Debian Security Team presentation, Yves-Alexis Perez, SSTIC 2018 (slide deck)

  1. Debian Security Team presentation Yves-Alexis Perez SSTIC 2018

  2. Introduction [section slide, 1 / 37, corsac ⊕ debian.org]

  3. Introduction: Who am I?
     ▶ Yves-Alexis Perez (Corsac)
     ▶ ANSSI: head of software and hardware architecture lab
     ▶ Mostly interested in low-level security and hardening
     ▶ Debian developer
       ▶ security team member
       ▶ package maintainer: Xfce desktop environment, strongSwan IKE/IPsec daemon
       ▶ Linux kernel team member

  4. Introduction: Agenda
     ▶ Introduction
     ▶ Security team presentation: People, Roles, Tools
     ▶ Workflows: Security frontdesk, Debian Security Advisory
     ▶ Vulnerabilities: Embargoes
     ▶ Examples: KRACK, Meltdown/Spectre, standard embargoed vulnerability: pcs

  5. Security team presentation [section slide]

  6. Security team presentation: People
     ▶ Core team members
       ▶ ~10 people[1]
       ▶ ~5 really active
     ▶ Other people involved
       ▶ Debian developers and maintainers
       ▶ Security researchers

  7. Security team presentation: Roles, what we do
     ▶ Handle security for stable releases
       ▶ keep watch over security issues in stable/oldstable
       ▶ issue Debian Security Advisories (DSA)
       ▶ prepare package updates
       ▶ upload to the security archive
       ▶ send the DSA mail to debian-security-announce@
       ▶ coordinate with other teams and developers
     ▶ Other interests
       ▶ distribution hardening
       ▶ reduces workload later on

  8. Security team presentation: Roles, what we don’t do
     ▶ Everything else security related
       ▶ Debian infrastructure: the other DSA (1)
       ▶ Debian accounts: DAM (2) and Keyring teams
       ▶ Debian LTS (3)
     (1) Debian System Administrators, unfortunate acronym collision
     (2) Debian Accounts Managers
     (3) Long Term Support

  9. Security team presentation: Tools, frontends
     ▶ Communication
       ▶ security@debian.org (PGP rsa4096/0x6BAF400B05C3E651)
       ▶ debian-security-announce@lists.debian.org
       ▶ irc://irc.debian.org/#debian-security
     ▶ Security tracker: https://security-tracker.debian.org/
       ▶ sysadmin/enduser oriented
       ▶ web interface for browsing
       ▶ search by package, vulnerability (CVE) or suite
     ▶ Data: useful for automated vulnerability assessment
       ▶ CVE list (raw[2] / json[3])
       ▶ OVAL json[4]
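The machine-readable tracker data mentioned on this slide is what makes automated assessment possible: an installed version is still affected when it sorts below the release's fixed version under dpkg's ordering. The example below is added here and is not code from the slides or the team's tooling; it feeds a constructed excerpt shaped like the tracker's per-package JSON (package, then CVE, then per-release status and fixed_version; that layout is an assumption to check against a real download, and the CVE id, description and versions are made up) through a Python port of dpkg's version comparison and reports the issues that still apply.

```python
# Constructed excerpt shaped like the security tracker's per-package JSON export
# (package -> CVE -> per-release status); CVE id, text and versions are made up.
TRACKER = {"wpa": {"CVE-2018-99999": {"description": "constructed example issue",
    "scope": "remote", "releases": {"stretch": {"status": "resolved",
    "urgency": "high", "fixed_version": "2:2.4-1+deb9u2"}}}}}

def _order(s, k):
    # dpkg's character weight: digits and end-of-string count 0, '~' sorts before everything
    if k >= len(s) or s[k].isdigit():
        return 0
    return -1 if s[k] == "~" else ord(s[k]) + (0 if s[k].isalpha() else 256)

def _digits(s, k):
    # Numeric value of the digit run starting at s[k], and the index just after it
    e = k
    while e < len(s) and s[e].isdigit():
        e += 1
    return int(s[k:e] or 0), e

def _frag_cmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (by _order) and digit runs (numerically)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            if _order(a, i) != _order(b, j):
                return _order(a, i) - _order(b, j)
            i, j = i + 1, j + 1
        na, i = _digits(a, i)
        nb, j = _digits(b, j)
        if na != nb:
            return na - nb
    return 0

def dpkg_compare(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _frag_cmp(u1, u2) or _frag_cmp(r1, r2)

def open_issues(tracker, release, installed):
    """(package, CVE) pairs still affecting `installed` ({pkg: version}) in `release`."""
    def affected(version, rel):
        return rel.get("status") == "open" or (rel.get("status") == "resolved"
            and dpkg_compare(version, rel["fixed_version"]) < 0)
    return [(pkg, cve) for pkg, version in installed.items()
            for cve, info in tracker.get(pkg, {}).items()
            if affected(version, info["releases"].get(release, {}))]
```

On a real host the `installed` mapping would come from `dpkg-query -W -f='${Package} ${Version}\n'`, and `TRACKER` from the JSON download linked on the slide.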

  10. Security team presentation: Tools, backends
     ▶ Public[5] git repository security-tracker
       ▶ team organization
       ▶ CVE management
       ▶ DSA assignment
       ▶ source for security-tracker website
     ▶ Private git repository sec-private
       ▶ management of embargoed issues
       ▶ some internal data

  11. Workflows [section slide]

  12. Workflows: Security frontdesk
     ▶ Contact point for security issues
     ▶ Make sure:
       ▶ someone is always present and active
       ▶ we don’t miss important issues
       ▶ we distribute the load amongst the team
     ▶ Anyone can do this, but make sure someone actually does it
     ▶ nowadays not formally done

  13. Workflows: Security frontdesk duties
     ▶ Day to day routine, distributed amongst the team
       ▶ watch over the mail alias and process incoming requests
       ▶ watch over oss-sec and distros (private) lists, external sources
       ▶ add private issues to the private git repository
       ▶ add public issues to the security-tracker (data/CVE/list)
       ▶ process External check
       ▶ submit bug reports for public issues to the BTS
       ▶ add new DSA-worthy issues to the list (dsa-needed.txt)

  14. Workflows: Security frontdesk, External check
     ▶ What is it?
       ▶ automated script
       ▶ runs once a day
       ▶ finds newly assigned CVEs from various sources (MITRE, vendors/upstream etc.)
       ▶ adds them to data/CVE/list with TODO tag
     ▶ Post processing TODO entries
       ▶ is it against a Debian package?
       ▶ is the affected version in a Debian supported release?
       ▶ what is the severity?
       ▶ are there external sources of information?
       ▶ add enough information to the tracker to facilitate work later on

  15. Workflows: Debian Security Advisory, releasing a DSA[6]
     ▶ Usually:
         1. vulnerability is identified
         2. CVE is assigned (helpful, not required)
         3. fix is identified
         4. patch is applied against package in supported suites
         5. package is built locally
         6. package is uploaded to security-master
         7. package is built by the buildbots
         8. package is released to the security mirror network
         9. DSA mail is sent
     ▶ work is shared between team members
     ▶ some steps can be done externally

  16. Vulnerabilities [section slide]

  17. Vulnerabilities: Three major types of vulnerability
     ▶ public vulnerability (vast majority)
       ▶ reported via oss-sec, public bug or commit
       ▶ fix already known or developed in the open
       ▶ integrated in Debian as soon as possible
       ▶ usually no rush
     ▶ simple private vulnerability
     ▶ complex private vulnerability
       ▶ multiple codebases
       ▶ multiple vendors
       ▶ protocol vulnerability
       ▶ hardware vulnerability

  18. Vulnerabilities: Embargoes
     ▶ Usage
       ▶ vulnerability not known publicly (under embargo)
       ▶ only a small circle of people know about it
       ▶ give some time to developers to find a fix
       ▶ coordinated date for publication
       ▶ everybody publishes at the same time
       ▶ all users protected
     ▶ High profile examples
       ▶ ROCA (Debian not affected)
       ▶ KRACK (wpa)
       ▶ Meltdown/Spectre (Linux, hypervisors, microcode)

  19. Vulnerabilities: Embargoes in practice
     ▶ Embargoes have many drawbacks
       ▶ fix availability delayed
       ▶ few people aware means the fix might not be optimal or even broken
       ▶ indefinite embargo problem (hiding stuff under the carpet)
       ▶ leak problem
     ▶ Limit usage as much as possible
       ▶ for simple vulnerabilities
       ▶ short duration

  20. Vulnerabilities: Embargoes, operating system distribution security contact lists
     ▶ linux-distros@vs.openwall.org [7]
       ▶ restricted list for open-source distributions (Linux and *BSD)
       ▶ successor to vendor-sec
       ▶ maintained by Openwall with help from distributions
       ▶ anyone can report a vulnerability privately
       ▶ strict policy (14 days max embargo, 7 days preferred)

  21. Examples [section slide]

  22. Examples: KRACK
     ▶ Key Reinstallation attacks[8]
       ▶ multiple vulnerabilities in the WPA protocol
       ▶ discovered by Mathy Vanhoef (imec-DistriNet, KU Leuven)
       ▶ involves multiple vendors (access points and clients)
       ▶ in Debian: wpa source package (wpa_supplicant and hostapd)
     ▶ Standard embargoed vulnerability
       ▶ coordination with community (upstream, researchers...)
       ▶ fix preparation
       ▶ coordinated release

  23. Examples: KRACK timeline
     ▶ 28/08 initial contact from CERT
     ▶ 10/10 second contact from CERT
     ▶ 10/10 upstream contact on the restricted distribution list
     ▶ 10/10 contact wpa upstream and Debian maintainers
     ▶ 16/10 announcement and fixes publication
     ▶ 01/11 paper presentation at ACM CCS

  24. Examples: KRACK, initial contact (28/08/2017)
     ▶ Summary
       ▶ coordination done by CERT.org
       ▶ full details, paper and proof of concept in the notification

  25. Examples: KRACK, upstream contact (10/10/2017)
     ▶ Summary
       ▶ from Jouni Malinen, upstream author of wpa
       ▶ sent to the distribution list (open-source distributions)
       ▶ details about the protocol vulnerabilities
       ▶ impact on hostapd and wpa_supplicant on various platforms
       ▶ patches for various branches
       ▶ later resent to oss-sec[9] (per distros list policy)
