Other articles

  1. Materials for my talk at SSTIC 2015 - PICON : Control Flow Integrity on LLVM IR

    Here are the materials for the talk PICON : Control Flow Integrity on LLVM IR, given during SSTIC 2015. While SSTIC is a french-speaking conference, I publish here in English because my other posts also are in English.

    Here is the summary, from the website:

    Control flow integrity has been a well explored field of software security for more than a decade.

    However, most of the proposed approaches are stalled in a proof of concept state - when the implementation is publicly available - or have been designed with a minimal performance overhead as their primary objective, sacrificing security.

    Currently, none of the proposed approaches can be used to fully protect real-world programs compiled with most common compilers (e.g. GCC, Clang/LLVM).

    In this paper we describe a control flow integrity enforcement mechanism whose main objective is security. Our approach is based on compile-time code instrumentation, making the program communicate with its external execution monitor. The program is terminated by the monitor as soon as a control flow integrity violation is detected.

    Our approach is implemented as an LLVM plugin and is working on LLVM’s Intermediate Representation.

    Code is currently being published (with an opensource ...

    read more
  2. grsec kernel with nvidia module

    Compiling a grsec kernel on a laptop/workstation is a good way to add protection against wide classes of attacks. However, while the options may be easy to choose on a server, this may be difficult because a typical desktop needs more privileges. Here are a few points:

    • Xorg (wants privileged I/O, unless you use KMS) conflicts with PAX_NOEXEC and GRKERNSEC_IO
    • power management: applets to display the battery level want (non-root) read permission on /sys, this will conflict with GRKERNSEC_SYSFS_RESTRICT. You can enable SYSFS_DEPRECATED as a workaround.
    • power management: ACPI is required for a laptop (if you want to be able to use suspend/resume, control fan speed, etc.)
    • power management: suspend/restore conflicts with some options (PAX_MEMORY_UDEREF and PAX_KERNEXEC)
    • virtualization: PAX_KERNEXEC conflicts with kvm/vmx

    If you have other points to add/corrections, just send them to me !

    Now, another problem I have is that I must use the proprietary kernel. Not that I really want to, but it is the only driver with proper support for my graphics card (GT555M), since the nouveau driver has some problems here: breaks suspend to ram/disk, sucks battery (I have 2h30 of autonomy with nouveau, and about 5 with Nvidia ...

    read more
  3. DFF accepted into Debian

    DFF (Digital Forensics Framework) has been accepted into Debian unstable.

    From the website:

    The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform.The framework is used by system administrators, law enforcement examinors, digital forensicsresearchers and > students, and security professionals world-wide. Written in Python and C++,it exclusively uses Open Source technologies.

    DFF combines an intuitive user interface with a modular and cross-platform architecture.

    DFF is a nice tool, combining Python and C++ (and PyQt) to provide performances, be easy to extend and provide a nice GUI. It is GPLv2, thanks to ArxSys.

    If you like it, don’t hesitate to contact them on the IRC channel (#digital-forensic on Freenode).

    read more
  4. Project page for SIEM-live

    live06.png

    I’ve created a project in redmine for SIEM-live, so there is now a wiki, a tracker, and a repository. I’ll add some documentation and instructions on how to build the CD soon.

    Contributors would be gladly accepted :)

    I’ve also updated the Git repository for recent versions of live-build, where all variables have been renamed without keeping compatibility :/

    The bug where booting with no network (no DHCP, for ex.) made many command fail with a weird error message has been fixed:

    could not resolve 127.0.0.1: address family for hostname not supported
    

    For the record, this was caused by .. IPv6 ! Disabling it during the configuration sequence fixes the problem.

    read more
  5. Creating a live cd for open source SIEM Prelude and Suricata

    I have started to work on a Live CD for Open Source tools like Prelude SIEM, and software like Suricata, Snort, OpenVAS to send alerts. The goal is to easily test these tools, register new agents, get some alerts and be able to correlate them etc. I also want to add some visualization tools, so this CD could maybe become a reference for security alert detection and report.

    "Prewikka"

    First, a few points on applications used:

    • Debian Live for building the CD. It’s very easy, it’s based on Debian, and it allows me to re-use some work I’ve done
    • Suricata IDS, which is a very promising project
    • Snort IDS, with the free signatures
    • OpenVAS to be able to generate alerts
    • Prelude SIEM is the key point: suricata, snort, syslog etc. will send alerts to Prelude, which has a database, a correlator, a web interface (Prewikka) etc.
    • Standard useful tools: nmap, scapy, wireshark, p0f, etc.

