1 |
On Thu, 20 Feb 2014 22:59:59 +0200 Alan McKinnon wrote: |
2 |
> On 20/02/2014 22:41, Nicolas Sebrecht wrote: |
3 |
> > On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: |
4 |
> > |
5 |
> >> And this point is one of the highest security benefits in real world: |
6 |
> >> one have non-standard binaries, not available in the wild. Most |
7 |
> >> exploits will fail on such binaries even if vulnerability is still |
8 |
> >> there. |
9 |
> > |
10 |
> > While excluding few security issues by compiling less code is possible, |
11 |
> > believing that "non-standard binaries" (in the sense of "compiled for |
12 |
> > with local compilation flags") gives more security is a dangerous dream. |
13 |
> > |
14 |
> |
15 |
> |
16 |
> +1 |
17 |
> |
18 |
> "non-standard binaries" is really just a special form of security by |
19 |
> obscurity. Or alternatively a special form of "no-one will eva figure |
20 |
> out my l33t skillz! Mwahahaha!" |
21 |
|
22 |
Exactly. This is security trough obscurity. I never claimed this is |
23 |
an ultimate or a sufficient way to protect a system. But this is just |
24 |
a single of many multiple layers which can be used to provide |
25 |
acceptable security level. |
26 |
|
27 |
> Which is a very poor stance to take. |
28 |
> |
29 |
> The total amount of code not compiled by setting some USE flags off is |
30 |
> on the whole not likely to be very much, and hoping with finger crossed |
31 |
> that the next weakness in a package will just happen to fall within a |
32 |
> code path that got left out by USE flags is a fools dream. |
33 |
|
34 |
You mare compare binary sizes for e.g. openldap (and all its |
35 |
libraries) with minimal and full (USE="-minimal *") setup. Quite |
36 |
impressive, not to count all external so libraries involved. |
37 |
|
38 |
> I'm glad you mentioned this Andrew, because the internets are full of |
39 |
> stupid advice like this "non-standard binary" nonsense. |
40 |
|
41 |
Are you considering Bruce Schneier's advice as a stupid nonsense? In |
42 |
his "Applied cryptography" he recommended one of the ways to |
43 |
straighten a system: to use not so frequently used algorithms instead |
44 |
of selected standards because less frequently used algorithms has no |
45 |
better math but are less targeted, have less specialized hardware |
46 |
built to crack them and so on. |
47 |
|
48 |
> Yes, the |
49 |
> arguments at face value are difficult to refute with hard facts, but |
50 |
> those that do not known it is stupid are easily led into a sense of |
51 |
> false security, doesn't matter how many disclaimers are tagged on the end. |
52 |
> |
53 |
> I reckon it's the duty of all knowledgeable sysadmins to stamp out this |
54 |
> crap HARD every time it raises it's head. To the user who brought it up |
55 |
> - this might seem overly harsh but I've yet to find a better method that |
56 |
> actually works and gets through to people. |
57 |
|
58 |
I never talked about a sense of security just because system has |
59 |
non-standard binaries. I talked about high variance which brings a |
60 |
_bit_ more security. And I'm talking not from some theorizing, but |
61 |
from practical experience on both ends (data protection and |
62 |
legitimate system forensics). |
63 |
|
64 |
Have you ever considered how systems became broken in the wild? The |
65 |
most common way (in numbers of hosts, not significance) are automated |
66 |
robots and botnets. They just scan the net, try to bruteforce any |
67 |
login service they found and try to apply any exploit appropriate |
68 |
from their database. If one have a widely used and improperly |
69 |
configured (or not timely updated) setup, it will be hacked this way. |
70 |
|
71 |
The key point of any attack is *cost*, is *money* one needs to spend |
72 |
for an attack. Automated attacks are cheap and such _simple |
73 |
and cheap_ measures as obscured binaries and non-standard (e.g. ssh) |
74 |
ports will stop most of these attacks. This way it will cost _more_ |
75 |
for the attacker to break into protected system and with raise of an |
76 |
attack cost system protection level also rises. |
77 |
|
78 |
Of course, obfuscation is _not_ sufficient for system protection. |
79 |
This is just one small step forward. I don't want to discuss full |
80 |
scope of server protection issues, because this is far out of the |
81 |
topic of this discussion and because measures needed are task- |
82 |
dependent. |
83 |
|
84 |
However I want to notice one critical security issue quite common for |
85 |
production servers: an old software. It doesn't matter how many |
86 |
protection layers system have, how skilled person configured it was. |
87 |
When software is old it is quite trivial to look up for CVEs and |
88 |
break the system. Quite practical encounter from my own experience: I |
89 |
was asked to legitimately obtain root on the box (admin forgot |
90 |
password, reboot (with init=/bin/bash) was not an option and root |
91 |
access was needed for reconfiguration); a box was a year old RHEL |
92 |
with SELinux enforced. Third kernel exploit worked perfectly (I just |
93 |
found them on the net, not bothered to code myself). Such trivia with |
94 |
Gentoo and its custom binaries is not possible. And Gentoo is quite |
95 |
good with recent software updates (RH sometimes is too slow with |
96 |
critical kernel/libc issues). |
97 |
|
98 |
Old software is evil. It doesn't matter how good and tested it _was_. |
99 |
Variety and diversity are quite important for real word systems |
100 |
protection. |
101 |
|
102 |
Of course, it is possible to break _any_ box on the Earth, the |
103 |
only question is how high the cost will be. My point is that Gentoo |
104 |
provides native techniques to raise the attack cost. That's all. |
105 |
|
106 |
Best regards, |
107 |
Andrew Savchenko |