LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Announcements
->One big page
This page
Previous weekFollowing week
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityGuardian: Better privacy and security for AndroidWith more and more of our "computing" happening on mobile devices instead of on traditional computers, securing these devices has become important. Unfortunately, most mobile platforms, including Android, are a step backward when it comes to security, privacy, and anonymity: by default, the user's files on an Android smartphone are not encrypted, instant messaging communication can be sniffed, and web browsing is not anonymous. One project that wants to do something about this — focusing on Android — is The Guardian Project. The project describes its aim on its home page: The Guardian Project aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications and personal data from unjust intrusion and monitoring.
This is a fairly extensive vision. For now, the Guardian project is in its first phase: enhancing existing applications and developing new secure applications. But the ultimate aim is to customize Android on even lower levels to create a secure mass-market consumer smartphone solution, based on CyanogenMod, a popular alternative Android firmware. This requires enhancements to or replacements for the Android Application Framework, as well as adding new libraries and core security services. The kernel, Android runtime, and Dalvik virtual machine will also have to be secured, and the project is even considering securing or removing hardware drivers. However, until the project is able to create their own Android firmware, the developers recommend using CyanogenMod. Transparent proxying through Tor![[Orbot]](/images/2011/orbot-sm.png)
To be able to browse the web, chat, and email without being monitored, Guardian has developed the Orbot application, which brings the power of Tor to Android and is actually the official port of Tor to Android. When first started, Orbot shows a wizard explaining what the user can do with it. If the device is rooted and the firmware is updated to an iptables-capable ROM such as CyanogenMod, Orbot can transparently proxy all web traffic on port 80 (HTTP) and 443 (HTTPS) and all DNS requests, so nothing else has to be configured. The built-in browser, Firefox Mobile, and applications like Gmail, YouTube, and Google Maps use standard web traffic so are routed through Tor transparently. The wizard also allows the user to select individual applications to route their traffic through Tor. If you don't want to root your Android device, you can only route an application's traffic through Tor if it supports an HTTP or SOCKS proxy. Orbot runs an HTTP proxy on localhost:8118 and a SOCKS 4/5 proxy on localhost:9050. For instant messaging, the Beem application (a Jabber client) supports this, as does Gibberbot. For web browsing there's the Firefox Mobile add-on ProxyMob which exposes settings for HTTP, SOCKS and SSL proxies and is configured by default to use with Orbot. For users that are still on an Android 1.x device, there's the Orweb browser. After the Orbot wizard is completed, the user can activate Tor by pressing the grey button, which turns to green when the Tor connection is set up correctly. Orbot's settings offer a lot of options, such as automatically starting Orbot when the Android device boots, using a Tor bridge to connect to the Tor network, relaying, and enabling hidden services on the Tor network. Concerned users can always confirm that they're browsing via Tor by visiting the web page check.torproject.org. End-to-end encryption![[Gibberbot]](/images/2011/gibberbot-sm.png)
While the Guardian developers previously recommended the Beem project to offer anonymous instant messaging through Tor, they are now developing their own Jabber instant messenger as a replacement for the Google Talk application: Gibberbot. It's still an alpha release and the developers warn that there are still bugs and potentially even security flaws, but the release seems promising. Gibberbot is based on code from the Google Talk IM application, but with support for Tor (via Orbot) and end-to-end encryption (using the Off-the-Record OTR4J library). The OTR protocol not only encrypts instant messages, but also attests that your correspondents are who you think they are. Moreover, the messages a user sends do not have digital signatures that can be traced to the user afterward, even though during a conversation, the correspondent is assured that the messages are coming from the user without any modification. Another nice feature is that no previous conversation is compromised if the user's private key is lost. Of course, to be able to chat securely with Gibberbot, a correspondent should be using an OTR-compatible chat client, such as Gibberbot on a smartphone, Pidgin or Adium with the OTR plugin on a computer. The Guardian project recommends some third-party applications, which all offer encryption. The first one is the email client K-9 Mail, which supports OpenPGP encryption using Android Privacy Guard. The project also recommends two projects developed by Whisper Systems, the company of security researcher Moxie Marlinspike: RedPhone, which offers end-to-end VoIP encryption using ZRTP (at the moment it's US-only), and TextSecure, which allows users to send and store SMS messages using an encryption protocol based on OTR but designed with space efficiency in mind. Both Whisper Systems applications only work if both parties use the same application. Developers, developers, developersThese applications are the most visible deliverable of the Guardian project, but the developers are also building libraries, tools, and source code for other developers, so that they are able to add security-oriented features more easily to their own Android applications. For instance, there's the Orlib library that's a drop-in replacement for Android's standard Socket and HTTPClient libraries, adding Tor support to any application because it uses the HTTP and SOCKS proxies that Orbot offers. With respect to encryption, Guardian offers SQLCipher, an extension to the SQLite database that provides transparent 256 bit AES encryption of database files. Developers that want to better protect the privacy of their users, can use SQLCipher instead of Android's default SQLite library to encrypt their database files. The Guardian developers are also working on a port of LUKS (Linux Unified Key Setup) to Android. The README emphasizes that it's still alpha software and should be "used with a grain of paranoid salt" with an explanation of why it's so hard to use LUKS on Android: While the LUKS project itself has been put through the paces on Linux desktops and servers, we are still determining the right conditions for its secure use on Android. With the many combinations of closed hardware, proprietary basebands, multitudes of kernels, firmwares and other mods, it is fairly impossible to guarantee security for any user. That said, we feel this effort is a useful public step forward in providing an increased level of protection for file storage, and exploring the limits of what we can provide as after-market software developers building open-source tools.
