By Jake Edge
August 28, 2013
There's been a lot of talk about reproducible (or deterministic) builds
recently for the purposes of verifying
that binaries come from the "right" source code. It's particularly
topical right now, at least in part because of the NSA spying disclosures
coupled with the concern that various
governments are actively trying to backdoor applications (especially
security applications). So, the Tor project and others (e.g. Bitcoin) have
been working on ways to create
reproducible builds.
But reproducible builds of necessity create predictable binaries. That
gives an attacker information about the layout and organization of the
code that can be used for return-oriented
programming (ROP) attacks. An alternative is to introduce
random changes into a binary as it is built to make these kinds of
attacks more difficult. Stephen Crane recently suggested
adding two kinds of code generation randomness into the LLVM compiler
framework in a post to the LLVMdev mailing list.
As part of a team at the University of California, Irvine,
Crane has been working on adding several kinds of randomness into
binaries. He proposed that the team submit patches for two types of
randomness for LLVM.
The first is "NOP insertion", which adds NOPs (i.e. no ops) between machine
instructions. The second is "scheduling randomization", which discards the
existing instruction
scheduling heuristics and randomly schedules any valid
instruction at each point. The result is a binary that still runs
correctly, is "slightly
slower", but is far more resistant to ROP attacks. It is a
"simplified subset" of the work described in a paper
[PDF] by the team.
The technique is in some ways analogous to address-space layout
randomization (ASLR). In both cases, the layout of the code is altered
such that an attacker cannot predict where code of interest will live in
memory. Either can be defeated by attackers that have access to certain kinds
of information. For ASLR, determining the address of a library function in the
running executable is generally enough to defeat it. For randomized binaries, the
attacker would need to have read access to the binary itself to find the pieces
needed for an exploit.
ROP attacks use pieces of existing code in a binary to perform their
malicious task. By finding little snippets of code (typically ending in a
return) and calling them in the right order, the attack can perform
any operation that it needs to. ROP techniques came about after operating
systems started marking data as non-executable to thwart buffer overflows
and the like. Using ROP techniques, buffer overflows can still be used,
but without executing any code on the stack.
Crane noted that there are other randomizations that the team has worked
on, but that they planned to start small when proposing patches. Nadav
Rotem asked about register allocation
randomization, for example, which Crane said could be added to the patch submission.
The patched compiler passes the existing LLVM test suite on x86_64, Crane
said. Implementing the changes for ARM is also underway.
Nick Kledzik asked how a software
distributor might be able to deliver randomized binaries, given that they
normally create a single binary that gets delivered to all of their
users. Crane had some thoughts on that,
including building multiple or individualized ("watermarked"
for example) binaries. For open source, especially for security-sensitive
binaries, users can just build their own to significantly raise the bar for
attacks. Crane noted that ROP attacks can be used for jailbreaking. That
might make the techniques of particular interest to LLVM sponsor Apple.
Security is always about trade-offs, and randomized binaries are just further
confirmation of that. Diverse binaries would make verification of the
correspondence between
source and binary much more difficult but would also make ROP
attacks harder. Given that most free software these days is built
with GCC, it would be nice to see similar patches for that compiler suite.
In any case, randomized binaries will soon be another tool available for
the security-sensitive.
Comments (19 posted)
Brief items
Consider the following hypothetical example: A young woman calls her
gynecologist; then immediately calls her mother; then a man who, during the
past few months, she had repeatedly spoken to on the telephone after 11pm;
followed by a call to a family planning center that also offers
abortions. A likely storyline emerges that would not be as evident by
examining the record of a single telephone call.
—
Ed
Felten [PDF] in a declaration on the dangers of "it's just metadata"
National Security Agency officers on several occasions have channeled their
agency’s enormous eavesdropping power to spy on love interests,
U.S. officials said.
The practice isn't frequent — one official estimated a handful of cases in the last decade — but it's common enough to garner its own spycraft label: LOVEINT.
—
The Wall Street Journal
So we're left with an agency that collects a ridiculous amount of info, and has around 1,000 employees (who are mostly actually employed by outside contractors) who can look through anything with no tracking, leaving no trace, and we're told that the data isn't abused. Really? Do Keith Alexander, James Clapper, President Obama, Dianne Feinstein and Mike Rogers really believe that none of those 1,000 sys admins have ever abused the system? And, do they believe that none of the people whom those thousand sys admins are friends with haven't had their friend "check out" information on someone else? Hell, imagine you were someone at the NSA who understood all of this already. If you wanted to abuse the system, why not befriend a sys admin and let him or her do the dirty work for you -- knowing that there would be no further trace?
Basically, it seems clear that the NSA has simply no idea how many abuses there were, and there are a very large number of people who had astounding levels of access and absolutely no controls or way to trace what they were doing.
