| 1 |
On Saturday 06 September 2003 15:27, Alexander Gabert wrote: |
| 2 |
> hello, |
| 3 |
> |
| 4 |
> there is nothing that can "guide" you, in my opinion. |
| 5 |
> the program that checks for flaws must print out a list of "problematic" |
| 6 |
> code pieces based on real facts. |
| 7 |
> the threat is real, so must be the defense mechanisms. |
| 8 |
> no "guidance" or "counseling" needed for the user to be influenced. |
| 9 |
|
| 10 |
Well, thats true. I thought of an average user that wants to install a |
| 11 |
userspace program that does something with internet. The user heard about |
| 12 |
security issues with the internet and so cares a little bit but ofcourse has |
| 13 |
no knowledge about what this really means nor is the user a developer who is |
| 14 |
able to fix that. luckily there are several option for such a program |
| 15 |
available. So the user exploits some of the suggested emerge commands and |
| 16 |
based on the results uses for now the software with the least impact and |
| 17 |
additionally files a bug report to bugs.gentoo.org saying that actual emerge |
| 18 |
found security issues the user wants to get fixed (and is willing to donate a |
| 19 |
donut for fixing :) |
| 20 |
|
| 21 |
> > some of the next steps i can imagin are: |
| 22 |
> > - a ports security policy :) |
| 23 |
> |
| 24 |
> well, devs are notorious overworked ppl. |
| 25 |
> you would not rush in open doors. |
| 26 |
> but i appreciate your thoughts and will try to make up my mind. |
| 27 |
Most of such a policy is published and available on the net, from other |
| 28 |
projects or known highly secure OS's. (One of them, espicially for those who |
| 29 |
dont like to hear it, is OpenBSD :) I understand that gentoo hardened can not |
| 30 |
be an isolated project. It has to be open + cooperative even with "competing" |
| 31 |
OS's to reach the goal "hardened") |
| 32 |
|
| 33 |
> > - suid scans |
| 34 |
> > |
| 35 |
> > - scans of binaries |
| 36 |
> |
| 37 |
> not possible. |
| 38 |
> writing disassemblers that make assumptions is bad practice. |
| 39 |
Thats not what i meant, so i try to explain better: |
| 40 |
We have much information about the binary from the build process before, there |
| 41 |
is no need to disassemble. |
| 42 |
|
| 43 |
Lets say a binary "mta" is build and but into $IMAGE/usr/sbin with suid root. |
| 44 |
|
| 45 |
From analysis of the Makefiles in the still existing source tree we know: |
| 46 |
this file comes from the directory $S/smtp/core/mta |
| 47 |
|
| 48 |
And is made out of: |
| 49 |
smtp.o |
| 50 |
connect.o |
| 51 |
socket.o |
| 52 |
checkuser.o |
| 53 |
deliver.o |
| 54 |
rfc.o |
| 55 |
bla.o |
| 56 |
digitalmess.o |
| 57 |
randommess.o |
| 58 |
(mess here short for message ;) |
| 59 |
|
| 60 |
for those we got the corresponding source files. |
| 61 |
So we can see deliver.o makes extensive use of functions executing external |
| 62 |
binaries. deliver.o is part oft mta. mta is installed suid. no part of mta |
| 63 |
calls a function that indicates a drop of priviliges. Conclusion: mta is |
| 64 |
potentially dangerous. |
| 65 |
|
| 66 |
> > - complexity analysis (we got the code, we got the binaries - if there |
| 67 |
> > was createt only 1 biiig binary out of al the code we know that the |
| 68 |
> > potential security impact is higher (exim) then if there would have been |
| 69 |
> > created several small binaries (assuming modularity, like qmail), etc. |
| 70 |
> |
| 71 |
> qmail is not more secure than exim, if the author says so, he may say |
| 72 |
> so. i myself do not believe it, should be careful what you interpret. |
| 73 |
Its not that i believe in what the author of qmail claims to be true. |
| 74 |
|
| 75 |
I, therefore i am a unix-user, believe in modularity, simplicity, small tools |
| 76 |
that do dedicated tasks and nothing else, that can be combined to something |
| 77 |
usefull (Well, unix :) |
| 78 |
|
| 79 |
qmail is the only full functioning mta that consistently implements this |
| 80 |
principles (afaik) and _thats_ the reason for me to believe qmail is more |
| 81 |
secure than all those other mta's around. |
| 82 |
|
| 83 |
(Beside the fact that i will receive 500$ as soon as i find a security hole in |
| 84 |
qmail :) This "security garantee" i see as an political advantage of qmail.) |
| 85 |
|
| 86 |
> the truth is that packages like qmail deserve the high reputation only |
| 87 |
> from the people who are using it. |
| 88 |
> |
| 89 |
> > - dynamic meta-information from external sources (CERT, GLSA Database) |
| 90 |
> |
| 91 |
> very good point, we could make a "link" to bugs found regarding the |
| 92 |
> source URI. |
| 93 |
> which would resolve in a mapping: CERT/Bugtraq <-> SRC_URI |
| 94 |
> |
| 95 |
|
| 96 |
> > ofcourse, this all can be enhanced and so on, thats why i put it here :) |
| 97 |
> |
| 98 |
> thank you, |
| 99 |
> |
| 100 |
> a last thought about your binary scanning. |
| 101 |
> |
| 102 |
> pipacs is the brain behind PaX who is working out the logic for |
| 103 |
> protecting accesses. |
| 104 |
> |
| 105 |
> the holy grail is "full bounds checking" which means basically that you |
| 106 |
> can watch, control AND limit any arbitrary (random, going everwhere) |
| 107 |
> memory address write or read by the running program. |
| 108 |
> the running program has 4GB open memory with 1GB of the 4GB is kernel |
| 109 |
> memory. |
| 110 |
> |
| 111 |
> even stackguards preventing direct linear overwriting of addresses can |
| 112 |
> be "circumenvented" as we all know. |
| 113 |
> even address space layout randomization, basically moving round and |
| 114 |
> round of ELF segments and making the memory address relocations not |
| 115 |
> writable with PIC compilation, can be information leaked. |
| 116 |
> |
| 117 |
> it is not possible to employ bounds checkers like the "mudflap" gcc or |
| 118 |
> other solutions. |
| 119 |
> |
| 120 |
> it is just a compromise between speed and security. |
| 121 |
Thats always true :) |
| 122 |
Really always? |
| 123 |
|
| 124 |
If transfering mail would be secure (no spam possible) the internet would be |
| 125 |
faster (no trillionsibytes of spam traffic). Hm. |
| 126 |
|
| 127 |
> you inspired me |
| 128 |
Finally i did something useful :) |
| 129 |
|
| 130 |
> and what has come into my mind is some kind of "hybrid" |
| 131 |
> solution where we run the preprocessed source through some kind of |
| 132 |
> "bounds checking sandbox" which evaluates the possible program flows in |
| 133 |
> terms of trees (gcc people can explain more about this) and evaluate the |
| 134 |
> pointers at each point of execution. |
| 135 |
Thats nearly what i wanted to say but could not express :) |
| 136 |
I tried to explain above. |
| 137 |
|
| 138 |
Thank you for your positive words. |
| 139 |
|
| 140 |
Jan |
| 141 |
|
| 142 |
|
| 143 |
-- |
| 144 |
gentoo-hardened@g.o mailing list |
Archives