Friday, March 18, 2005

Hardened Ubuntu officially Hardened Ubuntu

Nobody had a laptop or projector at BaltoLUG this tuesday, so I didn't manage to give my presentation there. Next month I will try again, April 19 guys. :) I also might pick up The Art of Intrusion and The Art of Deception, just nice books to have (even though I hate reading).

You may have noticed I've been fairly obsessed with Ubuntu Linux. I was a Hardened Gentoo user originally, learning all the internals of the hardening effort and seeing that the project was good. Hardened Gentoo is still a very nice project, and a very usable product, run by a competent team.

Later I moved on to Ubuntu Linux and discussed hardening with them, with favorable results. A little communication with the Hardened Debian project brought these two together, and collaboration has been happening with them since. Once these two met, I just sat back and watched, gently nudging and throwing my input in but for the most part I'm all talk and no action.

But action happens anyway. Martin Pitt soon released security-hardened kernels for Ubuntu, using GrSecurity. Discussing this move with him, I found that he considers PaX to be easily deployed and maintained. As Martin is a major player in Ubuntu's security team, it is likely that Ubuntu will soon support PaX and GrSecurity.

Martin's hardened kernels missed Hoary (5.04), and luckily so, as Hoary supports Linux 2.6.10. PaX has a serious bug before 2.6.11, for which Martin dumped his hardened kernel repositories to prevent users from installing an exploitable kernel. It's too close to release time for Ubuntu developers to be generating and maintaining experimental, unsupported packages, especially kernels; we'll likely see some 2.6.11 hardened kernels after Hoary's release.

And of course, recently Hardened Ubuntu was started, a fork of Hardened Debian. The Hardened Debian team, working with the Ubuntu Linux team, is now officially targeting Ubuntu as a primary development platform. The Hardened Debian lead is projecting that the 5.11 release of Ubuntu this September will definitely be fully hardened, although this is still unofficial.

No planning has been done for Hoary+1's official goals, so the hardened effort could potentially become the primary driving force for the next release of Ubuntu. Of course, everyone is invited to come join the technical board meetings to push for this. As I said, no official statements have been made; you could make a difference. :)

Recently I looked at Bastille and found much of it to be really nice. In order to support the security hardening efforts, I've recommended the creation of an Ubuntu Linux Security Center to control many of the things Bastille offers in a better interface, as well as PaX, GrSecurity, and Stack Smash Protection. I of course think this is a great idea; and I know the Ubuntu developers could create a really great UI for it.

So there you have it. Nothing official yet, but look forward to the September 2005 release, 5.11 Ubuntu Linux. The wheels are in motion; and if nothing jams them, we should see a fresh, user-friendly desktop Linux fortress distribution. This will be a major step forward; the efforts of projects such as Adamantix and Hardened Gentoo will finally come to fruition as the Hardened Debian team carries their work into the mainstream, user-targeted distributions. It will be beautiful.

Monday, March 07, 2005

Firewalls aren't so magic

A recent post on Slashdot brings up the LAND attack, an attack from eight (8) years ago in which a connection is initiated to a service with a SYN packet whose source and destination IP addresses are both set to the server's address. These packets cause the server to loop indefinitely and become unresponsive for 15-30 seconds. Repeated attacks can prove to be a fairly effective DoS.

In response, the current work-around according to the SecurityFocus vulnerability entry is to enable a host firewall to stop any and all connections to open ports. The vulnerability is fixed in all operating systems except Windows, affecting versions from Windows 95 up to and including Windows 2003 Server and Windows XP Service Pack 2. The users of Slashdot apparently think that firewalls are "basic security" and somehow mitigate this problem in its entirety.

Firewalls are not magic. They only give an administrator control over misbehaved services that bind to undesirable interfaces, or at the very best fine-grained administrative control over which network ranges can connect to a port. If the connection is legitimate, or at least legitimate in the eyes of the firewall, the packets make it through.

More pertinently, Windows is now immediately unsuitable for running an Internet-facing Web server. As an example, Microsoft's Web site is running on Windows. Using one of the LAND exploits targeted at port 80, any user can take out Microsoft's main Web site with a lightweight and effective Denial of Service.

As for desktop Windows machines, they generally hold a number of open ports for NetBIOS and RPC. From inside the local network, these machines must be able to communicate with each other and with themselves to be used effectively. Any remote exploit to enter a network, including social engineering (worms in e-mail and all flavors of viruses and trojans), can be used to take the network down. Networks with Windows-based file servers are made up of many hosts, each of which now has the ability to single-handedly take down the file server.

In many situations, it is very difficult or even impossible to prevent a LAND packet from penetrating the defenses of a network. If the attack comes from within the network, or if it is aimed at a node which must host services to the outside world, then there is a 100% chance of success for LAND attacks on Windows machines. Because of this, firewalls cannot be relied upon as a cure for this and many other attacks.
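The LAND condition described above (a SYN whose source address equals its destination address) is easy to recognise on the wire, which is how a host-based IDS or a packet-capture review would spot one even when the firewall lets it through. This is an added example, not code from the original post: it builds a few constructed IPv4/TCP packets, parses the headers, and flags the ones matching the LAND pattern.

```python
import struct
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Parse an IPv4 header followed by a TCP header (options ignored)."""
    ver_ihl = raw[0]
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    if raw[9] != 6:  # protocol field: 6 == TCP
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]  # TCP flags byte
    return Packet(src, dst, sport, dport, flags)


def is_land(pkt: Packet) -> bool:
    """LAND: a bare SYN (no ACK) whose source address is its destination."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK) and pkt.src == pkt.dst


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int = SYN) -> bytes:
    """Constructed IPv4+TCP packet (checksums left zero; sample data only)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, to_bytes(src), to_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def land_alerts(raws):
    """Return (src, dport) for every captured packet matching the LAND pattern."""
    return [(p.src, p.dport) for p in map(parse_ipv4_tcp, raws) if is_land(p)]


# Constructed capture: one normal SYN to the web server, one LAND packet, one SYN/ACK.
CAPTURE = [
    build_packet("192.0.2.10", "198.51.100.80", 40000, 80),
    build_packet("198.51.100.80", "198.51.100.80", 80, 80),
    build_packet("198.51.100.80", "198.51.100.80", 80, 80, SYN | ACK),
]
```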

Other attacks that can evade the firewall include most likely 99% or more of typical desktop network traffic. Desktop computers are very promiscuous on the Internet and connect out to instant messaging, chat, and Web services to get data from the outside world. This data always comes through the firewall, and can be used for an attack to inject code such as worms into a machine remotely. These situations cannot be protected with a firewall because that would require disabling access to these services entirely.

Firewalls have their uses, but they're very, very minimal compared to the amount of faith people put into them. Firewalls can only stop connections aimed at specific destination addresses; it is possible in many situations for spoofed packets to penetrate a firewall that allows certain traffic and blocks other traffic on an interface. Firewalls do not protect servers from anyone who can connect to them, and they do not protect "legitimate" outgoing connections from fetching illegitimate data. A high-quality, up-to-date reactive content filter is the closest thing to most people's view of firewalls, and even that won't stop everything.

Saturday, March 05, 2005

PaX changing hands

Due to a spectacular fuckup, PaX will be changing hands on April 1, 2005. The GrSecurity team will be picking up the PaX code base after then.

A little background: PaX and GrSecurity are each run by one developer, in reality. "The PaX Team" is made up of a single anonymous entity who took the initiative in 2000 to create what may very well be capable of stopping over half of security exploits before they occur. The same person has been maintaining PaX since its initial release in October, 2000, four and a half years ago.

The potential impact can't be measured yet. Brad Spengler isn't exactly clueless; however, there is still the considerable loss of the PaX lead developer. Eric Steven Raymond made the accurate observation that creative minds are a valuable, limited resource and shouldn't be wasted. While handing off PaX is in itself not potentially disastrous, the permanent loss of a mind as creative as its original developer is mournful.

While specific details are yet unreleased, the PaX vulnerability is a bug in the VMA mirroring implemented in September, 2002 (there's a typo in the announcement that says 2003). This mirroring is used to allow random placement of fixed position code (RANDEXEC) and the second NX emulation method on x86 (SEGMEXEC). Implementations using the original and improved PAGEEXEC method without the affected methods compiled into the kernel are not vulnerable.

There have been new versions of PaX and GrSecurity released to cover the bug. There hasn't been a PaX release since 2.6.7; GrSecurity has been using experimental ports that only the inner circle surrounding the projects are privy to directly. At this time, the newly released patches are a required critical security update, and so official PaX patches have been released for Linux 2.6.11. Please upgrade to 2.6.11 with the new PaX or GrSecurity ASAP.

Friday, March 04, 2005

Blogging in Real Life

I will be speaking at BaltoLUG on Thursday, March 15. Originally I didn't want to do it; but this is a good public speaking opportunity and would look very nice on my resume. I may even give the speech a few more times and refine it afterwards.

I've been working on a paper for my presentation, from which I will be taking my major talking points. I will be distributing the paper at BaltoLUG in electronic form; limited paper copies will be available, most likely one circulating around for general consumption.

I'll try to get BaltoLUG to host the paper from the presentation, and possibly an OpenOffice Impress presentation of my talking points, after the talk. No promises, but I may be able to do some social engineering and convince them to host it; after all, it'd be interesting to have something to show for the content of past meetings.

Something interesting, but not confirmed yet: Brandon Hale, better known as tseng of Hardened Gentoo, may attend the meeting. Hale will also be giving a talk at the CPLUG Security Conference about advanced memory protections in Linux using PaX and hardened toolchains. He will also be covering OpenWRT.

I won't be blogging much for a bit, though I may have something interesting to say tomorrow. Be sure to tune in tomorrow, you'll want to see this post when it's made; and make sure you upgrade GrSecurity right now.