Marcin and I were talking a bit about mainframe security today. I
recalled how fantastic mainframes were while he had his hands in the
trenches. Yes, I know that IBM renamed MVS to z/OS (as well as other
things) years ago. However, the concepts remain the same: TSO, ISPF, and
JCL are still there.
I tried to explain some of the differences between z/VM and z/OS. z/VM
is based on VM/CMS, which ran an antiquated version of hardware
virtualization concepts that we find in modern technology such as Xen. I
also pointed Marcin to the Wikipedia entry for
RACF,
where we checked out and discussed all the links. Recently, I had also
read Mainframe Basics for Security
Professionals, so you can check it out
if you want more information.
As we got deeper into the conversation, we talked less and less about
mainframes and more and more about Xen. I related concepts of clustering
from the Big Blue days of IBM, which ran AIX on SP2 clusters. What Xen
and new-age hardware virtualization packages are lacking is not only
security concepts, but also general improvements and refinement of
technique.
The whole point of running multiple OSes on a single machine escapes
most people. They mostly want it so that they can run Mac OS X and
Windows on the same laptop. That's the opposite of what this technology
is meant to do. It's for big servers with lots of processors and memory.
It's intended to be able to migrate, restore, route-around availability
issues, and increase performance.
That's correct: increase performance while also moving an OS between
physical machines. Late at night, an entire mainframe-sized machine or
two can be shut down for maintenance and to save money on power -- while
another mainframe-sized machine picks up that work until early in the
morning.
Some people say, "well if this computer is sitting here only running one
task on CPU for 4 hours a day at 90%, then we can just run SETI@home the
rest of the time it's idling at 10%". This is exactly the kind of
attitude that caused the Dot-Com era way of thinking. The real goal is
to move services off that machine when it's not using them, and safely
carry them out elsewhere.
Speaking of the laptop, think of Xen save/restore/migrate more like your
laptop's hibernate feature. When it comes up again, you're back in
business. Xen migrate makes moving an OS between machines "instant
business". The primary extra difficulty system administrators and IT
people have with understanding Xen migration is that it requires shared
storage. I've set up iSCSI with Xen and maintained it using CentOS
(RedHat Enterprise Linux, or RHEL), even in a clustered configuration.
When architecting this sort of solution -- you really have to look at
all the dependencies you create, otherwise you're just adding more
headache. For an introduction to the subject, check out this article on
Live Migration of Xen Domains.
While separating out every service into its own guest seems like a great
idea at first, it also would require installing many OSes and keeping
them all up-to-date with patches. This would seem to lessen the security
since most people install an OS using a CDROM or DVD using default
configurations. They don't want to take the time to set up and manage
"more" machines, when they already have their fill with the current
situation/mess they are in.
Enter VMcasting. VMcasting allows package updates to be distributed via
RSS feeds to the guests. I had first heard about VMcasting from a
company who makes both Enterprise Xen control software, as well as an
open-source version --
Enomalism. Enomalism has
features that are very different than most of the other Xen Enterprise
managers, including VMcasting. It supports
sHype
(a hypervisor access-control system similar to SELinux or RACF, with
support of RBAC and TE), a firewall management application, centralized
user management with LDAP controls, and a custom web API written in --
you guessed it -- Ajax. I can't believe I just used Ajax and RSS in the
same paragraph as describing the benefits of hardware virtualization as
it applies to vulnerability management, but there you have it.
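Since VMcasting pushes package updates to guests over an RSS feed, the feed becomes part of the patching supply chain, and a guest should check what it pulls before installing it. The following is an added example (not Enomalism's code, and not the real VMcast feed layout, which I'm not reproducing here): it assumes a feed with one item per package, an `<enclosure>` for the download, and a digest in a made-up `vmcast:sha256` element, and it rejects entries that are fetched over plain HTTP, carry no digest, or whose bytes don't match the advertised length and digest. The feed and package bytes are constructed inline.

```python
"""Parse a VMcast-style RSS update feed and verify each package before
accepting it. Added example; the feed layout (<enclosure> plus a
vmcast:sha256 element) and the namespace URI are assumptions."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

VMCAST_NS = "http://example.invalid/vmcast"  # placeholder namespace (assumption)

# Constructed package payloads standing in for bytes a guest would download.
PACKAGES: Dict[str, bytes] = {
    "https://updates.example.invalid/openssh-4.7p1.rpm": b"fake openssh package bytes",
    "https://updates.example.invalid/httpd-2.2.8.rpm": b"fake httpd package bytes",
    "http://updates.example.invalid/kernel-2.6.18.rpm": b"fake kernel package bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _item(title: str, url: str, digest: Optional[str]) -> str:
    """Build one constructed feed item; the length is derived from PACKAGES."""
    length = len(PACKAGES.get(url, b"x"))
    digest_xml = f"<vmcast:sha256>{digest}</vmcast:sha256>" if digest else ""
    return (f"<item><title>{title}</title>"
            f'<enclosure url="{url}" length="{length}" type="application/x-rpm"/>'
            f"{digest_xml}</item>")


# Constructed feed: a good item, a wrong digest, a plain-http URL, and no digest at all.
FEED = (f'<?xml version="1.0"?><rss version="2.0" xmlns:vmcast="{VMCAST_NS}"><channel>'
        "<title>guest updates</title>"
        + _item("openssh-4.7p1", "https://updates.example.invalid/openssh-4.7p1.rpm",
                sha256_hex(PACKAGES["https://updates.example.invalid/openssh-4.7p1.rpm"]))
        + _item("httpd-2.2.8", "https://updates.example.invalid/httpd-2.2.8.rpm", "0" * 64)
        + _item("kernel-2.6.18", "http://updates.example.invalid/kernel-2.6.18.rpm",
                sha256_hex(PACKAGES["http://updates.example.invalid/kernel-2.6.18.rpm"]))
        + _item("unsigned-thing", "https://updates.example.invalid/unsigned.rpm", None)
        + "</channel></rss>")


@dataclass
class UpdateItem:
    title: str
    url: str
    length: int
    sha256: Optional[str]


def parse_feed(xml_text: str) -> List[UpdateItem]:
    """Extract every <item> that has an <enclosure>, keeping its digest if present."""
    root = ET.fromstring(xml_text)
    items: List[UpdateItem] = []
    for item in root.iter("item"):
        enc = item.find("enclosure")
        if enc is None:
            continue
        digest_el = item.find(f"{{{VMCAST_NS}}}sha256")
        digest = digest_el.text.strip() if digest_el is not None and digest_el.text else None
        items.append(UpdateItem(item.findtext("title", ""), enc.get("url", ""),
                                int(enc.get("length", "0")), digest))
    return items


def verify_item(item: UpdateItem, fetch: Callable[[str], bytes]) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheap checks run before any download happens."""
    if urlparse(item.url).scheme != "https":
        return False, "refusing non-https enclosure"
    if item.sha256 is None:
        return False, "feed entry carries no digest"
    data = fetch(item.url)
    if len(data) != item.length:
        return False, "length mismatch"
    if not hmac.compare_digest(sha256_hex(data), item.sha256.lower()):
        return False, "digest mismatch"
    return True, "ok"


def apply_feed(xml_text: str, fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Map each item title to the verification verdict a guest would act on."""
    return {it.title: verify_item(it, fetch)[1] for it in parse_feed(xml_text)}


if __name__ == "__main__":
    for title, reason in apply_feed(FEED, PACKAGES.__getitem__).items():
        print(f"{title}: {reason}")
```

A digest carried inside the feed only catches a corrupt or swapped mirror; if the feed itself is served from somewhere an attacker controls, they rewrite the digest too. So the feed has to be fetched over authenticated TLS from a pinned host, or better, the feed or the packages carry a signature the guest verifies against a key it already trusts.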
The additional benefit of Enomalism comes in the form of its EVA
containers (Enomalism Virtual Appliances). An EVA is a package, but that
package can contain multiple virtual machines, such as two web servers
and two database servers. These can be pre-configured and ready to be
put into a lab or staging environment right away. Speaking of labs,
imagine setting up a security penetration-testing lab using EVA
containers.
After recently also reading "Penetration Tester's Open-Source Toolkit,
Volume 2", the updated section on Building Penetration Test
Labs gives some excellent suggestions on using Pen-Test "system lab"
LiveCDs for learning purposes. Booting from CDROM as a virtual
environment takes a lot of the work out, but imagine if you combined it
into a bootable Pen-Test "network lab" with an EVA package.
Check out the authors' website at DE-ICE.Net
for a list of the LiveCD "system lab" packages. See if you can spend
some time making them into an EVA container, but don't VMcast and
accidentally upgrade all of the out-of-date packages! Also of note would
be the SecurityDistro website, which lists many of the FOSS LiveCD
projects -- be sure to check out their new Beta website
portal (register and join the
forums!), which should roll into their main
site very shortly.
Posted by Dre on Tuesday, February 5, 2008 in
Hacking,
Linux,
Security and
Tech.
I often sound like a Linux bigot.
Before I was labeled as a Linux bigot, I was considered a classic
FreeBSD bigot (so you would think I like Mac OS X, but I don't). Before
everyone tagged me as a FreeBSD bigot, I again gave the impression of
being a Linux bigot (but that was before 2.2.2 when Slackware first came
out; I mostly used Linux early on as SLS). Before everyone was sure that
I was a first generation Linux bigot, I was also considered a 386BSD
bigot. Before 386BSD, my background demonstrated that I had to be a
SunOS 3.x/4.x bigot (because it was my first introduction to Unix).
Before that, everyone thought I was into Amigas or something.
This is all very untrue, including the parts about Mac OS X. I am not an
OS bigot; I am not a fanboy. I like computers and computers like me.
I'll use anything you put in front of me, especially if it's free
hardware and software. Microsoft is no exception.
Microsoft is big. Microsoft thinks they own everything. Microsoft thinks
ASP.NET is bigger and better than Java EE or PHP and that C#/CIL is
bigger than Java.
I really like Microsoftisms. Microsoft Vista is incredible. It
consistently amazes me. Mono/.NET is the way to go for all programming.
C# is the best language and has the best community. ASP.NET 3.5 is the
third best framework for web application programming, right after HDIV
SpringMVC (best) and HDIV Struts2. JSF is probably fourth place. I also
like Grails and RoR, but these are toys compared to JEE and ASP.NET.
Toys in the same way that first generation Linux was also a toy.
Microsoft went and released the sources to the .NET
framework
almost three weeks ago (the link goes to Casaba Security, who hadn't
blogged in quite some time until just recently!). Last week, I
found out that the Microsoft Code
Gallery (formerly known as the
GotDotNet community portal) is back and in full force. Microsoft also
released Wave 0 for
Vista yesterday, not to mention Windows Server 2008. Would this have
anything to do with Bill Gates passing on the crown? I doubt it.
Bill Gates started the Trustworthy Computing
initiative in
2002 from a memo in 2001. TwC is an acronym that reminds me of SwA
(Software Assurance), and this is what the concept is probably really
about. Software Assurance is a concept that nobody besides Matt Bishop
seems to be able to talk about effectively. Even Gary McGraw is too busy
with gaming to worry about tackling such a large issue.
The new SwA is now called "Secure SDLC", which is one word with one
acronym I'm very happy to see next to each other. The Microsoft SDL is
widely touted as the only Security Lifecycle around, which is completely
untrue. Threat-modeling (which I refer to as "attack-modeling") came
from Microsoft -- actually, no, it's much better explained by either the
DHS BHI's Architectural Risk Analysis or the Octotrike Trike and
Privilege-centric Analysis models. Smart fuzzing is another huge
Microsoft win, were it not for the work by VDA Labs, DVLabs,
Codenomicon, and a few other fuzzer shops. SAL, SLAM, and
Phoenix/Cthulhu were all partially responsible for kernel/driver
security "beefing-up" in Windows Vista. Can you think of other recent
wins for Microsoft?
Sure, more web applications are written in PHP than ASP.NET (all
versions) and Classic ASP combined. Of course Microsoft stole ASLR from
GRSecurity and OpenBSD. The Microsoft SDL is a clear rip-off of SSE-CMM
or Cigital Touchpoints. Threat-modeling is really just informal (i.e.
arguments for) specification during design for risk-based and security
reasons. Even fuzzing has been around since that Bart Simpson guy got
that cool haircut -- and he probably stole it from methods combining
source tracing, structural analysis, and advanced forms of functional
testing that came out of the early 1970's.
All of the above "a priori" intellectual property may have been stolen
by Microsoft -- and then subsequently patented by them, but they were
the ones that made it work for the masses.
So it didn't surprise me when Fortify announced support for
.NET
last March in their Defender product, nor that they have had support
for .NET throughout their SCA product. What surprises me is that
Microsoft hasn't bought them yet.
If you haven't already checked out Fortify's products, I suggest you get
their book, "Secure Programming with Static Analysis" -- however, you
can also find reference and screenshots of SCA in "Software Security:
Building Security In" as well as "Buffer Overflow Attacks: Detect,
Exploit, Prevent". Even if you're lacking in the book department, you
can at least check out Marcus Ranum's review of their
tools
with some amazing screenshots.
Ranum attempts to hint throughout his article the difference between
`security researchers' and `vulnerability pimps'. He claims, "if [...]
`security researchers' actually wanted to be useful, they'd be working
as part of the code audit team for Oracle, or Microsoft. But then they
couldn't claim their fifteen minutes of fame on CNN or onstage at
DEFCON." He's right, of course.
In a recent blog post from Bryan Sullivan on the Microsoft SDL Blog we
see striking similarities. Bryan is interested in creating a sort of
Sexy Development
Lifecycle
where Linux GNOMEs compile C programs for you. Ok, that's not exactly
what Bryan said, but there is a lot to be said about the fact that
software security is no longer about ad-hoc penetration-testing.
Vulnerability pimps are a dead breed. In 2008, anybody can use tools
like Fortify SCA or .NET Reflector/Deblector to find bugs. Have we
already moved on in security research to where software vulnerabilities
are no longer considered research, but novel software weaknesses are the
minimum barrier to entry for BlackHat or even DEFCON?
Posted by Dre on Tuesday, February 5, 2008 in
Security and
Windows.
The other night, we had the special privilege of being guests on Martin
McKeay's Network Security
Podcast with co-host Rich
Mogull. While having a great time several
weeks ago at SunSec, and several beers into the night, we tricked Mogull
into letting us crash the podcast... j/k :D
We started off with Mystery Malware affecting Linux/Apache
websites,
which led to a discussion on web application security and how we can go
about solving the problems. From there, we introduced our talk at
ShmooCon and gave some more details as to what we've been doing.
You can download this episode 92 of the Network Security
Podcast. Martin usually has a...
let's say, "different" taste in music than us, but the song he played
last night was pretty funny -- If this Geek Ruled the World.
Posted by Marcin on Wednesday, January 30, 2008 in
People and
Security.
I have one ShmooCon ticket available for $300. Contact me if you are
interested.
Why do I have one ShmooCon ticket for sale? I bought it in case we
didn't get accepted to ShmooCon, but we did! Dre, Tom Stracener of
Cenzic (and formerly nCircle), and I will be giving a talk on:
Path X: Explosive Security Testing Tools Using XPath
We will cover
what XPath is, how it is used to parse XML in web applications in order
to aid security testing tools, and why XPath expressions are good
locators in comparison to other methods such as DOM or CSS selectors. We
will attempt to demonstrate how XPath can be used for good instead of
being targeted with injection or blind XPath injection attacks.
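To give a taste of the "XPath for good" angle, here is an added example (my own illustration, not code from the talk or from any tool we are releasing) of XPath as a locator for a security-testing tool: it walks a constructed XHTML page with the standard library's ElementTree XPath subset, finds every form that contains a password field however deeply it is nested, and summarises the fields a tool would need to drive it. It also shows the defensive half of the story: a caller-supplied value goes into a predicate as a proper XPath string literal, never by raw string splicing, and a value that can't be written as a single literal is rejected. The page markup and helper names are assumptions.

```python
"""XPath as a locator for form fields in a constructed XHTML page, with
caller-supplied predicate values embedded as safe XPath literals.
Added example using only ElementTree's XPath subset; markup and helper
names are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"h": "http://www.w3.org/1999/xhtml"}

# Constructed XHTML page standing in for a fetched response.
PAGE = """<html xmlns="http://www.w3.org/1999/xhtml">
 <body>
  <form id="search" action="/search" method="get">
   <input type="text" name="q"/>
  </form>
  <div class="login-box">
   <form id="login" action="/login" method="post">
    <input type="text" name="user"/>
    <input type="password" name="pass"/>
    <input type="hidden" name="csrf" value="constructed-token"/>
    <input type="submit" value="Sign in"/>
   </form>
  </div>
 </body>
</html>"""


def xpath_literal(value: str) -> str:
    """Return value as an XPath 1.0 string literal.

    A literal is delimited by ' or " and has no escape mechanism, so a value
    containing both quote kinds cannot be one literal (XPath's concat() would
    be needed, which ElementTree lacks); it is rejected rather than spliced in.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    raise ValueError("value contains both quote characters; cannot form a single XPath literal")


def forms_with_password(root: ET.Element) -> List[ET.Element]:
    """Every <form> holding a password field, at any depth below the root."""
    return [f for f in root.iterfind(".//h:form", NS)
            if f.find(".//h:input[@type='password']", NS) is not None]


def describe_form(form: ET.Element) -> Dict[str, object]:
    """The locator-relevant parts of a form a testing tool needs to submit it."""
    return {
        "id": form.get("id"),
        "action": form.get("action"),
        "method": (form.get("method") or "get").lower(),
        "fields": [i.get("name") for i in form.iterfind(".//h:input", NS) if i.get("name")],
        "hidden": [i.get("name") for i in form.iterfind(".//h:input[@type='hidden']", NS)],
    }


def login_forms(page: str) -> List[Dict[str, object]]:
    return [describe_form(f) for f in forms_with_password(ET.fromstring(page))]


def input_type_by_name(page: str, name: str) -> Optional[str]:
    """Type of the input whose name equals `name`; the name becomes a literal,
    so quote characters inside it compare as data instead of altering the query."""
    expr = f".//h:input[@name={xpath_literal(name)}]"
    found = ET.fromstring(page).find(expr, NS)
    return None if found is None else found.get("type")


if __name__ == "__main__":
    for summary in login_forms(PAGE):
        print(summary)
    print(input_type_by_name(PAGE, "pass"))
    # A quote-laden value is just a string to compare against; it matches nothing.
    print(input_type_by_name(PAGE, "pass' or '1'='1"))
```

The `.//` axis is what makes XPath a better locator here than `getElementsByTagName` walks pinned to a fixed depth: the login form moved under a wrapper `div` and the locator still finds it. ElementTree only implements a small XPath subset (no `or`, no `concat()`), which is why the literal builder has to refuse values with both quote kinds instead of building a `concat()` expression as you would with a full XPath engine.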
Check the ShmooCon Speakers list
for all the talks. If you're going to ShmooCon as well and want to hang
out, post a comment. We can't wait for this year's Podcasters
Meetup -- last year's totally
rocked. There is going to be a lot happening and it's all going to be a
lot of fun.
New Look
We have changed our look slightly and have a new theme. You might not
notice much of a difference if all you read is our RSS. We hope that the
new theme makes it easier for those who come to our site to read
longer posts. Not to mention, it's faster, simpler, and
cleaner... and I had it validating XHTML 1.0 Strict on my staging
server, but not anymore. If anyone can help me out that'd be great,
getting 100% Strict validation was pretty cool for those 15 minutes. :/
Research
Dre and I have been pouring a ton of research into web testing tools and
using those tools to find vulnerabilities in web applications. Some
coincides with the information we have put into our talk, which we will
be publishing soon.
Posted by Marcin on Monday, January 28, 2008 in
Conferences,
Other and
Security.
Here's a new 2008 security prediction for you --
The iPhone camera is an odd device. There is no notification that a
picture is being taken, so the only requirement for malware is to wait
for user activity and then start taking pictures.
My prediction is that malware will be written to do just this and upload
it all to a website. The unknowing iPhone user's face will then be
auto-BBQ'd (this
link is NSFW) and other personal information will also be uploaded to
further embarrass the individual.
The malware will likely be injected once Facebook apps start
integrating well with the iPhone. Gives
new meaning to the phrase, SuperPoke.
All you need to get started on this project is to integrate Metasploit
with the iPhone Photo Library framework. A simple
class-dump of
PhotoLibrary.framework/PhotoLibrary will dump all the libraries,
including the necessary CameraController class file. Creating a hidden
photo-taking utility or integrating it with malware is easy from this
point on.
For more information (and to see where I got some of the ideas), be sure
to check out the book, iPhone Open Application Development: Programming
an Exciting Mobile
Platform, when it
becomes available.
Posted by Dre on Sunday, January 27, 2008 in
Apple,
Hacking,
Privacy,
Security and
Tech.