A fairly detailed overview on current state of security and hardening countermeasures being employed on a modern OS like Linux. With a focus on teaching the basics of BOF (Buffer OverFlow), so that one understands how these attacks work.
So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.
Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
How Many Linux Security Layers Are Enough?Michael Boelen
Talk about Linux security and the related possibilities to secure your systems. Several areas are discussed, like what is possible, how to select the right security measures and tips to implement them.
Some subjects passing by in the presentation are file integrity (IMA/EVM), containers like Docker, virtualization.
The referenced tool Lynis can be downloaded freely from https://cisofy.com/downloads/
This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.
Are you really sure the security of your Linux systems is done properly? Since 2002, Michael Boelen performs research in this field. The answer is short: there is too much to possible and to do. For this reason, he created several open source security tools, to help others saving time. We will look into how Lynis can help with technical security scans.
In this talk, we had a look on how Lynis helps with system hardening. We discussed the background of the tool, lessons learned after 13 years of open source software development, and what the future plans are.
This presentation of 40 minutes gives a quick introduction in the world of Linux malware and incident handling. We cover malware, like rootkits and how they hide on the system. Finally we look at how to handle with a compromised system, and go into the possible defenses to limit the risks.
This document provides an overview of Linux security, including:
1) It introduces user security in Linux which uses a model of users and groups, each with a unique ID and permissions to access files.
2) It describes Linux file system security which implements read, write, and execute permissions for users and groups.
3) It discusses access control lists which provide a more granular approach than default permissions by allowing individual user and group permissions for each file.
So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.
Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
How Many Linux Security Layers Are Enough?Michael Boelen
Talk about Linux security and the related possibilities to secure your systems. Several areas are discussed, like what is possible, how to select the right security measures and tips to implement them.
Some subjects passing by in the presentation are file integrity (IMA/EVM), containers like Docker, virtualization.
The referenced tool Lynis can be downloaded freely from https://cisofy.com/downloads/
This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.
Are you really sure the security of your Linux systems is done properly? Since 2002, Michael Boelen performs research in this field. The answer is short: there is too much to possible and to do. For this reason, he created several open source security tools, to help others saving time. We will look into how Lynis can help with technical security scans.
In this talk, we had a look on how Lynis helps with system hardening. We discussed the background of the tool, lessons learned after 13 years of open source software development, and what the future plans are.
This presentation of 40 minutes gives a quick introduction in the world of Linux malware and incident handling. We cover malware, like rootkits and how they hide on the system. Finally we look at how to handle with a compromised system, and go into the possible defenses to limit the risks.
This document provides an overview of Linux security, including:
1) It introduces user security in Linux which uses a model of users and groups, each with a unique ID and permissions to access files.
2) It describes Linux file system security which implements read, write, and execute permissions for users and groups.
3) It discusses access control lists which provide a more granular approach than default permissions by allowing individual user and group permissions for each file.
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
Co-presented with Matt Jamison (Sr Architect, DoD Programs) at the IBM Teach the Teacher (IBM T3) conference. Discussed SELinux, Policy Enforcement, Discretionary Access Control, Multi-Level Security vs Multi-Category Security, Role-Based Access Control, usage of SELinux, Linux Audit Subsystem, and host hardening procedures.
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
This presentation is made for my college presentation of explaining "Threats, Vulnerabilities & Security measures in Linux' and also suggestion how you could enhance ur Linux OS security.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
This document discusses basic Linux system security. It recommends securing physical access to machines, using the principle of least privilege by limiting accounts, ports, and applications. It also recommends strong passwords, closing unnecessary ports, encrypting network connections, keeping software updated, using intrusion detection, and advanced techniques like auditing OSes and using virtual machines.
The document summarizes a presentation on network security and Linux security. The presentation covered introduction to security, computer security, and network security. It discussed why security is needed, who is vulnerable, common security attacks like dictionary attacks, denial of service attacks, TCP attacks, and packet sniffing. It also covered Linux security topics like securing the Linux kernel, file and filesystem permissions, password security, and network security using firewalls, IPSEC, and intrusion detection systems. The presentation concluded with a reference to an ID-CERT cybercrime report and a call for questions.
The document discusses vulnerabilities in the Linux operating system and countermeasures to protect Linux systems from remote attacks. It describes how attackers can use tools like Nessus to discover vulnerabilities, deploy trojan programs, and create buffer overflows. It also provides recommendations for system administrators, including keeping systems updated with the latest patches, using rootkit detectors, and training users to avoid social engineering attacks.
Lynis - Hardening and auditing for Linux, Mac and Unix - NLUUG May 2014Michael Boelen
Presentation about Lynis, a tool to audit and harden Linux, Mac and Unix systems. In this presentation we compare a few methods to secure your systems. We take a look at Lynis and how it can provide a solution to a common problem of lacking compliance and security controls.
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
This conference proposes to browse the differences between the models that make up the security modules of Linux kernels.
An introduction to implementation will be presented in order to understand how to develop a security module.
This document provides an overview of security features in UNIX and Linux operating systems. It discusses permissions, access control lists, mandatory access control, password hashing, system patching, sandboxing users and services, and other security concepts. The document aims to educate readers on basic and advanced security techniques available in UNIX/Linux to protect systems from threats.
File System Implementation & Linux SecurityGeo Marian
This document discusses file system implementation and Linux security. It begins by describing how file systems are typically stored on disks with partitions and sectors. It then explains how files are created, opened, read, written to, and deleted in a file system. Two common allocation methods are also summarized - contiguous allocation and linked allocation. Finally, it outlines some common security threats like intruders, malicious programs, and generic attacks and how TCP wrappers can be used to filter network access on Linux servers.
Nguyen Duc Thinh - Docker security in Dev Ops environment 2.0Security Bootcamp
This document discusses Docker security in a DevOps environment. It begins with an introduction to DevOps and Docker containers. It then outlines several Docker security practices, including hardening the Docker host, using TLS with Docker, content trust for images, network segmentation, image vulnerability scanning, and security assessment tools. The document provides an overview of how Docker and containers are used in DevOps and some key strategies for securing Docker deployments.
This document discusses Linux network security and the xFirewall program. It provides an overview of Linux and its networking capabilities. It then describes iptables, the built-in Linux firewall, and xFirewall, a user-friendly frontend for iptables. xFirewall detects network attacks and logs unauthorized access based on allowed ports in its configuration file. The document shows nmap scan results for a system running xFirewall, demonstrating that it only allows connections to specified open ports and blocks other ports from being discovered.
This document provides an overview of SELinux, including its introduction, access control mechanisms, policy, administration, and benefits. SELinux is a Linux security module that implements mandatory access controls to confine processes and restrict their access. It defines types for objects like files and directories, domains for processes, and roles to determine what access users and processes have. SELinux policy enforces these controls and can be configured through booleans and modified policy modules. It helps strengthen security by auditing access and confining services like web servers even if they are compromised by an attack.
This document provides an overview of Security Enhanced Linux (SELinux). It discusses what SELinux is, how it implements mandatory access control on Linux systems, and some basic SELinux concepts like types, users, roles, and the policy. It also covers installing SELinux on CentOS 7 and checking the mode.
• Each SELinux access control model is simple, but actually
access control is more complex
• Red Hat puts a lot of effort into SELinux, policy and utils for
SELinux usability
– Enlarging default policy modules
– Encouraging Policy module system
– Analyzing and generating policies from access violation log
The document discusses how firewalls are commonly bypassed using techniques like tunneling traffic over allowed protocols like HTTP and DNS. It provides an example attack scenario where a victim is infected via a client-side exploit delivered over HTTP. While ideal security would involve disconnecting systems, more practical approaches include deep packet inspection, application-aware firewalls, and host-based signatures to detect protocol misuse and anomalous traffic.
This Slide consists of the security topic comes in the Linux Platform only.
It basically changes the context of the files stored in the server or the client system and thus prevent the unauthorized access.
Agenda:
An in depth review of various security mechanisms in the kernel like those added by PAX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
The document discusses DDoS attacks and countermeasures. It begins with an overview of common DDoS attack types like botnet attacks and distributed reflected DNS attacks. It then discusses challenges like how easy it is to build botnets and buy them online. The document also covers the xFlash attack technique and new capabilities in Flash 9. The second part discusses countermeasures, emphasizing performance tuning, caching, scalability through architecture like shared nothing, and implementing defense in depth. It concludes by thanking the audience and asking for questions.
This short seminar presentation discusses the basic idea of my dissertation. It uncovers the main ideas of a three players conflict in missile guidance with bounded controls.
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
Co-presented with Matt Jamison (Sr Architect, DoD Programs) at the IBM Teach the Teacher (IBM T3) conference. Discussed SELinux, Policy Enforcement, Discretionary Access Control, Multi-Level Security vs Multi-Category Security, Role-Based Access Control, usage of SELinux, Linux Audit Subsystem, and host hardening procedures.
