Silvio Cesare <silvio.cesare@gmail.com> Deakin University
PhD student at Deakin University. Malware detection. Software theft detection. Automated vulnerability discovery. Speaker at Ruxcon, Blackhat, CSW and academic conferences. This talk contains some Linux work done at university.
C Bugs. Environment Variable Fuzzing Bugs. Inter-Distribution Bugs. Embedded Package Bugs.
void *memset(void *DST, int C, size_t length). Assigns buffer contents to a specific value. Zeroing a buffer is common. C and length are sometimes confused. memset(x,y,0) is almost always a bug. Not very exploitable (except where it was meant to clear sensitive data).
Scanned Debian, Fedora, and Owl. 27+ bug reports for Debian. 2 bugs in Owl. As a result, Debian is now incorporating a memset check into its automated testing system.
/* Initialize to 0 so that test_parse_c gives reliable results */
memset (&Uni2, sizeof (Uni2), 0 );
memset (&Uni3, sizeof (Uni2), 0 );
/* only the paranoids survive */
memset( list, sizeof( HListNode ), 0 );
From the gnat-gps and bibindex packages in Debian.
argv[0] is the program name passed by exec* to execute a command in Unix. You can pass a NULL argv[0]. Crashes programs that (mis)use argv[0]. Unlikely to be exploitable. A non-null argv[0] should be enforced in the kernel.
Tested 2737 programs in Debian with a NULL argv[0]: 741 crashed (27%).
Format String Bugs. Grep pattern: printf\(getenv|printf\(argv. Found 1 format string bug in Debian (debug). gets: use of this function is a bug. Found 1 in Debian (debug): binutils, h8300-hms target.
argv buffer overflows. Grep pattern: strcpy\(.*argv|sprintf\(.*argv|strcat\(.*argv. Restricted to SUID/SGID programs. Vulnerability in Debian xdigger (SGID games). getenv buffer overflows: so many overflows in non-privileged programs. A future project is to submit bug reports for these. My PhD work uses static analysis on binaries to detect simple bugs.
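As an added example (not from the slides or from the Automated-Audits repository), the following Python script applies the grep patterns quoted on the format-string and argv-overflow slides to C source one line at a time, and adds a rule for the swapped memset value/length arguments shown on the memset slide. The rule names, the memset regex and the SAMPLE_C input (which embeds the three memset calls quoted above next to correct calls) are my own constructions; every hit is a candidate for manual review, exactly as with the original grep approach.

```python
import re
import sys

# Each rule is (name, pattern, explanation).  The printf/gets/strcpy patterns are the
# grep expressions from the slides; the memset rule is an added check for the
# swapped value/length arguments shown on the memset slide.  All of them are
# coarse, line-oriented patterns: every hit is a candidate for manual review.
RULES = [
    ("memset-args-swapped",
     re.compile(r"\bmemset\s*\((?:[^,]+,\s*sizeof\b[^,]*,|[^,]+,[^,]+,\s*0\s*\))"),
     "sizeof() passed as the fill value, or a literal 0 passed as the length"),
    ("printf-env-argv",
     re.compile(r"printf\(getenv|printf\(argv"),
     "environment or argv string used as the format string"),
    ("gets",
     re.compile(r"\bgets\s*\("),
     "gets() cannot bound the input it reads"),
    ("argv-strcpy",
     re.compile(r"strcpy\(.*argv|sprintf\(.*argv|strcat\(.*argv"),
     "unbounded copy of an argv string (matters most in SUID/SGID programs)"),
]


def scan_source(text, path="<input>"):
    """Apply the rules line by line; the first rule that matches a line wins.

    Returns a list of (path, line number, rule name, stripped line).
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):   # skip obvious comment lines
            continue
        for name, pattern, _why in RULES:
            if pattern.search(line):
                hits.append((path, lineno, name, stripped))
                break
    return hits


def scan_file(path):
    """Scan one C file, tolerating non-UTF-8 bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_source(fh.read(), path)


# Constructed sample: the three memset calls quoted on the slide plus one correct
# call and a few correct/incorrect uses of the other patterns.
SAMPLE_C = """\
/* Initialize to 0 so that test_parse_c gives reliable results */
memset (&Uni2, sizeof (Uni2), 0 );
memset (&Uni3, sizeof (Uni2), 0 );
memset( list, sizeof( HListNode ), 0 );
memset(buf, 0, sizeof(buf));
printf(getenv("HOME"));
printf(argv[1]);
printf("%s\\n", argv[1]);
gets(line);
fgets(line, sizeof line, stdin);
strcpy(path, argv[1]);
snprintf(path, sizeof path, "%s", argv[1]);
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [h for t in targets for h in scan_file(t)] if targets else scan_source(SAMPLE_C, "sample.c")
    for path, lineno, name, line in results:
        print(f"{path}:{lineno}: [{name}] {line}")
```

Run it with no arguments to see the sample flagged, or pass C files from an unpacked source package. The memset rule deliberately stays narrow (sizeof as the second argument, or a literal 0 as the third) so that the common correct form memset(p, 0, sizeof(x)) never fires.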
Need to know which programs to audit? find / -type f \( -perm +2000 -o -perm +4000 \) (newer GNU find spells this -perm /6000). Better -> look at a package repository. Fedora is aiming to eliminate SUID.
Debian: 298 SUID/SGID programs. Fedora: 368 SUID/SGID programs. Debian is now using my list on the security tracker. Fedora is using my list on the wiki.
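Added example, not the author's code: a Python equivalent of the find command above that walks a tree and lists setuid/setgid regular files with their owner and group (the slides single out SGID games programs, so the group name is worth printing). The make_demo_tree fixture is a constructed temporary directory with one setuid file, so the script can be tried without scanning a real system.

```python
import grp
import os
import pwd
import stat
import sys
import tempfile


def setid_bits(mode):
    """Label the set-id bits in a st_mode: 'suid', 'sgid', 'suid,sgid' or ''."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return ",".join(bits)


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number for unknown ids."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def find_setid_files(root):
    """Walk `root` and return (path, bits, owner, group) for every regular file
    with the setuid or setgid bit set, the Python equivalent of
    find ROOT -type f \\( -perm -4000 -o -perm -2000 \\).
    Symlinks are not followed; unreadable directories and files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = setid_bits(st.st_mode)
            if bits:
                owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
                group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
                hits.append((path, bits, owner, group))
    return sorted(hits)


def make_demo_tree():
    """Constructed fixture: a temp dir with one setuid file and one plain file.
    The owner may set the setuid bit on their own file without privileges."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    for name, mode in (("tool", 0o4755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, bits, owner, group in find_setid_files(root):
        print(f"{bits:9} {owner}:{group} {path}")
```

Pass a directory such as /usr to scan an installed system; no root is needed because only inode modes are read. As the slide says, the package repository is the better source: a distribution-wide list comes from the package metadata rather than from whatever happens to be installed on one machine.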
Long env variables can trigger buffer overflows. Attacker targets SUID/SGID programs. Local attack – set a hostile env variable, then run the privileged program. Public fuzzing tools have existed for 10+ years, e.g. sharefuzz.
Fuzzed most SUID/SGID programs in Debian. A number of assertion failures. 3 segmentation faults: 2 segv in SGID games programs, 1 SUID root segv in the zhcon package (bug in libggi).
If package FOO in Fedora is vulnerable, then package FOO in Debian is probably vulnerable too. If there is no advisory, it might be untracked. Performed a one-time scan correlating Fedora and Debian advisories. 1 missing vulnerability in the Debian gnucash package.
Software often embeds libraries or other code. Classic example: the zlib compression library. If zlib is vulnerable, update the system library. In the embedded case, the update needs to be done manually and the package rebuilt.
Many libraries have version strings that identify them. The manual approach is to grep for vulnerable embedded package signatures. Bugs found scanning for libpng, bzip2, libtiff etc. signatures in Debian and Fedora. My PhD work replaces and automates this process.
16 vulnerabilities in Debian. 15 vulnerabilities in Fedora. E.g., Fedora sepostgresql using a vulnerable fork of postgresql. Fedora to use my results on their wiki.
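Added example covering both the NULL argv[0] test and the environment-variable fuzzing described above; it is my own harness, not the author's tooling and not sharefuzz (which hooks getenv through LD_PRELOAD instead of exporting oversized values). It assumes Linux with glibc and calls execve through ctypes because os.execve refuses an empty argv. One caveat that bears directly on the slide's "should be enforced in the kernel" remark: since Linux 5.18 the kernel replaces an empty argv with a single empty string, so on current kernels the first case reaches the program as argv[0] == "" rather than NULL. The variable names, lengths and crash classification are my choices.

```python
import ctypes
import os
import signal
import sys

# Signals that point at memory corruption or an abort and are worth triaging.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGABRT, signal.SIGILL, signal.SIGFPE}


def classify(status):
    """Reduce a raw wait status to ('crash', SIGNAME), ('timeout', None),
    ('signal', SIGNAME) or ('exit', code)."""
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        if sig == signal.SIGALRM:
            return ("timeout", None)
        name = signal.Signals(sig).name
        return ("crash", name) if sig in CRASH_SIGNALS else ("signal", name)
    return ("exit", os.WEXITSTATUS(status))


def _c_string_array(items):
    """NULL-terminated char*[] for execve; an empty list yields argv == {NULL}."""
    arr = (ctypes.c_char_p * (len(items) + 1))()
    for i, item in enumerate(items):
        arr[i] = item
    arr[len(items)] = None
    return arr


def run_target(path, argv, env, timeout=5):
    """fork, then execve(path, argv, env) through libc so argv may be empty.
    The child's stdio goes to /dev/null and an alarm() armed before exec
    (alarms survive execve) kills it if it hangs.  Returns the raw wait status."""
    argv_bytes = [a.encode() for a in argv]            # kept alive until exec
    env_bytes = [f"{k}={v}".encode() for k, v in env.items()]
    argv_arr = _c_string_array(argv_bytes)
    env_arr = _c_string_array(env_bytes)
    pid = os.fork()
    if pid == 0:
        try:
            devnull = os.open(os.devnull, os.O_RDWR)
            for fd in (0, 1, 2):
                os.dup2(devnull, fd)
            signal.alarm(timeout)
            ctypes.CDLL(None).execve(path.encode(), argv_arr, env_arr)
        finally:
            os._exit(127)          # only reached if execve failed
    _pid, status = os.waitpid(pid, 0)
    return status


BASE_ENV = {"PATH": "/usr/bin:/bin"}


def fuzz_cases(path, names=("HOME", "TERM", "LANG", "DISPLAY", "USER"), length=65536):
    """The NULL argv[0] case followed by one oversized-variable case per name
    (assumed variable list; extend it with whatever the target reads)."""
    yield ("argv[0]=NULL", [], dict(BASE_ENV))
    for name in names:
        yield (f"{name}=A*{length}", [os.path.basename(path)], {**BASE_ENV, name: "A" * length})


def audit(path, timeout=5):
    """Run every case against `path`; return (label, kind, detail) for crashes and hangs."""
    findings = []
    for label, argv, env in fuzz_cases(path):
        kind, detail = classify(run_target(path, argv, env, timeout))
        if kind in ("crash", "timeout"):
            findings.append((label, kind, detail))
    return findings


if __name__ == "__main__":
    for target in sys.argv[1:]:
        for label, kind, detail in audit(target):
            print(f"{target}: {label}: {kind} {detail or ''}".rstrip())
```

Feed it the SUID/SGID list from the previous slide; run it as an unprivileged user, since that is the attacker model the slide describes and it keeps the target's privileged behaviour realistic. Assertion failures show up as SIGABRT under "crash", matching the slide's separate count of those, and anything that stops on a hostile value without crashing still deserves a look at why.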
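The correlation described above, as an added example rather than the author's scan: index each distribution's advisories by package and CVE id, then report every CVE that one distribution has fixed in a package the other also ships but has never issued an advisory for. The advisory ids, CVE ids, package names and the Fedora-to-Debian alias table are all constructed placeholders; the real scan would read the published advisory feeds and the full package index.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cves(text):
    """All CVE ids mentioned in an advisory body."""
    return set(CVE_RE.findall(text))


def index_advisories(advisories):
    """advisories: iterable of (advisory id, package, text) -> {package: {cve: advisory id}}."""
    index = {}
    for adv_id, package, text in advisories:
        for cve in extract_cves(text):
            index.setdefault(package, {})[cve] = adv_id
    return index


def correlate(src_index, dst_index, dst_packages, aliases=None):
    """For each CVE that `src` has an advisory for, check the same package in `dst`.
    Returns (dst package, cve, src advisory) for CVEs with no `dst` advisory,
    restricted to packages `dst` actually ships so unrelated packages are ignored."""
    aliases = aliases or {}
    missing = []
    for package, cves in src_index.items():
        dst_package = aliases.get(package, package)
        if dst_package not in dst_packages:
            continue
        covered = dst_index.get(dst_package, {})
        for cve, adv_id in cves.items():
            if cve not in covered:
                missing.append((dst_package, cve, adv_id))
    return sorted(missing)


# Constructed sample data: placeholder advisory ids and CVE ids, not real ones.
FEDORA_ADVISORIES = [
    ("FEDORA-EXAMPLE-1", "gnucash", "Fixes CVE-0000-0001 (placeholder id)."),
    ("FEDORA-EXAMPLE-2", "zlib", "Fixes CVE-0000-0002 and CVE-0000-0003 (placeholder ids)."),
    ("FEDORA-EXAMPLE-3", "example-lib", "Fixes CVE-0000-0004 (placeholder id)."),
    ("FEDORA-EXAMPLE-4", "fedora-only-pkg", "Fixes CVE-0000-0005 (placeholder id)."),
]
DEBIAN_ADVISORIES = [
    ("DSA-EXAMPLE-2", "zlib", "Fixes CVE-0000-0002 (placeholder id)."),
    ("DSA-EXAMPLE-3", "libexample", "Fixes CVE-0000-0004 (placeholder id)."),
]
# Packages Debian ships (in practice the full package index, not only advised packages).
DEBIAN_PACKAGES = {"gnucash", "zlib", "libexample"}
# Fedora name -> Debian name where the two distributions differ (constructed illustration).
ALIASES = {"example-lib": "libexample"}


def demo():
    """Run the correlation over the constructed sample; returns the missing-advisory list."""
    return correlate(index_advisories(FEDORA_ADVISORIES),
                     index_advisories(DEBIAN_ADVISORIES), DEBIAN_PACKAGES, ALIASES)


if __name__ == "__main__":
    for package, cve, adv_id in demo():
        print(f"{package}: {cve} fixed in Fedora by {adv_id}, no Debian advisory found")
```

Two details make the difference between a useful list and noise: restricting the check to packages the target distribution really ships (otherwise every Fedora-only package shows up), and mapping package names that differ between distributions, since the same upstream code is frequently packaged under different names.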
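As an added example of the signature-grepping approach from the embedded-packages slides (my own code, not the author's automated replacement for it): search source trees or compiled binaries for the version strings that zlib, libpng, bzip2 and libtiff build into their object code, then compare each embedded version against the first fixed version for the issue being tracked. The regexes are modelled on those libraries' own copyright/version strings and should be confirmed against a real build; the FIXED_IN versions and the SAMPLE_BLOB string table are constructed placeholders.

```python
import os
import re
import sys

# Signature patterns modelled on the version strings these libraries compile into
# their object code (assumed forms; confirm against a real build before relying on them):
#   zlib     "inflate 1.2.3 Copyright 1995-2005 Mark Adler"
#   libpng   "libpng version 1.2.44 - June 26, 2010"
#   bzip2    "bzip2/libbzip2 version 1.0.5 of 10 December 2007"
#   libtiff  "LIBTIFF, Version 3.9.4"
SIGNATURES = {
    "zlib": re.compile(rb"inflate (\d+(?:\.\d+){1,3}) Copyright"),
    "libpng": re.compile(rb"libpng version (\d+(?:\.\d+){1,3})"),
    "bzip2": re.compile(rb"bzip2/libbzip2 version (\d+(?:\.\d+){1,3})"),
    "libtiff": re.compile(rb"LIBTIFF, Version (\d+(?:\.\d+){1,3})"),
}

# First version carrying the fix being hunted for.  PLACEHOLDER numbers:
# take the real ones from the advisory being tracked.
FIXED_IN = {
    "zlib": (1, 2, 3),
    "libpng": (1, 2, 44),
    "bzip2": (1, 0, 6),
    "libtiff": (3, 9, 4),
}


def parse_version(raw):
    """b'1.2.3' -> (1, 2, 3); tuples compare correctly where strings would not (1.2.10 > 1.2.9)."""
    return tuple(int(part) for part in raw.decode().split("."))


def scan_blob(data, path="<blob>"):
    """Find embedded library version strings in raw bytes (source or binary) and
    compare each against FIXED_IN.  Returns sorted unique (path, lib, version, status)."""
    hits = set()
    for lib, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            version = parse_version(match.group(1))
            status = "vulnerable" if version < FIXED_IN[lib] else "ok"
            hits.add((path, lib, ".".join(map(str, version)), status))
    return sorted(hits)


def scan_tree(root):
    """Scan every regular file below root; an unpacked build tree and the installed
    binaries both work because the strings survive compilation."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results.extend(scan_blob(fh.read(), path))
            except OSError:
                continue
    return results


# Constructed sample resembling the string table of a binary with embedded copies.
SAMPLE_BLOB = (b"\x00\x00 inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"
               b"libpng version 1.2.44 - June 26, 2010\x00"
               b"bzip2/libbzip2 version 1.0.5 of 10 December 2007\x00")

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_blob(SAMPLE_BLOB, "sample.bin")
    for path, lib, version, status in results:
        print(f"{path}: {lib} {version} {status}")
```

A hit in a package that is not the library's own package is exactly the embedded-copy case the slides describe: the system library gets the distribution's fix, the copy inside the other package does not until that package is rebuilt. Forked or patched copies that changed the version string are the known blind spot of this method, which is the gap the author's binary-analysis work targets.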
For simple bug classes, given enough data you will find vulnerabilities. Linux vendors have patched these or are patching. http://github.com/silviocesare/Automated-Audits Thanks for watching!

Simple Bugs and Vulnerabilities in Linux Distributions
