trends in open source security
play

Trends in Open Source Security FOSDEM 2013 Florian Weimer - PowerPoint PPT Presentation

Oct 30, 2023 •146 likes •462 views

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

  1. Trends in Open Source Security FOSDEM 2013 Florian Weimer ‹fweimer@redhat.com› Red Hat Product Security Team 2013-02-02

  2. Overview ● Vulnerability tracking ● Tool-chain hardening ● Distribution-wide defect analysis 2 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  3. CVE-based vulnerability tracking ● http://cve.mitre.org/ ● CVE-2013-0156 ● CVE assignment alerts distributions ● Works well for public issues ● oss-security mailing list and Kurt Seifried ● Many vendors also assign CVE identifiers 3 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  4. Version-based vulnerability tracking ● For each branch, note the minimum fixed version ● Very complicated, with subtle corner cases ● Tied to a version numbering scheme and branching model 4 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  5. Version-based tracking for CVE-2013-0156 CVE-2013-0156 (active_support/core_ext/hash/conversions.rb in Ruby on Rails before ...) - rails 2.3.14.1 (bug #697722; high) [squeeze] - rails 2.3.5-1.2+squeeze4.1 - ruby-activesupport-2.3 2.3.14-5 (bug #697789) - ruby-activesupport-3.2 3.2.6-5 (bug #697790) - ruby-extlib 0.9.15-3 (bug #697895) - libextlib-ruby <removed> (bug #697895) 5 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  6. Example packages for CVE-2013-0156 ● - rails 2.3.14.1 (bug #697722; high) [squeeze] - rails 2.3.5-1.2+squeeze4.1 ● Fixed package versions ● 2:2.3.14.2 (testing/wheezy) ● 2.3.5-1.2+squeeze6 (stable/squeeze) ● Unfixed package versions: ● 2.3.11-0.1 (testing/wheezy) ● 2.3.5-1.2+squeeze1 (stable/squeeze) ● Can be used to rate the packages on a system 6 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  7. Vulnerability tracking with tracker bugs ● bugzilla.redhat.com entry with the CVE as an alias ● Will be made public after disclosure ● Extensive metadata in the “Whiteboard” field ● This tracker bug depends on product-specific bugs ● Lots of automation, relying on Bugzilla features ● Uploads to Fedora post information in the Bzs ● Rather different from version-based tracking 7 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  8. Tracker bugs example: CVE-2013-0156 ● https://bugzilla.redhat.com/show_bug.cgi?id=892870 has these dependencies: ● Fedora bug: 893281 ● Fedora EPEL bug: 847202 ● Red Hat OpenShift Enterprise internal bugs ● Tied to RHSA-2013:0153-1 ● Red Hat Subscription Asset Manager internal bugs ● Tied to RHSA-2013:0154-1 ● Red Hat CloudForms bugs ● Tied to RHSA-2013:0155-1 8 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  9. Vulnerability tracking requirements ● Ubuntu, Gentoo, OpenSuSE etc. use similar schemes ● Most upstreams provide critical information ● Analysis in their security advisory or bug tracker ● Links to individual patches/commits ● Otherwise, it has to be reverse engineered ● Time-consuming, better spend on patch review/testing ● Distributions publish isolated security patches ● Related discussions on the public oss-security list 9 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  10. Cross-distro information sharing opportunities ● Package names and versioning schemes differ ● Encoding of upstream versions differs ● CVE ↔packages mapping could be shared ● Application for Common Platform Enumeration (CPE)? 10 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  11. Public version control repositories Please publish your security patches in a publicly accessible version control repository as separate commits! There is really no point in hiding this information. (Not a trend yet—let's hope it does not turn into one.) 11 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  12. Toolchain hardening 12 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  13. Toolchain hardening ● Probabilistic countermeasures against code execution ● Make the program crash, not run code ● These bugs still need fixing! 13 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  14. Toolchain hardening ● Address space layout randomization ● Non-executable stack, heap ● malloc / free hardening against direct exploitation of double- free bugs ● -fstack-protector (stack canaries, if enabled) ● Compiler warnings (errors for format strings) ● operator new[] hardening ● New feature in GCC 4.8 ● Backported to Fedora 18 14 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  15. Toolchain hardening: FORTIFY_SOURCE ● GCC provides access to array sizes using __builtin_object_size ● In cases where this is possible ● GNU libc passes length to wrapper functions ● GNU libc disables %n in writable format strings 15 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  16. Unused hardening opportunities ● 32 bit ● Do not use prelink ● Randomization of program start address (PIE) ● BIND_NOW global offset table (GOT) protection ● -fwrapv (deterministic integer overflow) ● -fstack-check 16 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  17. Stack checking ● alloca argument allows arbitrary stack pointer adjustment ● -fcheck-stack has considerable code size impact ● Some assembly required ● Use stack boundary provided by split stacks 17 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  18. Subscript checking for operator[] ● Affects std::vector , std::string , std::array ● vec[i] ● C++ standard gives permission for bounds checking ● Library-only change has performance impact ● Further research needed ● Interim workaround: use vec .at(i) 18 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  19. Hardening and performance ● There is a trade-off ● Real-world attack data enables objective decisions effective new attack ineffective 19 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  20. More far-reaching changes ● Improving memory safety for C/C++ ● Bounded pointers/array slices ● Garbage collection ● __attribute__ annotations ● Vtable dispatch changes (for C++) ● Ranges instead of iterators (for C++) ● Library consolidation ● FLOSS-specific secure coding guidelines ● Better APIs? 20 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  21. Changing the game ● A bunch of new system programming languages ● Go, LuaJIT, Rust ● And a few older ones: Ada, Haskell, Java, Ocaml ● Incremental conversion requires deep embedding ● No kernel threads, no changes to signal handlers ● Isolated language run-time states ● This is an implementation issue. ● At the moment, only Ada and LuaJIT qualify 21 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  22. Vulnerabilities and side effects ● CVE-2013-0243: tls-extra certificate validation ● Haskell is a real programming language now! ● The vulnerability is in imperative code. ● But it could have been pure/side-effect-free. ● Vulnerabilities are not necessarily side effects. 22 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  23. Distribution-wide defect analysis 23 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  24. Static analysis ● Year 2012 for Red Hat Enterprise Linux 6 ● ~600 changes (“errata”) in 340 source packages ● Before/after comparison for every errata ● Matches so far: ● CVE-2012-3547 (freeradius) ● Error handling improvements in PostgreSQL ● Actual bug for psacct (837621), unixODBC (628909) 24 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  25. Fedora static analysis efforts ● mock-with-analysis ● “Firehose” exchange format ● https://fedoraproject.org/wiki/StaticAnalysis 25 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  26. Global analysis assistance ● Analysis of an entire distribution, not a single package ● Source code search engines ● http://codesearch.debian.net ● Search for “ YAML\.load ” 26 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  27. Global analysis asssistence ● ELF symbol databases ● https://github.com/vdanen/rq/ ● https://github.com/fweimer/symboldb/ ● Simpler to set up than source code indexing ● Full power of PostgreSQL 27 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  28. Uses for symbol databases ● Joins and anti-joins point to potential vulnerabilities ● “billion laughs” denial of service with Expat ● Program calls XML_ParserCreate , but not XML_SetEntityDeclHandler ● Privilege escalation via unsafe environment access ● DSO defines PAM or NSS entry points and ● DSO calls getenv or calls a function in a library which calls getenv (perhaps indirectly) 28 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  29. Improved tools for global analysis ● More detailed data than ELF symbols ● Debugging information ● Compiled binaries after disassembly ● Java, Python, … support ● Dynamic languages will need heuristics 29 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  30. Improved tools for global analysis ● Efficient search for function calls with certain arguments ● umask(0) ● curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 1L) ● realpath(path, buffer) where buffer is not NULL ● ELF symbols could locate binaries ● Disassembly could extract function arguments 30 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  31. Conclusion ● Let's try to fix alloca . ● Static analysis and code search engines are exciting. Questions? And: Please share your version control repository! 31 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019 Panelists Bart Copeland Jeff Rouse CEO &amp; President VP Product ActiveState ActiveState Open Source Language Trends 2019 Housekeeping

