entropy gradient reversal
play

Entropy Gradient Reversal Or: How we survived CVE-2008-0166 Kees - PowerPoint PPT Presentation

Jan 04, 2024 •239 likes •796 views

Entropy Gradient Reversal Or: How we survived CVE-2008-0166 Kees Cook Matt Zimmerman Opsen 2014-04-22 May 2008 why do you have my key? Fix it quick! openssl (0.9.8g-9) unstable; urgency=high [ Christoph Martin ] * Include updated

  1. Entropy Gradient Reversal Or: How we survived CVE-2008-0166 Kees Cook Matt Zimmerman Opsen 2014-04-22

  2. May 2008

  3. “why do you have my key?”

  4. Fix it quick! openssl (0.9.8g-9) unstable; urgency=high [ Christoph Martin ] * Include updated debconf translations (closes: #473477, #461597, #461880, #462011, #465517, #475439) [ Kurt Roeckx ] * ssleay_rand_add() really needs to call MD_Update() for buf. -- Kurt Roeckx <kurt@roeckx.be> Wed, 07 May 2008 20:32:12 +0200

  5. “Time to release an advisory”

  6. “hold on just a tick…”

  7. Relevant to your interests From: Florian Weimer <fw@deneb.enyo.de> To: vendor-sec@lst.de Subject: [vendor-sec] Broken openssl in Debian Date: Thu, 08 May 2008 01:52:17 +0200 Debian ships a bogus modification of OpenSSL which disables proper seeding of the PRNG (the patch to crypto/rand/md_rand.c). The issue is already semi-public, thanks to an uncoordinated upload by the maintainer. This should only affect Debian-derived distros.

  8. Bank holiday Monday

  9. Meanwhile, downstream...

  11. Cast of characters ● Kees Cook, Ubuntu security team (on vacation in Canada) ● Jamie Strandboge, Ubuntu security team ● Colin Watson, Debian/Ubuntu OpenSSH maintainer ● Matt Zimmerman, Ubuntu CTO ● Florian Weimer, Red Hat Product Security Team ● James Troup, Debian/Canonical

  12. Test case /* gcc -o omfg omfg.c -lcrypto */ #include <openssl/rand.h> #include <stdio.h> int main() { unsigned char data[128]; unsigned i; RAND_bytes(data, 128); for (i = 0; i < 128; ++i) printf("%08X", (unsigned)data[i]); puts(""); } $ for i in $(seq 1 1000000); do ./omfg; done | sort -u | wc -l 32003 <- this number should be 1000000

  13. Sources of “entropy” ● process ID ● CPU endianness Find some alternate endian machines and LD_PRELOAD “getpid”: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/openssh- blacklist/trusty/view/head:/generate-blacklist.sh

  14. It gets worse ● All SSH keys generated by this code ● All SSL certificates generated by this code ● All OpenVPN certificates generated by this code

  17. Response plan “This is outstandingly bad. At the very least, we need to: 1- fix it (patch is trivial) 2- educate people that they need to regenerate their keys and certs 3- generate the list of "weak keys" and refuse to use them for SSH 4- hope no one has packet captures from weak SSL connections 5- hope the world doesn't burn 6- find out if places like cacert.org (and others) are using Debian-derived openssl 7- pray we are not brutally lampooned”

  18. Choosing the lesser evil

  19. May 13 2008

  21. Updating your system: 1. Install the security updates Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced (see step 3). OpenSSH host keys can be automatically regenerated when the OpenSSH security update is applied. The update will prompt for confirmation before taking this step. 2. Update OpenSSH known_hosts files The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this: [...] 3. Check all OpenSSH user keys The safest course of action is to regenerate all OpenSSH user keys, except where it can be established to a high degree of

  22. certainty that the key was generated on an unaffected system. 4. Regenerate any affected user keys Check whether your key is affected by running the ssh-vulnkey OpenSSH keys used for user authentication must be manually tool, included in the security update. By default, ssh-vulnkey regenerated, including those which may have since been will check the standard location for user keys (~/.ssh/id_rsa, transferred to a different system after being generated. ~/.ssh/id_dsa and ~/.ssh/identity), your authorized_keys file New keys can be generated using ssh-keygen, e.g.: (~/.ssh/authorized_keys and ~/.ssh/authorized_keys2), and the $ ssh-keygen system's host keys (/etc/ssh/ssh_host_dsa_key and Generating public/private rsa key pair. /etc/ssh/ssh_host_rsa_key). Enter file in which to save the key (/home/user/.ssh/id_rsa): To check all your own keys , assuming they are in the standard Enter passphrase (empty for no passphrase): locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): Enter same passphrase again: $ ssh-vulnkey Your identification has been saved in /home/user/.ssh/id_rsa. To check all keys on your system : Your public key has been saved in /home/user/.ssh/id_rsa.pub. $ sudo ssh-vulnkey -a The key fingerprint is: To check a key in a non-standard location : 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host $ ssh-vulnkey /path/to/key 5. Update authorized_keys files (if necessary) If ssh-vulnkey says "Unknown (no blacklist information)", Once the user keys have been regenerated, the relevant public then it has no information about whether that key is affected. keys must be propagated to any authorized_keys files on If in doubt, destroy the key and generate a new one. remote systems. Be sure to delete the affected key.

