss-sec[9] (per distros list policy) Debian Security Team presentation SSTIC 2018 24 / 37 corsac ⊕ debian.org

  27. Examples KRACK Upstream contact (10/10/2017) Summary Debian Security Team presentation SSTIC 2018 24 / 37 ▶ from Jouni Malinen, upstream author of wpa ▶ sent to the distribution list (open-source distributions) ▶ details about the protocol vulnerabilities ▶ impact on hostapd and wpa_supplicant on various platforms ▶ patches for various branches ▶ later resent to oss-sec[9] (per distros list policy) corsac ⊕ debian.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction

Debian KDE-Extras Team Debian KDE-Extras Team Mark Purcell <msp@debian.org> Introduction Introduction The Debian KDE Extras Team maintain a portfolio of extra application packages for Debian GNU/Linux outside the KDE core applications

554 views • 18 slides
Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net

Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net

Experiences made with the DebConf video-team or the making of http://debian-meetings.debian.net /pub/debian-meetings/ by Holger Levsen Sydney Linux User Group, January 22 nd 2007 Outline whoami project aims and features software

472 views • 19 slides
Debian Security An overview of features and processes Debian Security Todd Troxell

Debian Security An overview of features and processes Debian Security Todd Troxell

Debian Security An overview of features and processes Debian Security Todd Troxell <ttroxell@debian.org> http://www.debian.org Who is this guy? Debian Security Todd Troxell <ttroxell@debian.org> http://www.debian.org Todd

1.79k views • 149 slides
Debian Anti Harassment Team BoF Laura Arjona Reina Ana Guerrero Lpez DebConf 17, Montreal

Debian Anti Harassment Team BoF Laura Arjona Reina Ana Guerrero Lpez DebConf 17, Montreal

Debian Anti Harassment Team BoF Laura Arjona Reina Ana Guerrero Lpez DebConf 17, Montreal Debian Anti Harassment Team Debian Anti Harassment Team BoF DebConf17 1 / 12 Wiki Page wiki.debian.org/AntiHarassment Debian Anti Harassment Team

431 views • 14 slides
Debian Long Term Support The story of an unusual team By Raphal Hertzog

Debian Long Term Support The story of an unusual team By Raphal Hertzog

Debian Long Term Support The story of an unusual team By Raphal Hertzog <hertzog@debian.org> Lyon Mini-DebConf / 2015-04-12 Plan of the talk Presentation of the LTS project/team Statistics about the team Current and future

284 views • 26 slides
The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog

The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog

The Debian Long Term Support Team: Past, Present and Future By Raphal Hertzog <hertzog@debian.org> DebConf 15 / Heidelberg / 2015-08-15 Plan of the talk Presentation of the LTS project/team Statistics about the team Current

574 views • 26 slides
Mentoring in the Debian Med team Andreas Tille Debian LSM, Montpellier, 8. July 2014 Andreas

Mentoring in the Debian Med team Andreas Tille Debian LSM, Montpellier, 8. July 2014 Andreas

Mentoring in the Debian Med team Andreas Tille Debian LSM, Montpellier, 8. July 2014 Andreas Tille (Debian) Mentoring in the Debian Med team LSM, Montpellier, 8. July 2014 1 / 32 Mentoring of the Month 1 Sponsoring of Blends 2 Sprints 3

920 views • 64 slides
Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20

Sylvestre Ledru sylvestre@debian.org Lo Cavaill leo+debian@cavaille.net Debian + 20 000 source packages ~13 architectures 3 kernels The biggest database of FLOSS code (?) The Debile Project January, 19th 2014 Sylvestre Ledru

571 views • 25 slides
The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008

The long road to aka Debian Edu in Debian Lenny main Holger Levsen, February 24 th 2008 Outline Some bits about me Project goals, design & features Debian and Debian Edu Development model and tools Debian Edu Etch

582 views • 36 slides
Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to

Patterns for Testing Debian Packages Antonio Terceiro terceiro@debian.org A brief intro to Debian CI autopkgtest created back in 2006 (!) 2014: Debian CI launches Goal: provide automated testing for the Debian archive (i.e. run

816 views • 68 slides
Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day

Custom Debian distributions and Debian derivatives Aigars Mahinovs Debconf 5 Debian Day Definitions Distribution a set of OS kernel and supporting software in a defined format with the possibility of some integration by adjusting

134 views • 12 slides
Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug

Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug

Distributing T EX and Friends Norbert Preining Jaist T EX Live Team Debian T EX Team Tug 2013, Tokyo, October 2013 Overview EX Live 2 introduction to T important configuration files infrastructure and package hierarchy

