codeblog code is freedom — patching my itch

2/18/2010

data mining for NX bit

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

9% of Ubuntu systems that were used to report bugs that included their /proc/cpuinfo file need to fix their BIOS settings to gain the NX bit.

Check for yourself. (Run it with --verbose for useful details.)

Out of 7511 Ubuntu bugs Brian Murray collected for me that included /proc/cpuinfo files, there were 7270 unique contents (which surprised me — I was expecting this to be much lower).

  • 5 (0.07%) were non-x86.
  • 1 (0.02%) had corrupted contents (likely due to a search/replace in apport gone awry).
  • 5670 (77.99%) had NX (this also surprised me — I was not expecting it to be so high).
  • 337 (4.64%) lacked PAE, and so cannot have NX (I didn’t expect this to be so low; Ubuntu bug reporters must have relatively recent hardware overall).
  • 595 (8.18%) had PAE and correctly lacked NX (I didn’t expect this to be so high — PAE without NX is a bit more common than I’d hoped; hopefully these systems are running 32bit kernels to at least get the partial NX emulation).
  • 662 (9.1%) had PAE but incorrectly lacked NX.

It’s this last group of systems I’m hoping to get fixed through education.

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2/9/2010

easy example of filesystem capabilities

Filed under: Blogging,Debian,Networking,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

Instead of using setuid programs, the goal for the future is to use fine-grained capabilities. For example, here is /bin/ping:

$ ls -la /bin/ping
-rwsr-xr-x 1 root root 35680 2009-11-05 00:41 /bin/ping
$ ./ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.041 ms

$ sudo setcap CAP_NET_RAW=ep /bin/ping
$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
$ ./ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.041 ms

$ dmesg | tail -n1
[212275.772124] warning: `/bin/ping’ has both setuid-root and effective capabilities. Therefore not raising all capabilities.

The best part is that the kernel will choose the set of least privileges when both setuid and capabilities exist. Easy way to transition!

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2/8/2010

rng-tools with TPM

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 7:32 pm

In Ubuntu, I uploaded an rng-tools that supports the RNG in TPM devices (my patch is waiting in Debian). This hardware is available on a bunch of systems, including several Thinkpads and the Intel Q35, Q45 and newer main boards.

While most TPM RNGs aren’t really heavy-duty hardware RNGs, they are at least a mild source of randomness. I’ll be using an entropy key eventually, but for now, the TPM can supplement my collected entropy.

/etc/default/rng-tools:

HRNGDEVICE=/dev/null
RNGDOPTIONS=”–hrng=tpm –fill-watermark=90% –feed-interval=1″

After it’s been running a bit:

Feb 8 19:10:51 linux rngd[13143]: stats: bits received from HRNG source: 6180064
Feb 8 19:10:51 linux rngd[13143]: stats: bits sent to kernel pool: 6166144
Feb 8 19:10:51 linux rngd[13143]: stats: entropy added to kernel pool: 4624608
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2 successes: 309
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2 failures: 0
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2(2001-10-10) Monobit: 0
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2(2001-10-10) Poker: 0
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2(2001-10-10) Runs: 0
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2(2001-10-10) Long run: 0
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS 140-2(2001-10-10) Continuous run: 0
Feb 8 19:10:51 linux rngd[13143]: stats: HRNG source speed: (min=5.207; avg=6.145; max=6.200)Kibits/s
Feb 8 19:10:51 linux rngd[13143]: stats: FIPS tests speed: (min=66.925; avg=75.789; max=112.861)Mibits/s
Feb 8 19:10:51 linux rngd[13143]: stats: Lowest ready-buffers level: 0
Feb 8 19:10:51 linux rngd[13143]: stats: Entropy starvations: 308
Feb 8 19:10:51 linux rngd[13143]: stats: Time spent starving for entropy: (min=3150263; avg=3178447.994; max=3750848)us

And now the kernel entropy pool is high:

$ echo $(cat /proc/sys/kernel/random/entropy_avail)/$(cat /proc/sys/kernel/random/poolsize)
3968/4096

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/24/2010

Google is wardriving

Filed under: Blogging,Debian,General,Networking,Security,Ubuntu,Web — kees @ 8:28 pm

So, a while back, Google started providing location services. This seemed pretty cool, but I kind of ignored it until recently when I was playing with my Android’s location API. With the GPS off, and no cell towers visible (my basement gets terrible cell service), my phone knew within about 500 feet of where it actually was. All I was connected to was my wifi.