  26. Details USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS, multi-client/server mode, and specifying a user or group which caused OpenVPN to not start when using valid SSL certificates. It was also found that openssl-vulnkey from openssl-blacklist would fail when stderr was not available. This caused OpenVPN to fail to start when used with applications such as NetworkManager. This update fixes these problems. We apologize for the inconvenience.

  27. May 14 2008

  36. How did we get here?

  37. 20 months earlier…

  38. How did we get here?

  39. How did we get here? Debian package maintainer, openssl

  40. How did we get here? “If it helps with debugging, I'm in favor of removing them ” - Ulf Möller, OpenSSL contributor “use -DPURIFY” - Geoff Thorpe, Member, OpenSSL development team “So yes I think not using the uninitialized memory [...] helps valgrind.” - Marco Roeland, some dude on the internet

  41. How did we get here? openssl (0.9.8b-1) unstable; urgency=low * libssl0.9.8.postinst: The check to see if something was installed wasn't working. * New upstream release * libssl0.9.8.postinst: Add workaround to find the name of the init - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs. script for proftpd and dovecot. - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE * libssl0.9.8.postinst: Use invoke-rc.d when it's available. instead of FALSE. * Change Standards-Version to 3.7.0: - CA.pl/CA.sh creates crlnumber now. (Closes: #347612) - Make use of invoke-rc.d * Run debconf-updatepo, which really already was in the 0.9.8a-8 version * Add comment to README.Debian that rc5, mdc2 and idea have been as it was uploaded. disabled (since 0.9.6b-3) (Closes: #362754) * Add Galician debconf translation. Patch from * Don't add uninitialised data to the random number generator. This stop Jacobo Tarrio <jtarrio@trasno.net> (Closes: #361266) valgrind from giving error messages in unrelated code. * libssl0.9.8.postinst makes uses of bashisms (local variables) (Closes: #363516) so use #!/bin/bash * Put the FAQ in the openssl docs. * libssl0.9.8.postinst: Call set -e after sourcing the debconf * Add russian debconf translations from Yuriy Talakan <yt@amur.elektra.ru> script. (Closes #367216) * libssl0.9.8.postinst: Change list of service that may need to be restarted: -- Kurt Roeckx <kurt@roeckx.be> Thu, 4 May 2006 20:40:03 +0200 - Replace ssh by openssh-server - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1 - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql

  43. What happened? ● A subtle bug was discovered ● A well-meaning developer attempted to fix it ● They sought a trusted opinion about their patch ○ ...and seemed to receive it ● An even more subtle bug was introduced ○ There was just enough entropy to obscure the issue ● A long time passed! ● A lot of people had a bad day^Wweek^Wlife

  44. It could have been worse ● The issue could have become public before fixes were available ● A Debian advisory was almost released several days earlier, without key blacklists and other critical components ● It could have happened in upstream OpenSSL

  45. Post hoc

  46. Criticism “My issue is that it was committed to a public repository five days before an advisory was issued. Only a single attacker has to notice that and realise its import in order to start exploiting vulnerable systems – and I will be surprised if that has not happened.” - Ben Laurie, Member, OpenSSL core team

  47. Criticism

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
ITC Reversal and RCM 24 th June 2020 Webinar, CTC CA Naresh Sheth CA Sanket Shah ITC Reversal

ITC Reversal and RCM 24 th June 2020 Webinar, CTC CA Naresh Sheth CA Sanket Shah ITC Reversal

GST for Real Estate ITC Reversal and RCM 24 th June 2020 Webinar, CTC CA Naresh Sheth CA Sanket Shah ITC Reversal under Rule 42 Projects completed till 31 st March 2019 Reversal applicable only in the year of completion or for full project

396 views • 25 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Basic concepts on magnetization reversal (1) Static properties : coherent reversal and beyond

Basic concepts on magnetization reversal (1) Static properties : coherent reversal and beyond

Basic concepts on magnetization reversal (1) Static properties : coherent reversal and beyond Stanislas ROHART Laboratoire de Physique des Solides Universit Paris Sud and CNRS Orsay, France Introduction: Hysteresis loop Manipulation of a

754 views • 38 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
State of Collaboration Check Reversal (AC 230) Workshop 1 1 AC-230 THE SALARY REVERSAL &amp;

State of Collaboration Check Reversal (AC 230) Workshop 1 1 AC-230 THE SALARY REVERSAL &amp;

