1 |
On Saturday 06 September 2003 15:27, Alexander Gabert wrote: |
2 |
> hello, |
3 |
> |
4 |
> there is nothing that can "guide" you, in my opinion. |
5 |
> the program that checks for flaws must print out a list of "problematic" |
6 |
> code pieces based on real facts. |
7 |
> the threat is real, so must be the defense mechanisms. |
8 |
> no "guidance" or "counseling" needed for the user to be influenced. |
9 |
|
10 |
Well, thats true. I thought of an average user that wants to install a |
11 |
userspace program that does something with internet. The user heard about |
12 |
security issues with the internet and so cares a little bit but ofcourse has |
13 |
no knowledge about what this really means nor is the user a developer who is |
14 |
able to fix that. luckily there are several option for such a program |
15 |
available. So the user exploits some of the suggested emerge commands and |
16 |
based on the results uses for now the software with the least impact and |
17 |
additionally files a bug report to bugs.gentoo.org saying that actual emerge |
18 |
found security issues the user wants to get fixed (and is willing to donate a |
19 |
donut for fixing :) |
20 |
|
21 |
> > some of the next steps i can imagin are: |
22 |
> > - a ports security policy :) |
23 |
> |
24 |
> well, devs are notorious overworked ppl. |
25 |
> you would not rush in open doors. |
26 |
> but i appreciate your thoughts and will try to make up my mind. |
27 |
Most of such a policy is published and available on the net, from other |
28 |
projects or known highly secure OS's. (One of them, espicially for those who |
29 |
dont like to hear it, is OpenBSD :) I understand that gentoo hardened can not |
30 |
be an isolated project. It has to be open + cooperative even with "competing" |
31 |
OS's to reach the goal "hardened") |
32 |
|
33 |
> > - suid scans |
34 |
> > |
35 |
> > - scans of binaries |
36 |
> |
37 |
> not possible. |
38 |
> writing disassemblers that make assumptions is bad practice. |
39 |
Thats not what i meant, so i try to explain better: |
40 |
We have much information about the binary from the build process before, there |
41 |
is no need to disassemble. |
42 |
|
43 |
Lets say a binary "mta" is build and but into $IMAGE/usr/sbin with suid root. |
44 |
|
45 |
From analysis of the Makefiles in the still existing source tree we know: |
46 |
this file comes from the directory $S/smtp/core/mta |
47 |
|
48 |
And is made out of: |
49 |
smtp.o |
50 |
connect.o |
51 |
socket.o |
52 |
checkuser.o |
53 |
deliver.o |
54 |
rfc.o |
55 |
bla.o |
56 |
digitalmess.o |
57 |
randommess.o |
58 |
(mess here short for message ;) |
59 |
|
60 |
for those we got the corresponding source files. |
61 |
So we can see deliver.o makes extensive use of functions executing external |
62 |
binaries. deliver.o is part oft mta. mta is installed suid. no part of mta |
63 |
calls a function that indicates a drop of priviliges. Conclusion: mta is |
64 |
potentially dangerous. |
65 |
|
66 |
> > - complexity analysis (we got the code, we got the binaries - if there |
67 |
> > was createt only 1 biiig binary out of al the code we know that the |
68 |
> > potential security impact is higher (exim) then if there would have been |
69 |
> > created several small binaries (assuming modularity, like qmail), etc. |
70 |
> |
71 |
> qmail is not more secure than exim, if the author says so, he may say |
72 |
> so. i myself do not believe it, should be careful what you interpret. |
73 |
Its not that i believe in what the author of qmail claims to be true. |
74 |
|
75 |
I, therefore i am a unix-user, believe in modularity, simplicity, small tools |
76 |
that do dedicated tasks and nothing else, that can be combined to something |
77 |
usefull (Well, unix :) |
78 |
|
79 |
qmail is the only full functioning mta that consistently implements this |
80 |
principles (afaik) and _thats_ the reason for me to believe qmail is more |
81 |
secure than all those other mta's around. |
82 |
|
83 |
(Beside the fact that i will receive 500$ as soon as i find a security hole in |
84 |
qmail :) This "security garantee" i see as an political advantage of qmail.) |
85 |
|
86 |
> the truth is that packages like qmail deserve the high reputation only |
87 |
> from the people who are using it. |
88 |
> |
89 |
> > - dynamic meta-information from external sources (CERT, GLSA Database) |
90 |
> |
91 |
> very good point, we could make a "link" to bugs found regarding the |
92 |
> source URI. |
93 |
> which would resolve in a mapping: CERT/Bugtraq <-> SRC_URI |
94 |
> |
95 |
|
96 |
> > ofcourse, this all can be enhanced and so on, thats why i put it here :) |
97 |
> |
98 |
> thank you, |
99 |
> |
100 |
> a last thought about your binary scanning. |
101 |
> |
102 |
> pipacs is the brain behind PaX who is working out the logic for |
103 |
> protecting accesses. |
104 |
> |
105 |
> the holy grail is "full bounds checking" which means basically that you |
106 |
> can watch, control AND limit any arbitrary (random, going everwhere) |
107 |
> memory address write or read by the running program. |
108 |
> the running program has 4GB open memory with 1GB of the 4GB is kernel |
109 |
> memory. |
110 |
> |
111 |
> even stackguards preventing direct linear overwriting of addresses can |
112 |
> be "circumenvented" as we all know. |
113 |
> even address space layout randomization, basically moving round and |
114 |
> round of ELF segments and making the memory address relocations not |
115 |
> writable with PIC compilation, can be information leaked. |
116 |
> |
117 |
> it is not possible to employ bounds checkers like the "mudflap" gcc or |
118 |
> other solutions. |
119 |
> |
120 |
> it is just a compromise between speed and security. |
121 |
Thats always true :) |
122 |
Really always? |
123 |
|
124 |
If transfering mail would be secure (no spam possible) the internet would be |
125 |
faster (no trillionsibytes of spam traffic). Hm. |
126 |
|
127 |
> you inspired me |
128 |
Finally i did something useful :) |
129 |
|
130 |
> and what has come into my mind is some kind of "hybrid" |
131 |
> solution where we run the preprocessed source through some kind of |
132 |
> "bounds checking sandbox" which evaluates the possible program flows in |
133 |
> terms of trees (gcc people can explain more about this) and evaluate the |
134 |
> pointers at each point of execution. |
135 |
Thats nearly what i wanted to say but could not express :) |
136 |
I tried to explain above. |
137 |
|
138 |
Thank you for your positive words. |
139 |
|
140 |
Jan |
141 |
|
142 |
|
143 |
-- |
144 |
gentoo-hardened@g.o mailing list |