Bottom line: it seems that Google, among other methods, is likely wardriving while photographing for Street View. They are now able to pinpoint wifi access points if they happened to see it while driving through your city.

I’m really rather astonished that no one is freaking out about this; I’m a bit unnerved. I implemented the location-of-your-wifi API quickly, so I could terrify myself further. You can do lookups via my location website too, if you want.

UPDATE: yeah, it would seem to be crowd-sourced wifi and cell tower triangulation data. I should say “Google is WarCrowding”.

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/19/2010

Using huludesktop on MythTV

Filed under: Blogging,Security,Ubuntu — kees @ 11:29 am

Based on a friend’s recommendation, I decided I would install Hulu Desktop for my MythTV system.

The MythTV wiki instructions were very good. However, I didn’t like that it was a closed-source binary doing network traffic. (While “system” doesn’t show up in “readelf -r” output, that doesn’t mean it isn’t doing direct syscalls, or manually finding the “system” offset in the libc library, or is vulnerable to overflows, and on and on.) So, to put my mind at ease, I decided to confine it in an AppArmor profile:

#include <tunables/global>

/usr/bin/huludesktop {
#include <abstractions/gnome>
#include <abstractions/audio>
#include <abstractions/nameservice>

/etc/huludesktop/** r,
@{HOME}/.huludesktop rwkl,
@{HOME}/.local/share/.huludesktop.data rwkl,
@{HOME}/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/*.hulu.com/** r,
@{HOME}/.macromedia/Flash_Player/#SharedObjects/ r,
@{HOME}/.macromedia/Flash_Player/#SharedObjects/*/*.hulu.com/ rw,
@{HOME}/.macromedia/Flash_Player/#SharedObjects/*/*.hulu.com/** rwkl,

# MythTV is already managing the screensaver
deny /usr/bin/xdg-screensaver x,
}

Additionally, I disabled its executable stack, which seems to serve no purpose:
$ sudo execstack -c /usr/bin/huludesktop

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/25/2009

happy holidays 2009!

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 9:19 pm

Happy Holidays!

Or, as my firewall reported this morning:

Dec 25 04:39:18 firewall kernel: [1054241.000084] sd 2:0:0:0: [sda] ABORT operation started
...
Dec 25 04:40:10 firewall kernel: [1054292.072173] raid1: sdb2: redirecting sector 3490144 to another mirror

I guess I’m getting my firewall a new hard drive for Christmas. :)

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/16/2009

headache empathy

Filed under: Blogging,Debian,Multimedia,Ubuntu — kees @ 9:20 pm

Run “gstreamer-properties“, click the “Video” tab, change Default Input Plugin to “Custom”, and add this Pipeline:

v4l2src ! ffmpegcolorspace ! vertigotv ! ffmpegcolorspace

Now when Empathy video-chatting with a friend, you can give them a headache!

Or give yourself a headache by trying it directly from the command line:

gst-launch v4l2src ! ffmpegcolorspace ! vertigotv ! ffmpegcolorspace ! xvimagesink

Feel free to replace “vertigotv” with any other or more of the video effects listed in “gst-inspect effectv“.

