trends in open source security
play

Trends in Open Source Security FOSDEM 2013 Florian Weimer - PowerPoint PPT Presentation

Oct 30, 2023 •146 likes •462 views

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

  1. Trends in Open Source Security FOSDEM 2013 Florian Weimer ‹fweimer@redhat.com› Red Hat Product Security Team 2013-02-02

  2. Overview ● Vulnerability tracking ● Tool-chain hardening ● Distribution-wide defect analysis 2 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  3. CVE-based vulnerability tracking ● http://cve.mitre.org/ ● CVE-2013-0156 ● CVE assignment alerts distributions ● Works well for public issues ● oss-security mailing list and Kurt Seifried ● Many vendors also assign CVE identifiers 3 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  4. Version-based vulnerability tracking ● For each branch, note the minimum fixed version ● Very complicated, with subtle corner cases ● Tied to a version numbering scheme and branching model 4 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  5. Version-based tracking for CVE-2013-0156 CVE-2013-0156 (active_support/core_ext/hash/conversions.rb in Ruby on Rails before ...) - rails 2.3.14.1 (bug #697722; high) [squeeze] - rails 2.3.5-1.2+squeeze4.1 - ruby-activesupport-2.3 2.3.14-5 (bug #697789) - ruby-activesupport-3.2 3.2.6-5 (bug #697790) - ruby-extlib 0.9.15-3 (bug #697895) - libextlib-ruby <removed> (bug #697895) 5 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  6. Example packages for CVE-2013-0156 ● - rails 2.3.14.1 (bug #697722; high) [squeeze] - rails 2.3.5-1.2+squeeze4.1 ● Fixed package versions ● 2:2.3.14.2 (testing/wheezy) ● 2.3.5-1.2+squeeze6 (stable/squeeze) ● Unfixed package versions: ● 2.3.11-0.1 (testing/wheezy) ● 2.3.5-1.2+squeeze1 (stable/squeeze) ● Can be used to rate the packages on a system 6 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  7. Vulnerability tracking with tracker bugs ● bugzilla.redhat.com entry with the CVE as an alias ● Will be made public after disclosure ● Extensive metadata in the “Whiteboard” field ● This tracker bug depends on product-specific bugs ● Lots of automation, relying on Bugzilla features ● Uploads to Fedora post information in the Bzs ● Rather different from version-based tracking 7 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  8. Tracker bugs example: CVE-2013-0156 ● https://bugzilla.redhat.com/show_bug.cgi?id=892870 has these dependencies: ● Fedora bug: 893281 ● Fedora EPEL bug: 847202 ● Red Hat OpenShift Enterprise internal bugs ● Tied to RHSA-2013:0153-1 ● Red Hat Subscription Asset Manager internal bugs ● Tied to RHSA-2013:0154-1 ● Red Hat CloudForms bugs ● Tied to RHSA-2013:0155-1 8 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  9. Vulnerability tracking requirements ● Ubuntu, Gentoo, OpenSuSE etc. use similar schemes ● Most upstreams provide critical information ● Analysis in their security advisory or bug tracker ● Links to individual patches/commits ● Otherwise, it has to be reverse engineered ● Time-consuming, better spend on patch review/testing ● Distributions publish isolated security patches ● Related discussions on the public oss-security list 9 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  10. Cross-distro information sharing opportunities ● Package names and versioning schemes differ ● Encoding of upstream versions differs ● CVE ↔packages mapping could be shared ● Application for Common Platform Enumeration (CPE)? 10 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  11. Public version control repositories Please publish your security patches in a publicly accessible version control repository as separate commits! There is really no point in hiding this information. (Not a trend yet—let's hope it does not turn into one.) 11 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  12. Toolchain hardening 12 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  13. Toolchain hardening ● Probabilistic countermeasures against code execution ● Make the program crash, not run code ● These bugs still need fixing! 13 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  14. Toolchain hardening ● Address space layout randomization ● Non-executable stack, heap ● malloc / free hardening against direct exploitation of double- free bugs ● -fstack-protector (stack canaries, if enabled) ● Compiler warnings (errors for format strings) ● operator new[] hardening ● New feature in GCC 4.8 ● Backported to Fedora 18 14 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  15. Toolchain hardening: FORTIFY_SOURCE ● GCC provides access to array sizes using __builtin_object_size ● In cases where this is possible ● GNU libc passes length to wrapper functions ● GNU libc disables %n in writable format strings 15 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  16. Unused hardening opportunities ● 32 bit ● Do not use prelink ● Randomization of program start address (PIE) ● BIND_NOW global offset table (GOT) protection ● -fwrapv (deterministic integer overflow) ● -fstack-check 16 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  17. Stack checking ● alloca argument allows arbitrary stack pointer adjustment ● -fcheck-stack has considerable code size impact ● Some assembly required ● Use stack boundary provided by split stacks 17 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  18. Subscript checking for operator[] ● Affects std::vector , std::string , std::array ● vec[i] ● C++ standard gives permission for bounds checking ● Library-only change has performance impact ● Further research needed ● Interim workaround: use vec .at(i) 18 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  19. Hardening and performance ● There is a trade-off ● Real-world attack data enables objective decisions effective new attack ineffective 19 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  20. More far-reaching changes ● Improving memory safety for C/C++ ● Bounded pointers/array slices ● Garbage collection ● __attribute__ annotations ● Vtable dispatch changes (for C++) ● Ranges instead of iterators (for C++) ● Library consolidation ● FLOSS-specific secure coding guidelines ● Better APIs? 20 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  21. Changing the game ● A bunch of new system programming languages ● Go, LuaJIT, Rust ● And a few older ones: Ada, Haskell, Java, Ocaml ● Incremental conversion requires deep embedding ● No kernel threads, no changes to signal handlers ● Isolated language run-time states ● This is an implementation issue. ● At the moment, only Ada and LuaJIT qualify 21 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  22. Vulnerabilities and side effects ● CVE-2013-0243: tls-extra certificate validation ● Haskell is a real programming language now! ● The vulnerability is in imperative code. ● But it could have been pure/side-effect-free. ● Vulnerabilities are not necessarily side effects. 22 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  23. Distribution-wide defect analysis 23 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  24. Static analysis ● Year 2012 for Red Hat Enterprise Linux 6 ● ~600 changes (“errata”) in 340 source packages ● Before/after comparison for every errata ● Matches so far: ● CVE-2012-3547 (freeradius) ● Error handling improvements in PostgreSQL ● Actual bug for psacct (837621), unixODBC (628909) 24 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  25. Fedora static analysis efforts ● mock-with-analysis ● “Firehose” exchange format ● https://fedoraproject.org/wiki/StaticAnalysis 25 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  26. Global analysis assistance ● Analysis of an entire distribution, not a single package ● Source code search engines ● http://codesearch.debian.net ● Search for “ YAML\.load ” 26 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  27. Global analysis asssistence ● ELF symbol databases ● https://github.com/vdanen/rq/ ● https://github.com/fweimer/symboldb/ ● Simpler to set up than source code indexing ● Full power of PostgreSQL 27 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  28. Uses for symbol databases ● Joins and anti-joins point to potential vulnerabilities ● “billion laughs” denial of service with Expat ● Program calls XML_ParserCreate , but not XML_SetEntityDeclHandler ● Privilege escalation via unsafe environment access ● DSO defines PAM or NSS entry points and ● DSO calls getenv or calls a function in a library which calls getenv (perhaps indirectly) 28 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  29. Improved tools for global analysis ● More detailed data than ELF symbols ● Debugging information ● Compiled binaries after disassembly ● Java, Python, … support ● Dynamic languages will need heuristics 29 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  30. Improved tools for global analysis ● Efficient search for function calls with certain arguments ● umask(0) ● curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 1L) ● realpath(path, buffer) where buffer is not NULL ● ELF symbols could locate binaries ● Disassembly could extract function arguments 30 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

