seth15-linux.log

Session Start: Sun Dec 15 16:49:29 2002 Session Ident: #linux * Logging #linux to 'logs\#linux.log' * fernand0 has joined #linux fernand0 re * sarnold sets mode: +o fernand0 MJesus hi garoeda.... you have maill fernand0 well.... fernand0 Our next speaker is Seth Arnold. fernand0 He is a security researcher and expert from the US. fernand0 He is working at fernand0 Wirex, and he is involved in the development of the Immunix Distribution. fernand0 He has been also involved in the organization of this conference. fernand0 Withoy him have no doubt that this conference would have been very different (and not better) fernand0 /withoy/whitout/ fernand0 He is going to talk about an interesting proyect about security-auditing fernand0 open source code: "Sardonix: making the most of our open source" fernand0 Thanks to him for preparing his talk about this interesting topic, and to fernand0 all of you for comming here. fernand0 Mr. Arnold.... sarnold thanks fernand0 :) sarnold i'd like to point out that questions and comments should go in #Qc sarnold feel free to ask them at any time :) sarnold i'd like to thank garoeda and Arador for translating into dutch and spanish on the fly for me. how cool. :) sarnold i'd liketo first start out by saying sarnold that I don't mean disrespect to RMS when I talk of Open SOurce sarnold i think he says many good things, even if they are ocasionnaly irratating :) sarnold but I don't mean anything specific by "open source" vs "free software" sarnold that out of the way... sarnold there is quote, "with enough eyes, all bugs are shallow" sarnold it has been attributed to both eric s raymond and linus torvalds sarnold maybe both have said it :) sarnold but the problem is, there _aren't_ enough eyes sarnold most of the software we use and rely on in the open source community hasn't been properly audited sarnold much of it was just written for fun by enthusiasts sarnold which is wonderful -- except, programmers make mistakes sarnold and without an infrastructure in place to try to correct those mistakes, serious security flaws can result sarnold there are _some_ organized auditing projects, such as the OpenBSD project, Solar Designer's Openwall project, and SuSE and Caldera security teams sarnold however, caldera and suse's security teams have changed drastically recently .. they no longer get as much time to audit as they used it sarnold < tarzeau:#qc> and debian? and the hurd? sarnold tarzeau: debian has an active security team; to my knowledge, they are primarily response-oriented -- getting the package maintainers into the loop with security fixes sarnold tarzeau: to my knowledge, the hurd project doesn't audit anything. maybe they do. I don't know. sarnold < rene:#qc> and microsoft? :) sarnold rene: microsoft's growing move towards C# could mean they have serious security advantages over time sarnold rene: but microsoft's biggest problem is that they have immense complexity to deal with sarnold rene: anyway, microsoft can afford to hire thousands upon thousands of programmers to just read source code and find vulnerabilities .. maybe they even hired a few specifically for that purpose in their latest security push sarnold rene: the open source community cannot afford to hire dozens of programmers to check each other's work sarnold which gets us back to sardonix! :) sarnold the strength of the open source community is that so many people take pride and ownership in the programs we use every day sarnold <i'm going to take a bit of a break for translators..> sarnold < fernand0:#qc> there is another problem: auditing code is not easy sarnold fernand0 got this exactly correct. sarnold programmers have been taught over years to use unsafe programming methods sarnold and many errors are very subtle sarnold however, when someone like al viro takes a look at source code, _any source code_, for about five minutes, he tends to find exploitable flaws sarnold al viro is unique, but not necessarily in a fashion that can't be taught sarnold that anyone can find bugs so quickly means we have a ways to go sarnold we need a method of encouraging people to find bugs sarnold and do so in a method that does not involve piles of money sarnold my boss, crispin cowan, has been impressed with slashdot for years sarnold most especially, how people spend a _lot_ of time trying to earn "karma points" in their postings sarnold people go out of their way to write useful and inciteful comments, because they will get moderated up, and thier consistent history of useful postings is advertised, if you will sarnold so, my boss thought, "lets try to get these 'karma whores' to audit software, too!" sarnold sardonix was born. sarnold the idea is simple: make a repository for storing security audits sarnold tie the audits closely to the auditors, and we can produce scores on how well various auditors work sarnold by coming up with a suitable scoring function, we should be able to help encourage auditors to look at software and _be precise_ in their audits sarnold < rene:#qc> sarnold: to open-sourec specifically I believe there is also