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
This presentation is made for my college presentation of explaining "Threats, Vulnerabilities & Security measures in Linux' and also suggestion how you could enhance ur Linux OS security.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
This document discusses basic Linux system security. It recommends securing physical access to machines, using the principle of least privilege by limiting accounts, ports, and applications. It also recommends strong passwords, closing unnecessary ports, encrypting network connections, keeping software updated, using intrusion detection, and advanced techniques like auditing OSes and using virtual machines.
The document summarizes a presentation on network security and Linux security. The presentation covered introduction to security, computer security, and network security. It discussed why security is needed, who is vulnerable, common security attacks like dictionary attacks, denial of service attacks, TCP attacks, and packet sniffing. It also covered Linux security topics like securing the Linux kernel, file and filesystem permissions, password security, and network security using firewalls, IPSEC, and intrusion detection systems. The presentation concluded with a reference to an ID-CERT cybercrime report and a call for questions.
The document discusses vulnerabilities in the Linux operating system and countermeasures to protect Linux systems from remote attacks. It describes how attackers can use tools like Nessus to discover vulnerabilities, deploy trojan programs, and create buffer overflows. It also provides recommendations for system administrators, including keeping systems updated with the latest patches, using rootkit detectors, and training users to avoid social engineering attacks.
Lynis - Hardening and auditing for Linux, Mac and Unix - NLUUG May 2014Michael Boelen
Presentation about Lynis, a tool to audit and harden Linux, Mac and Unix systems. In this presentation we compare a few methods to secure your systems. We take a look at Lynis and how it can provide a solution to a common problem of lacking compliance and security controls.
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
This conference proposes to browse the differences between the models that make up the security modules of Linux kernels.
An introduction to implementation will be presented in order to understand how to develop a security module.
This document provides an overview of security features in UNIX and Linux operating systems. It discusses permissions, access control lists, mandatory access control, password hashing, system patching, sandboxing users and services, and other security concepts. The document aims to educate readers on basic and advanced security techniques available in UNIX/Linux to protect systems from threats.
File System Implementation & Linux SecurityGeo Marian
This document discusses file system implementation and Linux security. It begins by describing how file systems are typically stored on disks with partitions and sectors. It then explains how files are created, opened, read, written to, and deleted in a file system. Two common allocation methods are also summarized - contiguous allocation and linked allocation. Finally, it outlines some common security threats like intruders, malicious programs, and generic attacks and how TCP wrappers can be used to filter network access on Linux servers.
Nguyen Duc Thinh - Docker security in Dev Ops environment 2.0Security Bootcamp
This document discusses Docker security in a DevOps environment. It begins with an introduction to DevOps and Docker containers. It then outlines several Docker security practices, including hardening the Docker host, using TLS with Docker, content trust for images, network segmentation, image vulnerability scanning, and security assessment tools. The document provides an overview of how Docker and containers are used in DevOps and some key strategies for securing Docker deployments.
This document discusses Linux network security and the xFirewall program. It provides an overview of Linux and its networking capabilities. It then describes iptables, the built-in Linux firewall, and xFirewall, a user-friendly frontend for iptables. xFirewall detects network attacks and logs unauthorized access based on allowed ports in its configuration file. The document shows nmap scan results for a system running xFirewall, demonstrating that it only allows connections to specified open ports and blocks other ports from being discovered.
This document provides an overview of SELinux, including its introduction, access control mechanisms, policy, administration, and benefits. SELinux is a Linux security module that implements mandatory access controls to confine processes and restrict their access. It defines types for objects like files and directories, domains for processes, and roles to determine what access users and processes have. SELinux policy enforces these controls and can be configured through booleans and modified policy modules. It helps strengthen security by auditing access and confining services like web servers even if they are compromised by an attack.
This document provides an overview of Security Enhanced Linux (SELinux). It discusses what SELinux is, how it implements mandatory access control on Linux systems, and some basic SELinux concepts like types, users, roles, and the policy. It also covers installing SELinux on CentOS 7 and checking the mode.
• Each SELinux access control model is simple, but actually
access control is more complex
• Red Hat puts a lot of effort into SELinux, policy and utils for
SELinux usability
– Enlarging default policy modules
– Encouraging Policy module system
– Analyzing and generating policies from access violation log
The document discusses how firewalls are commonly bypassed using techniques like tunneling traffic over allowed protocols like HTTP and DNS. It provides an example attack scenario where a victim is infected via a client-side exploit delivered over HTTP. While ideal security would involve disconnecting systems, more practical approaches include deep packet inspection, application-aware firewalls, and host-based signatures to detect protocol misuse and anomalous traffic.
This Slide consists of the security topic comes in the Linux Platform only.
It basically changes the context of the files stored in the server or the client system and thus prevent the unauthorized access.
Agenda:
An in depth review of various security mechanisms in the kernel like those added by PAX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
The document discusses DDoS attacks and countermeasures. It begins with an overview of common DDoS attack types like botnet attacks and distributed reflected DNS attacks. It then discusses challenges like how easy it is to build botnets and buy them online. The document also covers the xFlash attack technique and new capabilities in Flash 9. The second part discusses countermeasures, emphasizing performance tuning, caching, scalability through architecture like shared nothing, and implementing defense in depth. It concludes by thanking the audience and asking for questions.
This short seminar presentation discusses the basic idea of my dissertation. It uncovers the main ideas of a three players conflict in missile guidance with bounded controls.
VoIP: Attacks & Countermeasures in the Corporate WorldJason Edelstein
Discusses VoIP security threats and countermeasures with a specific focus on the Cisco Call Manager implementations.
Additional information can be found at: http://www.senseofsecurity.com.au
Thomas Lang, University of California San Francisco: "Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures." Presented at the 2013 International Space Station Research and Development Conference, http://www.astronautical.org/issrdc/2013.
Certified Information Security Professional (CISP)vjgarciaq
El curso para la certificación CISP tiene como objetivo enseñarnos como proteger a nuestra organización de ataques
externos o internos a nuestros sistemas. Mediante una metodología de estudio práctica, aprenderemos las técnicas y
herramientas de última generación que utilizan los hackers para vulnerar la seguridad de los sistemas de información,
comprenderemos el cómo y el por qué de los diferentes tipos de ataques y, lo más importante, como crear una estructura
de defensa eficiente y proactiva.
Digital Astroturfing: Definition, typology, and countermeasures.Marko Kovic
This document outlines a framework for understanding digital astroturfing. It begins with defining digital astroturfing as manufactured, deceptive, strategic online activity by political actors meant to mimic grassroots activity. It then presents a typology that categorizes different types of digital astroturfing based on the target, initiating actor, and goal. Next, it describes the tools, venues, and actions used in digital astroturfing. The document discusses both restrictive and incentivizing countermeasures and notes the challenges of researching digital astroturfing given its clandestine nature.
This document is the introduction to a book about securing Microsoft Internet Information Services (IIS) for administrators and programmers. The book teaches computer professionals and information security specialists how to build secure solutions using IIS. It aims to help them secure and defend networked information systems to benefit end users, clients, and less technical coworkers, rather than teaching the tools and techniques used by hackers.
**Return-oriented programming** bezeichnet eine gewiefte IT-Angriffstechnik, die im Prinzip eine Verallgemeinerung von *return-to-libc*-Attacken ist, welche wiederum zu den *stack buffer overflow exploits* gehören.
Wem das alles nichts sagt - keine Angst: Im Vortrag werden zunächst die Grundlagen von Puffer-Überläufen und deren Angriffspotential erläutert und einige historische Beispiele aufgezeigt, bevor schrittweise die Brücke zu **ROP** geschlagen wird. Zum Abschluss werden kurz einige Abwehrmaßnahmen vorgestellt und im Hinblick auf Umsetzbarkeit und Wirkungsgrad bewertet.
So die Demo-Götter es wollen, wird live u.A. ein Beispiel-Programm mithilfe von **ROP**-Tools gecrackt.
Designing Countermeasures For Tomorrows ThreatsDarwish Ahmad
Abstract:
Internet and network security is the most important and top priority issues for almost all types of organizations, for instance, military divisions, ministries, banks, other public and private sectors, and even to everyone who concerns it.
These organizations may use security mechanisms to protect their assets safe against evil and attackers, but most of the security countermeasures that they use are based on known attacks, threats and vulnerabilities. They hardly pay attention to protect their assets against unknown and new types of attacks, threats and vulnerabilities. Most of the organizations faced to challenges the new types of unknown attacks and threats.
This research paper's main aim is to focus and study approaches and solutions against the unknown attacks and threats, and therefore, titled Designing Countermeasures for Tomorrows Threats to make the organizations enable to detect new types attacks, threats or vulnerabilities before they damage their assets or systems.