373 views • 16 slides
Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief Open Source Officer Sun Microsystems http://www.webmink.net/ Systems Middleware Cloud 3 1 Third Wave? Stallman Software Freedoms Use

1.31k views • 87 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By Sevan Janiyan What is pkgsrc Cross platform packaging system 23 listed platforms in 2015Q3 release notes Strive to keep local changes minimal

563 views • 44 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario https://dadario.com.br - - - - - - - - - - - - - - Source: https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [1] Source:

752 views • 71 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp; Sciences Ubani A Balogun &amp; Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
Collaborative Creation Technology Foresight An Approach to Free and Open Source

Collaborative Creation Technology Foresight An Approach to Free and Open Source

Participatory Free and Open Source GIS in the Web 2.0 Exploring trends in GIS in times of Collaborative Creation Technology Foresight An Approach to Free and Open Source Geospatial Software Web and beyond 2.0 IMG SRC:GNOME

1.2k views • 92 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

My Kind of Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and modular infrastructure built using open source and delivered with: Better quality and security Lower costs No vendor

941 views • 40 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Caf, February 2019 Carl Svensson @ Foo Caf, February 2019 1 / 28 1 / 28 Background

619 views • 28 slides
CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework http://www.mathcs.richmond.edu/~blawson/cmsc240 Read: Syllabus Chapters 1, 2, 3 of C++ Primer Plus Tutorial: Unix Tutorial for Beginners (Intro, Tutorial 1,

1.18k views • 46 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output

Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output

Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output Lecture 4 Introduction Until now We have seen strings in printf Our old definition: string is a set of char between

489 views • 34 slides
THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost

THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost

THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost directly into hardware instructions making code potentially more efficient Provides minimal set of abstractions compared to other HLLs HLLs

783 views • 50 slides
Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang

Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang

. . Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang (wsa@the-dreams.de) Compressing Strings of the Kernel 21.8.2014, LinuxCon14 1 / 36 The origin: CEWG project 1 kernel debug messages.

909 views • 44 slides
Building DIFT Systems for Software Security Michael Dalton Computer Systems Laboratory Stanford

Building DIFT Systems for Software Security Michael Dalton Computer Systems Laboratory Stanford

Building DIFT Systems for Software Security Michael Dalton Computer Systems Laboratory Stanford University Research Focus My focus is on softw are attacks Protect apps from malicious input Buffer overflows, XSS, SQL

718 views • 54 slides

More recommend