\documentclass[%
pdf,
%nocolorBG,
colorBG,
slideColor,
gyom,
%slideBW,
%draft,
%frames
%azure
%contemporain
%nuancegris
%troispoints
%lignesbleues
%darkblue
%alienglow
%autumn
]{prosper}
\usepackage[latin1]{inputenc}
\usepackage{verbatim}
\usepackage{alltt}


\title{Weeding out security bugs in Debian}
\subtitle{How to improve security for our users \\
http://people.debian.org/\~{}jfs/debconf6/security/}
\author{Javier Fernández-Sanguino Peña}
\email{jfs@debian.org}
\slideCaption{Debconf6 - Mexico - May 18th 2006}

\begin{document}


\FontTitle{%
\usefont{T1}{ptm}{m}{sl}\fontsize{16pt}{18pt}\selectfont}{%
\usefont{T1}{ptm}{m}{sl}\fontsize{16pt}{18pt}\selectfont}
\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}

% TBD
\maketitle
\begin{slide}{Weeding out security bugs}
\begin{itemize}
\item Main Goal: Provide information to DDs on how to avoid/fix security
   issues in their packages.
\item How?
	\begin{itemize}
	\item Describe status of security in our OS (risks?)
	\item Describe the work of the different security-related teams.
	\item Show some tools to audit source code.
	\item Present lessons from the audit team.
	\item Discuss recommendations for improvement.
	\end{itemize}
\end{itemize}
\end{slide}

\begin{slide}{Impact of security bugs in the OS}
What happens when a serious security issue is found in our OS?
\begin{itemize}
\item Our users are at risk.
\item DDs and security teams have to work fast to provide a patch.
\item Our security mirror servers/bandwidth are stressed.
\item Some systems might get compromised.
\item Our public image is affected.
\end{itemize}
Resources required to deal with these bugs increase with time.
\end{slide}

\begin{slide}{First comments on security bugs}
\begin{itemize}
\item All software has bugs.
\item Security bugs are of varying severity (CVSS):
\begin{itemize}
\item remote vs. local
\item DoS vs. code execution
\end{itemize}
\item Security bug types vary with time (researchers shift their focus).
\end{itemize}

Note: Coverity analysis: about 0.3 defects per 100k LOC in stable (and already audited)
projects.
\end{slide}

% From Debconf 3
%\begin{slide}{Security in the Debian OS: The Bad Things}
%\begin{itemize}
%\item Average time to fix a security issue and number of DSAs increases
%every year.  From (median) time of 3,5 days (1999) to 63 days 
%(this year, kernel issues...)
%\item Number of DSAs issues is also increasing every year. 17 in 1997, 124 last year
%and with the current trend expect 233 this year.
%\item Our Security Team is behind other Security Teams with security fixes.
%To fix the same vulnerability issue:
%\begin{itemize}
%\item RedHat, median is 8 days later (average 16)
%\item Mandrake, median is 3 days later (average 18)
%\end{itemize}
%\item But faster than others (Conectiva 10 days -median- faster)
%\end{itemize}
%\end{slide}

%\begin{slide}{Security in Debian: The Bad Things}
%Full data at http://people.debian.org/{\~\ }jfs/debconf/security/
%\includegraphics[width=9.5cm]{images/dsa-data.eps}
%\end{slide}

%\begin{slide}{Security in Debian: The Bad Things}
%Full data at http://people.debian.org/{\~\ }jfs/debconf/security/
%\includegraphics[width=9.5cm]{images/dsa-releases.eps}
%\end{slide}


\begin{slide}{Status of security issues in Debian}
\begin{itemize}
\item The size of the distribution keeps increasing with every release, and so does the number of bugs in it.
\item We are not much better than we were 3 years ago (see my Debconf-3 talk)
\begin{itemize}
\item But there are now more teams than the Security Team.
\end{itemize}
\item Let's see some lies\^\ W data... (download file {\em data.tgz})
\end{itemize}
\end{slide}