In addition, the outcome of this research paper will give the chance to the organizations to learn who is attacking their systems, how they are being attacked, and what the attackers are trying to achieve. The concepts that this research paper (thesis) used for Designing Countermeasures for Tomorrows Threats are Honeypot and Honeynet systems.
Honeypot and Honeynet Systems are one of the most interesting and well-known concepts for all the security professionals to know their enemies and identify their weakness. Worth mentioning that most of the countries i.e. Iran, Pakistan, India, Saudi Arabia, Germany and Polish are using these concepts to protect their internal networks and assets against the attackers. Besides, there are a great number of security organizations and communities that use these concepts for research to learn and educate public about new types of attacks, threats and vulnerabilities naming Honeynet Project, Norse, FireEye, WorldMap and Global Botnet Threat Activity.
This thesis implemented most of the existed-based technologies on the concept of Honeypot and Honeynet systems both open source and close source. Finally suggest and recommend the best solution for Afghanistan to protect its internal networks especially important organizations like Ministry of Interior and other ministries and sectors.
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"Alonso Caballero
Este documento anuncia un webinar gratuito sobre herramientas gráficas en Kali Linux 2.0 dictado por Alonso Eduardo Caballero Quezada, instructor y consultor en hacking ético, informática forense y GNU/Linux. El webinar se llevará a cabo el 3 de noviembre de 2016 y presentará las ventajas de usar herramientas gráficas en Kali Linux, así como demostraciones de dichas herramientas.
This document outlines a presentation on finding cryptographic secrets using Google searches. It covers advanced Google search parameters and examples of hacking techniques. The presentation will discuss finding hashed passwords, secret keys, public keys, private keys, encrypted messages, and signed messages through Google searches. Automatic tools for searching are also mentioned, as well as countermeasures to prevent discovery of sensitive information.
The term Massively Parallel BigData Processor names a recent advance in bigdata processing technology which has advanced from the traditional distributed processing represented by Hadoop to modern parallel processing represented by various multicore and manycore architectures. The problem in massively parallel systems is the irregularity which is when a single item -- can be referred to as a blackswan -- incurs much more processing cost than the majority of items. This paper discusses the respective countermeasures divided into (1) distribution and (2) runtime models and optimizations. The differences between multicore and manycore cases is also discussed, where the latter is represented by the currently default design with tiles and n-neighbor switching.
Owasp Top 10 And Security Flaw Root CausesMarco Morana
The document discusses root causes of common web application security flaws and vulnerabilities known as the OWASP Top 10. It provides an overview of tactical and strategic approaches to address these issues, including threat modeling, mapping vulnerabilities to application architecture, and implementing security by design principles. Specific guidelines are given for securely handling authentication, authorization, cryptography, sessions, input validation, errors and logging.
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
Air-gapped networks are isolated, separated both logically and physically from public networks. For example, military, industrial, and financial networks. Although the feasibility of invading such systems has been demonstrated in recent years, communication of data to/from air-gapped networks is a challenging task to attackers to perpetrate, an even more difficult threat to defend against.
New methods of communicating with air gapped networks are currently being exposed, some advanced and difficult to mitigate. These new found vulnerabilities have wide reaching implications on what we considered to be a foolproof solution to network security –the placement of a physical air gap.
But it doesn’t stop there – new techniques of covertly getting information in and out of air gapped networks are being exposed. Thus it is important not only to publicize these vectors of attack, but their countermeasures and feasibility as well.
In this talk, we will outline the steps an attacker must take in order to bridge an air gapped network. We will review the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one’s countermeasures and feasibility. Most of techniques in this talk were discovered in our labs by researcher Mordichai Guri under the supervision of Prof. Yuval Elovici.
--- Mordechai Guri
Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his Bsc and Msc Suma Cum Laude, from the computer science department at the Hebrew University of Jerusalem.
--- Yisroel Mirsky
Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University.
--- Yuval Elovici
Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Information Systems Engineering at BGU.
The document discusses the importance of conducting thorough site surveys and risk management assessments. It outlines a 6-step process for assessing assets, threats, vulnerabilities, risks, countermeasures, and making risk management decisions. The process involves identifying critical assets, potential threats, existing vulnerabilities, likelihood and impact of risks, cost-effective countermeasures, and selecting strategies to reduce risks to acceptable levels. Conducting a comprehensive risk assessment is essential to developing effective security plans to protect clients and personnel.
Secure routing in wsn-attacks and countermeasuresMuqeed Abdul
1) The document discusses security issues in wireless sensor networks, specifically focusing on attacks against routing protocols and potential countermeasures. It outlines common attacks like spoofing, selective forwarding, sinkhole attacks, Sybil attacks, wormholes, and HELLO flood attacks.
2) The document then discusses countermeasures against each type of attack, such as link layer security, identity verification, verification of link bidirectionality, multipath routing, and better protocol design.
3) Finally, the document emphasizes that routing protocols for wireless sensor networks must be designed with security in mind to effectively defend against both insider and outsider adversaries.
Web application security: Threats & CountermeasuresAung Thu Rha Hein
The document discusses security fundamentals, threats and countermeasures for a three-tiered web application. It covers principles of defense in depth and least privilege. It also describes the anatomy of a web attack and categories of threats including STRIDE (spoofing, tampering, etc.). Network, host and application level threats and countermeasures are examined. Input validation, authentication, session management and other areas are identified as needing security measures.
Workshop on Root Cause Analysis tools: Ask Why five times and fishbone (Ishikawa) diagram. I use this to teach basic concepts and give people an experience of using the tools.
Sitio Web: http://www.reydes.com
e-mail: caballero.alonso@gmail.com
Las técnicas antiforenses son cualquier cambio intencional o accidental las cuales pueden oscurecer, cifrar, u ocultar datos de la herramientas forenses. Muy pocas técnicas antiforenses funcionan de la forma en la cual se podría esperar, creyendo es factible ocultar huellas. El intentar hacer esto frecuentemente solo ayuda al investigador a conocer los lugares donde buscar y descubrir evidencia digital.
Java runtime takes care of security baselines but cross-site scripting, cross-site request forgery, and outdated third-party libraries still pose risks. The document recommends validating all input, escaping all output, using security libraries, implementing content security policies and anti-CSRF tokens, and testing dependencies and defenses. Developers are responsible for application security.
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid
As the movement of applications from bare metal to the cloud continues, considerations around analytics and tracing are becoming more prevalent for security, monitoring, and accounting. As an open source project under the Linux Foundation, the IO Visor Project is working with the kernel community on extending BPF (eBPF) and is being used by many companies for security, tracing, and analytics. This talk will describe how an OpenStack micro-segmentation framework using eBPF can be utilized for analytics and tracing to secure application workloads. Use cases around application security, intrusion detection using service insertion, identity will be described. While networking is one piece of the solution, sandboxing applications to avoid attacks is also important. We will also touch upon how eBPF technology and a unified policy framework can secure application workloads in areas beyond networking.
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
Vulnerability Management Nirvana: A Study in Predicting Exploitability
When everything is a priority, nothing is. 15% or 10,000 vulnerabilities have a CVSS score of 10. Vendors and practitioners alike use CVSS or their own threat intelligence models to predict which vulnerabilities will be exploited next. We review current options, present a predictive data-driven prioritization model, and how attendees can get started using our approach in their vulnerability management program.
Open source tools and standards dominate the field of information security due to their collaborative development model and widespread availability. This includes programming languages like Python and GCC used to create network security tools, open standards like TCP exploited to build tools like Nmap, and security distributions like Kali Linux that contain hundreds of security tools. However, application layer vulnerabilities still pose major risks despite advantages of open source, and additional training resources are needed to fully leverage the open security ecosystem.
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client.
In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
This document discusses the history and causes of software security problems. It begins with a brief history of attacks on systems like UNIX and web applications. Important causes of security problems mentioned include buggy software and vulnerable users. The document argues that security is often a secondary concern compared to functionality. It also discusses challenges like the tradeoff between security and convenience. Approaches to improving security discussed include raising awareness of vulnerabilities, secure development practices, and the use of security technologies.
Lessons Learned from Porting HelenOS to RISC-VMartin Děcký
HelenOS is an open source operating system based on the microkernel multiserver design principles. One of its goals is to provide excellent target platform portability. From the time of its inception, HelenOS already supported 4 different hardware platforms and currently it supports platforms as diverse as x86, SPARCv9 and ARM. This talk presents practical experiences and lessons learned from porting HelenOS to RISC-V.
While the unprivileged (user space) instruction set architecture of RISC-V has been declared stable in 2014, the privileged instruction set architecture is technically still allowed to change in the future. Likewise, many major design features and building blocks of HelenOS are already in place, but no official commitment to ABI or API stability has been made yet. This gives an interesting perspective on the pros and cons of both HelenOS and RISC-V. The talk also points to some possible research directions with respect to hardware/software co-design.