—
Mike
Masnick
The chilling of free speech isn't just a consequence of surveillance. It's
also a motive. We adopt the art of self-censorship, closing down blogs,
watching what we say on Facebook, forgoing "private" email for fear that
any errant word may come back to haunt us in one, five or fifteen
years. "The mind's tendency to still feel observed when alone... can be
inhibiting,"
writes Janna Malamud Smith. Indeed.
—
Josh
Levy
Comments (9 posted)
Mike Perry
writes
about the motivations behind his deterministic build work on the Tor
Project blog. "
Current popular software development practices simply
cannot survive targeted attacks of the scale and scope that we are seeing
today. In fact, I believe we're just about to witness the first examples of
large scale 'watering hole' attacks. This would be malware that attacks the
software development and build processes themselves to distribute copies of
itself to tens or even hundreds of millions of machines in a single,
officially signed, instantaneous update. Deterministic, distributed builds
are perhaps the only way we can reliably prevent these types of targeted
attacks in the face of the endless stockpiling of weaponized exploits and
other 'cyberweapons'."
Comments (7 posted)
New vulnerabilities
chromium: multiple vulnerabilities
| Package(s): | chromium-browser |
CVE #(s): | CVE-2013-2887
CVE-2013-2900
CVE-2013-2901
CVE-2013-2902
CVE-2013-2903
CVE-2013-2904
CVE-2013-2905
|
| Created: | August 26, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the CVE entries:
Multiple unspecified vulnerabilities in Google Chrome before 29.0.1547.57 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-2887)
The FilePath::ReferencesParent function in files/file_path.cc in Google Chrome before 29.0.1547.57 on Windows does not properly handle pathname components composed entirely of . (dot) and whitespace characters, which allows remote attackers to conduct directory traversal attacks via a crafted directory name. (CVE-2013-2900)
Multiple integer overflows in (1) libGLESv2/renderer/Renderer9.cpp and (2) libGLESv2/renderer/Renderer11.cpp in Almost Native Graphics Layer Engine (ANGLE), as used in Google Chrome before 29.0.1547.57, allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2013-2901)
Use-after-free vulnerability in the XSLT ProcessingInstruction implementation in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to an applyXSLTransform call involving (1) an HTML document or (2) an xsl:processing-instruction element that is still in the process of loading. (CVE-2013-2902)
Use-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocument function in core/html/HTMLMediaElement.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving moving a (1) AUDIO or (2) VIDEO element between documents. (CVE-2013-2903)
Use-after-free vulnerability in the Document::finishedParsing function in core/dom/Document.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via an onload event that changes an IFRAME element so that its src attribute is no longer an XML document, leading to unintended garbage collection of this document. (CVE-2013-2904)
The SharedMemory::Create function in memory/shared_memory_posix.cc in Google Chrome before 29.0.1547.57 uses weak permissions under /dev/shm/, which allows attackers to obtain sensitive information via direct access to a POSIX shared-memory file. (CVE-2013-2905) |
| Alerts: |
|
Comments (none posted)
condor: denial of service
| Package(s): | condor |
CVE #(s): | CVE-2013-4255
|
| Created: | August 22, 2013 |
Updated: | August 28, 2013 |
| Description: |
From the Red Hat advisory:
A denial of service flaw was found in the way HTCondor's policy definition
evaluator processed certain policy definitions. If an administrator used an
attribute defined on a job in a CONTINUE, KILL, PREEMPT, or SUSPEND
condor_startd policy, a remote HTCondor service user could use this flaw to
cause condor_startd to exit by submitting a job that caused such a policy
definition to be evaluated to either the ERROR or UNDEFINED states.
(CVE-2013-4255) |
| Alerts: |
|
Comments (none posted)
glibc: multiple vulnerabilities
| Package(s): | glibc |
CVE #(s): | CVE-2012-4412
CVE-2012-4424
CVE-2013-2207
CVE-2013-4237
|
| Created: | August 22, 2013 |
Updated: | September 5, 2013 |
| Description: |
From the Fedora advisory:
CVE-2012-4412 glibc: strcoll() integer overflow leading to buffer overflow
CVE-2012-4424 glibc: alloca() stack overflow in the strcoll() interface
CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting
access to the slave pseudoterminal
CVE-2013-4237 glibc: Buffer overwrite when using readdir_r on file systems returning file names
longer than NAME_MAX characters
|
| Alerts: |
|
Comments (none posted)
kernel: two vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2013-0343
CVE-2013-4254
|
| Created: | August 23, 2013 |
Updated: | September 26, 2013 |
| Description: |
From the Red Hat bugzilla entries [1, 2]:
CVE-2013-4254: Linux kernel built for the ARM(CONFIG_ARM/CONFIG_ARM64) platforms along with the
hardware performance counter support(CONFIG_HW_PERF_EVENTS) is vulnerable to a
NULL pointer dereference flaw. This could lead to the kernel crash resulting in
DoS or potential privilege escalation to gain root privileges by a non-root user.
An unprivileged user/program could use this flaw to crash the kernel resulting
in DoS or potential privilege escalation to gain root access to a machine.
