Kerckhoffs' Legacy: Open Source and Security - …assets.en.oreilly.com/1/event/61/kerckhoffs_...


www.subgraph.com

Kerckhoffs’ Legacy: Open Source and Security

David Mirza, Subgraph Technologies Montreal

Who We Are

• Open-source security startup
• Based in Montreal
• Experienced founders:
  • Secure Networks Inc.
  • SecurityFocus (Symantec)
  • Core Security Technologies
  • Netifera
  • REcon

Open Source and Security

• Kerckhoffs' principle
  • Auguste Kerckhoffs: 19th-century Dutch linguist and cryptographer
  • Made an important realization:
    "The security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy's hands without inconvenience."
  • The adversary knows the system (Claude Shannon)
• As opposed to "security through obscurity"

Open Source and Security

• Kerckhoffs' principle
  • Well understood in the world of cryptography
  • New ciphers are not trusted until they have been analyzed in public, because to its users a cipher is a "black box"
  • Once in a while (less now), companies try to market proprietary ciphers; there's a term for this: "snake oil"
  • Kerckhoffs' principle can be understood as "open source is good security"

Beyond Cryptography

• Security research community
  • Active, global community of passionate professionals, amateurs, students and hackers
  • Collaborative
  • Open
  • Underground, above ground, academic
• Examples
  • Phrack magazine (hacker zine published since 1985)
  • Bugtraq (1993)
  • Defcon
  • Black Hat
  • REcon!

Security researchers

• Have one thing in common: passionate about breaking things
• Driven by a natural tendency to challenge authority and control
• Skeptical about security claims
• Possess an innate understanding of Kerckhoffs' principle
• Share information
• Do not trust each other: tools that are not open source are treated with suspicion
• The underground hacking scene is the same, but closed

Security Research Community: Conferences

• There are a lot of them, all over the world
  • One recent list had 70, many informal and low-budget
  • www.felipemartins.info/2011/07/security-events-complete-list
  • "B-Sides"
• Curious mix: teenage hackers, students, professionals, military, intelligence agency people, all attending the same conferences
• Researchers present new techniques and tools
  • Open source, nearly without exception
• Materials very often made available for all
  • My example, REcon: slides and videos (hosted on archive.org)

Bugtraq

• Bugtraq had ~50,000 subscribers during its peak, 2001-2005
  • Even more people read the archives
• Chaotic, controversial
• This community changed the software industry
  • Sysadmins and users had no way to get security issues fixed
  • Answer: full disclosure
  • It was controversial; not anymore, full disclosure won
  • Better security for all
  • Vendors had to respond
  • As we'll see, systems were hardened using methods invented in the open source / free software world
• Today: bug bounties
  • Google, Mozilla

Community was defiantly open

• In fact, there were some who felt Bugtraq was not open enough
• Moderation on the list was a response to the 90s spam problem
  • Reluctantly implemented
  • Some were opposed to this at the time
• The Symantec acquisition of SecurityFocus provoked strong, protective reactions
  • Almost conspiracy theories
  • Creation of new lists: "Full-Disclosure"
• Hackers protecting freedom to code, openness

Freeing Strong Crypto: DJB vs. the USA

• In the 1990s, strong cryptography was classified as munitions
  • Export restricted under ITAR regulations
• So, in 1995, security researcher Daniel J. Bernstein sued the United States of America (and won)
• The ruling in this monumental case declared software source code "protected speech" under the First Amendment
• (DJB also wrote key open source server software: qmail, djbdns, ...)

Hackers protested the absurdity creatively.

(It's not code, it's an image on a t-shirt!)

RSA dolphin created by Vipul Ved Prakash

Sharing Knowledge: Open Source in Spirit

• Hackers and security enthusiasts have always shared their research
• Someone finds a new class of attack, exploits appear, and the cycle continues
• Even in the underground computer hacking scene
  • "tfiles": Internet museum at textfiles.org
  • Zines: Phrack, etc.
  • Papers in the academic style

Inspired a Generation: Smashing the Stack for Fun and Profit (Elias Levy, aka aleph1; Phrack 49, 1996)

Another example: LSD-PL (Last Stage of Delirium, the Polish research group)

Real benefits of open security research: another example

• It's the mid-to-late 1990s
• IDS vendors are in high gear, selling network intrusion detection systems
  • Designed to detect attack signatures on the wire and report intrusion attempts
  • "Anti-virus" for the network
  • Cool, right? Just buy this box and don't worry about hackers ever again!


Except it was broken

When Tom Ptacek and Tim Newsham broke IDS

• The paper ("Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", 1998) was published and made available to all
• The code used to build the attack traffic was open source
• Imagine there weren't passionate people always trying to break security black boxes just to prove they're breakable?
  • There'd still be people trying to break security...
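What "broke" looks like in practice, as an added illustration that is not part of the original slides and not the Ptacek/Newsham paper's own code or tooling: a signature-matching IDS and the target host can resolve overlapping TCP segments under different rules, so the sensor reassembles a harmless byte stream while the host receives the attack. The signature, the two overlap policies and the request below are constructed for the demo.

```python
# Added illustration of the insertion/evasion class described in Ptacek and
# Newsham's 1998 paper; this is not their code. The "first"/"last" overlap
# policies, the signature and the request are constructed for the demo.

SIGNATURE = b"/cgi-bin/phf"  # constructed stand-in for a late-90s attack signature


def reassemble(segments, policy):
    """Rebuild a byte stream from (seq, payload) TCP segments.

    policy="first": data already received wins when segments overlap.
    policy="last":  later data overwrites earlier data on overlap.
    Real TCP stacks of the era differed on exactly this point, and a
    signature-matching IDS has to guess which rule the target host applies.
    """
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if policy == "first" and offset in stream:
                continue
            stream[offset] = byte
    if not stream:
        return b""
    # Missing bytes (a gap the host would still be waiting on) become NUL.
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def ids_alert(segments, policy="first"):
    """Naive IDS: reassemble under one fixed policy and look for the signature."""
    return SIGNATURE in reassemble(segments, policy)


def ids_alert_any_policy(segments):
    """Less fragile IDS: alert if the signature appears under either policy,
    since the sensor cannot know which rule the target's stack follows."""
    return any(ids_alert(segments, p) for p in ("first", "last"))


def build_evasion(request):
    """Attacker-side segmentation (constructed): send the request body twice
    at the same sequence number, harmless filler first and the real bytes in
    an overlapping 'retransmission'. A host that favours new data receives the
    attack; an IDS that keeps old data inspects only filler."""
    head = b"GET "
    tail = request[len(head):]
    filler = b"X" * len(tail)
    return [
        (0, head),
        (len(head), filler),
        (len(head), tail),
    ]


if __name__ == "__main__":
    segs = build_evasion(b"GET /cgi-bin/phf HTTP/1.0\r\n")
    print("host sees:        ", reassemble(segs, "last"))
    print("naive IDS alerts: ", ids_alert(segs, "first"))
    print("robust IDS alerts:", ids_alert_any_policy(segs))
```

The point a sensor author takes from this is the last function: an IDS that commits to one reassembly policy is evadable by construction, so it has to either model the target's stack per host or evaluate the ambiguous cases under every policy it cannot rule out.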

Backlash

• Some hackers and researchers felt their work was being exploited by the security industry
  • "No more free bugs"
• Some hackers just wanted to keep exploits from being patched
  • Anti-sec movement
  • Within their own protected circles, there was still information sharing
  • Leaking socially unacceptable

• ImageShack a casualty.
• Hacked by someone supporting the AntiSec movement.
• Curiously, some associated with Anonymous/LulzSec have adopted the term "antisec".
• Close your eyes, the next slide is NSFW


A bunch of whitehats got owned.

Open source security tools

• These researchers write tools, often free software
  • Exploits
  • Network security (e.g. nmap)
• Enough to have specialized, dedicated LiveCDs
  • BackTrack: penetration testing LiveCD
  • Helix: forensics LiveCD
• The world owes them so much
  • Grassroots, open source innovation

oh hai Trinity, whatcha doin'?

Just running nmap, and an sshd exploit

• Nmap: open-source network mapping tool used by everyone, written by Fyodor
• "sshnuke": exploits a bug in sshd (the SSH1 CRC32 compensation attack detector overflow) discovered and disclosed publicly by Michal Zalewski, noted security researcher and developer of many open source tools (most recently, Skipfish)

Example: Anti-Exploitation

• Open source / free software security innovation
  • Solar Designer's non-executable stack patch (Linux, 1997)
  • StackGuard (GCC, 1997)
  • ProPolice
  • PaX
• Commercial adoption
  • Windows: /GS stack protection in the compiler (used to build Windows Server 2003), then DEP (XP SP2, 2004) and ASLR (Vista, 2007)
  • OS X: "ASLR" starting in 2007

Examples: Vulnerability Assessment

• ISS
  • Created in 1992 as an open source scanner by Chris Klaus
  • Closed the source, commercialized it
  • ISS the company went IPO
  • Eventually acquired by IBM for $1.3B
• SATAN (1995)
  • Controversial in its time
  • Performed a variety of checks
  • "The Metasploit of 1995"

Example: OpenSSH

• SSH version 1 designed and implemented in 1995 as freeware
• By 1999 it was no longer free software
• The OpenBSD project took up the job of creating a new version of SSH: OpenSSH
• Enormous eventual success: the whole world abandoned telnet, rsh and rlogin for OpenSSH
• OpenSSH continued to innovate, adding things like privilege separation and a built-in SOCKS5 proxy

Commercial Open Source Security

• Some open source projects became major commercial successes
• Snort IDS
  • Sourcefire IPO: $750 million market cap, $165M revenue
  • Started with an open source project
  • Everyone in open source knows about Red Hat, but what about Sourcefire?
  • Open source Snort IDS is still going strong
• Metasploit
  • World's largest Ruby project
  • Project and key staff acquired by Rapid7
  • Open source development continues

Open Source: Web Security

• Web application security followed the same path
  • Collaborative, open research, advocacy
  • E.g. OWASP
  • Great open source tools and frameworks
• Also, the cutting edge of web application development: entirely open source and free software!

Our Vision

• One web, one web security tool
  • Open source
  • Consistent, well-designed UI
  • Functions really well as an automated scanner
    • Shouldn't need to be a penetration tester
  • Advanced features for those who are
  • User extensibility
  • Community
  • Plus all that boring stuff: documentation, help, business-friendly features
• We are building the ultimate platform for web security
  • New attacks
  • Nobody should have to use commercial tools, because Vega is free

Hi, My Name Is: Vega

• Vega is a commercial open source web-application security tool
• It finds vulnerabilities in your website
• Written in Java, runs on:
  • Mac OS X
  • Windows
  • Linux
• A desktop application with a nice GUI (Eclipse RCP)
• Extensible: embedded JavaScript interpreter (Rhino)
• Open source: licensed under the EPL 1.0
• Download @ www.subgraph.com, github.com/subgraph/Vega

Does open source = better security?

• In theory, does open source really result in better security?
• I think so, but it's not a magic solution
• Careful attention is still needed
• Sort of a counterexample

Counterexample? The Debian OpenSSL Fiasco

• In May 2006, a Debian maintainer asked the openssl-dev list about an uninitialized-data "bug" reported by a memory-debugging tool (Valgrind)
• The response was, in effect, "ok, fix it"
• The fix removed the step that mixed caller-supplied entropy into the random number generator, leaving the process ID as the only per-process input (at most 32,768 distinct seeds on a typical Linux system)
• Devastating: every key generated on an affected system (SSH, SSL/TLS, ...) came from a tiny, enumerable set
• Undetected for about two years (May 2006 to May 2008)
• Affected derivatives, such as Ubuntu


lol

Reflecting on the Debian OpenSSL Fiasco

• Though it took a long time, the vulnerability was eventually found by an Argentine security researcher (Luciano Bello)
• Vulnerable derivatives were identified, patches disseminated
• Security researchers produced weak-key lists and open source tools to find any weak keys
• The vulnerability was traced to its origin on a public mailing list
  • Oversight, not an intentional backdoor
• It was bad, but imagine if it were closed source?
  • Yikes
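As an added simulation that is not part of the slides and not OpenSSL's actual code, the block below models both the seeding bug from the previous slide and the weak-key blacklist tooling mentioned on this one. The patched Debian build no longer hashed caller-supplied entropy into the PRNG pool (the removed `MD_Update(&m, buf, j)` call in `ssleay_rand_add`), so the process ID became the only per-process input and an attacker can precompute every key such a build could ever produce. The SHA-256 hash chain, the PID range and the 16-byte "key" are simplifications of the real OpenSSL state machine and key formats.

```python
import hashlib
import struct

# Added simulation (not OpenSSL's code) of the 2006-2008 Debian OpenSSL bug.
# OpenSSL's PRNG hashes caller-supplied entropy into its pool; the Debian
# patch removed the line that mixed that entropy in, leaving the process ID
# as the only per-process input to key generation.
PID_MAX = 32768  # Linux default pid_max at the time, so PIDs were 1..32767


class ToyPrng:
    """Hash-chain PRNG in the spirit of OpenSSL's md_rand.c, much simplified."""

    def __init__(self, pid, mix_caller_entropy):
        self.state = b"\x00" * 32
        self.pid = pid
        self.counter = 0
        self.mix_caller_entropy = mix_caller_entropy

    def add(self, buf):
        # On a broken Debian build this mixing step had been removed.
        if self.mix_caller_entropy:
            self.state = hashlib.sha256(self.state + buf).digest()

    def random_bytes(self, n):
        # The PID and a counter are still mixed in on every call, which is
        # exactly why the broken build's output depends on nothing but the PID.
        out = b""
        while len(out) < n:
            self.counter += 1
            self.state = hashlib.sha256(
                self.state + struct.pack("<II", self.pid, self.counter)).digest()
            out += self.state
        return out[:n]


def generate_key(pid, entropy, broken):
    """Return a 16-byte 'key' as the process with `pid` would generate it."""
    prng = ToyPrng(pid, mix_caller_entropy=not broken)
    prng.add(entropy)  # /dev/urandom, time, etc. on a healthy build
    return prng.random_bytes(16)


def build_blacklist():
    """Every key a broken build can ever produce: one per possible PID.
    This is what the openssl-blacklist style tooling precomputed per key
    type, size and architecture."""
    return {generate_key(pid, b"", broken=True) for pid in range(1, PID_MAX)}


def is_weak(key, blacklist):
    """The check an admin ran against every deployed key after the advisory."""
    return key in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct keys a broken build can produce:", len(bl))
    print("key from a broken build is weak:", is_weak(generate_key(4242, b"seed", True), bl))
    print("key from a fixed build is weak: ", is_weak(generate_key(4242, b"seed", False), bl))
```

Two things the simulation makes concrete: on the broken build `add()` is a no-op, so two processes with the same PID produce identical keys no matter what entropy they were fed, and the whole output space fits in a set you can build in well under a second, which is why a blacklist lookup, not a cryptanalytic attack, was enough both to exploit and to detect the weak keys.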

Full Disclosure: Still Relevant

• Security advocates were pushing for SSL support in privacy-sensitive online services
• Vendor response was to ignore it or take their time
  • Just a cost, no perceived benefit
  • SSL is opaque: users cannot tell and therefore do not care
• Security researcher Eric Butler releases Firesheep (2010)
  • Does not even exploit any new bug: just a sniffer with a GUI, capturing session cookies sent over cleartext HTTP on a shared network and offering a one-click login as the victim
  • (I'll add that it's open source)
  • Hugely controversial. Sound familiar?
  • "Send him to Gitmo!"
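As an added example that is not Firesheep's code and not part of the slides, the block below shows the technique Firesheep automated and the server-side check for the fix: pull session cookies out of cleartext HTTP requests observed on a shared network, then verify that a `Set-Cookie` header carries the `Secure` attribute so browsers will never send the cookie over plain HTTP. The hostnames, cookie names and captured requests are constructed for the demo.

```python
# Added example (not Firesheep's code) of cleartext session-cookie capture
# ("sidejacking") and of the Set-Cookie check that defeats it. Hostnames,
# cookie names and the captured requests are constructed for this demo.

# Per-site session cookie names, the way Firesheep's site handlers listed them
# (constructed; real sites used different names).
SESSION_COOKIE_NAMES = {
    "social.example": {"sid", "c_user"},
    "mail.example": {"SESSIONID"},
}

# Constructed requests, as they would be seen on an open Wi-Fi network.
CAPTURED = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\nCookie: sid=abc123; lang=en; c_user=42\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: SESSIONID=deadbeef\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: news.example\r\nCookie: tracking=xyz\r\n\r\n",
]


def parse_request(raw):
    """Return (host, cookies) for one raw HTTP/1.x request, or None if it has
    no Host header. Only the header block is parsed; the body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host")
    if host is None:
        return None
    cookies = {}
    for part in headers.get(b"cookie", b"").split(b";"):
        key, sep, value = part.strip().partition(b"=")
        if sep:
            cookies[key.decode()] = value.decode()
    return host.decode(), cookies


def sidejackable_sessions(raw_requests):
    """Map host -> session cookies that crossed the wire in the clear. Each
    entry is a session an attacker on the same network could replay."""
    found = {}
    for raw in raw_requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = SESSION_COOKIE_NAMES.get(host)
        if not wanted:
            continue
        leaked = {k: v for k, v in cookies.items() if k in wanted}
        if leaked:
            found.setdefault(host, {}).update(leaked)
    return found


def set_cookie_is_safe(header_value):
    """True if a Set-Cookie value carries the Secure attribute, so the browser
    will never send the cookie over plain HTTP. Serving the whole site over
    SSL without this flag still leaks the cookie on the first http:// request."""
    attrs = [p.strip().lower() for p in header_value.split(";")[1:]]
    return "secure" in attrs


if __name__ == "__main__":
    for host, cookies in sidejackable_sessions(CAPTURED).items():
        print(f"{host}: session exposed via {sorted(cookies)}")
    print("vulnerable:", set_cookie_is_safe("sid=abc123; Path=/; HttpOnly"))
    print("hardened:  ", set_cookie_is_safe("sid=abc123; Path=/; Secure; HttpOnly"))
```

The second function is the part that matters for the vendor side of the slide: offering SSL is not enough unless the session cookie is also marked `Secure` (and, in practice, the site redirects to HTTPS and sends HSTS), because a browser will otherwise still attach the cookie to any plain `http://` request it makes to the host.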

Firesheep and the Arab Spring

• The Firesheep fiasco forces web services to start offering SSL sooner
  • Google
  • Facebook
• Timing is great for when the "Arab Spring" begins...

Open Source and Security

• Open source and free software have always been a part of security
  • Collaborative, open research
  • Open source tool development
• Kerckhoffs' law: open code scrutiny
  • Means better security, in general
• Open source security software
  • Is more trustworthy: read the source, compile it yourself
  • Do not necessarily need to rely on the vendor for patches
  • No worries, no matter where in the world you live
• Why doesn't everyone demand free software for security?

In Conclusion

• The security and hacking world is strange
  • Innately open
  • The spirit of Kerckhoffs
  • A little healthy paranoia
  • Willingness to share, teach
  • The above is true even in the closed "black hat" world
• Security geeks protected freedoms then:
  • DJB vs. USA
• And now:
  • Firesheep
  • Tor project

Thank you!

• Web: http://www.subgraph.com
• Twitter
  • Company: @subgraph
  • Me: @attractr
• IRC: irc.freenode.org, #subgraph
• Try Vega: http://www.subgraph.com
• Get the source: http://github.com/subgraph/Vega
• E-mail us: [email protected]