The Guardian developers are also collaborating with the human rights organization WITNESS to develop a secure camera application named Camera Obscura. They aim to support some common scenarios for activists, such as an easy way to remove all traces of any captured images when the phone is compromised and automatically blurring the faces of people in the background when recording a video interview of a spokesperson at a protest. There are also collaborations with the developers of the personal firewall DroidWall and with the developers of DroidTracker, an application that shares your location with your friends or colleagues. Other features that the Guardian project is working on are a remote data wipe and better physical access control. All code developed in the Guardian project can be found on GitHub. Paranoid AndroidsThe Guardian project is not the only one to secure Android phones. Apart from the ones we already mentioned because Guardian is collaborating with them or recommending them, there's also WhisperCore, a custom Android ROM created by Whisper Systems. By default, WhisperCore encrypts the phone's entire data partition, and it can optionally encrypt the phone's SD card as well. WhisperCore is closed source software (but free for individual use) and is in an early beta phase. Currently it only supports the Google Nexus One and Nexus S phones. One of the components of WhisperCore is WhisperMonitor, a personal firewall for Android users. When enabled, it intercepts all outbound network traffic and asks the user whether the application is allowed to connect to a specific server/port combination. This way, WhisperMonitor determines egress filter rules for the firewall, giving the user complete control over what each application is able to send over the network. It also provides an interface to modify or update rules defined per application, as well as a complete connection history of all applications. Of course there are many other small tools, each of them helping in its own domain to secure Android. For instance, the SSH Tunnel application offers an easy-to-use interface to create an SSH tunnel to the user's server in order to use an encrypted channel on an untrusted network. On a rooted phone, the application can even set up system-wide tunneling. Much work to doWhile the Guardian project and other projects to make Android more secure are still in their infancy, many of their applications are already usable for more technically-inclined people. However, if you look at the use cases they're aiming for, it's clear that there's still much work to do to create a privacy-enhanced mobile phone operating system that is consumer-ready. The core developer team is small, but they are eager to collaborate with partner organizations and they have opportunities for internships and jobs. If you're a security-conscious developer who wants to make a difference, the Guardian project is definitely a project to consider joining. But even if you don't have any developer skills, you could help by joining the project as an alpha tester.
Brief items Security quote of the week
But it was very interesting to see some of the anti-rootkit tools not
showing the dispatch table hooks that are usually pretty straightforward to
identify. Also this malware would not allow an external debugger (WinDbg)
to break, which was annoying.
-- Rachit
Mathur on a memory forging rootkit
The reason for hooks not being reported was that the memory being read by the tools was not the actual memory! The dispatch table as "seen" by the tools appeared not to be hooked—whereas in reality it was hooked. The part that made it interesting was that the memory was being read at the correct address with a mov instruction and not using some system API that could be hooked. We know of some proof-of-concept ways to achieve this, but I had not seen this behavior before from a threat in the wild.
Exim 4.76 fixes a remote security holeThe Exim mail transfer agent suffers from a remotely exploitable format string vulnerability; the 4.76 release contains a fix. "CVE-2011-1764: a format string attack in logging DKIM information from an inbound mail may permit anyone who can send you email to cause code to be executed as the Exim run-time user. No exploit is known to exist, but we do not believe that an experienced attacker would find the exploit hard to construct." Debian has an update available; others are certainly coming.
IronBee, Community and SSL (The H)The H interviews Ivan Ristić about the IronBee web application firewall. "Going back to my earlier comments, ModSecurity was pretty open, but I think it has a flaw which all GPLv2 programs have, which is that if you have a single entity owning the code and asking people who contribute to assign the IP of their contributions to them, you get a certain asymmetry in the community. [...] So I have good theories on why a community of developers didn't form around ModSecurity; one is the licence and the other is that the program itself is monolithic, so there was a barrier to entry there which stopped people from being able to do something useful. I want to address that too with IronBee; we've made it very modular and we are going to have good documentation, so that if you have an itch to scratch, if you have a particular problem that you need to solve, you don't have to understand the whole thing. "
Mozilla resists US gov't request to nuke "MafiaaFire" add-on (ars technica)The US Department of Homeland Security (DHS) has asked Mozilla to remove the MafiaaFire Redirector Firefox add-on, ars technica reports. The article is based on a blog posting from Mozilla lawyer Harvey Anderson, where he says that Mozilla has not complied and instead asked the DHS for a legal justification. The add-on is a simple redirector for domains that were seized by the DHS for alleged copyright violations. "As for the developer of the MafiaaFire Redirector, he says that a Chrome version is coming soon and that his work shouldn't be repressed. 'Now, because my idea, which took less than a week to createand the Chrome version 2 daysmakes them walk around with egg on their face after the millions spent (it cost me less than $100), they went running to Mozilla seeking another favor,' he tells Ars. 'They did not even try to contact us. Hats off to Mozilla for sticking up to them, at first we were afraid if Mozilla would even host it due to its controversial nature but they truly backed up their open source supporting words with actions.'"
New vulnerabilities cronie: privilege escalation
exim4: format string vulnerability
kernel: privilege escalation
kernel: multiple vulnerabilities
kernel: multiple vulnerabilities
kernel: multiple vulnerabilities
otrs2: cross-site scripting
postfix: code execution
python: information disclosure
sssd: access restriction bypass
widelands: arbitrary file overwrite
wordpress: privilege escalation
xen: arbitrary code execution
Page editor: Jake Edge |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||