Trends in Open Source Security FOSDEM 2013 Florian Weimer - - PowerPoint PPT Presentation

trends in open source security
SMART_READER_LITE
LIVE PREVIEW

Trends in Open Source Security FOSDEM 2013 Florian Weimer - - PowerPoint PPT Presentation

Oct 30, 2023 146 likes •466 views

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

slide-1
SLIDE 1

Trends in Open Source Security

FOSDEM 2013 Florian Weimer ‹fweimer@redhat.com› Red Hat Product Security Team 2013-02-02

slide-2
SLIDE 2

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 2

Overview

  • Vulnerability tracking
  • Tool-chain hardening
  • Distribution-wide defect analysis
slide-3
SLIDE 3

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 3

CVE-based vulnerability tracking

  • http://cve.mitre.org/
  • CVE-2013-0156
  • CVE assignment alerts distributions
  • Works well for public issues
  • oss-security mailing list and Kurt Seifried
  • Many vendors also assign CVE identifiers
slide-4
SLIDE 4

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 4

Version-based vulnerability tracking

  • For each branch, note the minimum fixed version
  • Very complicated, with subtle corner cases
  • Tied to a version numbering scheme and branching

model

slide-5
SLIDE 5

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 5

Version-based tracking for CVE-2013-0156

CVE-2013-0156 (active_support/core_ext/hash/conversions.rb in Ruby on Rails before ...)

  • rails 2.3.14.1 (bug #697722; high)

[squeeze] - rails 2.3.5-1.2+squeeze4.1

  • ruby-activesupport-2.3 2.3.14-5 (bug #697789)
  • ruby-activesupport-3.2 3.2.6-5 (bug #697790)
  • ruby-extlib 0.9.15-3 (bug #697895)
  • libextlib-ruby <removed> (bug #697895)
slide-6
SLIDE 6

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 6

Example packages for CVE-2013-0156

  • - rails 2.3.14.1 (bug #697722; high)

[squeeze] - rails 2.3.5-1.2+squeeze4.1

  • Fixed package versions
  • 2:2.3.14.2 (testing/wheezy)
  • 2.3.5-1.2+squeeze6 (stable/squeeze)
  • Unfixed package versions:
  • 2.3.11-0.1 (testing/wheezy)
  • 2.3.5-1.2+squeeze1 (stable/squeeze)
  • Can be used to rate the packages on a system
slide-7
SLIDE 7

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 7

Vulnerability tracking with tracker bugs

  • bugzilla.redhat.com entry with the CVE as an alias
  • Will be made public after disclosure
  • Extensive metadata in the “Whiteboard” field
  • This tracker bug depends on product-specific bugs
  • Lots of automation, relying on Bugzilla features
  • Uploads to Fedora post information in the Bzs
  • Rather different from version-based tracking
slide-8
SLIDE 8

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 8

Tracker bugs example: CVE-2013-0156

  • https://bugzilla.redhat.com/show_bug.cgi?id=892870

has these dependencies:

  • Fedora bug: 893281
  • Fedora EPEL bug: 847202
  • Red Hat OpenShift Enterprise internal bugs
  • Tied to RHSA-2013:0153-1
  • Red Hat Subscription Asset Manager internal bugs
  • Tied to RHSA-2013:0154-1
  • Red Hat CloudForms bugs
  • Tied to RHSA-2013:0155-1
slide-9
SLIDE 9

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 9

Vulnerability tracking requirements

  • Ubuntu, Gentoo, OpenSuSE etc. use similar schemes
  • Most upstreams provide critical information
  • Analysis in their security advisory or bug tracker
  • Links to individual patches/commits
  • Otherwise, it has to be reverse engineered
  • Time-consuming, better spend on patch review/testing
  • Distributions publish isolated security patches
  • Related discussions on the public oss-security list
slide-10
SLIDE 10

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 10

Cross-distro information sharing opportunities

  • Package names and versioning schemes differ
  • Encoding of upstream versions differs
  • CVE ↔packages mapping could be shared
  • Application for Common Platform Enumeration (CPE)?
slide-11
SLIDE 11

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 11

Public version control repositories

Please publish your security patches in a publicly accessible version control repository as separate commits! There is really no point in hiding this information. (Not a trend yet—let's hope it does not turn into one.)

slide-12
SLIDE 12

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 12

Toolchain hardening

slide-13
SLIDE 13

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 13

Toolchain hardening

  • Probabilistic countermeasures against code execution
  • Make the program crash, not run code
  • These bugs still need fixing!
slide-14
SLIDE 14

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 14

Toolchain hardening

  • Address space layout randomization
  • Non-executable stack, heap
  • malloc/free hardening against direct exploitation of

double-free bugs

  • -fstack-protector (stack canaries, if enabled)
  • Compiler warnings (errors for format strings)
  • operator new[] hardening
  • New feature in GCC 4.8
  • Backported to Fedora 18
slide-15
SLIDE 15

