    1. Security For Human Beings
       • Protecting Ubuntu
       • http://outflux.net/oscon/07/security.odp
       • Kees Cook
       • [email_address]
       • [email_address]
       • http://outflux.net/blog/
       • OSCON 2007
    2. Hello...
       • My name is Kees (pronounced “Case”).
       • I work for Canonical and try to keep Ubuntu secure.
       • http://ubuntu.com/
       • Also an Inkscape developer: http://inkscape.org/
       • And a kernel.org admin (just try and guess the URL to that one!)
    3. I Love Hacking!
       • security research == curiosity
       • 2600 Magazine is great for the curious
       • DefCon is even better
         • “most hostile network in the world”
         • http://defcon.org/
         • Capture the Flag
         • Lock-picking contest
         • WiFi Shoot-out
         • and so much more
    4. Day-in-the-life protecting Ubuntu
       • find new vulnerabilities
         • check mailing lists, new CVEs
         • perform code audits
       • triage vulnerabilities (high, med, low, not)
       • while (sort-by-priority(unpatched_vulns))
         • find or develop patch
         • test patch
         • publish new package
           • http://www.ubuntu.com/usn/
    5. What is a vulnerability?
       • A bug with special characteristics
       • Someone can make your stuff do stuff you didn't want your stuff doing...
       • Denial of service
       • Crossing privilege/trust boundaries
         • gaining unauthorized access
         • reading someone else's information
         • changing someone else's information
    6. Software Abuse
       • Cross-site scripting (XSS)
       • SQL injection
       • Cross-site request forgery (CSRF)
       • Shell injection
       • Stack overflows
       • Heap (and integer) overflows
       • Format string attacks
       • /tmp races
       • ...
    7. Vulnerability Mitigation
       • Warty: no-open-ports-by-default
         • some exceptions, e.g. DHCP client
       • Dapper:
         • de-root-ification (notably CUPS)
         • stack randomization (Linux kernel 2.6.15)
       • Edgy: stack overflow protection
         • gcc 4.1's -fstack-protector
       • Feisty: heap overflow protection
         • glibc 2.5's heap link checking
         • library randomization (Linux kernel 2.6.20)
    8. Vulnerability Mitigation
       • Gutsy:
         • Mandatory access control (if attacker gains control, they can't do anything else)
         • ASLR hiding (/proc/$pid/maps privacy)
       • Future:
         • -D_FORTIFY_SOURCE=2
         • -pie
         • -relro
         • kernel stack protection
         • misc bits of GRsecurity
    9. Paranoid Web Coding
       • Filter input -- and output too (avoid XSS)
       • GET is for information, POST is for changes (avoid CSRF)
       • Use SQL bindings (avoid injection)
       • Use Model-View-Controller frameworks
         • Perl: Catalyst
         • PHP: Smarty
         • Python: Django
         • Ruby: Rails
    10. Language Agnostic Paranoia
       • Call system() with an array, not a string
       • Use safe temporary files (race, access)
       • Keep unencrypted credentials off the network, off disk, and even out of memory
       • Use SSL only with certificate authorities
         • clients: get a CA list!
         • servers: get a CA! http://cacert.org/
       • Abort only if absolutely required (DoS)
    11. Paranoid C
       • No
         • strcpy, sprintf, tmpnam, mktemp, gets, strcat
       • Yes
         • strncpy, snprintf, mkstemp, fgets
       • When handling a string with the *printf functions, always use “%s”, never the string directly.
       • Memory allocation: are you sure you really know how much you were given?
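The rules from the “Language Agnostic Paranoia” and “Paranoid C” slides, applied in one small C program. This is an added example, not code from Kees Cook's slides; the function names (bounded_copy, log_untrusted, tempfile_demo, run_argv, echo_literal) and the /tmp template are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* snprintf always NUL-terminates and reports the length it wanted, so the
 * caller can detect truncation; strcpy/sprintf/strcat give no such signal. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    int n = snprintf(dst, dstlen, "%s", src);
    return n >= 0 && (size_t)n < dstlen; /* 1 = fit, 0 = truncated */
}

/* Untrusted text is an argument to "%s", never the format string itself,
 * so "%x%x%n" in the input is printed literally instead of interpreted. */
int log_untrusted(FILE *out, const char *text)
{
    return fprintf(out, "user said: %s\n", text);
}

/* mkstemp creates the file atomically with mode 0600 and returns an open
 * descriptor, so there is no predictable-name race for an attacker to win. */
int tempfile_demo(void)
{
    char path[] = "/tmp/paranoid-XXXXXX"; /* constructed template (assumption) */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    int ok = strstr(path, "XXXXXX") == NULL && write(fd, "x", 1) == 1;
    close(fd); unlink(path);
    return ok;
}

/* system() hands one string to /bin/sh; fork+execv takes an argv array, so
 * metacharacters in untrusted input stay inside a single argument. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid == 0) { execv(argv[0], argv); _exit(127); } /* child */
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int echo_literal(const char *untrusted) /* "one; two" is printed, not run */
{
    char *argv[] = { "/bin/echo", (char *)untrusted, NULL };
    return run_argv(argv);
}
```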
    12. Paranoid Testing
       • Write a test that fails, then write code
       • Wine project has great docs on testing
       • Most languages have frameworks
         • Python: python-unit
         • Perl: Test::More
         • C++: CxxTest
         • C: plenty, but, I, uh, haven't used any
       • Fuzzy input
    13. Researching Security
       • White-box
         • Show me the source!
       • Black-box
         • How does it behave?
       • Grey-box
         • Surprise! both at once!
       • Thinking to the future
         • worms, PTRACE, sudo
    14. Disclosure and Response
       • Vulnerability reporting styles
         • full disclosure (“hey everyone!”)
         • coordinated disclosure (“hey upstream!”)
       • Upstream response styles
         • ignorant/defensive/antagonistic
         • indifferent/dead air
         • helpful/thankful
           • future-only
           • stable release patches
    15. Security Community
       • Common Vulnerabilities and Exposures
         • http://cve.mitre.org/cve/
         • The central list of all known security bugs
       • [email_address] private mailing list
         • OSS distributor coordination
       • Researchers, hackers, you name it
         • full-disclosure mailing list
         • bugtraq mailing list
         • http://seclists.org/
    16. Recommended Reading
       • Books
         • Secure Programming Cookbook for C and C++ by Viega, Messier
         • The Art of Software Security Assessment by Dowd, McDonald, Schuh
       • Blogs
         • Web: http://ha.ckers.org/blog
         • Community: http://www.matasano.com/log
    17. Recommended Tools
       • Virtualization
         • VMWare, Xen, Qemu
       • Firefox extensions
         • TamperData, Firebug
       • Forensics
         • wireshark, foremost
       • Beware tool-targeted attacks
         • escape your virtualization guest, hijack your JavaScript interpreter, and overflow your sniffer...
    18. Questions?
       • Kees Cook
       • [email_address]
       • [email_address]
       • http://outflux.net/blog/