% Note:
% select count(distinct(dsaid)) from dsa where date >= '2001/01/01'; 
% select count(distinct(cvedsa.cve)) from dsa,cvedsa where dsa.dsaid=cvedsa.dsaid and dsa.date  >= '2001/01/01';

\begin{slide}{Security bugs in Debian: some {\em lies}}
Total advisories published for Debian: 1231 advisories 
\begin{itemize}
\item Potato: 197 DSAs (256) - 59 MLOC, maintenance 2.79 yr
\item Woody: 699 DSAs (1070) - 105 MLOC, maintenance 3.7 yr
\item Sarge: 271 DSAs (570) - 216 MLOC
\end{itemize}
Based on CVE Names: 1047 advisories since 2001 for 1387 distinct
vulnerabilities.
\end{slide}

\begin{slide}{Security in Debian: Fancy graph take 1}
\includegraphics[width=9cm]{images/accum-dsas.eps}

In sarge, most of them are in packages of section {\em net} ($\sim$16\%) or {\em web} ($\sim$23\%)
\end{slide}



% TBD: add more graphics

\begin{slide}{Teams handling security bugs}
There are three different teams handling security bugs in Debian:
\begin{itemize}
\item Security Team: handles security bugs in {\em stable} (produces the fixes and publishes DSAs).
\item Security Testing Team: handles security bugs in {\em testing}.
\item Security Audit Team: looks for security bugs.
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}
\begin{slide}{Security bugs in Debian: more {\em damn lies}}
Different types:
\begin{itemize}
\item Buffer overflows: 26.9\%
\item Improper data handling: 26.3\%
\item Design issues: 18.2\%
\item Exceptional condition handling: 7.4\%
\item Boundary condition: 5.7\%
\item Access validation: 5.6\%
\item Unclassified: 3.9\%
\item Race condition: 2.8\%
\end{itemize}
Approx. 65\% remotely exploitable.

Note: data for 1369 distinct CVE names, covering vulnerabilities from September 1998 to March 2006.
\end{slide}
\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}

\begin{slide}{Security in Debian: Fancy graph take 2}
Median CVSS score is 7 (on a 0--10 scale):
\includegraphics[width=6cm]{images/dsas-scores.eps}

See http://nvd.nist.gov/ and http://www.first.org/cvss/
\end{slide}

\begin{slide}{Hands-on: hello-insecure}
Download {\em hello-sample.tgz} from either ftp://homer.mexico.debconf.org/share/jfs/
or http://people.debian.org/\~{}jfs/debconf6/security/samples/:
\begin{itemize}
\item hello-insecure-2.1.1.debian.diff: changes to the hello package
\item hello-daemon-insecure\_2.1.1-5\_i386.deb: the binary package. {\bf WARNING}: installing
this opens a remote root hole on port 1025 (the daemon listens on all interfaces): install it only
on an isolated test system with the firewall up, and purge it afterwards.
\item server-spotted.c: Security bugs in the server daemon commented in.
\end{itemize}
How many (security) bugs can you spot?
\end{slide}



\begin{slide}{The Debian Security Team}
\begin{itemize}
% Notice that not all members have been active at the same time
\item Made up of 4-6 members.
\item Coordinates with other vendors' security teams through vendor-sec and CERT.
\item Reviews publicly disclosed bugs (do they affect us?).
\item Produces and tests security patches.
\item Writes security advisories (DSAs).
\item Builds and publishes the fixed packages through a dedicated buildd network.
\item (sometimes) Follows up on compromises of Debian systems.
\end{itemize}
\end{slide}