    This first version is based on Debian Lenny and arch x86. Everything is based on packages (.debs) to make it easier to maintain, upgrade versions or add patches: most of the time, I just have to rebuild packages from squeeze or sid.

    The build ...

    read more
  6. implementing the evil maid attack on linux with Luks

    This month, Joanna Rutkowska implemented the “evil maid” attack against TrueCrypt.

    This kind of attack can be done on any OS with disk encryption: when using whole-disk encryption, you have to infect to bootloader. Linux includes dm-crypt/LUKS, which has some nice features (including TKS1 and working encrypted suspend-to-disk). But how does it play with this attack ?

    Sadly, the answer is: pretty bad. LUKS has no protection against this attack, and even requires a /boot partition in clear. Before looking at the possible solutions, we’ll play with the /boot partition to see how simple the attack is.

    Linux boot sequence basics

    The boot sequence (See http://www.ibm.com/developerworks/library/l-linuxboot/index.html) is the following:

    • System startup: the BIOS is loaded, searches for a boot medium, loads the MBR, and yields control to it.
    • Boot loader stage 1: the job of the primary boot loader is to find and load the secondary boot loader (stage 2)
    • Boot loader stage 2: its jobs is to search and load the Linux kernel and initial RAM disk (initrd) images.
    • Linux kernel: it starts by uncompressing itself, then mounts the initrd image. This image contains modules and scripts required to find ...
    read more
  7. Playing with OpenDPI

    So, Ipoque has published its deep inspection engine under a free license (LGPLv3): OpenDPI This is always good news when a company decides to release source code to the community, so first of all thanks to Ipoque for this.

    After downloading the source code on OpenDPI google project’s page, I started to look at it.

    Basically, the project looks quite unprepared for release (only a Makefile, no configure script - though no-one can be blamed for not using autotools -), but after looking at the code it seems not so bad:

    • the code is reasonably clean
    • it builds fine on x86 or x86_64 platforms
    • the code is provided with a decent list of identified protocols
    • the demo uses pcap files

    There are a few minor annoyances:

    • the provided lib is a static lib … building a shared library would be better !
    • the build system is pretty awful, rebuilding everything each time, without using deps, no install system etc.
    • no docs (looking at the demo file was sufficient to understand most of the function).
    • no correct website, forums or whatever. I’m sure it will get better in the future
    • pcap only

    This last point was the most annoying to me, so I ...

    read more
  8. Vulnerabilities (phpbb, squirrelmail)

    Just after phpbb website has been compromised (see the detailed explication on this blog, another big problem just appeared, this time on squirrelmail:

    SECURITY: Plugins Security Alert
    Feb 05, 2009 by Paul Lesniewski
        We are sorry to announce that we've had a security breach with our plugins system. An attacker uploaded at least
           four modified plugin packages, which we have since rectified. If you have downloaded any of the following
           plugins since January 17, 2009, you should immediately replace them (download them again):
    AnnotateMore Server and Mailbox Annotations version 0.2
    CAPTCHA version 1.1
    Change LDAP Password version 2.2
    Sieve Mail Filters version 1.9.7
    

    ouch ! Squirrelmail does not give much details on the impact, but given that these plugins can touch passwords, that can be very bad …

    read more
  9. Captive Portals are BAD !

    Captive portals almost always work by validating the IP address of the client, and often the MAC address. This creates a wrong feeling of security, because it is quite easy to bypass. Let’s explain the most common problem: spoofing.

    Installing a captive portal

    I have chosen to install Alcasar, which claims to be a highly secure solution developed by the French Ministry of Defense.

    First surprise, it’s a shell script ! In fact, it’s not really an application, only an installer for a few packages, with some configuration. Installation went pretty bad:

    • the installer only works for a specific version of Mandriva (2007), which is quite old, and buggy on my hardware
    • most things are hardcoded: the installer exploded without errors because my network is not ending by a 0 (10.0.0.129/25)
    • my third network card is not even used by the script ! Too bad for the DMZ

    After 4 or 5 retries, and modifications in the script, I finally got a working server.

    First tests

    After a reboot, everything seems to work. Got an address using DHCP, I try to connect to Google .. ok, the captive portal appears and asks for a login. With ...

    read more

Page 1 / 2 »