Security For Human Beings: Protecting Ubuntu
  Kees Cook, OSCON 2007
  Slides: http://outflux.net/oscon/07/security.odp
  Blog: http://outflux.net/blog/
  [email_address] [email_address]

Hello...
  • My name is Kees (pronounced “Case”). I work for Canonical and try to keep Ubuntu secure. http://ubuntu.com/
  • Also an Inkscape developer: http://inkscape.org/
  • And a kernel.org admin (just try and guess the URL to that one!)

I Love Hacking!
  • security research == curiosity
  • 2600 Magazine is great for the curious
  • DefCon is even better: “most hostile network in the world” http://defcon.org/
      • Capture the Flag
      • Lock-picking contest
      • WiFi Shoot-out
      • and so much more

Day-in-the-life protecting Ubuntu
  • find new vulnerabilities
      • check mailing lists, new CVEs
      • perform code-audits
  • triage vulnerabilities (high, med, low, not)
  • while (sort-by-priority(unpatched_vulns))
      • find or develop patch
      • test patch
      • publish new package: http://www.ubuntu.com/usn/

What is a vulnerability?
  • A bug with special characteristics
  • Someone can make your stuff do stuff you didn't want your stuff doing...
      • Denial of service
      • Crossing privilege/trust boundaries
          • gaining unauthorized access
          • reading someone else's information
          • changing someone else's information

Software Abuse
  • Cross-site scripting (XSS)
  • SQL injection
  • Cross-site request forgery (CSRF)
  • Shell injection
  • Stack overflows
  • Heap (and integer) overflows
  • Format string attacks
  • /tmp races
  • ...

Vulnerability Mitigation
  • Warty: no-open-ports-by-default (some exceptions, e.g. DHCP client)
  • Dapper: de-root-ification (notably CUPS); stack randomization (Linux kernel 2.6.15)
  • Edgy: stack overflow protection (gcc 4.1's -fstack-protector)
  • Feisty: heap overflow protection (glibc 2.5's heap link checking); library randomization (Linux kernel 2.6.20)

Vulnerability Mitigation (continued)
  • Gutsy: Mandatory access control (if attacker gains control, they can't do anything else); ASLR hiding (/proc/$pid/maps privacy)
  • Future: -D_FORTIFY_SOURCE=2, -pie, -relro, kernel stack protection, misc bits of GRsecurity

Paranoid Web Coding
  • Filter input -- and output too (avoid XSS)
  • GET is for information, POST is for changes (avoid CSRF)
  • Use SQL bindings (avoid injection)
  • Use Model-View-Controller frameworks: Perl: Catalyst; PHP: Smarty; Python: Django; Ruby: Rails

Language Agnostic Paranoia
  • Call system() with an array, not a string
  • Use safe temporary files (race, access)
  • Keep unencrypted credentials off the network, off disk, and even out of memory
  • Use SSL only with certificate authorities: clients: get a CA list! servers: get a CA! http://cacert.org/
  • Abort only if absolutely required (DoS)
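The “call system() with an array, not a string” rule in C, as an added example that is not from the slides: a fork/execvp wrapper that runs a program from an argv array (no shell parses the arguments) and captures its stdout. The function name and the constructed sample argument are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a program from an argv array with fork/execvp instead of building a
 * command string for system(). No shell parses the arguments, so ';', '$',
 * quotes and so on in user-supplied values are passed literally. Up to
 * out_size-1 bytes of the child's stdout land in out; returns exit status or -1. */
int run_argv(char *const args[], char *out, size_t out_size)
{
    int pipefd[2];
    if (out_size == 0 || pipe(pipefd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        execvp(args[0], args);
        _exit(127);                       /* only reached if exec failed */
    }
    close(pipefd[1]);                     /* parent: read until child closes */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < out_size &&
           (n = read(pipefd[0], out + used, out_size - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(pipefd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed "filename" with shell metacharacters: system("echo " + name)
     * would let the shell run a second command; via argv, echo prints it back. */
    char out[128];
    char *args[] = { "echo", "report; echo $HOME", NULL };
    int rc = run_argv(args, out, sizeof out);
    printf("rc=%d stdout=%s", rc, out);
    return rc == 0 ? 0 : 1;
}
```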
Paranoid C
  • No: strcpy, sprintf, tmpnam, mktemp, gets, strcat
  • Yes: strncpy, snprintf, mkstemp, fgets
  • When handling a string with the *printf functions, always use “%s”, never the string directly.
  • Memory allocation: are you sure you really know how much you were given?
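The Paranoid C rules put together, as an added example of mine rather than code from the slides: a bounded copy that always NUL-terminates and reports truncation, a log formatter that passes untrusted text through a fixed “%s”, and mkstemp-based temp-file creation. The function names and the /tmp/paranoid-XXXXXX template are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bounded copy that always NUL-terminates and reports truncation.
 * (strncpy alone does not guarantee the terminator; snprintf does.)
 * Returns 1 if all of src fit, 0 if it was truncated or dst_size is 0. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 0;
    int n = snprintf(dst, dst_size, "%s", src);
    return n >= 0 && (size_t)n < dst_size;
}

/* Build a log line from untrusted text. The text is an argument to a fixed
 * "%s" format, so "%x" or "%n" sequences inside it are data, not directives. */
int format_log_line(char *out, size_t out_size, const char *untrusted)
{
    int n = snprintf(out, out_size, "user said: %s", untrusted);
    return n >= 0 && (size_t)n < out_size;
}

/* Create a temp file with mkstemp: name generation and the exclusive open are
 * one atomic step, so there is no /tmp race window (unlike mktemp/tmpnam).
 * On success path holds the generated name and the open fd is returned; -1 on failure. */
int make_private_tempfile(char *path, size_t path_size)
{
    if (!safe_copy(path, path_size, "/tmp/paranoid-XXXXXX"))   /* assumed template */
        return -1;
    return mkstemp(path);  /* mode 0600; the XXXXXX is replaced in place */
}

int main(void)
{
    char buf[8];
    printf("fit=%d buf=\"%s\"\n", safe_copy(buf, sizeof buf, "0123456789"), buf);
    char line[64];
    format_log_line(line, sizeof line, "%x%x%n");   /* constructed hostile input */
    printf("%s\n", line);
    char path[32];
    int fd = make_private_tempfile(path, sizeof path);
    if (fd >= 0) { close(fd); unlink(path); }
    return 0;
}
```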
Paranoid Testing
  • Write a test that fails, then write code
  • Wine project has great docs on testing
  • Most languages have frameworks: Python: python-unit; Perl: Test::More; C++: CxxTest; C: plenty, but, I, uh, haven't used any
  • Fuzzy input

Researching Security
  • White-box: Show me the source!
  • Black-box: How does it behave?
  • Grey-box: Surprise! both at once!
  • Thinking to the future: worms, PTRACE, sudo

Disclosure and Response
  • Vulnerability reporting styles: full disclosure (“hey everyone!”); coordinated disclosure (“hey upstream!”)
  • Upstream response styles: ignorant/defensive/antagonistic; indifferent/dead air; helpful/thankful; future-only; stable release patches

Security Community
  • Common Vulnerabilities and Exposures, http://cve.mitre.org/cve/ : the central list of all known security bugs
  • [email_address] private mailing list: OSS distributor coordination
  • Researchers, hackers, you name it: full-disclosure mailing list; bugtraq mailing list; http://seclists.org/

Recommended Reading
  • Books: Secure Programming Cookbook for C and C++ by Viega, Messier; The Art of Software Security Assessment by Dowd, McDonald, Schuh
  • Blogs: Web: http://ha.ckers.org/blog ; Community: http://www.matasano.com/log

Recommended Tools
  • Virtualization: VMWare, Xen, Qemu
  • Firefox extensions: TamperData, Firebug
  • Forensics: wireshark, foremost
  • Beware tool-targeted attacks: escape your virtualization guest, hijack your JavaScript interpreter, and overflow your sniffer...

Questions?
  Kees Cook [email_address] [email_address] http://outflux.net/blog/
Editor's Notes

  • #2 Theme created by Sakari Koivunen and Henrik Omma Released under the LGPL license.