Os Cook

Transcript

    • 1. Security For Human Beings
        • Protecting Ubuntu
        • http://outflux.net/oscon/07/security.odp
        • Kees Cook
        • [email_address]
        • [email_address]
        • http://outflux.net/blog/
        • OSCON 2007
    • 2. Hello...
        • My name is Kees (pronounced “Case”).
        • I work for Canonical and
        • try to keep Ubuntu secure.
        • http://ubuntu.com/
        • Also an Inkscape developer:
        • http://inkscape.org/
        • And a kernel.org admin
        • (just try and guess the URL to that one!)
    • 3. I Love Hacking!
      • security research == curiosity
      • 2600 Magazine is great for the curious
      • DefCon is even better
        • “most hostile network in the world”
        • http://defcon.org/
        • Capture the Flag
        • Lock-picking contest
        • WiFi Shoot-out
        • and so much more
    • 4. Day-in-the-life protecting Ubuntu
      • find new vulnerabilities
        • check mailing lists, new CVEs
        • perform code-audits
      • triage vulnerabilities (high, med, low, not)
      • while (sort-by-priority(unpatched_vulns))
        • find or develop patch
        • test patch
        • publish new package
          • http://www.ubuntu.com/usn/
    • 5. What is a vulnerability?
      • A bug with special characteristics
      • Someone can make your stuff do stuff you didn't want your stuff doing...
      • Denial of service
      • Crossing privilege/trust boundaries
        • gaining unauthorized access
        • reading someone else's information
        • changing someone else's information
    • 6. Software Abuse
      • Cross-site scripting (XSS)
      • SQL injection
      • Cross-site request forgery (CSRF)
      • Shell injection
      • Stack overflows
      • Heap (and integer) overflows
      • Format string attacks
      • /tmp races
      • ...
    • 7. Vulnerability Mitigation
      • Warty: no-open-ports-by-default
        • some exceptions, e.g. DHCP client
      • Dapper:
        • de-root-ification (notably CUPS)
        • stack randomization (linux kernel 2.6.15)
      • Edgy: stack overflow protection
        • gcc 4.1's -fstack-protector
      • Feisty: heap overflow protection
        • glibc 2.5's heap link checking
        • library randomization (linux kernel 2.6.20)
    • 8. Vulnerability Mitigation
      • Gutsy:
        • Mandatory access control (AppArmor: if an attacker gains control of a confined process, they can only do what its profile allows)
        • ASLR hiding (/proc/$pid/maps privacy)
      • Future:
        • -D_FORTIFY_SOURCE=2
        • -fPIE -pie (position-independent executables, so the main binary is randomized too)
        • -Wl,-z,relro (read-only relocations, so the GOT cannot be overwritten after load)
        • kernel stack protection
        • misc bits of GRsecurity
    • 9. Paranoid Web Coding
      • Validate input -- and escape output for the context it lands in, too (avoid XSS)
      • GET is for information, POST is for changes; a state-changing POST still needs an unguessable per-session token (avoid CSRF)
      • Use SQL bind parameters, never string-built queries (avoid injection)
      • Use Model-View-Controller frameworks
        • Perl: Catalyst
        • PHP: Smarty
        • Python: Django
        • Ruby: Rails
    • 10. Language Agnostic Paranoia
      • Run external commands with an argument array (execv and friends, or your language's list form), never a single string handed to system() and the shell
      • Use safe temporary files (mkstemp: no name race, no world-readable file)
      • Keep unencrypted credentials off the network, off disk, and even out of memory
      • Use SSL only with certificate verification
        • clients: get a CA list and check the server's certificate against it!
        • servers: get a CA-signed certificate! http://cacert.org/
      • Abort only if absolutely required (every unnecessary abort is a denial of service an attacker can trigger)
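The first bullet on this slide, as an added C example that is not from the talk: the same user-supplied filename run two ways. One path builds a command string and hands it to the shell, which is exactly what system() does; the other passes an argv array straight to exec. Each path's output is captured through a pipe so the difference is visible. It assumes a POSIX system with /bin/sh and /bin/echo; the hostile filename is constructed for the example.

```c
/* Added example (not from the talk): why "argument array, not shell
 * string" matters.  Both helpers run /bin/echo on a caller-supplied
 * name; only one of them lets the caller run a second command. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fork a child with stdout on a pipe, let `exec_fn` replace it with
 * the command, and collect what it printed into out[0..outsz-1].
 * Returns the number of bytes captured, or -1 on failure. */
static ssize_t capture(void (*exec_fn)(const char *), const char *arg,
                       char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    fflush(stdout);                /* don't let the child inherit our buffer */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        exec_fn(arg);              /* returns only if exec failed */
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)n;
}

/* UNSAFE: one string handed to the shell, which is what
 * system("...") does.  Any ';', '|', '`' or '$(' in `name` becomes
 * shell syntax. */
static void exec_via_shell(const char *name)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo %s", name);
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
}

/* SAFE: argv as an array.  `name` reaches /bin/echo as exactly one
 * argument, no matter what characters it contains. */
static void exec_via_argv(const char *name)
{
    char *const argv[] = { "/bin/echo", (char *)name, NULL };
    execv(argv[0], argv);
}

/* Wrappers that return the captured stdout of each variant. */
ssize_t run_shell(const char *name, char *out, size_t outsz)
{ return capture(exec_via_shell, name, out, outsz); }

ssize_t run_argv(const char *name, char *out, size_t outsz)
{ return capture(exec_via_argv, name, out, outsz); }

int main(void)
{
    const char *hostile = "report.txt; echo INJECTED";   /* constructed input */
    char out[256];
    run_shell(hostile, out, sizeof out);
    printf("shell: %s", out);   /* two lines: the ';' started a second command */
    run_argv(hostile, out, sizeof out);
    printf("argv:  %s", out);   /* one line: the name echoed verbatim */
    return 0;
}
```

The argv form also removes the temptation to "escape" shell metacharacters by hand, which is where most of the historical shell-injection fixes went wrong.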
    • 11. Paranoid C
      • No
        • strcpy, sprintf, tmpnam, mktemp, gets, strcat
      • Yes
        • strncpy, snprintf, mkstemp, fgets
        • but strncpy does not NUL-terminate a truncated copy, and snprintf and fgets truncate silently: terminate the buffer yourself and check the return value
      • When handling a string with the *printf functions, always pass it as an argument to “%s”, never as the format string itself.
      • Memory allocation: are you sure you really know how much you were given? Check lengths before indexing, and watch for integer overflow in the size arithmetic.
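The slide's no/yes list, as an added C example that is not from the talk: a replacement for each banned call, each carrying the caveat that the "yes" column hides (strncpy's missing terminator, snprintf's silent truncation, fgets leaving the rest of a long line in the stream, and the name race that mkstemp closes). The helper names are the example's own; the main() input strings are constructed.

```c
/* Added example (not from the talk): safe replacements for strcpy,
 * strcat, sprintf, gets and tmpnam/mktemp, with their caveats
 * handled rather than merely swapped for the "yes" function. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* mkstemp on strict feature sets */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* strcpy replacement.  strncpy stops at dstsz-1 bytes but leaves dst
 * unterminated when src is longer, so terminate it ourselves.
 * Returns 1 if src was truncated, else 0. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return 1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* strcat replacement: append only into the space that is left. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dstsz) return 1;
    return copy_bounded(dst + used, dstsz - used, src);
}

/* sprintf replacement.  snprintf never overflows but truncates
 * silently; a return value >= dstsz is the signal.  The user text is
 * an argument to "%s", never the format, so "%x%n" in `user` is
 * copied as plain characters instead of being interpreted. */
int format_greeting(char *dst, size_t dstsz, const char *user)
{
    int n = snprintf(dst, dstsz, "Hello, %s!", user);
    return n < 0 || (size_t)n >= dstsz;
}

/* gets replacement.  Returns 1 for a complete line (newline removed),
 * 0 at EOF, -1 when the line did not fit; the overflow is drained so
 * the next call starts on a fresh line instead of the tail of this one. */
int read_line(FILE *fp, char *buf, size_t bufsz)
{
    if (!fgets(buf, (int)bufsz, fp)) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    if (feof(fp)) return 1;                  /* last line had no newline */
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n') ;
    return -1;
}

/* tmpnam/mktemp replacement.  mkstemp creates and opens the file in
 * one step with mode 0600, so nobody can plant a symlink at a guessed
 * name between "pick a name" and "open it".  Unlinking right away
 * leaves a scratch file reachable only through the descriptor.
 * `tmpl` must end in XXXXXX and is overwritten with the real name. */
int scratch_file(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd >= 0) unlink(tmpl);
    return fd;
}

int main(void)
{
    char buf[8];
    int t = copy_bounded(buf, sizeof buf, "0123456789");   /* constructed */
    printf("copy: truncated=%d \"%s\"\n", t, buf);
    t = format_greeting(buf, sizeof buf, "%x%x%n");        /* constructed */
    printf("fmt:  truncated=%d \"%s\"\n", t, buf);
    return 0;
}
```

Note what read_line does with an over-long line: silently keeping the remainder in the stream is how a "safe" fgets loop ends up parsing the tail of one request as the start of the next.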
    • 12. Paranoid Testing
      • Write a test that fails, then write code
      • Wine project has great docs on testing
      • Most languages have frameworks
        • Python: unittest (PyUnit; Debian package python-unit)
        • Perl: Test::More
        • C++: CxxTest
        • C: plenty, but, I, uh, haven't used any
      • Fuzz testing: feed random and malformed input, and treat every crash as a bug
    • 13. Researching Security
      • White-box
        • Show me the source!
      • Black-box
        • How does it behave?
      • Grey-box
        • Surprise! both at once!
      • Thinking to the future
        • worms, PTRACE, sudo
    • 14. Disclosure and Response
      • Vulnerability reporting styles
        • full disclosure (“hey everyone!”)
        • coordinated disclosure (“hey upstream!”)
      • Upstream response styles
        • ignorant/defensive/antagonistic
        • indifferent/dead air
        • helpful/thankful
          • future-only
          • stable release patches
    • 15. Security Community
      • Common Vulnerabilities and Exposures
        • http://cve.mitre.org/cve/
        • The central catalogue of identifiers for publicly known vulnerabilities
      • [email_address] private mailing list
        • OSS distributor coordination
      • Researchers, hackers, you name it
        • full-disclosure mailing list
        • bugtraq mailing list
        • http://seclists.org/
    • 16. Recommended Reading
      • Books
        • Secure Programming Cookbook for C and C++ by Viega, Messier
        • The Art of Software Security Assessment by Dowd, McDonald, Schuh
      • Blogs
        • Web: http://ha.ckers.org/blog
        • Community: http://www.matasano.com/log
    • 17. Recommended Tools
      • Virtualization
        • VMWare, Xen, Qemu
      • Firefox extensions
        • TamperData, Firebug
      • Forensics
        • wireshark, foremost
      • Beware tool-targeted attacks
        • escape your virtualization guest, hijack your JavaScript interpreter, and overflow your sniffer...
    • 18. Questions?
        • Kees Cook
        • [email_address]
        • [email_address]
        • http://outflux.net/blog/