Here’s me with edgetv ! vertigotv:

Edge Vertigo

© 2009 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/7/2009

Larson Scanner on Arduino

Filed under: Blogging,Embedded,Ubuntu — kees @ 8:58 am

Inspired by the Larson Scanner project, I finally broke out my Arduino and ported the code from the ATtiny to the ATmega. (The Arduino IDE runs fine with openjdk-6.) I’m sure the power usage is terrible, but I wasn’t after long battery life. I wanted my very own Cylon eye.

DorkBoard running the Cylon eye

Since I was successful with porting the code and wiring up the Arduino, I figured I’d see if the tiny Arduino-clone called the “DorkBoard” would work with it too.

Later in the weekend I grabbed a AAA-battery holder and hooked that up so the eye is untethered from the USB power source. Next up, coding the pesky self-awareness.

© 2009 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

9/12/2009

uninstall sun-java6

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 11:59 am

With the vrms meme raging on Planet Ubuntu, I noticed some people still have sun-java6 installed. I’ve been using openjdk-6 since Hardy, and everything I use works fine with it (e.g. Vuze, Catan, Eclipse, FreeMind, and even Facebook’s photo uploader thing). Given the Ubuntu Tech Board’s “remove sun-java6 from the archive” Agenda item, it’s possible sun-java6 (being redundant and orphaned) would go away in Ubuntu Karmic (sun-java5 is already gone because Sun will drop support for it in October, and sun-java6 is not far behind).

I’ve heard some noises about openjdk-6 not working for people, but I haven’t actually seen any direct technical evidence of something working in one and not the other. Seeing as Jaunty’s OpenJDK was certified by Sun, it would be very interesting to find failures, as this would indicate that Sun’s certifications are missing something.

Looking for examples of failures in Google, I couldn’t find anything with obvious test-cases that failed with openjdk-6. I suspect I’m just not trying hard enough, but I’m curious what other people have run into.

Test for yourself:

sudo apt-get purge sun-java6-jdk sun-java6-jre sun-java6-bin sun-java6-plugin
sudo apt-get install openjdk-6-jdk icedtea6-plugin

(Don’t forget to restart your browser.)

© 2009 – 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

9/10/2009

vrms meme: 15.2%

Filed under: Blogging,Ubuntu — kees @ 6:57 pm

Inspired by Jorge, I decided to see how high a vrms score I could manage. I started with a minimal chroot (via mk-sbuild-lv), and did:

$ sudo -s
# echo "deb http://archive.canonical.com/ jaunty partner" >> /etc/apt/sources.list
# sudo apt-get update
# apt-get --no-install-recommends install $(grep ^Package /var/lib/apt/lists/*{multiverse,partner}*Packages | awk '{print $NF}' | sort -u | egrep -v '^(ttf-lucida|crafty-books-medium|crafty-books-small|festvox-rablpc8k|kxmame|funguloids|ltsp-controlaula|mplayer-nogui|ora2pg|python-pygpu|sdlmame|sdlmame-tools|linux-rt|e-uae|e-uae-dbg|sun-java5-fonts|sun-java6-fonts)$')

Since we want to minimize free packages, I added --no-install-recommends since it would only pull in free stuff (since I was already installing all of multiverse and partner directly). I tried to solve conflicts by making choices that would install the maximum number of packages. After installing 10G worth of packages, I had my results:

# vrms | grep ^[a-z0-9] | wc -l
514
# vrms | tail -n2
342 non-free packages, 15.2% of 2252 installed packages.
172 contrib packages, 7.6% of 2252 installed packages.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

7/31/2009

blocking module loading

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 11:47 am

New for Linux 2.6.31 (and Ubuntu 9.10) is the ability to throw a one-way toggle to block module loading via /proc/sys/kernel/modules_disabled:

