Os Cook: Presentation Transcript

  • Security For Human Beings
    • Protecting Ubuntu
    • http://outflux.net/oscon/07/security.odp
    • Kees Cook
    • [email_address]
    • [email_address]
    • http://outflux.net/blog/
    • OSCON 2007
  • Hello...
    • My name is Kees (pronounced “Case”).
    • I work for Canonical and
    • try to keep Ubuntu secure.
    • http://ubuntu.com/
    • Also an Inkscape developer:
    • http://inkscape.org/
    • And a kernel.org admin
    • (just try and guess the URL to that one!)
  • I Love Hacking!
    • security research == curiosity
    • 2600 Magazine is great for the curious
    • DefCon is even better
      • “most hostile network in the world”
      • http://defcon.org/
      • Capture the Flag
      • Lock-picking contest
      • WiFi Shoot-out
      • and so much more
  • Day-in-the-life protecting Ubuntu
    • find new vulnerabilities
      • check mailing lists, new CVEs
      • perform code-audits
    • triage vulnerabilities (high, med, low, not)
    • while (sort-by-priority(unpatched_vulns))
      • find or develop patch
      • test patch
      • publish new package
        • http://www.ubuntu.com/usn/
  • What is a vulnerability?
    • A bug with special characteristics
    • Someone can make your stuff do stuff you didn't want your stuff doing...
    • Denial of service
    • Crossing privilege/trust boundaries
      • gaining unauthorized access
      • reading someone else's information
      • changing someone else's information
  • Software Abuse
    • Cross-site scripting (XSS)
    • SQL injection
    • Cross-site request forgery (CSRF)
    • Shell injection
    • Stack overflows
    • Heap (and integer) overflows
    • Format string attacks
    • /tmp races
    • ...
  • Vulnerability Mitigation
    • Warty: no-open-ports-by-default
      • some exceptions, e.g. DHCP client
    • Dapper:
      • de-root-ification (notably CUPS)
      • stack randomization (linux kernel 2.6.15)
    • Edgy: stack overflow protection
      • gcc 4.1's -fstack-protector
    • Feisty: heap overflow protection
      • glibc 2.5's heap link checking
      • library randomization (linux kernel 2.6.20)
  • Vulnerability Mitigation
    • Gutsy:
      • Mandatory access control (if attacker gains control, they can't do anything else)
      • ASLR hiding (/proc/$pid/maps privacy)
    • Future:
      • -D_FORTIFY_SOURCE=2
      • -pie
      • -relro
      • kernel stack protection
      • misc bits of grsecurity
  • Paranoid Web Coding
    • Filter input -- and output too (avoid XSS)
    • GET is for information, POST is for changes (avoid CSRF)
    • Use SQL bindings (avoid injection)
    • Use Model-View-Controller frameworks
      • Perl: Catalyst
      • PHP: Smarty
      • Python: Django
      • Ruby: Rails
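The "filter output too" point above, as an added example (not code from the slides): a bounded HTML output filter in C that reports the length it needed, so a caller can detect truncation the same way it should with snprintf. The function names are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Output filter for HTML: untrusted text dropped into an element or quoted
 * attribute is rendered as text, not markup. Writes at most dstsz-1 bytes plus
 * a NUL and returns the full length needed (snprintf-style), so truncation
 * is detectable: needed >= dstsz means the result was cut. */
size_t html_escape(char *dst, size_t dstsz, const char *src) {
    size_t out = 0;
    if (dstsz) dst[0] = '\0';
    for (; *src; src++) {
        char one[2] = {*src, '\0'};
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (out + len < dstsz)            /* whole piece plus NUL still fits */
            memcpy(dst + out, rep, len + 1);
        out += len;                       /* keep counting even when cut */
    }
    return out;
}

/* Demo wrapper (constructed input, not from the slides): returns 1 if escaping
 * src into a 128-byte buffer yields exactly `expected` without truncation. */
int demo_escapes_to(const char *src, const char *expected) {
    char buf[128];
    size_t need = html_escape(buf, sizeof buf, src);
    return need < sizeof buf && strcmp(buf, expected) == 0;
}
```

Passing dstsz 0 is a pure length query, as with snprintf, which lets a caller size a buffer before escaping.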
  • Language Agnostic Paranoia
    • Call system() with an array, not a string
    • Use safe temporary files (race, access)
    • Keep unencrypted credentials off the network, off disk, and even out of memory
    • Use SSL only with certificate authorities
      • clients: get a CA list!
      • servers: get a CA! http://cacert.org/
    • Abort only if absolutely required (DoS)
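Two of the items above, "call system() with an array" and "use safe temporary files", as an added C example (not code from the slides). It assumes a POSIX system with test(1) on the PATH and a writable /tmp; the helper names are invented for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a command from an argv array with fork/execvp. No shell is involved, so
 * every argument reaches the program byte-for-byte. Returns exit status or -1. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv); _exit(127);   /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Had this been system("test a;b = a;b"), the ';' would end the command.
 * As one argv element it is a literal string and test(1) exits 0. */
int demo_literal_argument(void) {
    char *argv[] = {"test", "a;b", "=", "a;b", NULL};
    return run_argv(argv);
}

/* Safe temp file: mkstemp creates it atomically (O_CREAT|O_EXCL, mode 0600), so
 * a pre-placed symlink is not followed and there is no world-readable window. */
int open_private_tmp(char *path, size_t pathsz) {
    if (snprintf(path, pathsz, "%s", "/tmp/paranoid-XXXXXX") >= (int)pathsz)
        return -1;
    int fd = mkstemp(path);                  /* replaces XXXXXX in place */
    if (fd < 0) return -1;
    struct stat st;                          /* verify: no group/other bits */
    if (fstat(fd, &st) < 0 || (st.st_mode & 077) != 0) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Create, write, and remove a private temp file; returns 0 on success. */
int demo_private_tmp(void) {
    char path[64];
    int fd = open_private_tmp(path, sizeof path);
    if (fd < 0) return -1;
    int ok = write(fd, "secret\n", 7) == 7;
    close(fd);
    return (ok && unlink(path) == 0) ? 0 : -1;
}
```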
  • Paranoid C
    • No
      • strcpy, sprintf, tmpnam, mktemp, gets, strcat
    • Yes
      • strncpy, snprintf, mkstemp, fgets
    • When handling a string with the *printf functions, always use “%s”, never the string directly.
    • Memory allocation: are you sure you really know how much you were given?
  • Paranoid Testing
    • Write a test that fails, then write code
    • Wine project has great docs on testing
    • Most languages have frameworks
      • Python: python-unit
      • Perl: Test::More
      • C++: CxxTest
      • C: plenty, but, I, uh, haven't used any
    • Fuzzy input
  • Researching Security
    • White-box
      • Show me the source!
    • Black-box
      • How does it behave?
    • Grey-box
      • Surprise! both at once!
    • Thinking to the future
      • worms, PTRACE, sudo
  • Disclosure and Response
    • Vulnerability reporting styles
      • full disclosure (“hey everyone!”)
      • coordinated disclosure (“hey upstream!”)
    • Upstream response styles
      • ignorant/defensive/antagonistic
      • indifferent/dead air
      • helpful/thankful
        • future-only
        • stable release patches
  • Security Community
    • Common Vulnerabilities and Exposures
      • http://cve.mitre.org/cve/
      • The central list of all known security bugs
    • [email_address] private mailing list
      • OSS distributor coordination
    • Researchers, hackers, you name it
      • full-disclosure mailing list
      • bugtraq mailing list
      • http://seclists.org/
  • Recommended Reading
    • Books
      • Secure Programming Cookbook for C and C++ by Viega, Messier
      • The Art of Software Security Assessment by Dowd, McDonald, Schuh
    • Blogs
      • Web: http://ha.ckers.org/blog
      • Community: http://www.matasano.com/log
  • Recommended Tools
    • Virtualization
      • VMWare, Xen, Qemu
    • Firefox extensions
      • TamperData, Firebug
    • Forensics
      • wireshark, foremost
    • Beware tool-targeted attacks
      • escape your virtualization guest, hijack your JavaScript interpreter, and overflow your sniffer...
  • Questions?
    • Kees Cook
    • [email_address]
    • [email_address]
    • http://outflux.net/blog/