Security
Guardian: Better privacy and security for Android
With more and more of our "computing" happening on mobile devices instead of on traditional computers, securing these devices has become important. Unfortunately, most mobile platforms, including Android, are a step backward when it comes to security, privacy, and anonymity: by default, the user's files on an Android smartphone are not encrypted, instant messaging communication can be sniffed, and web browsing is not anonymous. One project that wants to do something about this — focusing on Android — is The Guardian Project.
The project describes its aim on its home page:
This is a fairly extensive vision. For now, the Guardian project is in its first phase: enhancing existing applications and developing new secure applications. But the ultimate aim is to customize Android on even lower levels to create a secure mass-market consumer smartphone solution, based on CyanogenMod, a popular alternative Android firmware. This requires enhancements to or replacements for the Android Application Framework, as well as adding new libraries and core security services. The kernel, Android runtime, and Dalvik virtual machine will also have to be secured, and the project is even considering securing or removing hardware drivers. However, until the project is able to create their own Android firmware, the developers recommend using CyanogenMod.
Transparent proxying through Tor
![[Orbot]](https://static.lwn.net/images/2011/orbot-sm.png)
To be able to browse the web, chat, and email without being monitored, Guardian has developed the Orbot application, which brings the power of Tor to Android and is actually the official port of Tor to Android. When first started, Orbot shows a wizard explaining what the user can do with it. If the device is rooted and the firmware is updated to an iptables-capable ROM such as CyanogenMod, Orbot can transparently proxy all web traffic on port 80 (HTTP) and 443 (HTTPS) and all DNS requests, so nothing else has to be configured. The built-in browser, Firefox Mobile, and applications like Gmail, YouTube, and Google Maps use standard web traffic so are routed through Tor transparently. The wizard also allows the user to select individual applications to route their traffic through Tor.
If you don't want to root your Android device, you can only route an application's traffic through Tor if it supports an HTTP or SOCKS proxy. Orbot runs an HTTP proxy on localhost:8118 and a SOCKS 4/5 proxy on localhost:9050. For instant messaging, the Beem application (a Jabber client) supports this, as does Gibberbot. For web browsing there's the Firefox Mobile add-on ProxyMob which exposes settings for HTTP, SOCKS and SSL proxies and is configured by default to use with Orbot. For users that are still on an Android 1.x device, there's the Orweb browser.
After the Orbot wizard is completed, the user can activate Tor by pressing the grey button, which turns to green when the Tor connection is set up correctly. Orbot's settings offer a lot of options, such as automatically starting Orbot when the Android device boots, using a Tor bridge to connect to the Tor network, relaying, and enabling hidden services on the Tor network. Concerned users can always confirm that they're browsing via Tor by visiting the web page check.torproject.org.
End-to-end encryption
![[Gibberbot]](https://static.lwn.net/images/2011/gibberbot-sm.png)
While the Guardian developers previously recommended the Beem project to offer anonymous instant messaging through Tor, they are now developing their own Jabber instant messenger as a replacement for the Google Talk application: Gibberbot. It's still an alpha release and the developers warn that there are still bugs and potentially even security flaws, but the release seems promising. Gibberbot is based on code from the Google Talk IM application, but with support for Tor (via Orbot) and end-to-end encryption (using the Off-the-Record OTR4J library).
The OTR protocol not only encrypts instant messages, but also attests that your correspondents are who you think they are. Moreover, the messages a user sends do not have digital signatures that can be traced to the user afterward, even though during a conversation, the correspondent is assured that the messages are coming from the user without any modification. Another nice feature is that no previous conversation is compromised if the user's private key is lost. Of course, to be able to chat securely with Gibberbot, a correspondent should be using an OTR-compatible chat client, such as Gibberbot on a smartphone, Pidgin or Adium with the OTR plugin on a computer.
