1 |
hello, |
2 |
|
3 |
On Sat, 2003-09-06 at 16:52, Jan Krueger wrote: |
4 |
> I would like to present you an example showing how silly source scanning can |
5 |
> be if done without thought: |
6 |
> |
7 |
> qmail and exim |
8 |
> |
9 |
> flawfinder reports more flaws in qmail (10 or so) then in exim (only 1). |
10 |
> If one would make a decision based on the flawfinder output only, one would |
11 |
> install exim. |
12 |
> |
13 |
> Offcourse if one compares the number of actual security holes found in exim to |
14 |
> those found in qmail, one would install qmail. |
15 |
don't think so. |
16 |
there must be a reason for flawfinder to find so much "problems" in |
17 |
qmail. |
18 |
|
19 |
> |
20 |
> So i understand source code analysis as the first step only to create |
21 |
> something for developers and admins/users that is able to guide them in |
22 |
> security questions. |
23 |
there is nothing that can "guide" you, in my opinion. |
24 |
the program that checks for flaws must print out a list of "problematic" |
25 |
code pieces based on real facts. |
26 |
the threat is real, so must be the defense mechanisms. |
27 |
no "guidance" or "counseling" needed for the user to be influenced. |
28 |
> |
29 |
> some of the next steps i can imagin are: |
30 |
> - a ports security policy :) |
31 |
well, devs are notorious overworked ppl. |
32 |
you would not rush in open doors. |
33 |
but i appreciate your thoughts and will try to make up my mind. |
34 |
> |
35 |
> - suid scans |
36 |
> |
37 |
> - scans of binaries |
38 |
not possible. |
39 |
writing disassemblers that make assumptions is bad practice. |
40 |
> |
41 |
> - complexity analysis (we got the code, we got the binaries - if there was |
42 |
> createt only 1 biiig binary out of al the code we know that the potential |
43 |
> security impact is higher (exim) then if there would have been created |
44 |
> several small binaries (assuming modularity, like qmail), etc. |
45 |
qmail is not more secure than exim, if the author says so, he may say |
46 |
so. i myself do not believe it, should be careful what you interpret. |
47 |
|
48 |
the truth is that packages like qmail deserve the high reputation only |
49 |
from the people who are using it. |
50 |
|
51 |
> |
52 |
> - dynamic meta-information from external sources (CERT, GLSA Database) |
53 |
|
54 |
very good point, we could make a "link" to bugs found regarding the |
55 |
source URI. |
56 |
which would resolve in a mapping: CERT/Bugtraq <-> SRC_URI |
57 |
|
58 |
> This would result in: |
59 |
> # emerge -p somemta |
60 |
> Calculating dependencies ...done! |
61 |
> ebuild information | version | hardened | CERT | GLSA |
62 |
> [ebuild N ] net-mail/exim-4.14 - 5 2 |
63 |
> |
64 |
> # emerge -p --secinfo somemta |
65 |
> |
66 |
> * net-mail/somemta |
67 |
> Latest version available: 4.14 |
68 |
> Latest version installed: [ Not Installed ] |
69 |
> Size of downloaded files: 1,531 kB |
70 |
> Homepage: http://www.somemta.org/ |
71 |
> ebuild Maintainer: someone@×××××××××.org |
72 |
> Description: A highly configurable, drop-in replacement for sendmail |
73 |
> |
74 |
> Package is part of gentoo hardened : no |
75 |
> CERT Security Advisories for somemta found : 5 |
76 |
> CERT affecting this version of somemta found : 1 |
77 |
> GLSA for somemta found : 2 |
78 |
> GLSA affecting this version of somemta found : 1 |
79 |
> |
80 |
> Warnig: This version is affected by several security advisories. |
81 |
> It is recommended to not install this version! |
82 |
> You may try emerge sync or search at bugs.gentoo.org to get a newer |
83 |
> version or contact the ebuild maintainer |
84 |
> |
85 |
> and while you do |
86 |
> # emerge somemta |
87 |
> you get additional information: |
88 |
> * source code analysis report: |
89 |
> * 1 potential security flaw found |
90 |
> .... |
91 |
> |
92 |
> * compexity analysis report: |
93 |
> * package seems to fairly complex, possible security impact: medium |
94 |
> |
95 |
> * suid scan report: |
96 |
> * the software would like to install the following suids |
97 |
> * 1) /usr/sbin/exim suid root |
98 |
> * 2) /usr/sbin/blalaber suid mail |
99 |
> What would like to do? |
100 |
> -3) install all as shown |
101 |
> -1) install all without suid |
102 |
> or choose number of binary: |
103 |
> |
104 |
> ofcourse, this all can be enhanced and so on, thats why i put it here :) |
105 |
|
106 |
thank you, |
107 |
|
108 |
a last thought about your binary scanning. |
109 |
|
110 |
pipacs is the brain behind PaX who is working out the logic for |
111 |
protecting accesses. |
112 |
|
113 |
the holy grail is "full bounds checking" which means basically that you |
114 |
can watch, control AND limit any arbitrary (random, going everwhere) |
115 |
memory address write or read by the running program. |
116 |
the running program has 4GB open memory with 1GB of the 4GB is kernel |
117 |
memory. |
118 |
|
119 |
even stackguards preventing direct linear overwriting of addresses can |
120 |
be "circumenvented" as we all know. |
121 |
even address space layout randomization, basically moving round and |
122 |
round of ELF segments and making the memory address relocations not |
123 |
writable with PIC compilation, can be information leaked. |
124 |
|
125 |
it is not possible to employ bounds checkers like the "mudflap" gcc or |
126 |
other solutions. |
127 |
|
128 |
it is just a compromise between speed and security. |
129 |
|
130 |
you inspired me and what has come into my mind is some kind of "hybrid" |
131 |
solution where we run the preprocessed source through some kind of |
132 |
"bounds checking sandbox" which evaluates the possible program flows in |
133 |
terms of trees (gcc people can explain more about this) and evaluate the |
134 |
pointers at each point of execution. |
135 |
|
136 |
remember that the program is not yet binary and is not actually _run_. |
137 |
|
138 |
it is just a funky parsing of the CPP preprocessed source, or later at |
139 |
RTL stage, in the gcc. |
140 |
|
141 |
in so called "red areas" the gcc would put full bounds checking in. |
142 |
in other areas that appear to be "safe" or "green" in the preprocessor |
143 |
dry run, the bounds checks can be left out for speedup. |
144 |
|
145 |
anyway, this would significantly increase compile time by factors of two |
146 |
or more. think about compiling xfree86 with that gcc. |
147 |
|
148 |
instead of 8 hours on a hppa machine it would take 20 hours or more. |
149 |
|
150 |
but it would have no or little impact on the final binary because the |
151 |
speed is gained from the "dry run" in the gcc CPP stage. |
152 |
|
153 |
have fun, |
154 |
-pappy |
155 |
|
156 |
> |
157 |
> Jan |
158 |
> |
159 |
|
160 |
|
161 |
|
162 |
-- |
163 |
gentoo-hardened@g.o mailing list |