% For more info http://secure-testing-master.debian.net/
% Also see http://merkel.debian.org/~joeyh/testing-security.html
% Mail from Micah to d-d-a: Message-ID: <20050316040149.GD9731@riseup.net>
% LWN coverage of Debconf5 talk: http://lwn.net/Articles/144270/
\begin{slide}{The Debian Security Testing Team}
\begin{itemize}
\item Made up of 6 (?) members.
\item Works with public information only (CVE names).
\item Reviews the status of security fix propagation from sid to testing.
\item Issues DTSAs (Debian Testing Security Advisories).
\end{itemize}
Security support for testing started September 2005, integrated in main archive in
May 2006.
\end{slide}

\begin{slide}{The Debian Security Audit Team}
\begin{itemize}
\item Made up of 4 members.
\item Some members started auditing in year 2003, group formed year 2004.
\item Prioritises packages to audit.
\item Focused on a few bug classes:
\begin{itemize}
\item bugs in setuid/setgid applications (games)
\item misuse of sprintf/fscanf/syslog/...
\item temporary file race conditions
\end{itemize}
\item Developed some tools to automate parts of the code review.
\item As a result: 81 DSAs (13\%) and 121 security bugs that did not need a DSA.
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}

\begin{slide}{Debian Security Audit Team: tools}
Some tools used by the audit team (http://www.debian.org/security/audit/tools):
\begin{itemize}
\item RATS: C tool to review C/C++/Perl/PHP/Python; works from an XML database of
problematic functions (pattern-based, so expect false positives and misses).
\item Flawfinder: Python tool to analyse C/C++, looks at risky functions and how they are {\em used}
\item pscan: not general purpose, only looks for format string vulnerabilities.
\item Audit::Source (http://hinterhof.net/\~{}max/audit-perl):
runs all of these at the same time (and highlights the flagged code)
\item Other tools: grep, bfbtester, other black box tools...
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}


\begin{slide}{Hands-on: multiple-bugs.c}
Download {\em multiple-bugs.tgz} from either ftp://homer.mexico.debconf.org/share/jfs/
or http://people.debian.org/\~{}jfs/debconf6/security/samples/:
\begin{itemize}
\item Review {\em multiple-bugs-nocomments.c}: how many security bugs can you spot? 
\item Run RATS, Flawfinder and pscan on it: how many did they spot?
\item Review comments in {\em multiple-bugs.c}
\item Compare source with {\em multiple-bugs-fixed.c}
\item Run RATS, Flawfinder and pscan on {\em multiple-bugs-fixed.c}: how many do they still flag?
\end{itemize}
\end{slide}

\begin{slide}{Audit Team: Lessons learned}
Some lessons learned by the security audit team:
\begin{itemize}
\item Many developers are not aware of common security flaws: incorrect
  design of software (setuid/setgid, root daemons...), buffer overflows, unsanitised user input...
\item Many more security bugs are waiting to be fixed (especially in
software which is not popular)
\item Too much software to audit, no easy way to do source code review (no centralized repo).
\item FLOSS source code review tools are useful but need improvement (they do not catch everything).
\item Fixing security bugs takes a lot of time.
\end{itemize}
\end{slide}

\begin{slide}{Audit Team: Lessons learned DSA-656}
Some lessons learned from DSA-656 (see {\em DSA-656.tgz}), arbitrary file overwrite in vdr (video disk recorder):
\begin{itemize}
\item Having a server disabled by default is not a security measure by itself: users
  will start it up anyway, so it still has to be safe to run.
\item Maintainers don't always heed upstream's warnings; from the INSTALL file: {\em don't run
this as root!}
\item It's difficult to do a redesign in a DSA (see \#287899), so stable users do not
get the full benefit of an audit (only the minimal fix).
\end{itemize}
\end{slide}

\begin{slide}{Hands-on: DSA-893}
Pick up {\em DSA-893.tgz} from either ftp://homer.mexico.debconf.org/share/jfs/
or http://people.debian.org/\~jfs/debconf6/security/samples/:
\begin{itemize}
\item acidbase\_CVE-2005-3325.bad.diff: upstream's fix
\item acidbase.CVE-2005-3325.diff: my fix for DSA-893 (actual package
      changes in acidlab.CVE-2005-3325.pack.sarge.diff)
\item acidlab-0.9.6b20-12to13.diff: changes between the versions in sid/sarge
      (check out the changes to acidlab.apache.conf)
\end{itemize}
\end{slide}