another problem. sometimes when I find a bug, I end up not reporting it, bacause I was fixing it myself (I have the source after all ...) then get too far into that, reqrite loads, get stuck halfway, and drop it sarnold rene: yeah, there is that problem. sarnold rene: though maybe the simple solution is for you to report the bug to someone else first, and _then_ try to patch it up. :) sarnold rene: that way, if you produce a patch, it will be a tested patch (always a bonus), and people will more readily welcome your bug reports in the future :) sarnold < jose_n:#qc> does sardonix also score vendors? ie "-1: not responsive" or "+5: rapid response, worked closely with community to develop a fix." sarnold jose_n: not currently; to be brutally honest, the scoring doesn't work at all yet :) sarnold jose_n: we had plans of scoring specific software programs with respect to their bug histories, though sarnold jose_n: the idea is, slashdot's karma system is almost entirely automatic. we'd like sardonix to be entirely automated .. scoring based on response times would complicate matters a bit, but is probably worth investigating. :) sarnold < docelic:#qc> There should a lot of effort be put into advising existing/new programmers how to write new code with at least basic security aspects in mind (in addition to just working on fixing bugs someone made who-knows-when in the past). sarnold docelic: i wholeheartedly agree. my own education experience shows me that security issues are going almost completely untouched in the school system. sarnold docelic: one of my own professors was befuddled to see a race condition in action -- imagine if she were to be programming software that could possible accept untrusted input? the result wouldn't be good. sarnold docelic: as jose_n points out, this isn't for a lack of resources -- it is because, in part, the computer software industry is dominated by features more than reliability. sarnold docelic: so, teaching programmers to write code quickly has been more important than teaching programmers to program correctly. sarnold docelic: with the expected consequences. :) sarnold < fernand0:#qc> there is another problem: auditing code is not easy sarnold fernand0 may not have known this when he said it (maybe he did :) but proving code does not have security flaws is an unsolvable problem sarnold it has been proven that ensuring code won't have faults in it is isomorphic (the same problem as) to solving the Turing Halting problem sarnold < riel:#qc> sarnold: one problem I am seeing is that people copy code with security bugs from books and online examples. Do you know of any effort to audit educational material for security bugs ? sarnold riel, i don't know of any projects; they would be difficult under any circumstance, as there are hundreds of programming books with depressingly large (and obvious) security flaws in them sarnold i enjoy reading unix books from the mid eighties, and it is pretty depressing to see them using functions unsafely .. and practically every page of one (popular) book I own is riddled with security flaws sarnold riel: both jose_n and I have spotted flaws in code examples in linux magazines; we both wrote with our complaints to the editors, but that was hardly a concerted effort. :) sarnold < fork:#qc> wasn't that Stevens paying for pointing out for errors in his books? sarnold fork: I don't recall stevens specifically paying for errors; knuth offered a reward of $2.56 per bug found to the first person to report a bug, however. :) I doubt anyone actually _Cashed_ those checks though. :) (translators: checks == cheques) sarnold given that auditing software is difficult, no one auditor will find all bugs; so we need to encourage _many_ people to audit software, and hope that together, we can find most of them sarnold and, part of sardonix is the research aspect: see if we _can_ encourage people to audit software by providing the proverbial carrot, and hope people "karma whore" themselves to the cause :) sarnold < docelic:#qc> concerning the bugs in online examples and/or books... maybe some people would gather around sardonix to volunteer to audit the code intended for publishing.. [...] sarnold docelic: that is a great idea. I think we should get in contact with the large publishing firms and see what we can do. :) sarnold < tarzeau:#qc> sometimes secure programming isn't that important... sarnold < tarzeau:#qc> or it's not easy to have the border between secure and buggy sarnold tarzeau: Iván Arce, of CORE-SDI has a wonderful philosophy: "reliability is when programs do what they should; security is when programs do what they should, and nothing else" sarnold tarzeau: and, you're right, that some classes of software don't really need to be made secure sarnold tarzeau: games are one popular example sarnold tarzeau: however, many systems have been compromised by games -- either trojan horses that install new root-level accounts when run by a system administrator, or whose "high scores" file can be used to exploit the system sarnold tarzeau: some games, such as quake, can run on a network -- and