The Guardian project recommends some third-party applications, which all offer encryption. The first one is the email client K-9 Mail, which supports OpenPGP encryption using Android Privacy Guard. The project also recommends two projects developed by Whisper Systems, the company of security researcher Moxie Marlinspike: RedPhone, which offers end-to-end VoIP encryption using ZRTP (at the moment it's US-only), and TextSecure, which allows users to send and store SMS messages using an encryption protocol based on OTR but designed with space efficiency in mind. Both Whisper Systems applications only work if both parties use the same application.
Developers, developers, developers
These applications are the most visible deliverable of the Guardian project, but the developers are also building libraries, tools, and source code for other developers, so that they are able to add security-oriented features more easily to their own Android applications. For instance, there's the Orlib library that's a drop-in replacement for Android's standard Socket and HTTPClient libraries, adding Tor support to any application because it uses the HTTP and SOCKS proxies that Orbot offers.
With respect to encryption, Guardian offers SQLCipher, an
extension to the SQLite database that provides transparent 256 bit AES
encryption of database files. Developers that want to better protect the
privacy of their users, can use SQLCipher instead of Android's default
SQLite library to encrypt their database files. The Guardian developers are
also working on a port of
LUKS (Linux Unified Key Setup) to Android. The README emphasizes that
it's still alpha software and should be "used with a grain of
paranoid salt
" with an explanation of why it's so hard to use LUKS on Android:
The Guardian developers are also collaborating with the human rights organization WITNESS to develop a secure camera application named Camera Obscura. They aim to support some common scenarios for activists, such as an easy way to remove all traces of any captured images when the phone is compromised and automatically blurring the faces of people in the background when recording a video interview of a spokesperson at a protest. There are also collaborations with the developers of the personal firewall DroidWall and with the developers of DroidTracker, an application that shares your location with your friends or colleagues. Other features that the Guardian project is working on are a remote data wipe and better physical access control. All code developed in the Guardian project can be found on GitHub.
Paranoid Androids
The Guardian project is not the only one to secure Android phones. Apart from the ones we already mentioned because Guardian is collaborating with them or recommending them, there's also WhisperCore, a custom Android ROM created by Whisper Systems. By default, WhisperCore encrypts the phone's entire data partition, and it can optionally encrypt the phone's SD card as well. WhisperCore is closed source software (but free for individual use) and is in an early beta phase. Currently it only supports the Google Nexus One and Nexus S phones.
One of the components of WhisperCore is WhisperMonitor, a personal firewall for Android users. When enabled, it intercepts all outbound network traffic and asks the user whether the application is allowed to connect to a specific server/port combination. This way, WhisperMonitor determines egress filter rules for the firewall, giving the user complete control over what each application is able to send over the network. It also provides an interface to modify or update rules defined per application, as well as a complete connection history of all applications.
Of course there are many other small tools, each of them helping in its own domain to secure Android. For instance, the SSH Tunnel application offers an easy-to-use interface to create an SSH tunnel to the user's server in order to use an encrypted channel on an untrusted network. On a rooted phone, the application can even set up system-wide tunneling.
Much work to do
While the Guardian project and other projects to make Android more secure are still in their infancy, many of their applications are already usable for more technically-inclined people. However, if you look at the use cases they're aiming for, it's clear that there's still much work to do to create a privacy-enhanced mobile phone operating system that is consumer-ready. The core developer team is small, but they are eager to collaborate with partner organizations and they have opportunities for internships and jobs. If you're a security-conscious developer who wants to make a difference, the Guardian project is definitely a project to consider joining. But even if you don't have any developer skills, you could help by joining the project as an alpha tester.
Brief items
Security quote of the week
The reason for hooks not being reported was that the memory being read by the tools was not the actual memory! The dispatch table as "seen" by the tools appeared not to be hooked—whereas in reality it was hooked. The part that made it interesting was that the memory was being read at the correct address with a mov instruction and not using some system API that could be hooked. We know of some proof-of-concept ways to achieve this, but I had not seen this behavior before from a threat in the wild.