# uname -a
Linux sec-karmic-amd64 2.6.31-4-generic #23-Ubuntu SMP Mon Jul 27 18:39:59 UTC 2009 x86_64 GNU/Linux
# lsmod | head -n3
Module Size Used by
binfmt_misc 10220 1
ppdev 8200 0
# cat /proc/sys/kernel/modules_disabled
0
# modprobe usb-storage
# lsmod | head -n3
Module Size Used by
usb_storage 65600 0
binfmt_misc 10220 1
# echo 1 > /proc/sys/kernel/modules_disabled
# rmmod usb-storage
ERROR: Removing 'usb_storage': Operation not permitted
# modprobe zlib_deflate
FATAL: Error inserting zlib_deflate (/lib/modules/2.6.31-4-generic/kernel/lib/zlib_deflate/zlib_deflate.ko): Operation not permitted
# echo 0 > /proc/sys/kernel/modules_disabled
bash: echo: write error: Invalid argument
# cat /proc/sys/kernel/modules_disabled
1

The intent is for this to allow paranoid server admins (or other people not expecting to hot-plug new hardware or kernel services) the ability to block module loading without compiling a monolithic kernel.

This kind of thing used to be available through the “lcap” utility modifying the global capability bounding set (which was removed in 2.6.25), but init could always be made to turn it back on.

Combined with the removal of /dev/kmem and the hardening of /dev/mem, this closes another kernel rootkit door. It’s not a cure-all, but it’s another layer.

Now we just have to figure out ways to stamp out unexpected ioport-triggered DMA access.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

7/16/2009

Diminished Dapper

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 10:18 am

Dapper has reached it’s half-way support age. This means that only shipped server packages are getting official support. If you’re still running Dapper, upgrade to Hardy (and then consider upgrading through Intrepid to Jaunty too, since Intrepid and newer has awesome compiler defaults).

Looking back through my build logs, I can see that my desktop spent 51 hours, 48 minutes, and 37 seconds building 389 security updates. As before, these times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc.

Current combined devel/security build standings per release:

hardy: 172:23:11
intrepid: 85:34:53
jaunty: 20:11:53

Thank you Dapper Desktop! I am reminded what you look like each time I start a Dapper VM. If not for that, my memory of you would have diminished long ago.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/19/2009

recording from PulseAudio

Filed under: Blogging,Debian,General,Multimedia,Ubuntu — kees @ 11:42 am

Every PulseAudio “Sink” has a “Source” named “monitor”. This lets you attach to a given Sink and chain more stuff to it, for example, recording the audio that is playing through PulseAudio at any given moment. This is very handy for creating, for example, PubQuiz-style clips of songs, movies, etc.

Here is a script to find the monitor for the most recently added Sink, record from it, and shove it through “sox” to get a WAV instead of raw sound data (requires recent sox, Pulse, etc):

#!/bin/bash
WAV="$1"
if [ -z "$WAV" ]; then
    echo "Usage: $0 OUTPUT.WAV" >&2
    exit 1
fi
rm -f "$WAV"

# Get sink monitor:
MONITOR=$(pactl list | egrep -A2 '^(\*\*\* )?Source #' | \
    grep 'Name: .*\.monitor$' | awk '{print $NF}' | tail -n1)
echo "set-source-mute ${MONITOR} false" | pacmd >/dev/null

# Record it raw, and convert to a wav
echo "Recording to $WAV ..."
echo "Close this window to stop"
parec -d "$MONITOR" | sox -t raw -r 44k -sLb 16 -c 2 - "$WAV"

© 2009 – 2011, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/17/2009

Goodbye Gutsy

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 3:05 pm

(In reading my prior EOL posts, I realize I should have said “Enough Edgy” or something like that to be appropriately alliterative.)

Gutsy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 25 hours, 6 minutes, and 47 seconds building 208 security updates. (And 18 hours, 23 minutes, 45 seconds doing 335 builds during the Gutsy devel window.) As before, these times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc.