Security Content Automation Protocol and Web Application SecurityMichael Smith
The document introduces the Security Content Automation Protocol (SCAP) which comprises a suite of specifications for organizing and expressing security-related information in standardized ways. SCAP can be used to automatically verify the installation of patches, check system security configuration settings, and examine systems for signs of compromise. It then describes some of the key components of SCAP including XCCDF for security checklists, OVAL for auditing, CCE for configuration guides, CPE for environment descriptions, CVE for vulnerability disclosures, and CVSS for vulnerability impact scoring. The document encourages using SCAP to automate security tasks wherever possible and contributing new SCAP content.
Securing your web apps before they hurt the organizationAntonio Fontes
This document summarizes a presentation on securing web projects. It discusses how vulnerabilities commonly occur during design, implementation, and deployment phases due to issues like incomplete specifications, lack of security requirements analysis, coding mistakes, and insecure default configurations. The presentation covers common web attacks, secure development principles, and steps organizations can take to move from a reactive to proactive security posture.
This document discusses customizing Security Content Automation Protocol (SCAP) content for openSUSE. It begins with an introduction to SCAP and its components like OVAL, XCCDF, and OCIL. It notes that while OVAL definitions exist for openSUSE, an XCCDF benchmark is needed to enable compliance testing. The document considers customizing an existing SLES or RHEL XCCDF file by changing platform identifiers and related files. It demonstrates using the oscap tool to evaluate a customized RHEL XCCDF benchmark against an openSUSE system and generating results. Further work is needed to fully adapt the customized XCCDF content to the openSUSE standard and profile for compliance benchmarks.
Vulnerability Intelligence and Assessment with vulners.comAlexander Leonov
This document provides an overview of the Vulners Project, which aggregates vulnerability data from multiple sources to provide a comprehensive and machine-readable database. It describes Vulners' goals of being a centralized vulnerability search engine and information security "Google". Key features highlighted include a fast search engine, API, RSS feeds, email subscriptions, and tools for vulnerability scanning and auditing Linux systems. The document encourages integration of Vulners' data and using their free services for applications like security scanners and threat intelligence.
Dive into the realm of cybersecurity mastery with our Advanced Penetration Testing course! 🌐💻 Unleash your skills in ethical hacking, vulnerability assessment, and secure system fortification. This advanced training goes beyond the basics, providing hands-on experience in navigating complex security landscapes. Elevate your expertise and become a guardian against evolving cyber threats. Join us in this transformative journey where you'll learn to think like a hacker to better defend against cyber adversaries. 🛡️🚀 Don't just secure systems; become the formidable defender every digital landscape needs. Enroll now and level up your penetration testing prowess!
Click on the links given to contact us📳
🌐 https://certhippo.com/page/courses/comptia
📧 info@certhippo.com
📱 https://wa.me/+13029562015
☎️ +1 302 956 2015
#certhippo #AdvancedPenTesting #EthicalHacking #CybersecurityMastery #SecureYourNetwork #PenTestExpertise #HackerMindset #HandsOnTraining #CyberDefense #InfoSecPro #DigitalGuardian #SecurityLandscape #ElevateYourSkills #DefendAgainstThreats #EnrollNow #ExpertCyberDefender #CyberSecurityTraining #PenTestMastery #TechSkills #TransformativeLearning #CybersecurityGuardian #HackersBeware #LevelUpYourSecurity
This document discusses vulnerabilities in antivirus software. It begins by noting that over 165 vulnerabilities have been reported in antivirus software in the past 4 years according to the US National Vulnerability Database. It then examines why antivirus software is a target for attackers, including that users have blind faith in it and its error-prone nature in processing many file formats. The document outlines techniques used to find vulnerabilities, including source code audits, reverse engineering, and fuzzing. It also looks at exploiting found vulnerabilities, such as through weak permissions. The overall aim is to raise awareness of security issues in antivirus products.
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Empowering Application Security Protection in the World of DevOpsIBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
The document provides an overview of the Security Content Automation Protocol (SCAP), which is a set of standards for automating security compliance and vulnerability management. SCAP includes six specifications for representing system state, vulnerabilities, and security configurations. It allows organizations to standardize how they express security information and ensure interoperability of security tools. The specifications include languages like OVAL and XCCDF, enumerations like CVE and CCE, and scoring systems like CVSS. SCAP content combines elements from the specifications to assess security configuration compliance.
17ª edição da Security BSides São Paulo, uma conferência gratuita sobre segurança da informação e cultura hacker, também conhecida como BSidesSP.
Desta vez, estivemos duplamente representados pelo nosso Head de Produto, Leonardo Pinheiro e pelo nosso Head of Threat and Detection Research, Rodrigo Montoro. Imperdível! ;)
Ambos apresentaram a palestra "Exploit Prediction Scoring System (EPSS) – Aperfeiçoando a priorização de vulnerabilidades de forma efetiva". Confira!
This document provides a checklist of secure coding practices for software developers. It covers topics such as input validation, output encoding, authentication, session management, access control, cryptography, error handling, data protection, and general coding practices. Implementing the practices in this checklist can help mitigate common software vulnerabilities and security issues. The document recommends defining security roles and responsibilities, providing training, and following a secure software development lifecycle model.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Similar to Security, Hack1ng and Hardening on Linux - an Overview (20)
SOCRadar's Aviation Industry Q1 Incident Report is out now!
The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers.
SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Drona Infotech is a premier mobile app development company in Noida, providing cutting-edge solutions for businesses.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Top 9 Trends in Cybersecurity for 2024.pptxdevvsandy
Security and risk management (SRM) leaders face disruptions on technological, organizational, and human fronts. Preparation and pragmatic execution are key for dealing with these disruptions and providing the right cybersecurity program.
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
Oracle 23c New Features For DBAs and Developers.pptx
Security, Hack1ng and Hardening on Linux - an Overview
1. Linux OS : Security and Hardening – An Overview
The Linux OS -The Linux OS -
Security and Hardening OverviewSecurity and Hardening Overview
for Developersfor Developers
Focus on Buffer OverflowFocus on Buffer Overflow
With a PoC on the ARM ProcessorWith a PoC on the ARM Processor
kaiwanTECHkaiwanTECH
http://kaiwantech.inhttp://kaiwantech.in
2. Linux OS : Security and Hardening – An Overview
Linux OS – Security and Hardening
● Agenda
– Basic Terminology
– Current State
● Linux kernel vulnerability stats
● “Security Vulnerabilities in Modern OS’s” - a few slides
– Tech Preliminary: the process Stack
– BOF Vulnerabilities
● What is BOF
● Why is it dangerous?
● [Demo: a PoC on the ARM processor]
3. Linux OS : Security and Hardening – An Overview
Linux OS – Security and Hardening
● Agenda (contd.)
– Modern OS Hardening Countermeasures
● Using Managed programming languages
● Compiler protection
● Libraries
● Executable space protection
● ASLR
● Better Testing
– Conclusion + Q&A
4. Mar 16, 2017 kaiwanTECH
4
Linux OS : Security and Hardening – An Overview
Basic Terminology
Source - Wikipedia
Vulnerability
In computer security, a vulnerability is a weakness which allows an
attacker to reduce a system's information assurance.
Vulnerability is the intersection of three elements: a system susceptibility
or flaw, attacker access to the flaw, and attacker capability to exploit the
flaw.
A software vulnerability is a security flaw, glitch, or weakness found
in software or in an operating system (OS) that can lead to security
concerns. An example of a software flaw is a buffer overflow.
5. Mar 16, 2017 kaiwanTECH
5
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
Source - Wikipedia
Exploit
In computing, an exploit is an attack on a computer system,
especially one that takes advantage of a particular vulnerability
that the system offers to intruders.
Used as a verb, the term refers to the act of successfully
making such an attack.
6. Mar 16, 2017 kaiwanTECH
6
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
Source: CVEdetails
What is an "Exposure"?
An information security exposure is a mistake in software
that allows access to information or capabilities that can be
used by a hacker as a stepping-stone into a system or
network.
7. Mar 16, 2017 kaiwanTECH
7
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
● What is CVE? [Source]
– “Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE
Identifiers) for publicly known cybersecurity vulnerabilities. CVE's common identifiers make it
easier to share data across separate network security databases and tools, and provide a
baseline for evaluating the coverage of an organization’s security tools. ...”
– CVE is
● One name for one vulnerability or exposure
● One standardized description for each vulnerability or exposure
● A dictionary rather than a database
● How disparate databases and tools can "speak" the same language
● The way to interoperability and better security coverage
● A basis for evaluation among tools and databases
● Free for public download and use
● Industry-endorsed via the CVE Numbering Authorities, CVE Board, and CVE-Compatible
Products
8. Mar 16, 2017 kaiwanTECH
8
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
What is a CVE Identifier?
CVE Identifiers (also called "CVE names," "CVE numbers," CVE-IDs," and "CVEs")
are unique, common identifiers for publicly known information security vulnerabilities.