\begin{slide}{Audit Team: Lessons learned DSA-893}
Some lessons learned DSA-893, SQL injection in acidlab:
\begin{itemize}
\item Upstream doesn't always know how to fix security bugs (see the {\em bad} upstream diff)
\item Security bugs in one package might affect other packages sharing a
  common codebase (BASE $\rightarrow$ ACID)
\item It's better to restrict access to sensitive web interfaces by default (e.g. in the
  shipped Apache configuration): a security bug exposed in the default install becomes one
  exposed only where an admin has deliberately opened access
\item Fixes for SQL injection bugs and XSS bugs in PHP apps are similar:
      validate all user input and escape it for where it ends up (SQL query, HTML page)!
\item A security fix is not always 100\% thorough (``time to fix'' pressure)
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}

\begin{slide}{Audit Team: More lessons}
Some more lessons learned:
\begin{itemize}
\item DSA-647, temporary filename race condition in MySQL: even
  popular software has obvious security bugs.
\item DSA-334, 354, 356, 368, 369\dots: a vulnerability in a setgid {\em games} application
= compromise of every user running any game on the system. Also \#291613 (setgid
games writing in users' dirs without dropping privileges). Are global hiscores worth
it?
\item \#334616, yiff-server running as root can ``play'' any file: why does a sound
daemon need root privileges?
\item \#329365, mailleds can be used to kill any system process: watch your umasks!
\end{itemize}
\end{slide}

\begin{slide}{Audit Team: Even more lessons}
\begin{itemize}
\item  \#291389, tcl: no tempfile/mktemp/mkstemp implementation in the toolkit language ---
a missing safe primitive makes it hard to implement secure code on top of it.
\item  \#255033, securecgi design flaws: writing security code is not simple, a {\em secure} in
the name does not make it so.
\item \#291376, cdrtools: unsafe recommendation (and implementation) of debugging in rscsi ---
some maintainers sit on security bugs ({\em lack of time}?). Please
give credit where credit is due.
\item \#291635, format string bug in man2html: some unaudited software ends up being used
in CGI gateways (and is thus exposed to remote input).
\end{itemize}
\end{slide}

\begin{slide}{Audit Team: Bored of lessons?}
\begin{itemize}
\item \#298114, nvi init script can be used for mischievous purposes: bugs can remain
undetected for a very long time, and not all security fixes reach stable.
\item \#323386, kismet, CAN-2005-2626 and CAN-2005-2627 present in sarge and etch: lazy maintainers
do not want to track bugs in stable.
\item \#289560 vim, race conditions and symlink attacks in vim scripts: why
provide obsolete/unsupported stuff? Rewriting security patches sometimes
introduces new mistakes; why take patches from Ubuntu when we have our own?
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}

\begin{slide}{Weeding out security bugs: How can I help?}
\begin{itemize}
\item Learn how to spot security bugs, review upstream's code.
\item QA your {\em own} code for security bugs.
\item Learn how to program with security in mind and do proper
      design of your packages.
\item Review applications you maintain:
\begin{itemize}
\item Track security bugs upstream.
\item Follow guidelines for handling security bugs.
\end{itemize}
\item Join one of the security teams.
\end{itemize}
\end{slide}

\begin{slide}{Prevent/minimize security bugs}
\begin{itemize}
\item Do not package or include alpha/beta/unsupported software (or at least prevent it from getting
into {\em stable}).
\item Use dedicated low-privilege users for daemons and cron tasks (see \#337086)
\item Avoid {\em setgid} and {\em setuid} software (review the Policy)
\item Ship {\em safe} default configurations (restrict access by default; a service that is
merely disabled by default must still be safe once users enable it)
\item Review applications you maintain:
\begin{itemize}
\item Security track record?
\item Responsiveness of upstream for security bugs?
\end{itemize}
\end{itemize}
\end{slide}


\begin{slide}{Conclusions}
\begin{itemize}
\item Some new technologies (SELinux, GCC 4.1 SSP, PaX, exec-shield, RSBAC...) might enhance
      protection of our users, but they mitigate rather than remove bugs and do not cover {\em all}
      classes (design flaws, SQL injection, XSS...).
\item Weeding out security bugs is a group effort: make sure you've done your part.
\item Try to code in a secure way (learn how if you don't know) and review your
      upstream's code (help them learn too)
\item Use tools to help you in the review (but don't trust them fully)
\item Learn from past mistakes (even others').
\end{itemize}
\end{slide}