Current combined devel/security build standings per release:

dapper: 51:27:29
hardy: 171:21:40
intrepid: 84:23:19
jaunty: 18:43:09

Thank you Gutsy! You were much nicer than Feisty, especially for wifi on my poor laptop.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

4/9/2009

CODEGATE 2009 ran Ubuntu Intrepid

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 9:05 pm

I’m pleased to hear than the CODEGATE 2009 International Hacking Contest ran Ubuntu Intrepid for both the qualifying rounds and the final match. The host machine was running the 32bit -server kernel, so NX was active (along with all the other memory-corruption protections). From what I can see the compiled challenges were stack-protected and fortified, so the contestants had to work around that as well as the randomized stack, heap, and library locations. Sounds like it was a fun contest in a real-world situation. All that’s left now is for 64bit to become the standard. And PIE too. I can’t wait to hear more. :)

$ nm cracktris | grep _chk
         U __fprintf_chk@@GLIBC_2.3.4
         U __printf_chk@@GLIBC_2.3.4
         U __sprintf_chk@@GLIBC_2.3.4
         U __stack_chk_fail@@GLIBC_2.4
         U __strcat_chk@@GLIBC_2.3.4
         U __strcpy_chk@@GLIBC_2.3.4

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2/13/2009

World Of Goo compiled on Ubuntu

Filed under: Blogging,Debian,Reverse Engineering,Ubuntu — kees @ 3:44 pm

I first played World of Goo on the Wii. I loved it. Great stuff, reminded me a little of Lemmings, but way way better. Today I found out it’s also available for Linux, and I immediately downloaded it. I was pleased to see a .deb available and thought I’d dig into the binary a little to see how it was put together.

I’m hugely excited to see that it looks like the game was built on Ubuntu Intrepid for both the .deb and .tar.gz packages:

$ strings -a WorldOfGoo.bin | grep -i gcc
...
GCC: (Ubuntu 4.3.2-1ubuntu12) 4.3.2

The bundled libraries appear to come from Gentoo:

$ strings -a libs/libogg.so.0 | grep -i gcc
...
GCC: (GNU) 4.2.3 (Gentoo 4.2.3 p1.0)

OpenSSL (and libpng?) from Gentoo seem to have been statically linked into the binary:

$ strings -a WorldOfGoo
...
GCC: (GNU) 4.2.3 (Gentoo 4.2.3 p1.0)
_x86_AES_encrypt
...

What I’m so very excited about is that third party software producers are using Ubuntu for their releases. This means they get all the security and code-quality improvements that are built into the Ubuntu compiler for free:

$ objdump -CR WorldOfGoo.bin | grep _chk
...
084043f0 R_386_JUMP_SLOT __memcpy_chk

Many thanks to Maks Verver for doing the porting. I’m really enjoying the demo. Also, I can see your devel path! :)

$ strings -a WorldOfGoo.bin | grep openssl
OPENSSLDIR: "/home/maks/Projects/wog/libs/openssl-0.9.8j-linux-i386/ssl"
...

All this said, it may be that they’re actually only compiling pieces (like the Open Dynamics Engine, which seems to contain the bulk of the *_chk calls) on Ubuntu (or using .a files from a distro-compiled library that enables hardening only in builds — RedHat, SuSE), but doing the .deb and .tar.gz project linking on Ubuntu (which is why the compiler name shows up in the resulting binary). The RPM shows the *_chk functions too — actually the disassembly is identical between deb and RPM, which would imply that only final linking was done on the native distros but compiled elsewhere. I’d love to hear more details if Maks stumbles on this blog. :)

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/24/2009

debugging hangs in MIMEDefang

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 3:21 pm

I spent a while this morning hunting down the root cause of a 100% CPU MIMEDefang process. (Turned out to be one specific email triggering one of my custom SpamAssassin rules that seems to get processed really inefficiently.) I wasn’t able to find any documentation on how to debug where in MIMEDefang an email was getting stuck, and even jacking up the debugging output of my mimedefang-filter script seemed to imply it was happening late in the filtering process. After digging through mimedefang.pl, I found a “status reporting” subsystem and tracked it back out into configuration in /etc/default/mimedefang:

# Uncomment next line to have busy slaves send status updates to the
# multiplexor. NOTE: Consumes one extra file descriptor per slave, plus
# a bit of CPU time.
# MX_STATUS_UPDATES=yes

Turning this on, and then using “md-mx-ctrl busyslaves” (I command I didn’t know existed until today either) I got to see exactly where it was stuck:

3 B 13380 (Running SpamAssassin j951iX1t025805)

Now I’m having fun running md-mx-ctl with histo, barstatus, and load. :)

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/1/2009

happy new year, RIP md5

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 10:59 am

Welcome to 2009! Really, seriously, everyone can stop using MD5 now. However, be sure not to overreact. The forged CA research is a great read, but there’s no need to break existing certs. For a calm reaction, please read this.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

12/3/2008

bogosec run on intrepid main

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 10:16 am

Care of Mike Owens and Dustin Kirkland, bogosec has been uploaded to Jaunty (in the NEW queue at the moment). It is a source-code analyzer framework with plugins for lintian, rats, and flawfinder. Out of curiousity, I ran it on all of Intrepid main. Highest 5 scores were:

  1. 0.717338929043293 lsscsi
  2. 0.612729234088457 nevow
  3. 0.561151781356762 powertop
  4. 0.431034482758621 language-pack-tk-base
  5. 0.431034482758621 language-pack-se-base

As Dustin reminded me, bogosec seems biased against smaller code bases. In the case of the lang packs, the score is entirely from lintian. Both lsscsi and powertop deal mostly with input from kernel strings, so while they scored highly, I doubt either is actually vulnerable to very much. I haven’t looked at nevow yet. Also, both rats and flawfinder yell about things that are mitigated by compiler flags (e.g. -D_FORTIFY_SOURCE=2) so those warnings are less interesting too.

Really, this all boils down to “we need better code analyzers”. The best tool will be one that predicts CVE counts (I would expect the Linux kernel to be at the top, since it has the all-time highest number of CVEs filed against it).

To get closer to reality, I think just doing a normal package build and scanning for stderr output would be meaningful (gcc has plenty of built-in checks already). Steve Beattie suggested writing a plugin for sparse, too.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

11/21/2008

directing firefox url opening

Filed under: Blogging,Debian,Ubuntu,Web — kees @ 5:53 pm

A while ago, I found a way to open multiple firefox instances so I could have multiple cookie/password repositories. One issue that plagued me was that when launching URLs from other applications (e.g. liferea, gnome-terminal, etc), the URL would open in the longest running firefox, so if I opened my Browsing instance first, then my Authenticated instance, URLs would open in the Browsing instance. That’s what I wanted.

However, if I had to restart my Browsing instance (like, say, when flash was crashing), URLs would start opening in the Authenticated instance, which I didn’t want. So, I changed the Gnome preferences to run this script when launching a browser:

#!/bin/sh
firefox -p Browsing -remote 'openURL('"$@"')'

Ta-da, URLs are always directed to the “Browsing” instance, regardless of when it was started.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

11/18/2008

md5 lookups for 4 chars and common words

Filed under: Blogging,Debian,Security,Ubuntu,Web — kees @ 8:19 pm

Here’s a fun link. This site appears to have seeded their md5 hash list with all lower case character strings of 4 characters or fewer and many english words (probably from some large dictionaries), and they seem to be adding more as they go. This makes me want to put up an interface to the 7 character alpha-numeric-plus-many-special-chars rainbow table I’ve got. But searching the 500G table for a single hash takes… a while. I’d need to batch it up. Go-go-gadget web 2.0!

