Myth Busters Open source and Security By Aseem Jakhar



SLIDE 1

Myth Busters Open source and Security By Aseem Jakhar

SLIDE 2

$ whoami

SLIDE 3

$ whoami

We break things!

SLIDE 4

$ whoami

  • When not working, we do charity

SLIDE 5

$ whoami

  • When not working, we do charity
  • By breaking products for free :)
  • Cisco Linksys Wifi router Buffer overflow
  • GSM network vulnerabilities in a few Indian Telecom operators
  • Apple App store payment bypass
  • Linkedin, ubuntu one and many more application vulnerabilities....

SLIDE 6

$ whoami

  • Founder – null - The open security community
    – Registered Non-profit Organization
    – 7 chapters – Pune, Bangalore, Hyderabad, Delhi, Mumbai, Chennai and Goa
    – Monthly Meets in all chapters
    – Open to all to share and learn
    – Details http://null.co.in
  • Founder - nullcon Security Conference
SLIDE 7

Disclaimer

  • All views and ideas expressed in the presentation are personal and do not reflect that of my employer

SLIDE 8

Disclaimer

  • All views and ideas expressed in the presentation are personal and do not reflect that of my employer.
  • For the open source lovers – Please don't take this presentation seriously and request you not kill me after the talk.
  • I'm an open source developer and user too!
SLIDE 9

Agenda

  • Why Security?
  • Myths
  • *nix Vs Windows
  • Statistics
  • Conclusion
  • References
SLIDE 10

Why Security?

SLIDE 11

Why Security?

SLIDE 12

Myths

  • Open source fanatics
    – Open source is secure. *nix OSes have user and file permission by design
    – Because it is the work of passionate techies the outcome is much better than closed source commercial software
  • Closed source/Enterprise fanatics
    – Open source is a piece of software hacked together by a bunch of enthusiasts without a long term vision and hence insecure and unstable.
    – Because the source code is available people can find vulnerabilities very easily
  • 100% security
SLIDE 13

I want to play a game

SLIDE 14

*nix Vs Windows

  • When I say *nix I mean only Unix like (open source) operating systems.
  • Which one is more secure?
  • Let's talk about a few critical problems
SLIDE 15

Buffer overflow

  • Process layout design
  • Stack frames hold the instruction pointer (EIP)
  • Overwrite the instruction pointer
  • Point EIP to a memory location within the program that contains malicious code
  • Allows local or remote code execution and hijacking of systems

  • *nix or Windows?
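The slide describes the bug class without showing what it looks like in code. As an added example (not from the slides or from the speaker's own projects), the following shows the classic pattern, an unbounded copy into a fixed-size stack buffer, beside a bounded version that rejects input that does not fit. The function names unsafe_greeting and safe_greeting and the sample inputs are this example's own.

```c
/* Added example, not from the slides: a fixed-size stack buffer filled with
 * strcpy() (the vulnerable pattern) beside a bounded copy that fails closed.
 * Names (unsafe_greeting, safe_greeting, NAME_MAX_LEN) are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* buffer size chosen for the example */

/* Vulnerable form: no length check. An input longer than 15 bytes writes
 * past the end of 'name' into the rest of the stack frame (saved registers,
 * saved return address), which is the overwrite the slide describes.
 * Kept only to show the pattern; it is never given over-long input here. */
int unsafe_greeting(const char *input)
{
    char name[NAME_MAX_LEN];
    strcpy(name, input);            /* unbounded copy: the defect */
    return (int)strlen(name);
}

/* Hardened form: measure first, reject anything that leaves no room for the
 * terminator, and copy exactly the measured bytes.
 * Returns the copied length, or -1 when the input does not fit. */
int safe_greeting(const char *input)
{
    char name[NAME_MAX_LEN];
    size_t len = strlen(input);
    if (len >= NAME_MAX_LEN)        /* 15 characters + NUL is the maximum */
        return -1;
    memcpy(name, input, len + 1);   /* includes the terminating NUL */
    return (int)len;
}

int main(void)
{
    const char *short_input = "alice";                    /* constructed */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes */
    printf("safe_greeting(short)   = %d\n", safe_greeting(short_input));
    printf("safe_greeting(long)    = %d\n", safe_greeting(long_input));
    printf("unsafe_greeting(short) = %d\n", unsafe_greeting(short_input));
    return 0;
}
```

The bounded version answers the slide's question in the only way that matters for a defender: the overwrite never happens, so where EIP points is never under the caller's control. Compiler-inserted stack canaries (for example `-fstack-protector` in GCC and Clang) detect the overwrite at function return, but they abort the process rather than prevent the bug; the length check is what removes it.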
SLIDE 16

Kernel NULL pointer dereference

  • Programs can map the address zero as a valid memory location
  • If Kernel null pointers can be controlled via a syscall triggered by a malicious program
  • Malicious code/data can be stored and used/executed by the kernel

  • Privilege escalation
  • *nix or windows?
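The first step on this slide, mapping address zero from user space, is the one a Linux administrator can actually close. As an added example (not from the slides), the following reads the kernel's vm.mmap_min_addr sysctl, which is the lowest address an unprivileged process may mmap(), and reports whether page zero is off limits. The function names and the 4096-byte threshold (one page, the least that keeps address zero unmappable) are this example's own choices; most distributions ship a value of 65536.

```c
/* Added example, not from the slides: check whether the running Linux kernel
 * refuses to let unprivileged processes map page zero. The sysctl path is
 * real (/proc/sys/vm/mmap_min_addr); the function names and the SAFE_FLOOR
 * threshold are this example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>

#define MMAP_MIN_ADDR_PATH "/proc/sys/vm/mmap_min_addr"
#define SAFE_FLOOR 4096UL   /* one page: page zero must at least be unmappable */

/* Parses the sysctl text (e.g. "65536\n"). Returns -1 on malformed input. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    unsigned long v;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (end == text || errno != 0)   /* no digits at all, or overflow */
        return -1;
    if (v > (unsigned long)LONG_MAX)  /* e.g. "-1" wraps to ULONG_MAX */
        return -1;
    return (long)v;
}

/* 1 if the floor keeps page zero unmappable, 0 if address zero is allowed,
 * -1 if the text could not be parsed. */
int mmap_min_addr_is_safe(const char *text)
{
    long v = parse_mmap_min_addr(text);
    if (v < 0)
        return -1;
    return v >= (long)SAFE_FLOOR ? 1 : 0;
}

/* Reads the live setting; returns -1 when the file is unavailable
 * (non-Linux host or restricted /proc). */
int check_running_kernel(void)
{
    char buf[64];
    FILE *f = fopen(MMAP_MIN_ADDR_PATH, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return mmap_min_addr_is_safe(buf);
}

int main(void)
{
    int r = check_running_kernel();
    if (r < 0)
        puts("vm.mmap_min_addr not readable (not Linux, or /proc restricted)");
    else
        printf("address zero is %s to unprivileged mmap()\n", r ? "closed" : "OPEN");
    return 0;
}
```

A value of 0 means the precondition on the slide holds and a kernel NULL dereference becomes exploitable from an ordinary process; any value of at least one page removes that step, which is why the check is worth wiring into a baseline audit. Note that the sysctl only matters for the user-space half of the problem; the kernel-side dereference is still a bug to be patched.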
SLIDE 17

Use after free

  • Objects allocated and free()'ed on heap
  • Free space previously utilised by valid object can now be allocated for a new allocation request.
  • Adjusted requests with malicious code on the same place as previous object allocation.
  • If object is used after freeing and the vulnerable code can be triggered, the malicious code will get executed.

  • *nix or windows?
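The slide's last bullet depends on one thing: a pointer that is still used after the object behind it was freed. As an added example (not from the slides), the following shows a heap object carrying a function pointer, a release routine that leaves the caller's pointer dangling, and the discipline that removes the bug: clear the pointer at release time and refuse to operate on a cleared one. The type and function names (struct session, session_new, session_release_buggy, session_release, session_use, release_then_use) are this example's own.

```c
/* Added example, not from the slides: the dangling-pointer pattern beside the
 * release discipline that prevents it. All names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>

struct session {
    int id;
    void (*on_event)(struct session *);   /* called through later: a dangerous field to leave stale */
};

static void default_handler(struct session *s) { (void)s; }

struct session *session_new(int id)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->id = id;
    s->on_event = default_handler;
    return s;
}

/* Buggy release: frees the object but leaves every copy of the pointer
 * intact. A later s->on_event(s) reads whatever the allocator has since
 * placed in that heap slot, which is exactly the slide's third bullet.
 * Shown for contrast only; nothing below uses a pointer after this call. */
void session_release_buggy(struct session *s)
{
    free(s);
}

/* Fixed release: takes the pointer by address and clears it, so a later use
 * is a NULL (caught below) instead of a jump through reused heap memory. */
void session_release(struct session **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    free(*sp);
    *sp = NULL;
}

/* Returns 0 on success, -1 when handed a released (NULL) session. */
int session_use(struct session *s)
{
    if (s == NULL)
        return -1;
    s->on_event(s);
    return 0;
}

/* Drives the sequence once: create, use, release, use again.
 * Returns the result of the post-release use (-1), or -2/-3 on setup failure. */
int release_then_use(void)
{
    struct session *s = session_new(7);
    if (s == NULL || session_use(s) != 0)
        return -2;
    session_release(&s);
    if (s != NULL)          /* the fixed release must have cleared it */
        return -3;
    return session_use(s);  /* rejected: -1, no dangling call */
}

int main(void)
{
    printf("use after fixed release returns %d\n", release_then_use());
    return 0;
}
```

Clearing one pointer does not help if other copies exist, so the same discipline has to cover every owner of the object (or ownership has to be made explicit so there is only one). For finding the buggy form in existing code, AddressSanitizer (`-fsanitize=address` in GCC and Clang) reports a read through a freed pointer at the moment it happens, which is far cheaper than learning about it from the slide's last bullet.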
SLIDE 18

Remote process infection

  • Windows has CreateRemoteThread API
    – Function to create a thread within the context of another process on the same system
    – Actively abused by malware to infect legit processes such as IE
    – Bypass security restrictions
    – Stealth

SLIDE 19

Remote process infection

  • Linux?
    – No such API provided by the OS.

SLIDE 20

Remote process infection

  • Linux?
    – No such API provided by the OS.
    – So we created one :-P
    – Jugaad – remote thread injection kit
    – Indroid – For Android
    – Source code https://github.com/aseemjakhar/jugaad

SLIDE 21

Question

  • Question to “Linux is more secure” Bandwagon

SLIDE 22

Question

  • Question to “Linux is more secure” Bandwagon
    – Android and Security? Who's laughing now
    – Read at your leisure – http://www.brighthand.com/default.asp?newsID=18414&news=Top+10+Vulnerable+Smartphones+Malware

SLIDE 23

Statistics

  • Used only CVE data
  • Common Vulnerabilities and Exposures
  • http://cve.mitre.org
  • Used CVEs from cvedetails.com for quick analysis
  • Considered all vulnerabilities instead of year wise
  • The recorded data may be less in some cases as it depended on searching with different names.
  • Recorded only the vulnerabilities in the core software and not any sub components.

SLIDE 24

Browser stats

[Bar chart: Browser CVE comparison; x axis: Browsers, y axis: CVE count. Labels and values as they appear on the slide, paired in order: Opera 300, Internet Explorer 736, Chrome 772, Firefox 909]

SLIDE 25

Operating System stats

[Bar chart: OS CVE comparison; x axis: Operating Systems, y axis: CVE count. Labels and values as they appear on the slide, paired in order: Windows 880, Linux 1004]

SLIDE 26

Database stats

[Bar chart: Database CVE comparison; x axis: Database Software, y axis: CVE count. Labels and values as they appear on the slide, paired in order: Mysql 186, Oracle 426]

SLIDE 27

Conclusion

  • Security has nothing to do with the ideology of open and closed source.
  • Popularity/usage of the software matters when it comes to finding vulnerabilities.
  • A Secure SDLC like process will make your software more secure than it currently is and reduce overall cost for ensuring a good security level and patching.
  • More awareness among the developer community and the product management.

SLIDE 28

References

  • CVE data: http://cvedetails.com/
  • Hammer image source: http://commons.wikimedia.org/wiki/File:Claw-hammer.jpg
  • Saw movie image source: http://www.wired.com/images_blogs/photos/uncategorized/2008/01/30/saw.jpg
  • Karamchand image source: http://www.desidabba.in/wp-content/uploads/kc_800_600.jpg