Thursday, January 27, 2005

Smoke and Mirrors Awareness Day

Today is Smoke and Mirrors Awareness Day! No, not really, but I'd like to point out various pieces of junk that pretend to be secure.

We've already gone over Microsoft's Data Execution Prevention and why it doesn't work without real Address Space Layout Randomization: a simple ret2libc attack evades the non-executable memory protections that systems such as DEP and PaX rely on, because it reuses code already present in the address space rather than injecting any. This is why other systems employ ASLR as well.

Red Hat is also hyping its security. In an earlier post to the LKML, Red Hat submitted parts of Exec Shield for mainline inclusion, to add ASLR. These patches allow a 64KiB stack base randomization and a 1MiB mmap() base randomization. I pointed out that this is not adequate, because small gaps in the stack can be easily compensated for:

[...]|STACK---STACK---NONONOSHELLCODE
      STACK---STACK---NONONOSHELLCODE
----------------------^
                      |
                      -- You jump here in any case.

Brad Spengler of GrSecurity also had a few things to say about this randomization patch, pertaining to the extremely short brute-force cycle needed to break it. He also points out the maintainers' complacency about a glibc information-leaking bug that they pretend to have fixed even though it is still in the wild. Apparently the bug was fixed, but the fix was never marked as a security update, so many users, including some Red Hat developers, are likely still affected.
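A check I would run before trusting randomization figures like the 64KiB and 1MiB ranges above: measure them. This is an added example, not code from the original post or from the Exec Shield patches; it re-executes itself on Linux via /proc/self/exe and counts how many stack and mmap() base bits actually vary across runs (the sample count and helper names are my own choices).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#define SAMPLES 64

/* Count the bit positions that differ across sampled addresses: a lower
 * bound on the randomization entropy actually observed in the samples. */
int varying_bits(const unsigned long *addrs, int n) {
    unsigned long diff = 0; int bits = 0;
    for (int i = 1; i < n; i++)
        diff |= addrs[i] ^ addrs[0];
    for (; diff; diff >>= 1)
        bits += (int)(diff & 1);
    return bits;
}

/* Child mode: print one stack address and one mmap() address, then exit. */
static int report(void) {
    volatile int local = 0;
    void *m = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    printf("%lx %lx\n", (unsigned long)&local, (unsigned long)m);
    return 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--child") == 0)
        return report();
    unsigned long stack[SAMPLES], mm[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        int fd[2];
        if (pipe(fd) < 0) return 1;
        pid_t pid = fork();
        if (pid == 0) {              /* child: re-exec so ASLR rolls again */
            dup2(fd[1], STDOUT_FILENO);
            execl("/proc/self/exe", argv[0], "--child", (char *)NULL);
            _exit(127);
        }
        close(fd[1]);
        FILE *in = fdopen(fd[0], "r");
        if (!in || fscanf(in, "%lx %lx", &stack[i], &mm[i]) != 2) return 1;
        fclose(in);
        waitpid(pid, NULL, 0);
    }
    printf("stack base: %d varying bits, mmap base: %d varying bits\n",
           varying_bits(stack, SAMPLES), varying_bits(mm, SAMPLES));
    return 0;
}
```

A 64KiB stack range shows up as at most 16 varying bits (fewer after alignment); the reported figure is a lower bound from the samples, not the kernel's nominal range.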

Interestingly enough, this is the same kind of problem OpenBSD has with its stack-gap randomization, which is easily evaded. The problem may be that they're more interested in confusing attackers than in developing real solutions. That's not to say that they don't occasionally get things right.

So what kinds of things are real? Security auditing, for one. This is part of the most basic security fundamentals: finding and fixing flaws. Projects such as the Debian Security Audit Project and Gentoo Linux Security Audit exist for this purpose. Packages such as SAL, Flawfinder, and RATS were created for automated auditing.

There are several distributions focused on real security, such as Adamantix and Gentoo. Ubuntu Linux may also be coming this way thanks to the efforts of the Hardened Debian project and, of course, the gracious concern of the Ubuntu lead developers.

The above distributions all use or are planning to use PaX instead of Red Hat's Exec Shield for executable space protections and address space layout randomization.

Adamantix, Hardened Gentoo, and even Ubuntu's experimental security-hardened kernels include GrSecurity to enhance the security of the system by randomizing various information important to attackers, such as PIDs and networking intrinsics, and by hiding this information from non-privileged users. GrSecurity also hardens chroot() jails to prevent various break-outs, for example those that rely on mknod and mount, and supplies other restrictions to prevent tempfile races.

Adamantix and Hardened Gentoo supply a full PIE and ProPolice protected base. Ubuntu is planning ProPolice for a future release, and will likely also aspire to move to a full PIE executable base.
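One way to verify a "full PIE base" claim on an installed system, as an added example that is not from the post or from the distributions named: the ELF header's e_type field tells you whether a binary was linked as ET_DYN, which is how PIE executables are built, or as ET_EXEC at a fixed address. The helper names and the constructed headers in the usage are my own.

```c
#include <stdio.h>
#include <string.h>

enum { NOT_ELF = -1, ELF_EXEC = 2, ELF_DYN = 3 };

/* Classify an ELF header held in memory by its e_type field (bytes 16-17,
 * byte order given by EI_DATA at byte 5). ET_DYN is what a PIE executable
 * is built as; ET_EXEC is linked at a fixed address and cannot be moved
 * by ASLR. Returns NOT_ELF when the magic is missing or the buffer is short. */
int elf_type(const unsigned char *buf, size_t len) {
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0) return NOT_ELF;
    if (buf[5] == 2)                        /* ELFDATA2MSB: big-endian */
        return (buf[16] << 8) | buf[17];
    return (buf[17] << 8) | buf[16];        /* ELFDATA2LSB: little-endian */
}

/* Read the first 64 bytes of a file on disk and classify it. */
int file_elf_type(const char *path) {
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return NOT_ELF;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_type(hdr, n);
}

/* Usage: ./pie-check /path/to/binary ...  A shared library is also ET_DYN,
 * so run this over executables, not .so files. */
int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        int t = file_elf_type(argv[i]);
        const char *what = t == ELF_DYN  ? "ET_DYN: PIE (ASLR can relocate it)"
                         : t == ELF_EXEC ? "ET_EXEC: fixed address, not PIE"
                         : "not an ELF executable";
        printf("%s: %s\n", argv[i], what);
    }
    return 0;
}
```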

While Adamantix and Hardened Gentoo are not large community distributions, Ubuntu is a Debian-based distribution aiming to present a more user-friendly, desktop-appropriate environment. This puts Ubuntu in the community's eye as a place to show how to properly assess which security enhancements are appropriate and how to deploy them, and to demonstrate their effectiveness and non-intrusiveness in the user's environment.

As long as this community of related projects works together, continued security development should be expeditious and efficient. Unilateral attempts to reinvent every security system create a confusing environment in which individual implementations have their own strengths and weaknesses and rarely point to one clear 'best' product. A joint attempt pours all development energy into correcting every flaw in a single effort and enhancing that project, creating the most polished final product possible.