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

11/11/2008

phrase from nearest book meme

Filed under: Blogging,Debian,General,Ubuntu — kees @ 12:42 pm

Meme from Jono:

  • Grab the nearest book.
  • Open it to page 56.
  • Find the fifth sentence.
  • Post the text of the sentence in your journal along with these instructions.
  • Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

My result:

“The term linear just means that each output bit of the mixing function is the XOR of several of the input bits.”Practical Cryptography, Niels Ferguson, Bruce Schneier.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

11/9/2008

“rooting” the HTC G1 Android

Filed under: Blogging,Debian,Embedded,Security,Ubuntu,Vulnerabilities — kees @ 10:27 am

People noticed that running telnetd seemed to run as root. Later it was discovered that everything you typed was being run by the root user also. So, that ends the first mystery: when you typed “telnetd” both the Terminal user and root ran it. It would fail (without error messages) for the Terminal user, and run successfully for the root user. So now, the question is, what the f is a root shell doing mirroring user input?!

So, there is a much easier way to get root that doesn’t require network connectivity. While the /sdcard mount point is nosuid,noexec, it’ll still run scripts if you explicitly direct them to run. It seems that the weird background root shell doesn’t understand the alt-keys, so it can only run stuff that can be typed without using alt, shift, etc. So, put the following in /sdcard/pwn:


mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cd /system/bin
cat sh > sh.root
chmod 4755 sh.root
mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system

You can either do this by dropping the file in place over USB mass storage, or you can type it via the Terminal using “cat“. (Rebooting here might help get the root shell in a sane state.) Finally, just navigate there without slashes and run the script:


$ cd sdcard
$ sh pwn

You’ll see lots of errors (but these are only from the Terminal user). The script is, however, run by the root shell too. You can verify the results:


$ ls -l /system/bin/sh*
-rwxr-xr-x root          shell     86936 2008-09-13 00:13 sh
-rwsr-xr-x root          root      86936 2008-11-09 10:12 sh.root

Next up: cross-compiling a little helper to elevate to real UID 0, and require a password to keep malware from looking for setuid shells.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

11/3/2008

days since last incident…

Filed under: Blogging,Debian,Networking,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

If I made one of those work-site signs that tracked “Days since last incident”, and made one for “Days since last in-the-wild remote-root worm” for Windows and Linux, what would they each say? 0 and 7304 respectively?

Update: while the post was tongue-in-cheek (everyone suffers when any large subset of computers is being attacked), I should lower the Linux days count to 2783 (for L10n on March 23, 2001, which is slightly newer than Ramen on January 17, 2001). Thanks for everyone’s comments. :)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/30/2008

how to drain your entropy and have fun with ssh fingerprint ASCII-art

Filed under: Blogging,Debian,General,Ubuntu,Ubuntu-Server — kees @ 10:48 am

SSH’s new “VisualHostKey” option (in Ubuntu Intrepid and Debian Lenny) is great fun. Normally it is disabled, but it seems that “ssh-keygen” turns it on when generating new keys. In celebration of the Ubuntu release, here is a script to entertain yourself with RSA ASCII-art, care of SSH and your system’s entropy pool:


#!/bin/sh
set -e
DIR=$(mktemp -t -d rsa-art-XXXXXX)
trap "rm -f $DIR/key*; rmdir $DIR" EXIT HUP INT QUIT TERM

while :
do
    ART=$(ssh-keygen -t rsa -f $DIR/key -N "" | tail -n 11)
    rm -f $DIR/key
    /bin/echo -e "\x1Bc"
    echo "$ART"
done

Makes me feel like I’m watching Life. (Use control-C to stop it.)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/21/2008

Feisty Finale

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 3:59 pm

Feisty is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 34 hours, 44 minutes, and 46 seconds building 255 security updates. (And 25 hours, 40 minutes, 13 seconds doing 249 builds during the Feisty devel window.) As before, these times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc.

As a correction to the Edgy EOL post, my desktop actually spent 50:59:40 doing 322 security builds and 04:14:23 doing 84 devel builds.

Current standings:

dapper: 49:42:36
gutsy: 43:14:36
hardy: 166:11:15
intrepid: 70:24:52

As mentioned, these numbers are mixed devel/security times.