any user on the network could send quake some poorly formatted input and cause it to execute other code sarnold tarzeau: even though some programs don't need to be programmed securely, if they accept _ANY_ input from sources not completely trusted, they need to be programmed with security in mind. sarnold < Borja:#qc> In fact, gaming machines could become an excellent army of zombies for a DoS being easy targets. sarnold Borja: yes :) which is why even games need to be programmed with security in mind sarnold tarzeau: in general, just being a defensive programmer is all that is required to write secure software sarnold tarzeau: the mindset should be, with every function, "how could this go wrong if someone was being a smartass?" sarnold < tarzeau:#qc> i find it not critical if software isn't secure which would cause death/harm to human or other lifeforms sarnold < blackkoal:#qc> define security in application as you understood sarnold software that is critical to one person is trivially unimportant to someone else sarnold and, in general, open source software tends to not be used in aircraft fly-by-wire systems, or hospital life support systems sarnold and, one of the values of open source software is that the people who have to rely on it can perform their own security audits sarnold i think at this point, i've been talking about auditing in the abstract long enough sarnold i hope i've made the point that software auditing is an important aspect of software development in general sarnold and we hope to discover through the sardonix project whether the "karma whore" effect can help encourage people to perform auditing sarnold (as my boss says, "that is why it is called 'research'". :) sarnold < Borja:#qc> Anyway, I don't think auditing is the main point. sarnold < Borja:#qc> Software should be stronger by design. sarnold < rene:#qc> sarnold: sorry for being clueless, but what is this "karma whore" stuff? sarnold rene: karma whore -- slashdot poster effect of people going out of their way to write useful comments .. just for recognition! sarnold borja: the chap who wrote "The mythical man month" classifies bugs into two categories sarnold borja: "incidental" and "intrinsic" sarnold Borja: incidentle bugs are the buffer overflows and printf bugs of the world -- bugs that might be able to be mitigated by using different toolsets (such as type-safe languages: java, ml, haskell, etc) sarnold Borja: intrinsic bugs are are those introduced by the sheer complexity of software sarnold Borja: such bugs tend to make headlines frequently, "yet another outlook virus", "yet another IE security bug collected out of three non-problems" sarnold Borja: auditing can discover both classes: solar designer's xinetd audit (100KB+ of patch!) was both incidental and intrinsic bugs sarnold Borja: but finding the intrinsic bugs takes more work .. hence the need for better education. sarnold and, speaking of education, I thought this talk might be interesting if I mentioned some of the common (incidental) flaws that are introduced into software sarnold the most popular form of security problem is the Buffer Overflow sarnold this is made especially easy in C because strings are represented as null-terminated character arrays sarnold so, very simple (and often-used) code such as the following allows an attacker complete control over the program: sarnold char buf[MAX]; sarnold strcpy(buf, input); sarnold depending on the length of the character array in 'input', a malicious person could overflow the "buf" buffer; this could over write nearby variables, or return addresses, or other program elements sarnold this piece should be re-written to either ensure that only MAX-1 characters of input are copied into buf, or abort if input is too long sarnold (using strncpy, strlcpy, or strlen) sarnold < rene:#qc> strlcpy? sarnold rene: strlcpy was introduced by the openbsd project as a replacement for strncpy .. which has inconsistent semantics. sarnold < blackkoal:#qc> another question: is there anywhere a website how to write clean code (i mean with clean and good comments, ...? especially how to write comments) sarnold blackkoal: there is a list of resources available here: https://sardonix.org/Auditing_Resources.html sarnold blackkoal: as for writing comments, the short rule is "don't describe what your code does; that should be obvious. describe _why_ your code does what it does." sarnold the next most common type of security flaw is the "printf" bug sarnold for many years, people assumed printf was a 'safe' function sarnold but, in the spring/summer of 2000, someone pointed out that printf has a method that allows writing to memory sarnold and _MANY_ programs allow malicious input to supply format strings sarnold so code that looks like this: sarnold printf(foo); is likely vulnerable to misuse sarnold it should be re-written printf("%s", foo); sarnold there are more complex problems with printf as well, but they are best discussed in a forum specific to printf problems (such as KF's INFOSEC presentation a few months ago) sarnold another common class of errors is the filesystem