\begin{slide}{Thanks}
Thanks!
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{10.4pt}{10pt}\selectfont}
\begin{slide}{For more information}
Recommended reading:
\begin{itemize}
\item Debian specific:
\begin{itemize}
\item Debian Security Team FAQ: http://www.debian.org/security/faq
\item Debian Securing Manual: http://www.debian.org/doc/manuals/securing-debian-howto/
\item Debian Security Audit Team: http://www.debian.org/security/audit/
\end{itemize}
\item David Wheeler's {\em Secure Programming for Linux and Unix HOWTO}:
http://www.dwheeler.com/secure-programs/
\item Fortify's {\em Taxonomy of Coding Errors}: http://vulncat.fortifysoftware.com/
\end{itemize}
\end{slide}

\begin{slide}{For more information}
\begin{itemize}
\item Courses:
\begin{itemize}
\item Dan Bernstein's {\em UNIX Security Holes Course}: http://cr.yp.to/2004-494.html
\item Purdue University's (CERIAS) {\em Secure Programming Educational Material}: http://www.cerias.purdue.edu/secprog
\end{itemize}
\item Books:
\begin{itemize}
\item {\em Practical Unix \& Internet Security}: Simson Garfinkel and Gene Spafford. ISBN 0-596-00323-4
\item {\em Secure Coding, Principles and Practices}: Mark Graff and Kenneth R.\ van Wyk. ISBN: 0-596-00242-4
\end{itemize}
\end{itemize}
\end{slide}

\FontText{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}{%
 \usefont{T1}{phv}{m}{n}\fontsize{12.4pt}{12pt}\selectfont}

\begin{slide}{Answers: hello-insecure}
Hello-insecure security bugs (knowingly introduced):
\begin{itemize}
\item Design problems: running as root, starting a debug daemon listening on all interfaces
\item Maintainer postinst bug: creates files in /tmp (tempfile race / symlink attack)
\item Maintainer compile bugs: why -DDEBUG?
\item Server code bugs: format string, buffer overflow, log file in /tmp and DoS due to memory exhaustion
\end{itemize}
\end{slide}

\begin{slide}{Answers: multiple-bugs}
multiple-bugs.c security bugs (knowingly introduced):
\begin{itemize}
\item Buffer overflow (BoF): unbounded sprintf of a getenv() value
\item Hardcoded path of logfile in /tmp (predictable name in a world-writable directory)
\item fopen of that predictable path with a race condition (TOCTOU/symlink attack)
\item Stack overflow due to gets (no bounds check at all)
\item Overflow of a fixed-size static buffer (sprintf)
\item Format string vulnerability because of misuse of syslog (user data as the format argument)
\item Command injection due to untrusted data passed to system()
\end{itemize}
\end{slide}

%\begin{slide}{Reasons}
%\begin{itemize}
%\item Possible reasons: 
%\begin{itemize}
%\item The size of the distribution just keeps increasing.
%\item More complex software.
%\item Unmaintained software.
%\end{itemize}
%\end{itemize}
%\end{slide}

%\begin{slide}{Security in Debian: Some impromevents}
% More info at
% http://lists.debian.org/debian-devel/2002/debian-devel-200210/msg02133.html
%No formal audit yet conducted
%\begin{itemize}
%\item Need to do this for upstream?
%\item Start with base system, network servers and popular packages
%\item Several efforts: Steve Kemp (http://www.steve.org.uk/Debian/), and
%Drew Daniels (https://sourceforge.net/projects/debraudit/)
%\end{itemize}
%Move this to Alioth? Official backup? Coordinate with Sardonix.org?
%\end{slide}



\end{document}

%\begin{slide}{Security in Debian: }
%\begin{itemize}
%\item 
%\end{itemize}
%\end{slide}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: 