Thank you Feisty! You were much more stable than Edgy, even if we didn’t see eye-to-eye about wifi connectivity.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/14/2008

RCS keyword expansion in BZR

Filed under: Blogging,Ubuntu — kees @ 6:04 pm

I’m going to need to look into keyword expansion in bzr. I use $Id:$ and $Revision:$ headers in a bunch of the files I shove out to web servers. Switching to bzr has caused me to lose that for the time-being. I probably don’t want it enabled in all my repositories, so this is really just a reminder to my future self to investigate it further.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/10/2008

the goal is freedom

Filed under: Blogging,Ubuntu — kees @ 10:37 am

I’m proud of Ubuntu, but I’m always a little sad when I see news items like this.

I don’t want to see everyone who contributes to the World Resource Institute and the Conservation International Foundation to start giving entirely to the Greenpeace Fund. They’re all doing fantastic work and doing it in slightly different ways. Changing allocation between these organizations doesn’t have any real benefit.

I want to see the news of everyone moving their money out of Exxon and General Motors and putting it into the things linked above or anything like them. Then big stuff starts happening; multinationals have less to work with and environmental groups have more. That’s a win.

Organizations moving from Free Software to Free Software is a distraction. There is no net gain; there is no more freedom; there are no more users and no more chances to create new Free Software developers. It is news when an organization moves from proprietary software to Free. That’s important, and we should stay focused on that goal.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

9/13/2008

their names are…

Filed under: Blogging,Ubuntu — kees @ 8:05 am

Continuing the meme:

  • lucien – not strictly owned by me, but the first Linux machine I had influence over. Named by my college roommate after Lucien from the Sandman comics, the librarian of The Dreaming. Seemed right for a computer.
  • locutus – this name served multiple machines in late college. It was my desktop at home, at work at Motorola, and at my HP post at UIUC. For a while, all three were simultaneously online. They all had different domain names, so it seemed sensible and little comical. The name itself comes from my infatuation with the Borg of Star Trek fame. Locutus was the first to have an individual designation.
  • clam – given to multiple machines, but both laptops (an ancient Toshiba, and a more recent Mac). Like clamshell mobile phones, laptops look the same.
  • boofis – served as the name for a public XTerm for guests, and later as a desktop machine. This was based on a friend’s alternate word for “thingy” or “dohicky”.
  • naboo – currently the home firewall, but was my desktop when it was new. From the Star Wars planet Naboo.
  • cube – always the home multimedia server hooked to the TV, but has had three incarnations. Originally, it was a Shuttle box, which was, frankly, cube shaped. It was also influenced again by the Borg, and it was around here that I started to notice a strange and unintentional trend in my computer names: they nearly all had an “oou” sound. Since then I’ve usually managed to avoid it, but have tried to include at least 1 if not 2 “o” letters in future computer names.
  • stompy – currently the home disk server, but was my desktop when it was new. Named based on a game my wife and I play with our dogs called Stompy Stompy Bad Thing, in which we slowly approach our dog like a Sumo wrestler, and the dog goes crazy barking and running in circles.
  • ox – current laptop. Compared to the Toshiba from 1999, it’s like an ox, even if now it’s 3 years old itself.
  • gorgon – current desktop. Loosely based on the concept that the most famous gorgon has multiple heads. As this is a 4-way machine, it seemed fitting.
  • nushooz – currently my wife’s desktop, but was mine prior to gorgon, but named differently. Current name is based on the freaky “*pft* New shoes!” line from Twin Peaks.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

9/4/2008

all PIE distro

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 2:00 pm

Major props to NCommander for taking on the painful experiment of getting the entire Ubuntu Intrepid archive rebuilt with PIE on amd64. After getting all the other hardening defaults enabled for Intrepid, PIE is the last on the original list for enabling “by default”. Due to the overhead of PIE on i386, it’s really only an option on architectures with lots of general registers.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

« Newer PostsOlder Posts »

Powered by WordPress