Security
FOSDEM'10: Maemo 6 platform security
One of the keynote speakers at FOSDEM 2010 in Brussels was Elena Reshetova, a senior security engineer at the Nokia Maemo Security team. Last October at the Maemo Summit 2009, she gave a short introduction to Maemo 6 Platform Security, a set of mechanisms and techniques to protect the Maemo 6 platform; at FOSDEM she gave a more technical overview.
Security of a platform depends on a whole "stack" of solutions: at the bottom there are hardware enablers, such as a TPM (Trusted Platform Module) chip in PCs. On top of that, software implements integrity protection, layered above that is access control, and then privacy protection. On each of these levels, the platform needs key management for encryption and signing keys, and all this is coordinated by a particular security policy. For Maemo 6, Nokia is working on this whole security stack.
DRM
It's no secret that Nokia wants to attract a larger commercial offering to its application store for Maemo. Therefore, the security framework of Maemo 6 will enforce DRM (digital rights management or digital restrictions management, depending on the viewpoint) policies. According to Elena, this is needed to be able to attract a larger developer offering: "DRM will enable a lot more use cases for Maemo devices, such as games and commercial applications."
Talk of DRM usually means locking down the platform. Elena assured the assembled open source audience that Maemo remains an open source platform, even when DRM comes into play. Maemo 6 will have two device modes. One mode has DRM protection, which means that users can't tinker with their platform. But there will also be an open source mode, which will have the same functionality as Maemo 5 on the N900. In this mode, users are free to hack their device, compile and flash their own kernel, define their own security policy, and do low-level platform development. However, they won't be able to run protected software or play protected media files.
The Maemo 6 device's boot process is assisted by a hardware enabler: the ARM TrustZone security extension to the ARM Cortex-A8 processor creates a trusted execution environment (TrEE) with two main keys: a root public key and a root device-specific key. The boot ROM of the device checks the integrity of the boot loader and refuses to load it if it has been tampered with. Incidentally, this means that users cannot swap out Nokia's boot loader for another one. If Nokia's loader passes the integrity check, it in turn checks the integrity of the software (including Nokia's kernel). If that check fails (e.g. the user compiled a custom kernel that isn't signed by Nokia) and the device is SIM locked by the carrier, the device refuses to boot. If the integrity check fails and the device is not SIM locked, then it boots the unsigned software image with restricted security functionality: the DRM keys are disabled, so that content from the closed mode can't be decrypted.
So, in open mode, the user cannot run DRM-protected software purchased from the Ovi Store or play music bought from the Nokia Comes With Music store. Only if the software verifies as the image shipped by Nokia does the boot loader start the Nokia-signed software image (including the kernel, root file system and important system components like drivers and the Application Manager), which has the DRM keys enabled and thus can decrypt DRM-protected content.
This system gives users a choice. Users who want full access to their devices will still have it in Maemo 6, just as now, but without access to DRM-protected services. Users can also switch between the open and closed modes (e.g. between a 'community' kernel and Nokia's kernel), so that after working in the open mode, they can return to the DRM-protected mode to play some music. If an application doesn't use the protected storage but just stores its data as plain files in the file system, as most non-commercial applications will do, those files are accessible in both modes. Switching modes requires rebooting the device, though, because the integrity checks of the software are done by the boot loader.
A new kind of access control
Because Maemo is close to a standard Linux distribution, it is no surprise that Nokia has taken a close look at the classical Linux and UNIX access control mechanisms and their extensions. The classical UNIX access control mechanisms are discretionary access controls (DAC) and were created primarily for servers and desktops with multiple users. Nokia's criteria for its Maemo platform, which is essentially a single-user system, are completely different. For starters, Elena mentioned that the platform needs mandatory access control at the process level: processes should be protected from other processes. Moreover, it needs a good level of flexibility and granularity, and all of that should require only minimal changes to the current Linux DAC model Maemo uses.
Nokia's engineers looked at existing security extensions, such as FreeBSD access controls, MLS, Biba, SELinux, RBAC, AppArmor and TOMOYO Linux, but none of them were a good match to Nokia's requirements. For example, SELinux has fine-grained access control, but needs large, complex policies that require filesystem extended attributes to store the metadata. Moreover, most of these mechanisms don't provide protection from off-line attacks, which is crucial for a mobile device.
So the main goal of Nokia's engineers was to create a lightweight system on top of existing Linux security mechanisms, while requiring the smallest possible changes to existing applications. The Maemo 6 security system starts from the principle of least privilege: every application should be able to access only the limited set of resources it needs. Therefore, there will be a list of protected resources, and any application that wants to use them will have to declare that in an "Aegis Manifest" file. This is an optional XML file (new as part of the Maemo 6 security model) inside a Debian package, generated automatically by the Maemo SDK (Software Development Kit) based on the source code. That means that developers don't have to worry about it and don't have to change their code. According to Elena, the full list of protected resources is not yet finalized, but components like cellular functionality or location information will be on that list. The former should be protected because misuse could harm the device, while the latter should be protected because misuse could cause harm to the user.
Secure software distribution
The Maemo 6 security framework also has a solution for secure software distribution. Each package has a "software source", which can be a software repository or a home page of the software author. Each known software source has an asymmetric key pair: the private key that has been used to sign the package, and the public key used to verify this package. On top of that, each software source is assigned a trust level. Updating a specific package is only possible from the same software source or from a software source with a higher trust level.
All of this is configured in the Aegis security policy, which contains the mapping between software sources and what the software is allowed to do. So while each application can declare the access control rights it needs in its Aegis Manifest file, ultimately the Aegis security policy decides whether these access control rights are granted, based on the risk level associated with the software source.
For example, software from the Ovi Store is assigned a different trust level than software from maemo.org or the home page of an arbitrary software package. The Aegis security policy is accessible only to the application installer and can only be changed by an authorized update, meaning that the trust levels cannot be changed by the user but only by Nokia. Users always have the option to run the device in the open mode, which gives them the capability to define their own security policy.
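The software-source model of the three paragraphs above, worked through as an added example (this is not Nokia's or Aegis's code): packages carry a manifest of requested credentials, the installer establishes the source by verifying the signature rather than trusting the package's own claim, the policy then decides which requested credentials that source may grant, and an update is accepted only from the same source or one with a higher trust level. The policy values, the manifest layout and the use of an HMAC secret in place of each source's asymmetric key pair are assumptions of this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed policy for this example: trust levels and the protected resources
# each software source may grant. None of these values are Nokia's actual policy.
POLICY = {
    "ovi-store":        {"trust": 3, "grants": {"Cellular", "Location"}},
    "maemo.org":        {"trust": 2, "grants": {"Location"}},
    "unknown-homepage": {"trust": 1, "grants": set()},
}
# Stand-in for each source's signing key: an HMAC secret replaces the asymmetric
# key pair the page describes, since the standard library has no public-key code.
SOURCE_KEYS = {name: hashlib.sha256(("key:" + name).encode()).digest() for name in POLICY}
# Assumed manifest layout: one <credential name="..."/> per protected resource.
MANIFEST = (b'<aegis><request>'
            b'<credential name="Cellular"/><credential name="Location"/>'
            b'</request></aegis>')

def sign_package(source, payload, manifest=MANIFEST):
    """Build a constructed package. The signature covers payload and manifest
    together, so the manifest cannot be swapped after signing."""
    tag = hmac.new(SOURCE_KEYS[source], payload + manifest, hashlib.sha256).hexdigest()
    return {"source": source, "payload": payload, "manifest": manifest, "sig": tag}

def verified_source(pkg):
    """The trust level follows from the key that verifies, never from the package's
    own 'source' field; returns None when nothing verifies."""
    key = SOURCE_KEYS.get(pkg["source"])
    if key is None:
        return None
    expected = hmac.new(key, pkg["payload"] + pkg["manifest"], hashlib.sha256).hexdigest()
    return pkg["source"] if hmac.compare_digest(expected, pkg["sig"]) else None

def requested_credentials(manifest):
    """Protected resources the application declares in its manifest."""
    return {c.get("name") for c in ET.fromstring(manifest).iter("credential")}

def may_update(installed_source, new_source):
    """Updates are accepted only from the same source or one with a higher trust level."""
    return (new_source == installed_source
            or POLICY[new_source]["trust"] > POLICY[installed_source]["trust"])

def install(installed, name, pkg):
    """Installer decision. `installed` maps package name -> source of the version
    already on the device, and is updated on success."""
    source = verified_source(pkg)
    if source is None:
        return {"ok": False, "reason": "signature does not verify for the claimed source"}
    if name in installed and not may_update(installed[name], source):
        return {"ok": False, "reason": "%s may not replace a package from %s" % (source, installed[name])}
    wanted = requested_credentials(pkg["manifest"])
    granted = wanted & POLICY[source]["grants"]
    installed[name] = source
    return {"ok": True, "source": source, "granted": granted, "denied": wanted - granted}

def demo():
    """Constructed scenario: install from maemo.org, then attempt three updates."""
    installed = {}
    first = install(installed, "mapapp", sign_package("maemo.org", b"mapapp-1.0"))
    lower = install(installed, "mapapp", sign_package("unknown-homepage", b"mapapp-1.1"))
    forged = sign_package("unknown-homepage", b"mapapp-1.1")
    forged["source"] = "ovi-store"   # claims a trusted source it holds no key for
    spoofed = install(installed, "mapapp", forged)
    higher = install(installed, "mapapp", sign_package("ovi-store", b"mapapp-1.1"))
    return {"first": first, "lower": lower, "spoofed": spoofed, "higher": higher}

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Note that the maemo.org install is accepted but only receives Location, while Cellular is denied: the manifest requests, the policy decides.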
Integrity and privacy protection
Integrity protection is handled by the Aegis Validator. This component ensures the integrity of all executable components, such as binaries and libraries. It not only protects against runtime manipulations, but also against off-line attacks. A kernel module calculates a cryptographic hash, currently SHA-1, of each file. The reference hashes, which come inside the package or can be computed at installation time, are then stored in the Aegis Protected Storage.
The Aegis Protected Storage ensures the integrity of data and configuration files after installation. It can not only be used to sign and verify data, but also to protect the user's privacy by encrypting their data with an encryption key that is stored in hardware. However, applications have to explicitly use the Aegis Protected Storage APIs to place files in the protected storage. The Protected Storage APIs can be used in both of the device's modes, but with an obvious caveat: if an application uses the API to encrypt data in the closed mode, it won't be able to decrypt it in the open mode, and vice versa.
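The interplay of the Validator and the Protected Storage described in the two paragraphs above, as an added example rather than code from Aegis: SHA-1 reference hashes are recorded at install time and sealed with a MAC under a key derived from a constructed device root key, so an offline edit of a binary, or of the reference list itself, is caught, and a list sealed in closed mode does not open in open mode. The per-mode key derivation, the list format and the key value are assumptions of this example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the device root key. On a Maemo 6 device the real key
# sits in ARM TrustZone and never leaves the trusted execution environment.
DEVICE_ROOT_KEY = b"\x5a" * 32

def storage_key(mode):
    """Key that seals protected storage in a device mode ("closed" or "open").
    Assumption: each mode derives its own key, which reproduces the page's caveat
    that data sealed in one mode cannot be opened in the other."""
    return hmac.new(DEVICE_ROOT_KEY, b"aegis-storage:" + mode.encode(), hashlib.sha256).digest()

def file_sha1(path):
    """Per-file digest as the Validator computes it; SHA-1 is the algorithm the page names."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def seal_reference_hashes(paths, mode):
    """Install time: record reference hashes and seal the list with a MAC, so that an
    offline edit of the list itself, not just of a binary, is detectable."""
    payload = "\n".join(sorted("%s %s" % (file_sha1(p), p) for p in paths)).encode()
    tag = hmac.new(storage_key(mode), payload, hashlib.sha256).digest()
    return {"payload": payload, "tag": tag}

def check_executable(path, store, mode):
    """Exec time: returns "ok", or the reason the file must not be run."""
    expected = hmac.new(storage_key(mode), store["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, store["tag"]):
        return "unsealable"   # list edited offline, or sealed in the other device mode
    refs = {}
    for line in store["payload"].decode().splitlines():
        digest, p = line.split(" ", 1)
        refs[p] = digest
    if path not in refs:
        return "unlisted"
    if not hmac.compare_digest(file_sha1(path), refs[path]):
        return "hash-mismatch"
    return "ok"

def demo():
    """Constructed scenario: a binary is installed in closed mode and then edited
    offline; next the reference list is rewritten to match the edited binary; finally
    the original sealed list is read back in open mode."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        store = seal_reference_hashes([exe], "closed")
        clean = check_executable(exe, store, "closed")
        with open(exe, "ab") as f:
            f.write(b"echo edited offline\n")
        modified = check_executable(exe, store, "closed")
        # Whoever edited the file can recompute the list, but without the root key
        # cannot produce a fresh tag, so the old tag no longer matches.
        relisted = {"payload": seal_reference_hashes([exe], "closed")["payload"],
                    "tag": store["tag"]}
        forged = check_executable(exe, relisted, "closed")
        wrong_mode = check_executable(exe, store, "open")
        return {"clean": clean, "modified": modified, "forged_list": forged,
                "open_mode": wrong_mode}

if __name__ == "__main__":
    print(demo())
```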
Open source
Nokia is doing its best to behave like a good citizen in the open source world. Elena said they are offering their security additions to the upstream D-Bus project. In addition, recently Nokia created a Maemo 6 Platform Security project at gitorious.org, and the first available code is from the libcreds library, which allows getting and setting the credentials of another process in a secure way. The credentials that libcreds can handle include the user id, group id, supplementary groups, and capabilities defined by the kernel. At the end of her talk, Elena said that, over time, it is Nokia's goal to open source most of the Maemo 6 security framework.
However, DRM threatens the open nature of the Maemo 6 platform. In her talk, Elena stressed how simple it is to use Platform Security because the user doesn't have to worry about key management. All encryption and signing keys of the platform are ultimately based on hardware keys of the ARM TrustZone. So if users back up their data by a simple one-to-one copy and lose their Maemo 6 device, they can't read their backup anymore. Moreover, given that the device's private key is carved into the hardware in the chip factory, users can't be sure that they are the only one with access to the private key. Users don't have any control over the key, yet Nokia is promoting its Maemo platform as an open platform without restrictions.
Those conflicting signals generated a lot of questions from the audience, many of whom had bad memories of the Trusted Platform Module and "Trusted Computing". So all in all, it looks like the Maemo 6 Platform Security will become a challenge for Nokia's relationship with the Maemo community. Luckily, Nokia is clearly listening to these concerns: the Finnish company has opened a wiki page with questions and official answers about the topic, and it welcomes users to add their questions to the discussion page.
New vulnerabilities
bugzilla: information leak
Package(s): bugzilla
CVE #(s): CVE-2009-3989 CVE-2009-3387
Created: February 9, 2010
Updated: June 4, 2010
Description: From the Bugzilla advisory:
This advisory covers two security issues that have recently been fixed in the Bugzilla code:
+ Some files stored on the web server are not correctly protected against external access and can be viewed from a web browser.
+ Restricting a bug to a group while moving the bug to another product has no effect if the group is not used by both products. The bug may become public if no other group restriction applies.
chrony: multiple vulnerabilities
Package(s): chrony
CVE #(s): CVE-2010-0292 CVE-2010-0293 CVE-2010-0294
Created: February 4, 2010
Updated: February 10, 2010
Description: From the Debian alert:
CVE-2010-0292: chronyd replies to all cmdmon packets with NOHOSTACCESS messages even for unauthorized hosts. An attacker can abuse this behaviour to force two chronyd instances to play packet ping-pong by sending such a packet with spoofed source address and port. This results in high CPU and network usage and thus denial of service conditions.
CVE-2010-0293: The client logging facility of chronyd doesn't limit memory that is used to store client information. An attacker can cause chronyd to allocate large amounts of memory by sending NTP or cmdmon packets with spoofed source addresses, resulting in memory exhaustion.
CVE-2010-0294: chronyd lacks a rate limit control on the syslog facility when logging received packets from unauthorized hosts. This allows an attacker to cause denial of service conditions via filling up the logs and thus disk space by repeatedly sending invalid cmdmon packets.
dokuwiki: cross-site request forgeries
Package(s): dokuwiki
CVE #(s): CVE-2010-0287 CVE-2010-0288 CVE-2010-0289
Created: February 5, 2010
Updated: February 10, 2010
Description: From the Red Hat bugzilla:
The DokuWiki BTS identified another security vulnerability in the ACL manager. The plugin does not check against cross-site request forgeries (CSRF) which can be exploited to, for example, change access control rules by tricking a logged-in administrator into visiting a malicious website.
ejabberd: remote denial of service
Package(s): ejabberd
CVE #(s): CVE-2010-0305
Created: February 5, 2010
Updated: April 15, 2010
Description: From the Red Hat bugzilla:
Remotely exploitable DoS from XMPP client to ejabberd server via flood of "client2server" messages (causing the message queue on the server to get overloaded, leading to server crash) has been found.
gmime22: arbitrary code execution
Package(s): gmime22
CVE #(s): CVE-2010-0409
Created: February 5, 2010
Updated: January 22, 2014
Description: From the Red Hat bugzilla:
A buffer overflow flaw was reported and fixed in the GMime library, in the code responsible for calculating the maximum number of output bytes generated by an uuencode operation. If a local user was tricked into running a specially-crafted application using the library, it could lead to denial of service (supplied application crash) or, potentially, to arbitrary code execution with the privileges of the user running that application.
gnome-screensaver: lock bypass
Package(s): gnome-screensaver
CVE #(s): CVE-2010-0414
Created: February 9, 2010
Updated: February 18, 2010
Description: From the Fedora advisory:
gnome-screensaver currently doesn't deal properly with monitors getting removed. If the unlock dialog is on the removed monitor, then the unlock dialog and its associated keyboard grab are not moved to an existing monitor when the monitor removal is processed. This means that users can gain access to the locked system by placing the mouse pointer on an external monitor and then disconnecting the external monitor.
HelixPlayer: multiple vulnerabilities
Package(s): HelixPlayer
CVE #(s): CVE-2009-4242 CVE-2009-4245 CVE-2009-4247 CVE-2009-4248 CVE-2009-4257 CVE-2010-0416 CVE-2010-0417
Created: February 9, 2010
Updated: February 10, 2010
Description: From the Red Hat advisory:
Multiple buffer and integer overflow flaws were found in the way HelixPlayer processed Graphics Interchange Format (GIF) files. An attacker could create a specially-crafted GIF file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened. (CVE-2009-4242, CVE-2009-4245)
A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. An attacker could create a specially-crafted SMIL file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened. (CVE-2009-4257)
A buffer overflow flaw was found in the way HelixPlayer handled the Real Time Streaming Protocol (RTSP) SET_PARAMETER directive. A malicious RTSP server could use this flaw to crash HelixPlayer or, potentially, execute arbitrary code. (CVE-2009-4248)
Multiple buffer overflow flaws were discovered in the way HelixPlayer handled RuleBook structures in media files and RTSP streams. Specially-crafted input could cause HelixPlayer to crash or, potentially, execute arbitrary code. (CVE-2009-4247, CVE-2010-0417)
A buffer overflow flaw was found in the way HelixPlayer performed URL un-escaping. A specially-crafted URL string could cause HelixPlayer to crash or, potentially, execute arbitrary code. (CVE-2010-0416)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-0291
Created: February 5, 2010
Updated: July 12, 2010
Description: From the Ubuntu advisory:
Al Viro discovered that certain mremap operations could leak kernel memory. A local attacker could exploit this to consume all available memory, leading to a denial of service.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2010-0307
Created: February 5, 2010
Updated: October 14, 2010
Description: From the Red Hat bugzilla:
Reported by Mathias Krause. The problem seems to be located in fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior to checking that the ELF interpreter is available. This in turn makes the previously 32 bit process a 64 bit one, which would be fine if execve() would succeed. But after the SET_PERSONALITY() the open_exec() call fails (because it cannot find the interpreter) and execve() almost instantly returns with an error. If you now look at /proc/PID/maps you'll see that it has the vsyscall page mapped, which it shouldn't. But the process is not dead yet, it's still running. By now generating a segmentation fault and in turn trying to generate a core dump, the kernel just dies.
kvm: multiple vulnerabilities
Package(s): kvm
CVE #(s): CVE-2010-0297 CVE-2010-0298 CVE-2010-0306 CVE-2010-0309
Created: February 9, 2010
Updated: June 4, 2010
Description: From the Red Hat advisory:
The x86 emulator implementation was missing a check for the Current Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest could leverage these flaws to cause a denial of service (guest crash) or possibly escalate their privileges within that guest. (CVE-2010-0298, CVE-2010-0306)
A flaw was found in the Programmable Interval Timer (PIT) emulation. Access to the internal data structure pit_state, which represents the data state of the emulated PIT, was not properly validated in the pit_ioport_read() function. A privileged guest user could use this flaw to crash the host. (CVE-2010-0309)
A flaw was found in the USB passthrough handling code. A specially-crafted USB packet sent from inside a guest could be used to trigger a buffer overflow in the usb_host_handle_control() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to cause a denial of service (guest hang or crash) or possibly escalate their privileges within the host. (CVE-2010-0297)
mysql: arbitrary code execution
Package(s): mysql
CVE #(s): CVE-2009-4484
Created: February 10, 2010
Updated: March 30, 2010
Description: From the Ubuntu advisory:
It was discovered that MySQL contained a buffer overflow when parsing ssl certificates. A remote attacker could send crafted requests and cause a denial of service or possibly execute arbitrary code. This issue did not affect Ubuntu 6.06 LTS and the default compiler options for affected releases should reduce the vulnerability to a denial of service. In the default installation, attackers would also be isolated by the AppArmor MySQL profile.
nss: man in the middle attack
Package(s): nss
CVE #(s):
Created: February 4, 2010
Updated: February 10, 2010
Description: From the Pardus alert:
A serious vulnerability was found in the TLS/SSLv3 protocol as implemented in nss, which can be used by man-in-the-middle attackers to send arbitrary requests to the server as if from a legitimate user. The TLS/SSLv3 protocol as implemented in nss prior to this update was not able to associate already sent data to a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed. For example Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl.
ocsinventory: multiple vulnerabilities
Package(s): ocsinventory
CVE #(s):
Created: February 8, 2010
Updated: February 10, 2010
Description: From the Secunia advisory:
Hernan Jais has discovered multiple vulnerabilities in OCS Inventory NG, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "c" parameter to index.php (when "cuaff" is set to any value) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the search form for the "BIOS Manufacturer", "BIOS Version", "Computer name", "Description", "Free space", "Gateway", "IP address", "MAC address", "Manufacturer", "Memory", "Model", "Monitor: caption", "Monitor: manufacturer", "Monitor: serial", "Network number", "Processor Speed", "Registry key", "Serial number", "Service pack", "Software", "Tag", or "User" criteria to index.php (when "multi" is set to "1") and via the "All softwares" search form for the "Software name" criteria to index.php (when "multi" is set to "36") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled.
3) Input passed via the URL is not properly sanitised before being returned to the user within the index.php script. This can be exploited to execute arbitrary HTML and script code in a logged-in user's browser session in context of an affected site.
The vulnerabilities are confirmed in version 1.02.1. Other versions may also be affected.
sqlite: unauthorized information access
Package(s): sqlite
CVE #(s):
Created: February 4, 2010
Updated: February 15, 2010
Description: From the Pardus alert:
A vulnerability has been found in sqlite, which can be exploited by malicious people to gather deleted information on sqlite database. Sqlite leaves a trace on the disk when using DELETE query. Although the deleted information cannot be seen with sqlite query, it can be seen with a text editor.
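An added example, not from the Pardus alert or from SQLite itself, that reproduces the trace the alert describes and shows the two mitigations a practitioner applies: PRAGMA secure_delete, which makes SQLite overwrite freed cell space with zeros as rows are deleted, and VACUUM, which rebuilds the file from live rows only. The table and the marker value are constructed; it assumes Python's bundled SQLite is recent enough to support the secure_delete pragma.

```python
import os
import sqlite3
import tempfile

# Constructed marker value: the string we later try to recover from the raw file.
SECRET = "session-token-CONSTRUCTED-9f3a1c"

def _populate_and_delete(path, secure_delete):
    """Create a small database holding SECRET among filler rows, then DELETE the
    secret row and commit. Returns the still-open connection."""
    conn = sqlite3.connect(path)
    # Set the mode explicitly: some distributions build SQLite with
    # SQLITE_SECURE_DELETE, so the compiled-in default differs between systems.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, token TEXT)")
    conn.executemany("INSERT INTO sessions (token) VALUES (?)",
                     [("filler-%d" % i,) for i in range(5)])
    conn.execute("INSERT INTO sessions (token) VALUES (?)", (SECRET,))
    conn.commit()
    # Delete by predicate so the row is dropped from its b-tree page; a bare
    # DELETE without WHERE takes SQLite's table-truncation path instead.
    conn.execute("DELETE FROM sessions WHERE token = ?", (SECRET,))
    conn.commit()
    return conn

def secret_visible_in_file(path):
    """What a text editor or strings(1) sees: scan the raw bytes, bypassing SQL."""
    with open(path, "rb") as f:
        return SECRET.encode() in f.read()

def trace_after_delete(secure_delete, vacuum=False):
    """Returns (visible_to_sql, visible_in_raw_file) for the deleted row.
    secure_delete: PRAGMA secure_delete setting used for the whole session.
    vacuum: additionally run VACUUM after the delete; it rebuilds the file from
    live rows only, which also scrubs space freed by earlier deletes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        conn = _populate_and_delete(path, secure_delete)
        if vacuum:
            conn.execute("VACUUM")
        hits = conn.execute("SELECT count(*) FROM sessions WHERE token = ?",
                            (SECRET,)).fetchone()[0]
        conn.close()
        return hits > 0, secret_visible_in_file(path)

if __name__ == "__main__":
    print("default delete:     ", trace_after_delete(secure_delete=False))
    print("secure_delete=ON:   ", trace_after_delete(secure_delete=True))
    print("delete then VACUUM: ", trace_after_delete(secure_delete=False, vacuum=True))
```

Only the main database file is scanned here; a rollback journal or WAL file written during the transaction is a separate copy of the same data and needs the same care.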
squid: denial of service
Package(s): squid
CVE #(s): CVE-2010-0308
Created: February 8, 2010
Updated: March 31, 2010
Description: From the Mandriva advisory:
A vulnerability has been discovered and corrected in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15, which allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header (CVE-2010-0308).
thunderbird: multiple vulnerabilities
Package(s): thunderbird
CVE #(s):
Created: February 10, 2010
Updated: February 11, 2010
Description: From the Pardus advisory:
Security researcher Dan Kaminsky reported an integer overflow in the Theora video library. A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer.
trac-git: remote file execution
Package(s): trac-git
CVE #(s): CVE-2010-0394
Created: February 4, 2010
Updated: February 10, 2010
Description: From the Debian alert:
Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries.
Page editor: Jake Edge