Each CVE Identifier includes the following:
●
CVE identifier number (i.e., "CVE-1999-0067").
●
Indication of "entry" or "candidate" status.
●
Brief description of the security vulnerability or exposure.
●
Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
●
CVE Identifiers are used by information security product/service vendors and
researchers as a standard method for identifying vulnerabilities and for cross-linking
with other repositories that also use CVE Identifiers.
CVE FAQs Page
9. Mar 16, 2017 kaiwanTECH
9
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
CVE Identifier –
Old and New Syntax
● Practically, from Jan 2015
10. Mar 16, 2017 kaiwanTECH
10
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
A CVE Example
● CVE-2014-0160 [aka “Heartbleed”]
● Description:
– The (1) TLS and (2) DTLS implementations in OpenSSL
1.0.1 before 1.0.1g do not properly handle Heartbeat
Extension packets, which allows remote attackers to
obtain sensitive information from process memory via
crafted packets that trigger a buffer over-read, as
demonstrated by reading private keys, related to
d1_both.c and t1_lib.c, aka the Heartbleed bug.
11. Mar 16, 2017 kaiwanTECH
11
Linux OS : Security and Hardening – An Overview
12. Mar 16, 2017 kaiwanTECH
12
Linux OS : Security and Hardening – An Overview
Basic Terminology
(contd.)
Most software security vulnerabilities fall into one of a
small set of categories:
● buffer overflows
● unvalidated input
● race conditions
● access-control problems
● weaknesses in authentication, authorization, or
cryptographic practices
Source
13. Mar 16, 2017 kaiwanTECH
13
Linux OS : Security and Hardening – An Overview
CWE - Common Weakness Enumeration - Types of Exploits
14. Mar 16, 2017 kaiwanTECH
14
Linux OS : Security and Hardening – An Overview
Linux kernel – Vulnerability Stats
Source (CVEdetails)
(1999 to date)
15. Mar 16, 2017 kaiwanTECH
15
Linux OS : Security and Hardening – An Overview
Linux kernel – Vulnerability Stats
Source (CVEdetails)
(1999 to date)
16. Mar 16, 2017 kaiwanTECH
16
Linux OS : Security and Hardening – An Overview
Security Vulnerabilities in Modern Operating
Systems
By Cisco, Canada, April 2014.
All rights with Cisco.
“The Common Exposures and Vulnerabilities database has
over 25 years of data on vulnerabilities in it. In this deck we
dig through that database and use it to map out trends and
general information on vulnerabilities in software in the last
quarter century. For more information please visit our
website: http://www.cisco.com/web/CA/index.html ”
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
17. Mar 16, 2017 kaiwanTECH
17
Linux OS : Security and Hardening – An Overview
OS Security Vulnerabilities
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
18. Mar 16, 2017 kaiwanTECH
18
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
19. Mar 16, 2017 kaiwanTECH
19
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
20. Mar 16, 2017 kaiwanTECH
20
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
21. Mar 16, 2017 kaiwanTECH
21
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
22. Mar 16, 2017 kaiwanTECH
22
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
23. Mar 16, 2017 kaiwanTECH
23
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
24. Mar 16, 2017 kaiwanTECH
24
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
25. Mar 16, 2017 kaiwanTECH
25
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
26. Mar 16, 2017 kaiwanTECH
26
Linux OS : Security and Hardening – An Overview
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
27. Mar 16, 2017 kaiwanTECH
27
Linux OS : Security and Hardening – An Overview
OS Security Vulnerabilities
Source: Security Vulnerabilities in Modern Operating Systems, Cisco, Apr 2014
END “Security Vulnerabilities in Modern Operating Systems”
CISCO Presentation Slides
28. Mar 16, 2017 kaiwanTECH
28
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
What exactly is a buffer overflow (BOF)?
●
Prerequisite – an understanding of the process stack!
●
Lets write some simple ‘C’ code to understand this first-hand.
●
[An Aside: As we shall soon see, nowadays several mitigations/hardening technologies exist to
help prevent BOF attacks. So, sometimes the question (SO InfoSec) arises: “
Should I bother teaching buffer overflows any more?”:
Short answer, “YES”:
“… Yes. Apart from the systems where buffer overflows lead to successful exploits, full
explanations on buffer overflows are always a great way to demonstrate how you should think
about security. Instead on concentrating on how the application should run, see what can be done
in order to make the application derail.
Also, regardless of stack execution and how many screaming canaries you install, a buffer overflow is
a bug. All those security features simply alter the consequences of the bug: instead of a remote shell,
you "just" get an immediate application crash. Not caring about application crashes (in particular
crashes which can be triggered remotely) is, at best, very sloppy programming. ...”
Preliminaries – the STACK
29. Mar 16, 2017 kaiwanTECH
29
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The Classic Case
Lets imagine that here is part of the (drastically
simplified) Requirement Spec for a console-based
app:
● Write a function ‘foo()’ that accepts the user’s
name, email id and employee number
Preliminaries – the STACK
30. Mar 16, 2017 kaiwanTECH
30
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The Classic Case – function foo() implemented below by app
developer in ‘C’:
[...]
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
Preliminaries – the STACK
31. Mar 16, 2017 kaiwanTECH
31
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● Why have a “stack” at all ?
– Humans write code using a 3rd
or 4th
generation
high-level language (well, most of us
anyway :-)
– The processor hardware does not ‘get’ what a
function is, what parameters and return values
are!
Preliminaries – the STACK
32. Mar 16, 2017 kaiwanTECH
32
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The Classic Case – function foo() implemented below by app
developer in ‘C’:
[...]
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
A local buffer, hence allocated
on the process stack
Preliminaries – the STACK
33. Mar 16, 2017 kaiwanTECH
33
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● So, what really, is this process stack ?
– it’s just memory treated with special semantics
– Uses a “PUSH / POP” model
– “Grows” towards lower (virtual) addresses; called a
“downward-growing stack”
● this attribute is processor-specific; it’s the case for most
modern CPUs, including x86, x86_64, ARM and ARM64)
Preliminaries – the STACK
34. Mar 16, 2017 kaiwanTECH
34
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● Why have a “stack” at all ?
– The saviour: the compiler generates assembly
code which enables the function-calling-and-
return mechanism
– By making use of the stack!
● How exactly?
… Aha ...
Preliminaries – the STACK
35. Mar 16, 2017 kaiwanTECH
35
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● The Stack
– When a program calls a function, the compiler
generates code to setup a call stack, which consists
of individual stack frames
– A stack frame can be visualized as a “block”
containing all the metadata necessary for the system
to process the “function” call and return
● Access it’s parameters, if any
● Allocate it’s local variables
● Execute it’s code (text)
● Return a value as required
Preliminaries – the STACK
36. Mar 16, 2017 kaiwanTECH
36
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● The Stack Frame
– Hence, the stack frame will require a means to
– Locate the previous (caller’s) stack frame (achieved
via the SFP – Stack Frame Pointer)
– Gain access to the function’s parameters
– Store the address to which control must continue,
IOW, the RETurn address
– Allocate storage for the function’s local variables
– Turns out that the exact stack frame layout is very
processor-dependant (depends on it’s ABI, calling
conventions)
Preliminaries – the STACK
37. Mar 16, 2017 kaiwanTECH
37
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● Recall our simple ‘C’ code:
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
Preliminaries – the STACK
38. Mar 16, 2017 kaiwanTECH
38
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● Have it called from main()
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
}
Preliminaries – the STACK
39. Mar 16, 2017 kaiwanTECH
39
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● When main() calls foo(), a stack frame is setup (as part
of the call stack)
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
}
Preliminaries – the STACK
40. Mar 16, 2017 kaiwanTECH
40
Linux OS : Security and Hardening – An Overview
Call StackCall Stack
..
..
..
Call StackCall Stack
..
..
..
Buffer Overflow (BOF)
● When main() calls foo(),
a stack frame is setup
(as part of the call stack)
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
} *va = virtual addresses
Stack Frame for
main()
Stack Frame for
main()
Stack Frame for
foo()
Stack Frame for
foo()
Preliminaries – the STACK
SP (top of the stack)
Lowest address
Increasing
va*
41. Mar 16, 2017 kaiwanTECH
41
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● When main() calls foo(), a stack frame is setup (as part
of the call stack)
static void foo(void)
{
char local[12];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
} *va = virtual addresses
Call Stack
.
.
.
Call Stack
.
.
.
Stack Frame for
main()
Stack Frame for
main()
Stack Frame for
foo()
Stack Frame for
foo()
Preliminaries – the STACK
SP (top of the stack)
Lowest address
Increasing
va*
42. Mar 16, 2017 kaiwanTECH
42
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● When main() calls foo(), a stack frame is setup (as part
of the call stack)
static void foo(void)
{
char local[12];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
} *va = virtual addresses
Call Stack
.