649 views • 52 slides
Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org,

Conte udo Como criar um Distribui c ao Personalizada Debian Debian-BR-CDD Distribui c oes Personalizadas Debian Otavio Salvador Enrico Zini otavio@debian.org, enrico@debian.org Congreso Internacional de Software Livre - 2 Edi

532 views • 25 slides
Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos

apoikos@debian.org Running an SME on Debian or Managing Debian across the whole fleet Apollon Oikonomopoulos DebConf16 - Cape Town 2016-07-04 Outline Introduction Installation Configuration management Package management People 2/26

697 views • 27 slides
Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C

Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C

Debian Derivatives P r e s e n t a t i o n / B o F D e b C o n f 1 6 , C a p e T o w n Debian Derivatives Hctor Orn Martnez <hector.oron@collabora.co.uk> <zumbi@debian.org> Works for Collabora

511 views • 15 slides
Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini

Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini

Secret Debian Internals Enrico Zini enrico@debian.org 25 February 2007 Enrico Zini enrico@debian.org Secret Debian Internals BTS Where to find it Source code: bzr branch http://bugs.debian.org/debbugs-source/mainline/ Data on merkel at

370 views • 16 slides
Formal Verification of UML Statecharts with Real-Time Extensions M. Oliver M Alexandre David

Formal Verification of UML Statecharts with Real-Time Extensions M. Oliver M Alexandre David

Formal Verification of UML Statecharts with Real-Time Extensions M. Oliver M Alexandre David oller Wang Yi Uppsala University BRICS Arhus

356 views • 25 slides
Migration From DB2 in a Large Public Setting: Lessons Learned Bal azs B ar any and

Migration From DB2 in a Large Public Setting: Lessons Learned Bal azs B ar any and

Migration From DB2 in a Large Public Setting: Lessons Learned Bal azs B ar any and Michael Banck PGConf.EU 2017 Introduction Federate state ministry in Germany Hosting by states central IT service centre Michael worked as

685 views • 21 slides
Image Head of IT Knowledge Cluster of Excellence Gestaltung An Interdisciplinary Laboratory

Image Head of IT Knowledge Cluster of Excellence Gestaltung An Interdisciplinary Laboratory

Alexander Struck Image Head of IT Knowledge Cluster of Excellence Gestaltung An Interdisciplinary Laboratory How red tape and other obstacles are holding us back 1 Image About Knowledge Gestaltung An Interdisciplinary Laboratory Me

659 views • 7 slides
Voting Machines and Voting Machines and Automotive Software: Automotive Software: Explorations

Voting Machines and Voting Machines and Automotive Software: Automotive Software: Explorations

Voting Machines and Voting Machines and Automotive Software: Automotive Software: Explorations with SMT at Scale Explorations with SMT at Scale Sanjit A. Seshia Sanjit A. Seshia EECS Department EECS Department UC Berkeley UC Berkeley

493 views • 24 slides
DIMACS Workshop on Facing the Themes Invited participants Challenges of Infectious Diseases in

DIMACS Workshop on Facing the Themes Invited participants Challenges of Infectious Diseases in

DIMACS-SACEMA 2006 Aims and Objectives DIMACS Workshop on Facing the Themes Invited participants Challenges of Infectious Diseases in Organizers Africa: The Role of Mathematical Sponsors Summary of Modelling Workshop Future plans

205 views • 19 slides
Hepatitis Advocacy: Understanding Federal Appropriations March 29, 2018 Phone/Audio Option

Hepatitis Advocacy: Understanding Federal Appropriations March 29, 2018 Phone/Audio Option

Hepatitis Advocacy: Understanding Federal Appropriations March 29, 2018 Phone/Audio Option Call-In #: +1 (213) 929-4232 Attendee Access Code: 962-338-217 All attendees are muted. Questions? Questions? Submit questions in the chat box at

865 views • 40 slides
Accelerating Difference Sally Bonneywell VP Coaching, GSK WBECS 2015 What we are going to cover

Accelerating Difference Sally Bonneywell VP Coaching, GSK WBECS 2015 What we are going to cover

Accelerating Difference Sally Bonneywell VP Coaching, GSK WBECS 2015 What we are going to cover today: 1. How we addressed a really tough organisational problem using Coaching - gender imbalance in leadership teams in GSK 2. Why this is an

287 views • 28 slides
Patient Protection and Affordable Care Act (PPACA) Opportunities: Delivery System and Financing

Patient Protection and Affordable Care Act (PPACA) Opportunities: Delivery System and Financing

Patient Protection and Affordable Care Act (PPACA) Opportunities: Delivery System and Financing of Health Care New Mexico Legislative Health and Human Services Committee August 31, 2010 Enrique Martinez-Vidal Vice President, AcademyHealth

1.22k views • 110 slides

More recommend