| 1 |
hello, |
| 2 |
|
| 3 |
On Sat, 2003-09-06 at 16:52, Jan Krueger wrote: |
| 4 |
> I would like to present you an example showing how silly source scanning can |
| 5 |
> be if done without thought: |
| 6 |
> |
| 7 |
> qmail and exim |
| 8 |
> |
| 9 |
> flawfinder reports more flaws in qmail (10 or so) then in exim (only 1). |
| 10 |
> If one would make a decision based on the flawfinder output only, one would |
| 11 |
> install exim. |
| 12 |
> |
| 13 |
> Offcourse if one compares the number of actual security holes found in exim to |
| 14 |
> those found in qmail, one would install qmail. |
| 15 |
don't think so. |
| 16 |
there must be a reason for flawfinder to find so much "problems" in |
| 17 |
qmail. |
| 18 |
|
| 19 |
> |
| 20 |
> So i understand source code analysis as the first step only to create |
| 21 |
> something for developers and admins/users that is able to guide them in |
| 22 |
> security questions. |
| 23 |
there is nothing that can "guide" you, in my opinion. |
| 24 |
the program that checks for flaws must print out a list of "problematic" |
| 25 |
code pieces based on real facts. |
| 26 |
the threat is real, so must be the defense mechanisms. |
| 27 |
no "guidance" or "counseling" needed for the user to be influenced. |
| 28 |
> |
| 29 |
> some of the next steps i can imagin are: |
| 30 |
> - a ports security policy :) |
| 31 |
well, devs are notorious overworked ppl. |
| 32 |
you would not rush in open doors. |
| 33 |
but i appreciate your thoughts and will try to make up my mind. |
| 34 |
> |
| 35 |
> - suid scans |
| 36 |
> |
| 37 |
> - scans of binaries |
| 38 |
not possible. |
| 39 |
writing disassemblers that make assumptions is bad practice. |
| 40 |
> |
| 41 |
> - complexity analysis (we got the code, we got the binaries - if there was |
| 42 |
> createt only 1 biiig binary out of al the code we know that the potential |
| 43 |
> security impact is higher (exim) then if there would have been created |
| 44 |
> several small binaries (assuming modularity, like qmail), etc. |
| 45 |
qmail is not more secure than exim, if the author says so, he may say |
| 46 |
so. i myself do not believe it, should be careful what you interpret. |
| 47 |
|
| 48 |
the truth is that packages like qmail deserve the high reputation only |
| 49 |
from the people who are using it. |
| 50 |
|
| 51 |
> |
| 52 |
> - dynamic meta-information from external sources (CERT, GLSA Database) |
| 53 |
|
| 54 |
very good point, we could make a "link" to bugs found regarding the |
| 55 |
source URI. |
| 56 |
which would resolve in a mapping: CERT/Bugtraq <-> SRC_URI |
| 57 |
|
| 58 |
> This would result in: |
| 59 |
> # emerge -p somemta |
| 60 |
> Calculating dependencies ...done! |
| 61 |
> ebuild information | version | hardened | CERT | GLSA |
| 62 |
> [ebuild N ] net-mail/exim-4.14 - 5 2 |
| 63 |
> |
| 64 |
> # emerge -p --secinfo somemta |
| 65 |
> |
| 66 |
> * net-mail/somemta |
| 67 |
> Latest version available: 4.14 |
| 68 |
> Latest version installed: [ Not Installed ] |
| 69 |
> Size of downloaded files: 1,531 kB |
| 70 |
> Homepage: http://www.somemta.org/ |
| 71 |
> ebuild Maintainer: someone@×××××××××.org |
| 72 |
> Description: A highly configurable, drop-in replacement for sendmail |
| 73 |
> |
| 74 |
> Package is part of gentoo hardened : no |
| 75 |
> CERT Security Advisories for somemta found : 5 |
| 76 |
> CERT affecting this version of somemta found : 1 |
| 77 |
> GLSA for somemta found : 2 |
| 78 |
> GLSA affecting this version of somemta found : 1 |
| 79 |
> |
| 80 |