.
.
Call Stack
.
.
.
Stack Frame for
main()
Stack Frame for
main()
Stack Frame for
foo()
Stack Frame for
foo()
… Parameters ...
RET Address
SFP
… Local variables ...
… Parameters ...
RET Address
SFP
… Local variables ...
SFP = Saved Frame Pointer
Preliminaries – the STACK
Increasing
va*
SP (top of the stack)
Lowest address
43. Mar 16, 2017 kaiwanTECH
43
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Wikipedia on BOF
In computer security and programming, a buffer
overflow, or buffer overrun, is an anomaly
where a program, while writing data to a buffer,
overruns the buffer's boundary and overwrites
adjacent memory locations.
44. Mar 16, 2017 kaiwanTECH
44
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Recall:
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
}
A Simple BOF
45. Mar 16, 2017 kaiwanTECH
45
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
At runtime
static void foo(void)
{
char local[128];
printf(“Name: ”);
gets(local);
[...]
}
void main() {
foo();
}
A Simple BOF
params -none-
RET addr
SFP = main’s stack frame
… Local variables …
128 bytes
<empty>
foo() ‘s stack frame
4128bytes4
main() ‘s stack frame
Increasing
va*
SP (top of the stack)
Lowest address
46. Mar 16, 2017 kaiwanTECH
46
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Lets give it a spin-
$ gcc getdata.c -o getdata
[...]
$
$ printf "AAAABBBBCCCCDDDD" |./getdata
Name: Ok, about to exit...
$
A Simple BOF
47. Mar 16, 2017 kaiwanTECH
47
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, step by step:
Step 1 of 4 :
Prepare to execute;
main() is called
$ gcc getdata.c -o getdata
[...]
$
$ printf "AAAABBBBCCCCDDDD"
| ./getdata
A Simple BOF
main() ‘s stack frame
params -none-
RET addr
SFP = main’s stack frame
… Local variables …
128 bytes
<empty>
4128bytes4
SP (top of the stack)
Lowest address
Increasing
va*
48. Mar 16, 2017 kaiwanTECH
48
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, step by step:
Step 2 of 4 :
Input 16 characters into the
local buffer via the gets();
$ gcc getdata.c -o getdata
[...]
$
A Simple BOF
main() ‘s stack frame
foo() ‘s stack frame
params -none-
RET addr
SFP = main’s stack frame
… Local variables …
128 bytes
0x43434343 0x44444444
0x41414141 0x42424242
Increasing
va*
SP (top of the stack)
4128bytes4$ printf "AAAABBBBCCCCDDDD" |./getdata
16 chars
written into the stack
@ var ‘local’
All okay!All okay!All okay!All okay!
‘local’ 128 bytes
<empty>
49. Mar 16, 2017 kaiwanTECH
49
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, step by step:
Step 3 of 4 :
Input 128+4+4 = 136 characters
into the local buffer via the gets();
thus Overflowing it!
$ gcc getdata.c -o getdata
[...]
$
$ printf "AAAABBBBCCCCDDDD"
AAAABBBBCCCCDDDD$
A Simple BOF – Action!
0x41414141 0x41414141
[...]
0x41414141 0x41414141
0x41414141 0x41414141
0x41414141 0x41414141
0x41414141 0x41414141
main() ‘s stack frame
foo() ‘s stack frame
params -none-
RET addr
SFP
SP (top of the stack)
4128bytes4perl -e 'print "A"x136' |./getdata ‘local’ 128 bytes
<empty>
136 chars
written into
the stack @ var ‘local’
Increasing
va*
50. Mar 16, 2017 kaiwanTECH
50
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, step by step:
Step 4 of 4 :
Input 128+4+4 = 136 characters
into the local buffer via the gets();
thus Overflowing it!
$ gcc getdata.c -o getdata
[...]
$
$ printf "AAAABBBBCCCCDDDD"
AAAABBBBCCCCDDDD$
A Simple BOF – Action!
params -none-
RET addr = 0x41414141
SFP = 0x41414141
0x41414141 0x41414141
[...]
0x41414141 0x41414141
0x41414141 0x41414141
0x41414141 0x41414141
0x41414141 0x41414141
136 chars
(ASCII ‘A’ = 0x41)
written into
the var ‘local’
4128bytes4
main() ‘s stack frame
foo() ‘s stack frame
SP (top of the stack)
Why?
As the processor tries to return to the
designated RET address,
it attempts to access and
execute code at
virtual address 0x41414141
that isn’t really there or is illegal
perl -e 'print "A"x136' |./getdata
Segmentation fault
$
It segfaults !It segfaults !
Increasing
va*
OVERWRITESOVERWRITES
51. Mar 16, 2017 kaiwanTECH
51
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
A physical buffer
overflow: The
Montparnasse
derailment of 1895
Source: “Secure Programming HOWTO”, David Wheeler
A Simple BOF / Dangerous?
52. Mar 16, 2017 kaiwanTECH
52
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, it crashed.
So what? … you say
No danger, just a bug
to be fixed...
A Simple BOF / Dangerous?
53. Mar 16, 2017 kaiwanTECH
53
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Okay, it crashed.
So what? … you say …
No danger, just a bug to be fixed…
It IS DANGEROUS !!!
Why??
A Simple BOF / Dangerous?
54. Mar 16, 2017 kaiwanTECH
54
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Recall why the app crashed (segfault-ed):
– The RETURN address was set to an incorrect/bogus/junk
value (0x41414141)
● Instead of just crashing the app, a hacker will craft the RET
address to a deliberate value – code that (s)he wants
executed!
● How exactly?
A Simple BOF / Dangerous?
55. Mar 16, 2017 kaiwanTECH
55
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Instead of running the app like this:
$ perl -e 'print "A"x136' | ./getdata
which would cause it to just segfault,
how about this:
$ perl -e 'print "A"x132 . "x49x8fx04x78"'
| ./getdata
A Simple BOF / Dangerous?
56. Mar 16, 2017 kaiwanTECH
56
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload, or ‘crafted buffer’ is:
payload = 128 A’s + <SFP value> + <RET addr>
= AAAAA...AAAA + AAAA + 0x498f0478
● As seen, given a local buffer of 128 bytes, the overflow spills into the
higher addresses of the stack
● In this case, the overflow is 4+4 bytes
● Which overwrites the
– SFP (Saved Frame Pointer – essentially pointer to prev stack frame),
and the
– RETurn address, on the process stack
● … thus causing control to be re-vectored to the RET address!
● We thus have Arbitrary Code Execution (which could
result in privilege escalation, a backdoor, etc)!
A Simple BOF / Dangerous?
57. Mar 16, 2017 kaiwanTECH
57
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be used to deploy an
attack in many forms:
● Direct code execution: executable machine code
“injected” onto the stack, with the RET address
arranged such that it points to this code
● Indirect code execution:
– To internal program function(s)
– To external library function(s)
A Simple BOF / Dangerous?
58. Mar 16, 2017 kaiwanTECH
58
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many
forms:
● Direct executable machine code “injected” onto the
stack, with the RET address arranged such that it points
to this code
– What code?
– Typically, a variation of the machine language for:
seteuid(0);
execl(“/bin/sh”, “sh”, 0);
A Simple BOF / Dangerous?
59. Mar 16, 2017 kaiwanTECH
59
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many
forms:
seteuid(0);
execve(“/bin/sh”, argv, 0);
● Collection of shellcode!
http://shell-storm.org/shellcode/
– Eg. 1 : setuid(0); execve(/bin/sh,0)
http://shell-storm.org/shellcode/files/shellcode-472.php
● Or, use the Google Hacking DB (GHDB), or
● Explot-DB (Offensive Security)
A Simple BOF / Dangerous?
60. Mar 16, 2017 kaiwanTECH
60
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many
forms:
– Eg. 2 : adds a root user no-passwd to /etc/passwd
(84 bytes)
char shellcode[]=
"x31xc0x31xdbx31xc9x53x68x73x73x77"
"x64x68x63x2fx70x61x68x2fx2fx65x74"
"x89xe3x66xb9x01x04xb0x05xcdx80x89"
"xc3x31xc0x31xd2x68x6ex2fx73x68x68"
"x2fx2fx62x69x68x3ax3ax2fx3ax68x3a"
"x30x3ax30x68x62x6fx62x3ax89xe1xb2"
"x14xb0x04xcdx80x31xc0xb0x06xcdx80"
"x31xc0xb0x01xcdx80";
A Simple BOF / Dangerous?
61. Mar 16, 2017 kaiwanTECH
61
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many forms:
● Indirect code execution:
– To internal program function(s)
– To external program function(s)
● Re-vector (forcibly change) the RET address such that control
is vectored to an - typically unexpected, out of the “normal”
flow of control - internal program function
<<
(Time permitting :-)
Demo of a BOF PoC on ARM Linux, showing
precisely this
>>
A Simple BOF / Dangerous?