Exim 4.76 fixes a remote security hole
The Exim mail transfer agent suffers from a remotely exploitable format string vulnerability; the 4.76 release contains a fix. "CVE-2011-1764: a format string attack in logging DKIM information from an inbound mail may permit anyone who can send you email to cause code to be executed as the Exim run-time user. No exploit is known to exist, but we do not believe that an experienced attacker would find the exploit hard to construct." Debian has an update available; others are certainly coming.
IronBee, Community and SSL (The H)
The H interviews Ivan Ristić about the IronBee web application firewall. "Going back to my earlier comments, ModSecurity was pretty open, but I think it has a flaw which all GPLv2 programs have, which is that if you have a single entity owning the code and asking people who contribute to assign the IP of their contributions to them, you get a certain asymmetry in the community. [...] So I have good theories on why a community of developers didn't form around ModSecurity; one is the licence and the other is that the program itself is monolithic, so there was a barrier to entry there which stopped people from being able to do something useful. I want to address that too with IronBee; we've made it very modular and we are going to have good documentation, so that if you have an itch to scratch, if you have a particular problem that you need to solve, you don't have to understand the whole thing."
Mozilla resists US gov't request to nuke "MafiaaFire" add-on (ars technica)
The US Department of Homeland Security (DHS) has asked Mozilla to remove the MafiaaFire Redirector Firefox add-on, ars technica reports. The article is based on a blog posting from Mozilla lawyer Harvey Anderson, where he says that Mozilla has not complied and instead asked the DHS for a legal justification. The add-on is a simple redirector for domains that were seized by the DHS for alleged copyright violations. "As for the developer of the MafiaaFire Redirector, he says that a Chrome version is coming soon and that his work shouldn't be repressed. 'Now, because my idea, which took less than a week to createand the Chrome version 2 daysmakes them walk around with egg on their face after the millions spent (it cost me less than $100), they went running to Mozilla seeking another favor,' he tells Ars. 'They did not even try to contact us. Hats off to Mozilla for sticking up to them, at first we were afraid if Mozilla would even host it due to its controversial nature but they truly backed up their open source supporting words with actions.'"
New vulnerabilities
cronie: privilege escalation
| Package(s): | Cronie | CVE #(s): | |||||
| Created: | May 6, 2011 | Updated: | May 11, 2011 | ||||
| Description: | From the openSUSE advisory:
Cronie does not drop all privileges before calling sendmail. | ||||||
| Alerts: |
| ||||||
exim4: format string vulnerability
| Package(s): | exim4 | CVE #(s): | CVE-2011-1764 | ||||||||||||||||||||||||||||||||
| Created: | May 9, 2011 | Updated: | May 18, 2011 | ||||||||||||||||||||||||||||||||
| Description: | From the Exim advisory:
A format string attack in logging DKIM information from an inbound mail may permit anyone who can send you email to cause code to be executed as the Exim run-time user. No exploit is known to exist, but we do not believe that an experienced attacker would find the exploit hard to construct. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2011-1017 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 6, 2011 | Updated: | August 12, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
Timo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2011-1494 CVE-2011-1495 CVE-2011-1745 CVE-2011-1746 CVE-2011-1079 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 10, 2011 | Updated: | September 13, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
At two points in handling device ioctls via /dev/mpt2ctl, user-supplied length values are used to copy data from userspace into heap buffers without bounds checking, allowing controllable heap corruption and subsequently privilege escalation. (CVE-2011-1494, CVE-2011-1495) Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. (CVE-2011-1079) pg_start is copied from userspace on AGPIOC_BIND and AGPIOC_UNBIND ioctl cmds of agp_ioctl() and passed to agpioc_bind_wrap(). As said in the comment, (pg_start + mem->page_count) may wrap in case of AGPIOC_BIND, and it is not checked at all in case of AGPIOC_UNBIND. As a result, user with sufficient privileges (usually "video" group) may generate either local DoS or privilege escalation. (CVE-2011-1745) page_count is copied from userspace. agp_allocate_memory() tries to check whether this number is too big, but doesn't take into account the wrap case. Also agp_create_user_memory() doesn't check whether alloc_size is calculated from num_agp_pages variable without overflow. This may lead to allocation of too small buffer with following buffer overflow. (CVE-2011-1746) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel-rt | CVE #(s): | CVE-2011-1078 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 11, 2011 | Updated: | August 19, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: |
