Kerckhoffs’ Legacy: Open Source and Security

  David Mirza, Subgraph Technologies

  Montreal

www.subgraph.com

Who We Are

  Open-source security startup

  Based in Montreal

  Experienced founders:

  • Secure Networks Inc.

  • SecurityFocus (Symantec)

  • Core Security Technologies

  • Netifera

  • REcon

Open Source and Security

  Kerckhoffs’ principle

  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer

  Made an important realization:

  • “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience”

  • The adversary knows the system (Claude Shannon)

  As opposed to “security through obscurity”

Open Source and Security

  Kerckhoffs’ Principle

  Well understood in the world of cryptography

  New ciphers not trusted

  Because cryptography is a “black box”

  Once in a while, less now, companies try to market proprietary ciphers

  • There’s a term for this: “snake oil”

  Kerckhoffs’ principle can be understood as “open source is good security”

Beyond Cryptography

  Security Research Community

  Active, global community of passionate professionals, amateurs, students and hackers

  • Collaborative

  • Open

  • Underground, above ground, academic

  Examples

  • Phrack magazine (hacker zine published since 1985)

  • Bugtraq (1993)

  • Defcon

  • Blackhat

  • REcon!

Security researchers

  Have one thing in common

  Passionate about breaking things

  Driven by a natural tendency to challenge authority, control

      Skeptical about security claims

  Possess an innate understanding of Kerckhoffs’ principle

      Share information

  Do not trust each other

      Tools not open source are treated suspiciously

      Underground hacking scene is the same, but closed

Security Research Community: Conferences

  There are a lot of them, all over the world

      One recent list had 70, many informal, low-budget

      www.felipemartins.info/2011/07/security-events-complete-list

      “B-Sides”

  Curious mix: teenage hackers, students, professionals, military, intelligence agency people – all attending the same conferences

  Researchers present new techniques, tools

  Open source, nearly without exception

  Materials made available for all: very often

      My example, REcon: slides, videos (hosted on archive.org)

Bugtraq

  Bugtraq had ~50,000 subscribers during its peak: 2001-2005

      Even more people read the archives

  Chaotic, controversial

  This community changed the software industry

      Sysadmins, users had no way to get security issues fixed

      • Answer: full disclosure

  It was controversial; not anymore: full disclosure won

  Better security for all

      Vendors had to respond

      As we’ll see, systems were hardened using methods invented in the open source / free software world

  Today: Bug bounties

      Google, Mozilla

Community was defiantly open

  In fact, there were some who felt Bugtraq was not open enough

  Moderation on the list was a response to the 90s spam problem

      Reluctantly implemented

  Some were opposed to this at that time

  The Symantec acquisition of SecurityFocus provoked strong, protective reactions

      Almost conspiracy theories

      Creation of new lists: “Full-Disclosure”

  Hackers protecting freedom to code, openness

Freeing strong Crypto: DJB Vs. The USA

  In the 1990s, strong cryptography was classified as munitions

  Export restricted under ITAR regulations

  So, in 1995, security researcher Daniel J. Bernstein sued the United States of America (and won)

      The ruling in this monumental case declared software “protected speech” under the First Amendment

      (DJB also wrote key open source server software: qmail, djbdns)

Hackers protested the absurdity creatively.

      (it’s not code, it’s an image on a t-shirt!)

      RSA dolphin created by Vipul Ved Prakash

Sharing Knowledge: Open Source in Spirit

  Hackers and security enthusiasts have always shared their research

  Someone finds a new class of attack, exploits appear, and the cycle continues

  Even in the underground computer hacking scene

      “tfiles” – Internet museum at textfiles.org

      Zines – Phrack, etc.

      Papers in the academic style

Inspired a Generation: Smashing the Stack for Fun and Profit (Elias Levy, aka aleph1)

Another example: LSD-PL

Real benefits of open security research: another example

  It’s the mid-late 1990s

  IDS vendors are in high-gear, selling network intrusion detection systems

  Designed to detect attack signatures on the wire, report intrusion attempts

  “Anti-virus” for the network

  Cool, right? Just buy this box and don’t worry about hackers ever again!

Except it was broken

When Tom Ptacek and Tim Newsham broke IDS

  The paper was published and made available to all

  The code used to build the attack traffic was open source

  Imagine there weren’t passionate people always trying to break security black boxes just to prove they’re breakable?

      There’d still be people trying to break security...

Backlash

  Some hackers and researchers felt their work was being exploited by the security industry

      “No more free bugs”

  Some hackers just wanted to keep exploits from being patched

      Anti-sec movement

  Within their own protected circles, there was still information sharing

      Leaking socially unacceptable

ImageShack a casualty.

  Hacked by someone supporting the AntiSec movement.

  Curiously, some associated with Anonymous/LulzSec have adopted the term “antisec”.

  Close your eyes, the next slide is NSFW

A bunch of whitehats got owned.

Open source security tools

  These researchers write tools – often free software

      Exploits

      Network security (e.g. nmap)

  Enough to have specialized, dedicated LiveCDs

      BackTrack – Penetration testing LiveCD

      Helix – Forensics LiveCD

  The world owes them so much

      Grassroots, open source innovation

oh hai Trinity, whatcha doin’?

Just running nmap, and sshd exploit

  Nmap: Open-source network mapping tool used by everyone, written by Fyodor

  “sshnuke”: Exploits a bug in sshd discovered and disclosed publicly by Michal Zalewski, noted security researcher, developer of many open source tools (most recently, Skipfish)

Example: Anti-Exploitation

  Open Source/Free Software Security Innovation

      Solar Designer’s non-exec stack patch

      • Linux, 1997

      StackGuard

      • GCC, 1997

      ProPolice

      PaX

  Commercial adoption

      Windows (2003, starting with /GS in the compiler and then DEP, Vista)

      OS X (“ASLR” starting at 2007)

Examples: Vulnerability Assessment

  ISS

      Created in 1992 as an open source scanner by Chris Klaus

      Closed the source, commercialized it

      ISS the company went IPO

      Eventually acquired by IBM for 1.3B

  SATAN (1995)

      Controversial in its time

      Performed a variety of checks

      “Metasploit of 1995”

Example: OpenSSH

  SSH Version 1 designed and implemented in 1995 as freeware

  By 1999 was no longer free software

  The OpenBSD project took up the job of creating a new version of SSH, OpenSSH

  Enormous eventual success: the whole world abandoned telnet, rsh, rlogin for OpenSSH

  OpenSSH continued to innovate, adding things like privilege separation, built-in SOCKS5 proxy

Commercial Open Source Security

  Some open source projects became major commercial successes

    Snort IDS

    • Sourcefire IPO – 750 million market cap, 165m revenue

    • Started with open source project

    • Everyone in open source knows about Red Hat, but what about Sourcefire?

    • Open source Snort IDS is still going strong

    Metasploit

    • World’s largest Ruby project

    • Project and key staff acquired by Rapid7

    • Open source development continues

Open Source: Web Security

  Web application security

    Followed the same path

    Collaborative, open research, advocacy

    • E.g. OWASP

    Great open source tools, frameworks

  Also, the cutting edge of web application development

    Entirely open source and free software!

Our Vision

  One web, one web security tool

      Open source

      Consistent, well-designed UI

      Functions really well as an automated scanner

      • Shouldn’t need to be a penetration tester

      • Advanced features for those who are

      User extensibility

      • Community

      Plus all that boring stuff

      • Documentation, help, business friendly features

  We are building the ultimate platform for web security

      New attacks

      Nobody should have to use commercial tools

      • Because Vega is free

Hi, My Name Is:

  Vega is a commercial open source web-application security tool

  It finds vulnerabilities in your website

  Written in Java, runs on:

      Mac OS X

      Windows

      Linux

  A desktop application with a nice GUI

      Eclipse RCP

  Extensible: Embedded JS interpreter (Rhino)

  Open Source: licensed under the EPL 1.0

  Download @ www.subgraph.com, github.com/subgraph/Vega

Does open source = better security?

  In theory, does open source really result in better security?

  I think so, but it’s not a magic solution

  Careful attention still needed

  Sort of a counterexample

Counterexample? Debian OpenSSL Fiasco

  In May 2006, a Debian maintainer asked the openssl-dev list about an uninitialized data “bug” reported by a static analysis tool

  The response was “ok, fix it”

  This removed most of the entropy used to seed the random number generator, leaving only process ID

  Devastating

  Undetected for 2.5 years

  Affected derivatives, such as Ubuntu
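As an added illustration (not material from the talk, and a toy generator rather than OpenSSL’s code), the following Python shows why leaving only the process ID as seed is devastating: the entire key space collapses to 32768 candidates, which is exactly what made it possible to enumerate every weak key and check any given key against the list. The 15-bit PID range is an assumption.

```python
# Added illustration, not code from the talk or from OpenSSL/Debian: a toy
# deterministic generator stands in for the real PRNG and the "key" is
# 256 bits of its output. What matters here is the size of the seed space.
import hashlib
import os

# Assumption: 15-bit PIDs (Linux's historical pid_max), so a PID-only seed
# can take at most 32768 distinct values.
PID_MAX = 32768


def toy_keygen(seed: bytes) -> bytes:
    """Derive a 256-bit 'key' deterministically from the seed material."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()


def key_from_pid_only(pid: int) -> bytes:
    """The broken pattern: the only entropy reaching the generator is the PID."""
    return toy_keygen(pid.to_bytes(2, "big"))


def key_from_pid_and_entropy(pid: int) -> bytes:
    """The intended pattern: the PID is mixed with fresh OS entropy."""
    return toy_keygen(pid.to_bytes(2, "big") + os.urandom(32))


def weak_key_table() -> dict:
    """Every key the broken generator can ever produce, indexed by key.

    This is the defender's check: one hash per possible PID, 32768 in
    total, which takes a fraction of a second.
    """
    return {key_from_pid_only(pid): pid for pid in range(PID_MAX)}


def is_weak(key: bytes, table: dict) -> bool:
    """True if `key` is one of the predictable PID-only keys."""
    return key in table


def demo() -> tuple:
    """Two hosts that generated a key under the same PID share it; a
    properly seeded key never appears in the weak table."""
    table = weak_key_table()
    host_a = key_from_pid_only(1234)
    host_b = key_from_pid_only(1234)  # another machine, same PID by chance
    good = key_from_pid_and_entropy(1234)
    return (len(table), host_a == host_b, is_weak(host_a, table), is_weak(good, table))
```

Running `demo()` returns `(32768, True, True, False)`: a tiny table, a guaranteed collision between independently generated keys, and a properly seeded key that the table cannot predict.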


lol

Reflecting on the Debian OpenSSL Fiasco

  Though it took a long time, the vulnerability was eventually found by an Argentine security researcher

  Vulnerable derivatives were identified, patches disseminated

  Security researchers produced key lists, open source tools to find any weak keys

  The vulnerability was traced to its origin on a public mailing list

      Oversight, not an intentional backdoor

  It was bad – but imagine if it were closed source?

      Yikes

Full Disclosure: Still Relevant

  Security advocates pushing for SSL support in privacy sensitive online services

  Vendor response was to ignore or take their time

      Just a cost, no perceived benefit

      SSL is opaque, users cannot tell and therefore do not care

  Security researcher Eric Butler releases Firesheep

      Does not even exploit any new bug, just a sniffer with a GUI

      (I’ll add that it’s open source)

  Hugely controversial. Sound familiar?

      “Send him to Gitmo!”

Firesheep and the Arab Spring

  Firesheep fiasco forces web services to start offering SSL sooner

      Google

      Facebook

  Timing is great for when the “Arab Spring” begins

Open Source and Security

  Open source and free software have always been a part of security

      Collaborative, open research

      Open source tool development

  Kerckhoffs’ Law: open code scrutiny

      Means better security, in general

  Open source security software

      Is more trustworthy: read the source, compile it yourself

      Do not necessarily need to rely on the vendor for patches

      No worries, no matter where in the world you live

  Why doesn’t everyone demand free software for security?

In Conclusion

  The security, hacking world is strange

  Innately open

      The spirit of Kerckhoffs

      A little healthy paranoia

      Willingness to share, teach

      The above is true even in the closed “black hat” world

  Security geeks protected freedoms then:

      DJB vs. USA

  And now:

      Firesheep

      Tor project

Thank you!

  Web: http://www.subgraph.com

  Twitter: Company: @subgraph, Me: @attractr

  IRC: irc.freenode.org, #subgraph

  Try Vega: http://www.subgraph.com

  Get the source! http://github.com/subgraph/Vega

  E-mail us: info@subgraph.com


				
Document info: posted 7/28/2011, 40 pages, English