> Warnig: This version is affected by several security advisories. |
| 81 |
> It is recommended to not install this version! |
| 82 |
> You may try emerge sync or search at bugs.gentoo.org to get a newer |
| 83 |
> version or contact the ebuild maintainer |
| 84 |
> |
| 85 |
> and while you do |
| 86 |
> # emerge somemta |
| 87 |
> you get additional information: |
| 88 |
> * source code analysis report: |
| 89 |
> * 1 potential security flaw found |
| 90 |
> .... |
| 91 |
> |
| 92 |
> * compexity analysis report: |
| 93 |
> * package seems to fairly complex, possible security impact: medium |
| 94 |
> |
| 95 |
> * suid scan report: |
| 96 |
> * the software would like to install the following suids |
| 97 |
> * 1) /usr/sbin/exim suid root |
| 98 |
> * 2) /usr/sbin/blalaber suid mail |
| 99 |
> What would like to do? |
| 100 |
> -3) install all as shown |
| 101 |
> -1) install all without suid |
| 102 |
> or choose number of binary: |
| 103 |
> |
| 104 |
> ofcourse, this all can be enhanced and so on, thats why i put it here :) |
| 105 |
|
| 106 |
thank you, |
| 107 |
|
| 108 |
a last thought about your binary scanning. |
| 109 |
|
| 110 |
pipacs is the brain behind PaX who is working out the logic for |
| 111 |
protecting accesses. |
| 112 |
|
| 113 |
the holy grail is "full bounds checking" which means basically that you |
| 114 |
can watch, control AND limit any arbitrary (random, going everwhere) |
| 115 |
memory address write or read by the running program. |
| 116 |
the running program has 4GB open memory with 1GB of the 4GB is kernel |
| 117 |
memory. |
| 118 |
|
| 119 |
even stackguards preventing direct linear overwriting of addresses can |
| 120 |
be "circumenvented" as we all know. |
| 121 |
even address space layout randomization, basically moving round and |
| 122 |
round of ELF segments and making the memory address relocations not |
| 123 |
writable with PIC compilation, can be information leaked. |
| 124 |
|
| 125 |
it is not possible to employ bounds checkers like the "mudflap" gcc or |
| 126 |
other solutions. |
| 127 |
|
| 128 |
it is just a compromise between speed and security. |
| 129 |
|
| 130 |
you inspired me and what has come into my mind is some kind of "hybrid" |
| 131 |
solution where we run the preprocessed source through some kind of |
| 132 |
"bounds checking sandbox" which evaluates the possible program flows in |
| 133 |
terms of trees (gcc people can explain more about this) and evaluate the |
| 134 |
pointers at each point of execution. |
| 135 |
|
| 136 |
remember that the program is not yet binary and is not actually _run_. |
| 137 |
|
| 138 |
it is just a funky parsing of the CPP preprocessed source, or later at |
| 139 |
RTL stage, in the gcc. |
| 140 |
|
| 141 |
in so called "red areas" the gcc would put full bounds checking in. |
| 142 |
in other areas that appear to be "safe" or "green" in the preprocessor |
| 143 |
dry run, the bounds checks can be left out for speedup. |
| 144 |
|
| 145 |
anyway, this would significantly increase compile time by factors of two |
| 146 |
or more. think about compiling xfree86 with that gcc. |
| 147 |
|
| 148 |
instead of 8 hours on a hppa machine it would take 20 hours or more. |
| 149 |
|
| 150 |
but it would have no or little impact on the final binary because the |
| 151 |
speed is gained from the "dry run" in the gcc CPP stage. |
| 152 |
|
| 153 |
have fun, |
| 154 |
-pappy |
| 155 |
|
| 156 |
> |
| 157 |
> Jan |
| 158 |
> |
| 159 |
|
| 160 |
|
| 161 |
|
| 162 |
-- |
| 163 |
gentoo-hardened@g.o mailing list |
Archives