race sarnold this is al viro's speciality :) sarnold this can be something as simple as use of access(2) in a privileged program to determine if file access should be granted in an open call made on behalf of a user sarnold (the use normally goes, if (access("/etc/shadow", S_IWUSR)) open("/etc/passwd", O_WR);) sarnold the problem is that someone could replace the /etc/shadow file inbetween the access(2) and open(2) sarnold this is known as a "time of check to time of use" vulnerability sarnold the solution to this problem is more complex: the use of setuid(2) and setgid(2) and setgroups(2) to ensure the _kernel_ does the checks sarnold linux introduced a neat feature fsuid, that can be used to allow a program to emulate the filesystem privileges of a specific user, without dropping full privs sarnold this was implemented primarily for the nfs daemon, but can be used by other programs, such as sendmail, to ensure delivery of mail is handled properly sarnold other problems with unchecked inputs include the system(3) function sarnold this function runs a command using /bin/sh, so it is extremely powerful and simple to use -- with the caveat that if any input is supplied by a user, one must be careful of shell metacharacters sarnold so, if a user could supply part of the command with input, something like ;rm -rf /; could ruin your day :) sarnold a problem source that few people think of is the environment! sarnold the loader provides functionality allowing libraries to be pre-linked into a program, replacing the system libraries, using LD_PRELOAD. sarnold so, users can even replace functions with functions of their own choosing! sarnold this is mitigated in glibc by cleaning the environment when performing an exec(), but it isn't perfect. sarnold PATH is also popular to abuse; many systems included . (CWD) in the PATH varaible... supplying a /tmp/mail program, one might get lucky if root ever reads his or her mail from /tmp :) sarnold < majeu:#qc> how can one avoid the problems with the LD_PRELOAD, besides compiling statically sarnold there isn't much one can do; LD_PRELOAD is mostly handled by glibc on linux systems, but the problem is indicitive of the special nature of environment varaibles sarnold the other day, I received an email from Steven Christey, of the MITRE CVE project, with a list of security-sensitive coding mistakes .. it was about 60 categories long, and many entries had a dozen or more (12 for translators :) sub-categories sarnold we will put this list on the sardonix website as a guide to help auditors when auditing software; it seems auditors have a fertile field to look through for security problems :) sarnold does anyone have any questions? sarnold < sh0nX:#qc> how much of standard open source utils (like core GNU tools) and such get audited? sarnold sh0nX: not enough. people are still finding vulnerabilities in tar, rm, etc. sarnold sh0nX: i'd like to think 18 years is long enough to get tar and rm stable and bug-free, but .. I guess not. :) sarnold < crispin:#qc> Steven Christey's list is a richer form of the pathology list that sardonix already has. sarnold yes, it should be pointed out that I've only given a sampling of errors :) his list is very long and pretty complete sarnold < sh0nX:#qc> I'd like to see an open source auditing group/consortium sarnold sh0nX: that is rather the hope of sardonix -- by trying to leverage the slashdot "karma whore" effect, we hope we can encourage people to audit software with little more than recognition as payment. :) sarnold < sh0nX:#qc> how about automated tools that look for things sarnold https://sardonix.org/Auditing_Resources.html lists many automated tools that help search for problem code sarnold sh0nX: one downside; finding flaws is turing-difficult. so these tools are at best heuristics. and sometimes the heuristics aren't so good. it is a tradeoff between falsely reporting errors and missing genuine errors sarnold < pflanze:#qc> It would probably be a good idea to use "sandboxing" for applications like browsers, icq or irc clients. sarnold pflanze: yes, you are right, that can help significantly. projects such as LSM (http://lsm.immunix.org) are providing frameworks for security modules in the linux kernel to help enable such sandboxes (TrustedBSD for the FreeBSD fans) sarnold < tarzeau:#qc> does someone know linux se, err selinux? sarnold tarzeau: SELinux's biggest problem, as I see it, is that the amount of complexity in their policies rules is extremely high sarnold tarzeau: that is another tradeoff -- either sandboxes can be very tight and very explicity -- but take a long time to prepare and validate, or they can be simpler and more granular, but simpler to prepare and validate sarnold < pflanze:#qc> Re 'proving code does not have security flaws is an unsolvable problem': It's only unproveable as long as you don't depart from the view that features are more important than correctness. :) sarnold pflanze: well, this has actually been proven to be the case -- determining the security properties of arbitrary programs is impossible sarnold pflanze: for specific programs, you