Monthly Archive for August, 2007

LinuxWorld 07

I’d like to say thanks to all who attended my talk at LinuxWorld. A copy of the slides is available here. I hope you enjoyed it and got a lot out of it. I just posted the second demo in full here, and I’ll try to get the last one up in the near future. If you have further questions, don’t hesitate to drop me an email or post a comment here. Thanks again.

Preventing Disclosure

Problem
While it is always preferable to keep confidential information such as customer records away from a website, that is often not feasible. This is especially true in ecommerce, but it is true in other areas as well. To protect this information, most people employ some sort of authentication application to ensure that people can only access the data they are authorized to see. Despite this, attackers frequently find ways through, or more often around, this authentication mechanism.

Goal
Prevent an attacker from accessing customer records on a web site.

Approach
Solving confidentiality problems generally involves two activities. The first is ensuring that whatever has to access the confidential data is not exploitable. This is a tall order, but it is not impossible. The best strategy here is to make the program that has to access the confidential data as small and analyzable as possible, so that you can take great care in writing it and in analyzing it for correctness. So, I need to make my “guard” application that grants access to the data as small as possible. It should contain only the code needed to authenticate the user and return the data that user is authorized to see.
After ensuring that the application that needs access to the data is solid, the second activity is to ensure that nothing else can access the data. This is where I’ll use SELinux access controls. I’ll build an SELinux domain for the authentication application to run in, as well as a type for the confidential records on disk. I’ll then allow only the authentication application’s domain to access the confidential records. By doing this, I can prevent other things on the website (as well as the rest of the system) from accessing the records. An attacker may be able to compromise another part of my website, but he will not be able to get to my confidential records.
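As an added illustration of the approach above (this is my own sketch, not code from the original post, from Tresys, or from the reference policy), here is a minimal reference-policy-style module for the guard. The type names guard_t, guard_exec_t and customer_records_t are mine, as is the assumption that the guard is a CGI program launched by Apache’s httpd_t domain; the interface and pattern macros are the reference policy’s.

```selinux
policy_module(guard, 1.0.0)

gen_require(`
	attribute domain;
')

########################################
#
# Declarations
#

# The domain the guard runs in, and the type of its binary, which is the
# only entrypoint into that domain.  (Names are this example's assumption.)
type guard_t;
type guard_exec_t;
application_domain(guard_t, guard_exec_t)

# The type for the confidential customer records on disk.
type customer_records_t;
files_type(customer_records_t)

########################################
#
# Guard local policy
#

# The only access to the records granted anywhere: guard_t may list the
# records directory and read the files.  Nothing grants write, so even a
# compromised guard cannot alter records or plant new ones.
allow guard_t customer_records_t:dir list_dir_perms;
allow guard_t customer_records_t:file read_file_perms;

# Assumption: the guard is a CGI launched by Apache (httpd_t from the
# reference policy apache module).  httpd_t executes guard_exec_t and the
# kernel transitions the child into guard_t.  httpd_t itself never gets a
# rule for customer_records_t, so a hole in the web server or in any other
# CGI does not reach the records.
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	domtrans_pattern(httpd_t, guard_exec_t, guard_t)
	# stdin/stdout are pipes and descriptors inherited from httpd_t
	allow guard_t httpd_t:fd use;
	allow guard_t httpd_t:fifo_file rw_fifo_file_perms;
')

# The check: turn the claim "nothing but the guard can touch the records"
# into a build-time assertion.  A later module that grants any other
# domain access to customer_records_t fails to link instead of quietly
# widening exposure.
neverallow { domain -guard_t } customer_records_t:file { read write append create unlink rename };
```

To use it you also need a guard.fc that labels the guard binary guard_exec_t and the records directory customer_records_t (for example `/srv/www/records(/.*)?` and `/var/www/cgi-bin/guard`, paths I am assuming here), then build with the reference policy development Makefile, load with semodule -i, and restorecon -R the labeled paths. Two practical notes: first, find any access the guard still lacks by putting only guard_t in permissive mode (semanage permissive -a guard_t) and reading the AVC denials with audit2allow, rather than loosening the whole system; second, the neverallow is checked only when expand-check is enabled in semanage.conf, and on a policy that has an unconfined domain it will fire because that domain can read all files. Either outcome is useful information: decide explicitly which administrative domains are allowed to see the records and subtract them in the assertion, or accept that an unconfined domain on the box is itself a path to the data. Confirm the final state with sesearch -A -t customer_records_t, which should list only guard_t.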
Continue reading ‘Preventing Disclosure’

Vulnerable web applications

Problem
Web applications are a frequent source of vulnerabilities. These vulnerabilities can stem from bugs in the application itself as well as in the libraries and frameworks on which it depends, and they are often the entry point an attacker uses to upload malicious software onto a system. That software can include root-kits, bots, data collection agents, or other malicious applications.

Goal
Prevent an attacker from uploading and executing malicious software through vulnerabilities in the web application.

Approach
I’ll use SELinux to confine the web application. This involves building an SELinux domain for the web application to run in that cannot execute anything it writes to disk and cannot access the network directly. The strictest policy I could write would not allow the domain to write anything to disk at all, but that is often not feasible for web apps, since part of their function often involves receiving uploads. By eliminating the ability to execute something that has been uploaded, I can significantly reduce the attacker’s ability to use previously built malicious code such as a root-kit. However, the attacker may still be able to run malicious code by taking over the web app process itself. While I cannot prevent this without having a bullet-proof web app, I can limit what the attacker can do by preventing all direct access to the network, which stops a compromised web app process from being used as a bot. Additionally, I’ll limit the web app’s access to only what it needs to function, to prevent the compromised app from scouring the system for information or further vulnerabilities.
Continue reading ‘Vulnerable web applications’
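As an added example of the confinement described above (my own sketch, not code from the original post or from the reference policy), here is a module for such a web application domain. The names webapp_t, webapp_exec_t and webapp_upload_t, and the assumptions that the app is an interpreted CGI started by httpd_t and that its database is reached over a local Unix socket, are mine; the macros are the reference policy’s.

```selinux
policy_module(webapp, 1.0.0)

gen_require(`
	attribute domain;
')

########################################
#
# Declarations
#

# Domain and entrypoint for the web application (names assumed here).
type webapp_t;
type webapp_exec_t;
application_domain(webapp_t, webapp_exec_t)

# Where uploaded content lands.  A plain data type: no rule in this module
# grants execute on it, and the assertion at the end keeps it that way.
type webapp_upload_t;
files_type(webapp_upload_t)

########################################
#
# Webapp local policy
#

# The app may create, read, write and remove uploads.  manage_file_perms
# does not include execute, and with no relabelfrom/relabelto the app
# cannot re-label an upload to an executable type either.
manage_dirs_pattern(webapp_t, webapp_upload_t, webapp_upload_t)
manage_files_pattern(webapp_t, webapp_upload_t, webapp_upload_t)

# Assumption: the app is interpreted and must run the system interpreter
# from bin_t.  Trade-off: a compromised app can run anything already in
# /usr/bin, but nothing it wrote itself.
corecmd_exec_bin(webapp_t)

# Assumption: Apache launches the app and transitions into webapp_t.
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	domtrans_pattern(httpd_t, webapp_exec_t, webapp_t)
	allow webapp_t httpd_t:fd use;
	allow webapp_t httpd_t:fifo_file rw_fifo_file_perms;
')

# No network access is granted anywhere in this module.  If the app needs a
# database, reach it over the server's local Unix socket rather than TCP so
# the domain still never owns a tcp_socket.
optional_policy(`
	mysql_stream_connect(webapp_t)
')

########################################
#
# Assertions: the properties the post relies on, enforced at build time
#

# 1. Nothing the app can write is executable by it.
neverallow webapp_t webapp_upload_t:file { execute execute_no_trans entrypoint };
# 2. No direct network: the domain cannot even create a socket for an IP
#    protocol, which is what stops it being turned into a bot or a scanner.
neverallow webapp_t self:{ tcp_socket udp_socket rawip_socket packet_socket } create;
# 3. No writable-and-executable memory, so injected code cannot be run from
#    the heap or stack.  Drop this if the runtime is a JIT that needs execmem.
neverallow webapp_t self:process { execmem execheap execstack };
```

Two caveats worth checking before relying on this. SELinux’s execute permission governs execve and executable mappings, so assertion 1 blocks uploaded native binaries and shared objects, but an interpreter the app is already allowed to run (via corecmd_exec_bin above) only needs read access to consume an uploaded script; if the app is PHP or Python, the upload directory must also be kept out of the interpreter’s include and import paths. And the “only what is necessary” goal is something to verify, not assume: after loading the module, list every rule the domain actually has with sesearch -A -s webapp_t and justify each one, then discover anything missing by running webapp_t permissive (semanage permissive -a webapp_t) under real traffic and reviewing the denials with audit2allow before granting them.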

Useful Security

Welcome to usefulsecurity.com. This blog is dedicated to providing tips, pointers, howtos, and other information on solving real security problems. Too often today, security professionals come up with “solutions” that don’t really help users solve their security problems. This has many causes, including not understanding the problem correctly, not understanding the available technologies, and a desire to sell a solution that may not make sense in a particular environment.

This blog will follow a pattern of choosing a security problem and looking at how to solve that problem. As often as possible, this will come in the form of technical examples including code and policy snippets. This blog will often use SELinux in some way to solve those problems. There are two reasons for this. First, I’m heavily involved in SELinux in my day job at Tresys, so the problems I see are frequently addressable by SELinux. Second, SELinux is a very flexible security framework, so it does address a very large number of security problems. That said, I’m going to do my best to focus on solving the problem and using the appropriate technology to do it.

So, sit back and enjoy. Hopefully you’ll find solutions to some of the security problems you’re facing today. If not, feel free to let me know what those problems are so I can try to focus on them in future posts.