Os Cook
  • Transcript

    • 1. Security For Human Beings
      • Protecting Ubuntu
      • http://outflux.net/oscon/07/security.odp
      • Kees Cook
      • [email_address]
      • [email_address]
      • http://outflux.net/blog/
      • OSCON 2007
    • 2. Hello...
      • My name is Kees (pronounced “Case”).
      • I work for Canonical and try to keep Ubuntu secure.
      • http://ubuntu.com/
      • Also an Inkscape developer: http://inkscape.org/
      • And a kernel.org admin (just try and guess the URL to that one!)
    • 3. I Love Hacking!
      • security research == curiosity
      • 2600 Magazine is great for the curious
      • DefCon is even better
        • “most hostile network in the world”
        • http://defcon.org/
        • Capture the Flag
        • Lock-picking contest
        • WiFi Shoot-out
        • and so much more
    • 4. Day-in-the-life protecting Ubuntu
      • find new vulnerabilities
        • check mailing lists, new CVEs
        • perform code-audits
      • triage vulnerabilities (high, med, low, not)
      • while (sort-by-priority(unpatched_vulns))
        • find or develop patch
        • test patch
        • publish new package
          • http://www.ubuntu.com/usn/
    • 5. What is a vulnerability?
      • A bug with special characteristics
      • Someone can make your stuff do stuff you didn't want your stuff doing...
      • Denial of service
      • Crossing privilege/trust boundaries
        • gaining unauthorized access
        • reading someone else's information
        • changing someone else's information
    • 6. Software Abuse
      • Cross-site scripting (XSS)
      • SQL injection
      • Cross-site request forgery (CSRF)
      • Shell injection
      • Stack overflows
      • Heap (and integer) overflows
      • Format string attacks
      • /tmp races
      • ...
    • 7. Vulnerability Mitigation
      • Warty: no-open-ports-by-default
        • some exceptions, e.g. DHCP client
      • Dapper:
        • de-root-ification (notably CUPS)
        • stack randomization (linux kernel 2.6.15)
      • Edgy: stack overflow protection
        • gcc 4.1's -fstack-protector
      • Feisty: heap overflow protection
        • glibc 2.5's heap link checking
        • library randomization (linux kernel 2.6.20)
    • 8. Vulnerability Mitigation
      • Gutsy:
        • Mandatory access control (if attacker gains control, they can't do anything else)
        • ASLR hiding (/proc/$pid/maps privacy)
      • Future:
        • -D_FORTIFY_SOURCE=2
        • -pie
        • -relro
        • kernel stack protection
        • misc bits of grsecurity
    • 9. Paranoid Web Coding
      • Filter input -- and output too (avoid XSS)
      • GET is for information, POST is for changes (avoid CSRF)
      • Use SQL bindings (avoid injection)
      • Use Model-View-Controller frameworks
        • Perl: Catalyst
        • PHP: Smarty
        • Python: Django
        • Ruby: Rails
    • 10. Language Agnostic Paranoia
      • Call system() with an array, not a string
      • Use safe temporary files (race, access)
      • Keep unencrypted credentials off the network, off disk, and even out of memory
      • Use SSL only with certificate authorities
        • clients: get a CA list!
        • servers: get a CA! http://cacert.org/
      • Abort only if absolutely required (DoS)
    • 11. Paranoid C
      • No
        • strcpy, sprintf, tmpnam, mktemp, gets, strcat
      • Yes
        • strncpy, snprintf, mkstemp, fgets
      • When handling a string with the *printf functions, always use “%s”, never the string directly.
      • Memory allocation: are you sure you really know how much you were given?
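      The two slides above (“Language Agnostic Paranoia” and “Paranoid C”) list rules without showing them in code. The block below is an added example, not code from the talk or from Ubuntu; the function names (safe_copy, checked_alloc, safe_tempfile, run_argv, print_untrusted) and the hostile input string are this example's own constructions. It shows: a bounded copy built on snprintf (which, unlike strncpy, always NUL-terminates), a multiplication check before allocating (the integer-overflow-into-heap-overflow case), mkstemp instead of tmpnam/mktemp for the /tmp race, an argv-array exec instead of system() with a string, and “%s” so untrusted text is never the format string.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bounded copy into dst. snprintf() always NUL-terminates (strncpy does
 * not), and "%s" keeps src from ever being parsed as a format string.
 * Returns 0 on success, -1 (with dst emptied) if src does not fit. */
int safe_copy(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;
    int n = snprintf(dst, dstlen, "%s", src);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* refuse silently truncated data */
        return -1;
    }
    return 0;
}

/* "Are you sure you really know how much you were given?": count * size
 * can wrap around, and a wrapped (tiny) allocation followed by a loop
 * over count elements is a heap overflow. Check before multiplying. */
void *checked_alloc(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size) {
        errno = EOVERFLOW;
        return NULL;
    }
    return malloc(count * size);
}

/* Safe temporary file. mkstemp() creates the file atomically with O_EXCL
 * and mode 0600, so nobody can pre-create or swap the path between the
 * name being chosen and the file being opened (the /tmp race that
 * tmpnam()/mktemp() leave open). Returns the open fd or -1 and writes
 * the chosen path into path. Directory and prefix are this example's. */
int safe_tempfile(char *path, size_t pathlen)
{
    if (safe_copy(path, pathlen, "/tmp/paranoid-example.XXXXXX") < 0)
        return -1;
    return mkstemp(path);
}

/* Run a program from an argv array via fork()/execvp() instead of
 * system("..."): no shell ever parses the arguments, so metacharacters
 * in untrusted input (; | $ and friends) are passed through literally.
 * Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Print untrusted text: the text is an argument, never the format. */
void print_untrusted(FILE *out, const char *text)
{
    fprintf(out, "%s\n", text);
}

int main(void)
{
    /* Constructed hostile input: a shell metacharacter sequence plus a
     * printf directive, the two things the slides warn about. */
    const char *hostile = "report.txt; echo INJECTED; %n%n";
    char small[16];

    if (safe_copy(small, sizeof small, hostile) < 0)
        puts("rejected: input too long for buffer");
    print_untrusted(stdout, hostile);   /* prints the literal text */

    char path[64];
    int fd = safe_tempfile(path, sizeof path);
    if (fd >= 0) {
        printf("temp file: %s\n", path);
        close(fd);
        unlink(path);
    }

    /* echo receives the whole string as one argument; nothing after the
     * ';' is executed because no shell is involved. */
    char *const argv[] = { "echo", (char *)hostile, NULL };
    return run_argv(argv) == 0 ? 0 : 1;
}
```

      Each function returns a status rather than aborting, which matches the “Abort only if absolutely required” rule on slide 10: a rejected input is reported to the caller, not turned into a denial of service.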
    • 12. Paranoid Testing
      • Write a test that fails, then write code
      • Wine project has great docs on testing
      • Most languages have frameworks
        • Python: python-unit
        • Perl: Test::More
        • C++: CxxTest
        • C: plenty, but, I, uh, haven't used any
      • Fuzzy input
    • 13. Researching Security
      • White-box
        • Show me the source!
      • Black-box
        • How does it behave?
      • Grey-box
        • Surprise! both at once!
      • Thinking to the future
        • worms, PTRACE, sudo
    • 14. Disclosure and Response
      • Vulnerability reporting styles
        • full disclosure (“hey everyone!”)
        • coordinated disclosure (“hey upstream!”)
      • Upstream response styles
        • ignorant/defensive/antagonistic
        • indifferent/dead air
        • helpful/thankful
          • future-only
          • stable release patches
    • 15. Security Community
      • Common Vulnerabilities and Exposures
        • http://cve.mitre.org/cve/
        • The central list of all known security bugs
      • [email_address] private mailing list
        • OSS distributor coordination
      • Researchers, hackers, you name it
        • full-disclosure mailing list
        • bugtraq mailing list
        • http://seclists.org/
    • 16. Recommended Reading
      • Books
        • Secure Programming Cookbook for C and C++ by Viega, Messier
        • The Art of Software Security Assessment by Dowd, McDonald, Schuh
      • Blogs
        • Web: http://ha.ckers.org/blog
        • Community: http://www.matasano.com/log
    • 17. Recommended Tools
      • Virtualization
        • VMware, Xen, Qemu
      • Firefox extensions
        • TamperData, Firebug
      • Forensics
        • wireshark, foremost
      • Beware tool-targeted attacks
        • escape your virtualization guest, hijack your JavaScript interpreter, and overflow your sniffer...
    • 18. Questions?
      • Kees Cook
      • [email_address]
      • [email_address]
      • http://outflux.net/blog/