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 15

Toolchain hardening: FORTIFY_SOURCE

  • GCC provides access to array sizes using

__builtin_object_size

  • In cases where this is possible
  • GNU libc passes length to wrapper functions
  • GNU libc disables %n in writable format strings
slide-16
SLIDE 16

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 16

Unused hardening opportunities

  • 32 bit
  • Do not use prelink
  • Randomization of program start address (PIE)
  • BIND_NOW global offset table (GOT) protection
  • -fwrapv (deterministic integer overflow)
  • -fstack-check
slide-17
SLIDE 17

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 17

Stack checking

  • alloca argument allows arbitrary stack pointer

adjustment

  • -fcheck-stack has considerable code size impact
  • Some assembly required
  • Use stack boundary provided by split stacks
slide-18
SLIDE 18

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 18

Subscript checking for operator[]

  • Affects std::vector, std::string, std::array
  • vec[i]
  • C++ standard gives permission for bounds checking
  • Library-only change has performance impact
  • Further research needed
  • Interim workaround: use vec.at(i)
slide-19
SLIDE 19

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 19

Hardening and performance

  • There is a trade-off
  • Real-world attack data enables objective decisions

ineffective effective new attack

slide-20
SLIDE 20

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 20

More far-reaching changes

  • Improving memory safety for C/C++
  • Bounded pointers/array slices
  • Garbage collection
  • __attribute__ annotations
  • Vtable dispatch changes (for C++)
  • Ranges instead of iterators (for C++)
  • Library consolidation
  • FLOSS-specific secure coding guidelines
  • Better APIs?
slide-21
SLIDE 21

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 21

Changing the game

  • A bunch of new system programming languages
  • Go, LuaJIT, Rust
  • And a few older ones: Ada, Haskell, Java, Ocaml
  • Incremental conversion requires deep embedding
  • No kernel threads, no changes to signal handlers
  • Isolated language run-time states
  • This is an implementation issue.
  • At the moment, only Ada and LuaJIT qualify
slide-22
SLIDE 22

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 22

Vulnerabilities and side effects

  • CVE-2013-0243: tls-extra certificate validation
  • Haskell is a real programming language now!
  • The vulnerability is in imperative code.
  • But it could have been pure/side-effect-free.
  • Vulnerabilities are not necessarily side effects.
slide-23
SLIDE 23

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 23

Distribution-wide defect analysis

slide-24
SLIDE 24

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 24

Static analysis

  • Year 2012 for Red Hat Enterprise Linux 6
  • ~600 changes (“errata”) in 340 source packages
  • Before/after comparison for every errata
  • Matches so far:
  • CVE-2012-3547 (freeradius)
  • Error handling improvements in PostgreSQL
  • Actual bug for psacct (837621), unixODBC (628909)
slide-25
SLIDE 25

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 25

Fedora static analysis efforts

  • mock-with-analysis
  • “Firehose” exchange format
  • https://fedoraproject.org/wiki/StaticAnalysis
slide-26
SLIDE 26

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 26

Global analysis assistance

  • Analysis of an entire distribution, not a single package
  • Source code search engines
  • http://codesearch.debian.net
  • Search for “YAML\.load”
slide-27
SLIDE 27

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 27

Global analysis asssistence

  • ELF symbol databases
  • https://github.com/vdanen/rq/
  • https://github.com/fweimer/symboldb/
  • Simpler to set up than source code indexing
  • Full power of PostgreSQL
slide-28
SLIDE 28

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 28

Uses for symbol databases

  • Joins and anti-joins point to potential vulnerabilities
  • “billion laughs” denial of service with Expat
  • Program calls XML_ParserCreate, but not

XML_SetEntityDeclHandler

  • Privilege escalation via unsafe environment access
  • DSO defines PAM or NSS entry points and
  • DSO calls getenv or calls a function in a library which

calls getenv (perhaps indirectly)

slide-29
SLIDE 29

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 29

Improved tools for global analysis

  • More detailed data than ELF symbols
  • Debugging information
  • Compiled binaries after disassembly
  • Java, Python, … support
  • Dynamic languages will need heuristics
slide-30
SLIDE 30

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 30

Improved tools for global analysis

  • Efficient search for function calls with certain

arguments

  • umask(0)
  • curl_easy_setopt(handle,

CURLOPT_SSL_VERIFYHOST, 1L)

  • realpath(path, buffer) where buffer is not NULL
  • ELF symbols could locate binaries
  • Disassembly could extract function arguments
slide-31
SLIDE 31

TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013 31

Conclusion

  • Let's try to fix alloca.
  • Static analysis and code search engines are exciting.

Questions? And: Please share your version control repository!