are right, but even programs that should be small and simple (fingerd comes to mind) have rather poor security records sarnold < pflanze:#qc> i.e. when you are careful from the beginning (like DJB), it should be possible to write 100% secure software. sarnold pflanze: you're right, some diligence on the part of software authors can go a long way towards ensuring good security records sarnold pflanze: with the problems that functionality suffers (e.g., recursive DNS servers should be possible) sarnold unless there are further questions, I'm inclined to call it a presentation :) sarnold thanks everyone :) MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap BorZung plas plas plas plas MJesus clap clap clap clap clap clap clap clap clap clap BorZung plas plas plas plas BorZung plas plas plas plas viZard applause applause applause applause viZard applause applause applause applause krocz CLAP CLAP CLAP viZard applause applause applause applause viZard applause applause applause applause MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap viZard applause applause applause applause fernand0 plas plas plas plas plas plas plas fernand0 plas plas plas plas plas plas plas viZard applause applause applause applause fernand0 plas plas plas plas plas plas plas viZard applause applause applause applause zach clap clap clap clap clap clap clap clap clap clap fernand0 plas plas plas plas plas plas plas pflanze clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap fernand0 plas plas plas plas plas plas plas MJesus clap clap clap clap clap clap clap clap clap clap Arador plas pals pals plas plas plas sarnold MJesus clap clap clap clap clap clap clap clap clap clap Arador plas pals pals plas plas plas sarnold viZard applause applause applause applause Arador plas pals pals plas plas plas sarnold Arador plas pals pals plas plas plas sarnold Arador plas pals pals plas plas plas sarnold garoeda clap clap clap clap clap clap garoeda clap clap clap clap clap clap garoeda clap clap clap clap clap clap garoeda clap clap clap clap clap clap garoeda clap clap clap clap clap clap garoeda clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap garoeda clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap fork clap :) MJesus clap clap clap clap clap clap clap clap clap clap garoeda clap clap clap clap clap clap mjc :-) angelLuis plas plas plas angelLuis plas plas plas angelLuis plas plas plas angelLuis plas plas plas fernand0 plas plas plas plas plas plas plas plas plas plas casanegra clap lcpa lcpa lcpa fernand0 plas plas plas plas plas plas plas plas plas plas viZard sarnold my chubby dubby bro ! :-) vegai läpy läpy läpy angelLuis plas plas plas plas plas plas plas plas angelLuis plas plas plas plas plas plas plas plas casanegra clap clap clap clap clap clap clap clap clap clap clap angelLuis plas plas plas plas plas plas plas plas unimauro EXCELENT unimauro VIVA LA INTERNET sarnold viZard :) unimauro VIVA EL GNU /LINUX OrozZz congrats sarnold ;) casanegra muy bien! mjc sarnold: :) angelLuis sarnold: very good, my congratulations!!! :))) MJesus ¡¡ Hurra sarnold !! MJesus ¡¡ Hurra sarnold !! MJesus ¡¡ Hurra sarnold !! fernand0 congratszZz sarnoldzZz ? fernand0 hehe OrozZz fernand0: :P MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap viZard that´s my bro! MJesus sarnold is the first !! angelLuis jejejeje sarnold thanks to everyone :) thanks especially to my translators, garoedo, arador, viZard, and raul viZard garoeda sarnold grrr, yes, garoeda :) MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap casanegra clap clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap MJesus clap clap clap clap clap clap clap clap clap clap pragma clap clap clap clap clap clap clap clap clap clap alex sarnold: good talk !! MJesus very nice !! angelLuis an hurra for sarnold: ¡¡ Hurra !! Ston perl -e 'print "CLAP "x1000' angelLuis Torero!!! viZard sarnold, see? you wouldn´t have problems to impress some ppl if you want to ;-) MJesus ston :)) sarnold viZard: jejejeje :) Ston perdi la charla pero llegue justo para los aplausos : ) MJesus aplude ! Ston ya :P Ston <Ston> perl -e 'print "CLAP "x1000' Ston xD viZard poor garoeda is doing all the work by himself sh0nX clap clap clap clap clap clap clap sh0nX clap clap clap clap clap clap clap sh0nX clap clap clap clap clap clap clap sh0nX clap clap clap clap clap clap clap raul plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas p raul plas plas plas plas plas plas plas plas plas plas plas plas plas plas gorog wtf? sh0nX clap clap clap clap clap clap clap sh0nX clap clap clap clap clap clap clap sh0nX clap clap clap clap clap clap clap raul plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas plas sarnold gorog: the next presentation is in one hour... Ston sarnold: /exec perl -e 'print "CLAP "x1000' gorog who will be presented by? sarnold gorog: james morris, on the 2.5 kernel cryptographic infrastructure :) gorog it's really fantastic fernand0 Thank you to all for comming, and to Seth Arnold for this interesting talk sh0nX :) Generated by irclog2html.pl 2.1 by Jeff Waugh - find it at freshmeat.net!