  31. Conclusion ● Let's try to fix alloca . ● Static analysis and code search engines are exciting. Questions? And: Please share your version control repository! 31 TRENDS IN OPEN SOURCE SECURITY | FOSDEM 2013

Recommend

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019

Top Open Source Language Trends for 2019 ActiveState Webinar Open Source Language Trends 2019 Panelists Bart Copeland Jeff Rouse CEO &amp; President VP Product ActiveState ActiveState Open Source Language Trends 2019 Housekeeping

373 views • 16 slides
Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief

Blank slide Pressures on Open Source Free Software Trends and Directions Simon Phipps Chief Open Source Officer Sun Microsystems http://www.webmink.net/ Systems Middleware Cloud 3 1 Third Wave? Stallman Software Freedoms Use

1.31k views • 87 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By Sevan Janiyan What is pkgsrc Cross platform packaging system 23 listed platforms in 2015Q3 release notes Strive to keep local changes minimal

563 views • 44 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario https://dadario.com.br - - - - - - - - - - - - - - Source: https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [1] Source:

752 views • 71 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp; Sciences Ubani A Balogun &amp; Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
Collaborative Creation Technology Foresight An Approach to Free and Open Source

Collaborative Creation Technology Foresight An Approach to Free and Open Source

Participatory Free and Open Source GIS in the Web 2.0 Exploring trends in GIS in times of Collaborative Creation Technology Foresight An Approach to Free and Open Source Geospatial Software Web and beyond 2.0 IMG SRC:GNOME

1.2k views • 92 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

My Kind of Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and modular infrastructure built using open source and delivered with: Better quality and security Lower costs No vendor

941 views • 40 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and

Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and

Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and Tizen? Why Tizen? Desktop Web IVI Security Wearable Open Source Community Store Mobile Tv 3 Why Qt? Web Performance Gui Components

465 views • 24 slides
OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA Who are we? Open Source Monitoring Software Results Demonstration Responses Mitigations and conclusion

1.02k views • 45 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides

More recommend