CVE-2013-0343:
Due to the way the Linux kernel handles the creation of IPv6 temporary
addresses a malicious LAN user can remotely disable them altogether
which may lead to privacy violations and information disclosure.
Reference:
http://seclists.org/oss-sec/2012/q4/292
http://seclists.org/oss-sec/2013/q1/92 |
| Alerts: |
|
Comments (none posted)
kfreebsd-9: privilege escalation/information leak
| Package(s): | kfreebsd-9 |
CVE #(s): | CVE-2013-3077
CVE-2013-4851
CVE-2013-5209
|
| Created: | August 27, 2013 |
Updated: | August 28, 2013 |
| Description: |
From the Debian advisory:
CVE-2013-3077:
Clement Lecigne from the Google Security Team reported an integer
overflow in computing the size of a temporary buffer in the IP
multicast code, which can result in a buffer which is too small
for the requested operation. An unprivileged process can read or
write pages of memory which belong to the kernel. These may lead
to exposure of sensitive information or allow privilege
escalation.
CVE-2013-4851:
Rick Macklem, Christopher Key and Tim Zingelman reported that the
FreeBSD kernel incorrectly uses client supplied credentials
instead of the one configured in exports(5) when filling out the
anonymous credential for a NFS export, when -network or -host
restrictions are used at the same time. The remote client may
supply privileged credentials (e.g. the root user) when accessing
a file under the NFS share, which will bypass the normal access
checks.
CVE-2013-5209:
Julian Seward and Michael Tuexen reported a kernel memory
disclosure when initializing the SCTP state cookie being sent in
INIT-ACK chunks, a buffer allocated from the kernel stack is not
completely initialized. Fragments of kernel memory may be
included in SCTP packets and transmitted over the network. For
each SCTP session, there are two separate instances in which a
4-byte fragment may be transmitted.
This memory might contain sensitive information, such as portions
of the file cache or terminal buffers. This information might be
directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer might
include an user-entered password. |
| Alerts: |
|
Comments (none posted)
lcms: buffer overflows
| Package(s): | lcms |
CVE #(s): | CVE-2013-4276
|
| Created: | August 27, 2013 |
Updated: | August 28, 2013 |
| Description: |
From the Mageia advisory:
Three buffer overflows in Little CMS version 1.19 could possibly be
exploited through user input. |
| Alerts: |
|
Comments (none posted)
nmap: arbitrary file upload flaw
| Package(s): | nmap |
CVE #(s): | CVE-2013-4885
|
| Created: | August 28, 2013 |
Updated: | August 28, 2013 |
| Description: |
From the nmap advisory:
It is possible to write arbitrary files to a remote system, through a
specially crafted server response for NMAP http-domino-enum-passwords.nse
script (from the official Nmap repository). |
| Alerts: |
|
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2013-4248
CVE-2011-4718
|
| Created: | August 26, 2013 |
Updated: | September 9, 2013 |
| Description: |
From the CVE entries:
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. (CVE-2011-4718)
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. (CVE-2013-4248) |
| Alerts: |
|
Comments (none posted)
poppler: code execution
| Package(s): | poppler |
CVE #(s): | CVE-2012-2142
|
| Created: | August 22, 2013 |
Updated: | October 1, 2013 |
| Description: |
From the openSUSE advisory:
PDF files
could emit messages with terminal escape sequences which
could be used to inject shell code if the user ran a PDF
viewer from a terminal shell (CVE-2012-2142).
|
| Alerts: |
|
Comments (3 posted)
python: man in the middle attack
| Package(s): | python |
CVE #(s): | CVE-2013-4238
|
| Created: | August 26, 2013 |
Updated: | October 1, 2013 |
| Description: |
From the CVE entry:
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
| Alerts: |
|
Comments (none posted)
python-django: cross-site scripting
| Package(s): | python-django |
CVE #(s): | CVE-2013-4249
|
| Created: | August 23, 2013 |
Updated: | September 3, 2013 |
| Description: |
From the Red Hat bugzilla entry:
When displaying the value of a URLField -- a model field type for storing URLs -- this interface treated the values of such fields as safe, thus failing to properly accommodate the potential for dangerous values. A proof-of-concept application has been provided to the Django project, showing how this can be exploited to perform XSS in the administrative interface.
In a normal Django deployment, this will only affect the administrative interface, as the incorrect handling occurs only in form-widget code in django.contrib.admin. It is, however, possible that other applications may be affected, if those applications make use of form widgets provided by the admin interface. |
| Alerts: |
|
Comments (none posted)
tiff: code execution
| Package(s): | tiff |
CVE #(s): | CVE-2013-4244
|
| Created: | August 28, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the Debian advisory:
Pedro Ribeiro and Huzaifa S. Sidhpurwala discovered multiple
vulnerabilities in various tools shipped by the tiff library. Processing
a malformed file may lead to denial of service or the execution of
arbitrary code. |
| Alerts: |
|
Comments (none posted)
wireshark: multiple vulnerabilities
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
