| 1 |
On Thu, 20 Feb 2014 22:59:59 +0200 Alan McKinnon wrote: |
| 2 |
> On 20/02/2014 22:41, Nicolas Sebrecht wrote: |
| 3 |
> > On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: |
| 4 |
> > |
| 5 |
> >> And this point is one of the highest security benefits in real world: |
| 6 |
> >> one have non-standard binaries, not available in the wild. Most |
| 7 |
> >> exploits will fail on such binaries even if vulnerability is still |
| 8 |
> >> there. |
| 9 |
> > |
| 10 |
> > While excluding few security issues by compiling less code is possible, |
| 11 |
> > believing that "non-standard binaries" (in the sense of "compiled for |
| 12 |
> > with local compilation flags") gives more security is a dangerous dream. |
| 13 |
> > |
| 14 |
> |
| 15 |
> |
| 16 |
> +1 |
| 17 |
> |
| 18 |
> "non-standard binaries" is really just a special form of security by |
| 19 |
> obscurity. Or alternatively a special form of "no-one will eva figure |
| 20 |
> out my l33t skillz! Mwahahaha!" |
| 21 |
|
| 22 |
Exactly. This is security trough obscurity. I never claimed this is |
| 23 |
an ultimate or a sufficient way to protect a system. But this is just |
| 24 |
a single of many multiple layers which can be used to provide |
| 25 |
acceptable security level. |
| 26 |
|
| 27 |
> Which is a very poor stance to take. |
| 28 |
> |
| 29 |
> The total amount of code not compiled by setting some USE flags off is |
| 30 |
> on the whole not likely to be very much, and hoping with finger crossed |
| 31 |
> that the next weakness in a package will just happen to fall within a |
| 32 |
> code path that got left out by USE flags is a fools dream. |
| 33 |
|
| 34 |
You mare compare binary sizes for e.g. openldap (and all its |
| 35 |
libraries) with minimal and full (USE="-minimal *") setup. Quite |
| 36 |
impressive, not to count all external so libraries involved. |
| 37 |
|
| 38 |
> I'm glad you mentioned this Andrew, because the internets are full of |
| 39 |
> stupid advice like this "non-standard binary" nonsense. |
| 40 |
|
| 41 |
Are you considering Bruce Schneier's advice as a stupid nonsense? In |
| 42 |
his "Applied cryptography" he recommended one of the ways to |
| 43 |
straighten a system: to use not so frequently used algorithms instead |
| 44 |
of selected standards because less frequently used algorithms has no |
| 45 |
better math but are less targeted, have less specialized hardware |
| 46 |
built to crack them and so on. |
| 47 |
|
| 48 |
> Yes, the |
| 49 |
> arguments at face value are difficult to refute with hard facts, but |
| 50 |
> those that do not known it is stupid are easily led into a sense of |
| 51 |
> false security, doesn't matter how many disclaimers are tagged on the end. |
| 52 |
> |
| 53 |
> I reckon it's the duty of all knowledgeable sysadmins to stamp out this |
| 54 |
> crap HARD every time it raises it's head. To the user who brought it up |
| 55 |
> - this might seem overly harsh but I've yet to find a better method that |
| 56 |
> actually works and gets through to people. |
| 57 |
|
| 58 |
I never talked about a sense of security just because system has |
| 59 |
non-standard binaries. I talked about high variance which brings a |
| 60 |
_bit_ more security. And I'm talking not from some theorizing, but |
| 61 |
from practical experience on both ends (data protection and |
| 62 |
legitimate system forensics). |
| 63 |
|
| 64 |
Have you ever considered how systems became broken in the wild? The |
| 65 |
most common way (in numbers of hosts, not significance) are automated |
| 66 |
robots and botnets. They just scan the net, try to bruteforce any |
| 67 |
login service they found and try to apply any exploit appropriate |
| 68 |
from their database. If one have a widely used and improperly |
| 69 |
configured (or not timely updated) setup, it will be hacked this way. |
| 70 |
|
| 71 |
The key point of any attack is *cost*, is *money* one needs to spend |
| 72 |
for an attack. Automated attacks are cheap and such _simple |
| 73 |
and cheap_ measures as obscured binaries and non-standard (e.g. ssh) |
| 74 |
ports will stop most of these attacks. This way it will cost _more_ |
| 75 |
for the attacker to break into protected system and with raise of an |
| 76 |
attack cost system protection level also rises. |
| 77 |
|
| 78 |
Of course, obfuscation is _not_ sufficient for system protection. |
| 79 |
This is just one small step forward. I don't want to discuss full |
| 80 |
scope of server protection issues, because this is far out of the |
| 81 |
topic of this discussion and because measures needed are task- |
| 82 |
dependent. |
| 83 |
|
| 84 |
However I want to notice one critical security issue quite common for |
| 85 |
production servers: an old software. It doesn't matter how many |
| 86 |
protection layers system have, how skilled person configured it was. |
| 87 |
When software is old it is quite trivial to look up for CVEs and |
| 88 |
break the system. Quite practical encounter from my own experience: I |
| 89 |
was asked to legitimately obtain root on the box (admin forgot |
| 90 |
password, reboot (with init=/bin/bash) was not an option and root |
| 91 |
access was needed for reconfiguration); a box was a year old RHEL |
| 92 |
with SELinux enforced. Third kernel exploit worked perfectly (I just |
| 93 |
found them on the net, not bothered to code myself). Such trivia with |
| 94 |
Gentoo and its custom binaries is not possible. And Gentoo is quite |
| 95 |
good with recent software updates (RH sometimes is too slow with |
| 96 |
critical kernel/libc issues). |
| 97 |
|
| 98 |
Old software is evil. It doesn't matter how good and tested it _was_. |
| 99 |
Variety and diversity are quite important for real word systems |
| 100 |
protection. |
| 101 |
|
| 102 |
Of course, it is possible to break _any_ box on the Earth, the |
| 103 |
only question is how high the cost will be. My point is that Gentoo |
| 104 |
provides native techniques to raise the attack cost. That's all. |
| 105 |
|
| 106 |
Best regards, |
| 107 |
Andrew Savchenko |
Archives