State of Collaboration Check Reversal (AC 230) Workshop 1 1 AC-230 THE SALARY REVERSAL &amp; EXCHANGE PROCESS KEVIN CZMYR 2 2 What is an AC-230? Used to return salary checks for employees who have not earned their full salary due to:

1.88k views • 79 slides
Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K

Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K

Gradient for Cross-Entropy Loss with Sigmoid For a single example ( x , y ): K L 1 L y k log k ( x ) + (1 y k ) log k ( x ) k =1 s l 1 L s l + 2 w l ij 2 m l =1 i =1

912 views • 50 slides
CR Li-Yau Gradient Estimate and Perelman Entropy Formulae Shu-Cheng Chang National Taiwan

CR Li-Yau Gradient Estimate and Perelman Entropy Formulae Shu-Cheng Chang National Taiwan

CR Li-Yau Gradient Estimate and Perelman Entropy Formulae Shu-Cheng Chang National Taiwan University The 10th Pacic Rim Geometry Conference Osaka-Fukuoka, Part I, Dec. 1-5, 2011 The 10th Pacic Rim Geometry Conference O Shu-Cheng Chang

561 views • 52 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
The median problem for the reversal distance in circular bacterial genomes E. Ohlebusch, M.I.

The median problem for the reversal distance in circular bacterial genomes E. Ohlebusch, M.I.

Introduction Methods Conclusion The median problem for the reversal distance in circular bacterial genomes E. Ohlebusch, M.I. Abouelhoda, K. Hockel, J. Stallkamp University of Ulm, Germany CPM 2005 The median problem for the reversal

679 views • 31 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
draft-ietf-dnsext-dnssec-bis-updates-10 Samuel Weiler IETF77, Anaheim 24 March 2010 Samuel

draft-ietf-dnsext-dnssec-bis-updates-10 Samuel Weiler IETF77, Anaheim 24 March 2010 Samuel

Changes Since -09 Path Forward draft-ietf-dnsext-dnssec-bis-updates-10 Samuel Weiler IETF77, Anaheim 24 March 2010 Samuel Weiler draft-ietf-dnsext-dnssec-bis-updates-10 Changes Since -09 Path Forward Changes Since -09 Nested Trust Anchors

743 views • 14 slides
Metaprogramming &amp; JavaScript Object Proxies What is metaprogramming ? Writing programs that

Metaprogramming &amp; JavaScript Object Proxies What is metaprogramming ? Writing programs that

C152 Programming Language Paradigms Prof. Tom Austin, Fall 2014 Metaprogramming &amp; JavaScript Object Proxies What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies Special metaprogramming

594 views • 24 slides
Exploiting model structure to encode transition relations and transition rate matrices

Exploiting model structure to encode transition relations and transition rate matrices

Exploiting model structure to encode transition relations and transition rate matrices Gianfranco Ciardo Department of Computer Science and Engineering University of California, Riverside Supported in part by the National Science Foundation

591 views • 44 slides
Algorithmic Complexity of Correctness Testing in MC-Scheduling Rany Kahil, Dario Socci, Peter

Algorithmic Complexity of Correctness Testing in MC-Scheduling Rany Kahil, Dario Socci, Peter

Algorithmic Complexity of Correctness Testing in MC-Scheduling Rany Kahil, Dario Socci, Peter Poplavko, Saddek Bensalem VERIMAG, University of Grenoble Alpes RTNS18 Kahil et al. (VERIMAG) Correctness Testing in MCS 1 / 27 RTNS18 Our

598 views • 43 slides
From our view From the patients experience Going from patient Patient focus groups

From our view From the patients experience Going from patient Patient focus groups

I.C.U. Can you See Me? I never knew when a doctor was going to come in and do something to me. Crossing the Chasm from the Patients Perspective Patient Della M. Lin, M.D. She seemed very frustrated that she When I asked

277 views • 7 slides
Series, April 12, 2016 Communication Access in the United States: Issues related to Education,

Series, April 12, 2016 Communication Access in the United States: Issues related to Education,

Welcome to USSAACs Webinar Series, April 12, 2016 Communication Access in the United States: Issues related to Education, Healthcare, and Justice Systems Presenters: India Ochs, Esq. &amp; Barbara Collier, SLP Facilitator: Sarah Blackstone

543 views • 33 slides
SA-TIED SEMINAR Tax Revenue Mobilization in SA Depreciation Allowances in South Africa

SA-TIED SEMINAR Tax Revenue Mobilization in SA Depreciation Allowances in South Africa

SA-TIED SEMINAR Tax Revenue Mobilization in SA Depreciation Allowances in South Africa Observations Reviews on effectiveness to tax incentives for investment is mixed, and the need to subject these to CBA and monitoring is widely

316 views • 8 slides

More recommend