62. Mar 16, 2017 kaiwanTECH
62
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many
forms:
● Indirect code execution:
– To internal program function(s)
– To external library function(s)
● Revector (forcibly change) the RET address such
control is vectored to an - typically unexpected, out of
the “normal” flow of control - external library function
A Simple BOF / Dangerous?
63. Mar 16, 2017 kaiwanTECH
63
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
The payload or ‘crafted buffer’ can be deployed in many forms:
● Re-vector (forcibly change) the RET address such that control is
vectored to an - typically unexpected, out of the “normal” flow of
control - external library function
● What if we re-vector control to a Std C Library (glibc) function:
– Perhaps to, say, system(char *cmd);
– Can setup the parameter (pointer to a command string) on the stack
– !!! Just think of the possibilities !!! - in effect, one can execute anything
– that’s pretty much exactly what the Ret2Libc hack / exploit is.
–
A Simple BOF / Dangerous?
64. Mar 16, 2017 kaiwanTECH
64
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
● MUST-SEE! Real Life Examples - gathers a few actual
attacks of different kinds- phishing, password, crypto, input,
BOFs, etc
● A few ‘famous’ (public) Buffer Overflow (BOF) Exploits
– 02 Nov 1988: Morris Worm – first network ‘worm’; exploits a
BoF in fingerd (and DEBUG cmd in sendmail). Article and
Details
– 15 July 2001: Code Red and Code Red II ; CVE-2001-0500
– 07 Apr 2014: Heartbleed ; CVE-2014-0160
● The Risks Digest
BoF + Other Attacks in the Real-World
65. Mar 16, 2017 kaiwanTECH
65
Linux OS : Security and Hardening – An Overview
Buffer Overflow (BOF)
Interesting!
● Mar 2017:
Hard Drive LED Allows Data Theft From Air-Gapped PCs
● Gaming console hacks – due to BOF exploits
– Jan 2003:
Hacker breaks Xbox protection without mod-chip
– PlayStation 2 Homebrew
– Wii Twilight hack
● 10 of the worst moments in network security history
BoF + Other Attacks in the Real-World
66. Mar 16, 2017 kaiwanTECH
66
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
● A modern OS, like Linux, will / should implement a number of countermeasures or
“hardening” techniques against vulnerabilities, and hence, potential exploits
● Reduces the attack surface
● Common Hardening Countermeasures include-
● Using Managed programming languages
● Compiler protection
● Library protection
● Executable space protection
● [K]ASLR
● Better Testing
67. Mar 16, 2017 kaiwanTECH
67
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Using Managed programming languages
●
Programming in C/C++ is widespread and popular
●
Pros- powerful, ‘close to the metal’, fast
●
Cons-
– Programmer handles memory
– Cause of many (most) memory bugs
– Which lead to insecure exploitable software
●
A ‘managed’ language uses a framework (eg .NET) and/or a virtual machine construct
●
Using a ‘managed’ language (Java, C#) greatly alleviates the burden of memory
management from the programmer to the ‘runtime’
●
Reality –
– Many languages are implemented in C/C++
– Real projects are usually a mix of managed and unmanaged code (eg. Android: Java
@app layer + C/C++/JNI/DalvikVM @middleware + C/Assembly @kernel/drivers layers)
● [Aside: ‘C’ outdated? See the TIOBE Index for Programming languages]
68. Mar 16, 2017 kaiwanTECH
68
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Compiler-level Protection
● Stack BOF Protection
– Early implementations include
● StackGuard (1997)
● ProPolice (IBM, 2001)
– GCC patches for stack-smashing protection
– GCC
● -fstack-protector flag (RedHat, 2005), and
● -fstack-protector-all flag
● -fstack-protector-strong flag (Google, 2012); gcc 4.9 onwards
● Early in Android (1.5 onwards) – all Android binaries include
this flag
69. Mar 16, 2017 kaiwanTECH
69
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Compiler-level Protection
● From Wikipedia:
“All Fedora packages are compiled with -fstack-protector since Fedora Core 5, and -fstack-
protector-strong since Fedora 20.[19]cite_ref-20cite_ref-20[20]
Most packages in Ubuntu are compiled with -fstack-protector since 6.10.[21]
Every Arch Linux package is compiled with -fstack-protector since 2011.[22]
All Arch Linux packages built since 4 May 2014 use -fstack-protector-strong.[23]
Stack protection is only used for some packages in Debian,[24] and only for the FreeBSD
base system since 8.0.[25] ...”
● How is the ‘-fstack-protector<-xxx>’ flag protection actually achieved?
– Typical stack frame layout:
[… local vars …] [CTLI] [RET addr] ; where [CTLI] is control information
(like the SFP)
– A random value, called a “canary”, is placed by the compiler in the stack
metadata, typically between the local variables and the RET address
– [… local vars …] [canary] [CTLI] [RET addr]
70. Mar 16, 2017 kaiwanTECH
70
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Compiler-level Protection
● How is the ‘-fstack-protector<-xxx>’ flag protection actually achieved?
[contd.]
– Before a function returns, the canary is checked (by instructions inserted by
the compiler into the function epilogue)
[… local vars …] [canary] [CTLI] [RET addr]
– If the canary has changed, it’s determined that an attack is underway (it
might be an unintentional bug too), and the process is aborted (if it occurs
in kernel-space, the Linux kernel panics!)
– The overhead is considered minimal
– [Exercise: try a BOF program. (Re)compile it with -fstack-protector gcc flag
and retry (remember, requires >= gcc-4.9)]
71. Mar 16, 2017 kaiwanTECH
71
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Compiler-level Protection
●
(Some) mitigation against a format-string attack:
– Use the GCC flags -Wformat-security -Werror=format-security
– Android
●
Oct 2008- disables use of “%n” format specifier
●
2.3 (Gingerbread) onwards uses the -Wformat-security and the -Werror=format-
security GCC flags for all binaries
● Using GCC _FORTIFY_SOURCE
– Lightweight protection against BOF in typical libc functions
– Wrappers around the following ‘typically dangerous’ functions:
● memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat,
strncat, sprintf, vsprintf, snprintf, vsnprintf, gets
– Must be used in conjunction with optimization directive:
-On -D_FORTIFY_SOURCE=n ; (n>=1)
– Eg. gcc prog.c -O2 -D_FORTIFY_SOURCE=2 -o prog -Wall <...>
– More details available here.
72. Mar 16, 2017 kaiwanTECH
72
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Compiler-level Protection
● (Full) Relro – Read-Only Relocation
– Marks the linker Global Offset Table (GOT) as RO
– Achieved by compiling with the linker options: -Wl,-z,now
– Android v4.4.1 onwards
● Address Sanitizer (ASan)
– ASan: “a programming tool that detects memory corruption bugs such as buffer overflows or
accesses to a dangling pointer (use-after-free). AddressSanitizer is based on compiler
instrumentation and directly-mapped shadow memory. AddressSanitizer is currently implemented
in Clang (starting from version 3.1[1]) and GCC (starting from version 4.8[2]). On average, the
instrumentation increases processing time by about 73% and memory usage by 340%.[3]”
– “Address sanitizer is nothing short of amazing; it does an excellent job at detecting nearly all buffer
over-reads and over-writes (for global, stack, or heap values), use-after-free, and double-free. It
can also detect use-after-return and memory leaks” Source
– Usage: just compile with the GCC flag: -fsanitize=address
● [SO] What is the most hardened set of options for GCC compiling
73. Mar 16, 2017 kaiwanTECH
73
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Libraries
● BOF exploits – how does one attack?
● By studying real running apps, looking for a weakness to
exploit (enumeration)
– f.e. the infamous libc gets() (and similar) function(s) in [g]libc!
● It’s mostly by exploiting these common memory bugs that an
exploit can be crafted and executed
● Thus, it’s Really Important that developers re-learn: we Must
Avoid using std lib functions which are not bounds-checked
– gets, sprintf, strcpy, scanf, etc
– Replaced with fgets, snprintf, strncpy, etc
74. Mar 16, 2017 kaiwanTECH
74
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Libraries
● Best to make use of “safe” libraries, especially for string handling
● Obviously, a major goal is to prevent security vulnerabilities
● Examples include
– The Better String Library
– Safe C Library
– Simple Dynamic String library
– Libsafe
– Also see:
Ch 6 “Library Solutions in C/C++Library Solutions in C/C++”, Secure Programming for UNIX and
● Source - Cisco Application Developer Security Guide
“… In recent years, web-based vulnerabilities have surpassed traditional buffer overflow attacks both in terms of
absolute numbers as well as the rate of growth. The most common forms of web-based attacks, such as cross-site
scripting (XSS) and SQL injection, can be mitigated with proper input validation.