From the Red Hat advisory: * A missing initialization flaw in sco_sock_getsockopt_old() could allow a local, unprivileged user to cause an information leak. (CVE-2011-1078, Low) * Missing validations of null-terminated string data structure elements in the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1080, Low) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2011-0726 CVE-2011-1019 CVE-2011-1080 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 11, 2011 | Updated: | August 19, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: * The start_code and end_code values in "/proc/[pid]/stat" were not protected. In certain scenarios, this flaw could be used to defeat Address Space Layout Randomization (ASLR). (CVE-2011-0726, Low) * A flaw in dev_load() could allow a local user who has the CAP_NET_ADMIN capability to load arbitrary modules from "/lib/modules/", instead of only netdev modules. (CVE-2011-1019, Low) * A missing validation of a null-terminated string data structure element in do_replace() could allow a local user who has the CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
otrs2: cross-site scripting
| Package(s): | otrs2 | CVE #(s): | CVE-2011-1518 | ||||||||||||
| Created: | May 9, 2011 | Updated: | May 17, 2011 | ||||||||||||
| Description: | From the Debian advisory:
Multiple cross-site scripting vulnerabilities were discovered in Open Ticket Request System (OTRS), a trouble-ticket system. | ||||||||||||||
| Alerts: |
| ||||||||||||||
postfix: code execution
| Package(s): | postfix | CVE #(s): | CVE-2011-1720 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 11, 2011 | Updated: | June 21, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory: A heap-based read-only buffer overflow allows malicious clients to crash the smtpd server process using a crafted SASL authentication request. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
python: information disclosure
| Package(s): | python | CVE #(s): | CVE-2011-1015 | ||||||||||||||||||||||||||||||||||||||||
| Created: | May 6, 2011 | Updated: | October 18, 2012 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
sssd: access restriction bypass
| Package(s): | sssd | CVE #(s): | CVE-2011-1758 | ||||
| Created: | May 5, 2011 | Updated: | May 11, 2011 | ||||
| Description: | From the Red Hat Bugzilla entry: A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the kerberos credential store (defined by krb5_ccache_template in sssd.conf). This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string. | ||||||
| Alerts: |
| ||||||
widelands: arbitrary file overwrite
| Package(s): | widelands | CVE #(s): | |||||||||
| Created: | May 5, 2011 | Updated: | May 11, 2011 | ||||||||
| Description: | From the Red Hat Bugzilla entry: A Debian bug report noted that a security fix was committed to widelands. The commit log is quite vague, but it looks as though it might be an arbitrary file overwrite vulnerability, judging by the code changes. | ||||||||||
| Alerts: |
| ||||||||||
wordpress: privilege escalation
| Package(s): | wordpress | CVE #(s): | |||||||||
| Created: | May 11, 2011 | Updated: | May 11, 2011 | ||||||||
| Description: | From the WordPress update announcement: This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts. | ||||||||||
| Alerts: |
| ||||||||||
xen: arbitrary code execution
| Package(s): | xen | CVE #(s): | CVE-2011-1583 | ||||||||||||||||||||||||
| Created: | May 9, 2011 | Updated: | November 7, 2011 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
It was found that the xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not correctly check for a possible buffer size overflow in the decoding loop. As well, several integer overflow flaws and missing error/range checking were found that could lead to an infinite loop. A privileged guest user could use these flaws to crash the guest or, possibly, execute arbitrary code in the privileged management domain (Dom0). | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>