Cisco strongly recommends that you incorporate the Enterprise Security API (ESAPI) Toolkit from the Open Web
Application Security Project (OWASP) for input validation of web-based applications. ESAPI comes with a set of
well-defined security API, along with ready-to-deploy reference implementations.”
75. Mar 16, 2017 kaiwanTECH
75
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Executable Space Protection
● The most common attack vector
– Inject shellcode onto the stack (or heap), typically via a BOF vuln
– Arrange to have the shellcode execute, thus gaining privilege (or a
backdoor)
● Modern processors have the ability to ‘mark’ a page with an NX (No
eXecute) bit
– So if we ensure that all pages of data regions like the stack, heap, BSS, etc
are marked as NX, then the shellcode holds no danger!
– The typical BOF (‘stack smashing’) attack relies on memory being
readable, writeable and executeable (rwx)
● MS calls it DEP (Data Execution Prevention)
76. Mar 16, 2017 kaiwanTECH
76
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Executable Space Protection
● Linux kernel
– Supports the NX bit from v2.6.8 onwards
– On processors that have the hardware capability
● Includes x86, x86_64 and x86_64 running in 32-bit mode
● x86_32 requires PAE to support NX
● (However) For CPUs that do not natively support NX, 32-bit Linux has
software that emulates the NX bit, thus protecting non-executable pages
● Check for NX hardware support (on Linux):
grep -w nx -q /proc/cpuinfo && echo "Yes" || echo
"Nope"
● A commit by Kees Cook (v2.6.38) ensures that even if NX support is
turned off in the BIOS, that is ignored by the OS and protection remains
77. Mar 16, 2017 kaiwanTECH
77
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Executable Space Protection
● Ref: https://en.wikipedia.org/wiki/NX_bit
● (More on) Processors supporting the NX bit
– Intel markets it as XD (eXecute Disable)
– AMD as ‘EVP’ - Enhanced Virus Protection
– ARM as XN – eXecute Never
– Android: As of Android 2.3 and later, architectures which support it have
non-executable pages by default, including non-executable stack and
heap.[1][2][3]
● ARMv6 onwards (new PTE format with XN bit)
● PowerPC
● Itanium, Alpha, SunSparc, etc too support it
78. Mar 16, 2017 kaiwanTECH
78
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
ASLR – Address Space Layout Randomization
● NX (or DEP) protects a system by not allowing arbitrary code execution on
non-text pages (stack/heap/data/BSS/etc)
● But it cannot protect against attacks that invoke legal code – like [g]libc
functions, system calls (as they’re in a valid text segment and are thus marked
as r-x in their resp PTE entries)
● In fact, this is the attack vector for what is commonly called Ret2Libc and ROP-
style attacks
● How can these be prevented?
– ASLR : by randomizing the layout of the process VAS (virtual address
space), an attacker cannot know (or guess) in advance the location (virtual
address) of glibc code, system call code, etc
– Hence, launching this attack inherently fails
79. Mar 16, 2017 kaiwanTECH
79
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
ASLR – Address Space Layout Randomization
● Note though:
– (K)ASLR is a statistical protection not an absolute one; it just adds an
additional layer of difficulty (depending on the # random bits available) for
an attacker, but does not inherently prevent attacks in any way
– Also, even with full ASLR support, a particular process may not have it’s
VAS randomized
– Why? Because this requires compile-time support - within the binary
executable too: the binary must be built as a Position independent
Executable (PIE)
● Process ASLR – turned On by compiling source with the -fPIE and -pie gcc
flags
● Information leakage (for eg. a known kernel pointer value) can completely
comprise the ASLR schema (example).
80. Mar 16, 2017 kaiwanTECH
80
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Better Testing
● Of course, most Q&A teams (as well as conscientious developers) will
devise, implement and run an impressive array of test cases for the
given product or project
● However, it’s usually the case that most of these fall into the positive
test-cases bracket (checks that the test yields the desired outcome)
● This approach will typically fail to find bugs and vulnerabilities that an
attacker probes for
– We have to adopt an “attacker” mindset (“set a thief to catch a thief”)
– We need to develop an impressive array of thorough negative test-
cases (which check whether the program-under-test fails correctly
and gracefully)
81. Mar 16, 2017 kaiwanTECH
81
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Better Testing
● A typical example:
the user is to pass a simple integer value:
– Have test cases been written to check that it’s within
designated bounds?
– Both positive and negative (integer overflow – IOF - bugs
are heavily exploited! ;
see SO: How is integer overflow exploitable?)
● From OWASP: “Arithmetic operations cause a number to either grow
too large to be represented in the number of bits allocated to it, or too
small. This could cause a positive number to become negative or a
negative number to become positive, resulting in
unexpected/dangerous behavior.”
82. Mar 16, 2017 kaiwanTECH
82
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Better Testing
● Food for thought
ptr = calloc(var_a*var_b, sizeof(int));
● What if it overflows??
– Did you write a validity check for the parameter to calloc?
– Old libc bug- an IOF could result in a much smaller buffer being
allocated via calloc() !
● Static analysis could / should catch a bug like this
● Dynamic analysis - take Valgrind’s MemCheck tool (of
course, Valgrind will only work on dynamic memory,
not compile-time memory)
83. Mar 16, 2017 kaiwanTECH
83
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Better Testing
● IOF
– Google wrote a safe_iop (integer operations) library for Android
(from first rel)
– However, as of Android 4.2.2, it appears to be used in a very limited
fashion and is out-of-date too
● Fuzzing
– “Fuzz testing or fuzzing is a software testing technique used to
discover coding errors and security loopholes in software, operating
systems or networks by inputting massive amounts of random data,
called fuzz, to the system in an attempt to make it crash.” Source
84. Mar 16, 2017 kaiwanTECH
84
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Better Testing
● Mostly-positive testing is practically useless
for secure software
● Thorough Negative Testing is a MUST
● Fuzzing
– especially effective in finding security-related bugs
– Bugs that cause a program to crash (in the normal
case)
85. Mar 16, 2017 kaiwanTECH
85
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
● Experience shows that having several hardening
techniques in place is far superior to having just 1 or 2
● Depth-of-Defense is critical
● For example, take ASLR and NX (or XN):
– Only NX, no ASLR: security bypassed via ROP-based
attacks
– Only ASLR, no NX: security bypassed via code injection
techniques like heap spraying
– Both full ASLR and NX: difficult to bypass by an attacker
86. Mar 16, 2017 kaiwanTECH
86
Linux OS : Security and Hardening – An Overview
Modern OS Hardening Countermeasures
Linux kernel – security patches into mainline
– Not so simple; the proverbial “tip of the iceberg”
– As far as security and hardening is concerned,
projects like GRSecurity, PaX and OpenWall have shown what
can be regarded as the “right” way forward
– However, the reality is that there continues to be serious resistance
from the kernel community to merging in similar patchsets
– [Why? Some legitimate-
● Info hiding - many apps / debuggers rely on pointers, information
from /proc, /sysfs, etc
● Debugging – breakpoints into code - don’t work with NX on
● Boot issues on some processors when NX used (being solved now)]
● More info available: Making attacks a little harder, LWN, Nov 2010
87. Mar 16, 2017 kaiwanTECH
87
Linux OS : Security and Hardening – An Overview
Conclusion
Basic principle of attack
First, a program with an exploitable vulnerability – local or remote - must be found.
This process is called Reconnaissance / footprinting / enumeration.
(Dynamic approach- attackers will often ‘fuzz’ a program to determine how it behaves;
static- use tools to disassemble/decompile (objdump,strings,IDA Pro,etc) the program
and search for vulnerable patterns. Use vuln scanners).
[Quick Tip: Check out nmap, Exploit-DB, the GHDB (Google Hacking Database) and
the Metasploit pen(etration)-testing framework].
A string containing shellcode is passed as input to the vulnerable program. It
overflows a buffer (a BOF), causing the shellcode to be executed (arbitrary code
execution). The shellcode provides some means of access (a backdoor, or simply a
direct shell) to the target system for the attacker.
Stealth- the target system should be unaware it’s been attacked (log cleaning, hiding).
88. Mar 16, 2017 kaiwanTECH
88
Linux OS : Security and Hardening – An Overview
Conclusion
ADVANCED-
Defeat protections?
●
ROP (Return Oriented Programming)
● Defeats ASLR, NX
– Not completely; modern Linux PIE executables and library PIC code
●
Uses “gadgets” to alter and control PC execution flow
●
A gadget is an existing piece of machine code that is leveraged to piece
together a sequence of statements
– it’s a non-linear programming technique!
– Each gadget ends with a :
●
X86: ‘ret’
● RISC (ARM): pop {rX, …, pc}
● Sophisticated, harder to pull off
●
But do-able!
…
Questions?
89. Linux OS : Security and Hardening – An Overview
Thank You!
kaiwanTECHkaiwanTECH
http://kaiwantech.inhttp://kaiwantech.in