Kerckhoffs' Legacy - Open Source and Security

Kerckhoffs’ Legacy: Open Source and Security

     David Mirza, Subgraph Technologies


                Who We Are

  Open-source security startup

  Based in Montreal

  Experienced founders:

 • Secure Networks Inc.

 • SecurityFocus (Symantec) 

 • Core Security Technologies

 • Netifera

 • REcon


       Open Source and Security

  Kerckhoffs’ principle

      Auguste Kerckhoffs: 19th Century
      Dutch linguist and cryptographer

      Made an important realization:


       • “The security of any cryptographic system
          does not rest in its secrecy, it must be
          able to fall into the enemy’s hands without
          inconvenience”


       • The adversary knows the system
         (Claude Shannon)

      As opposed to “security through


        Open Source and Security

  Kerckhoffs’ Principle

       Well understood in the world
       of cryptography

       New ciphers not trusted

     Because cryptography is a
    “black box”

     Once in a while, less now,
     companies try to market
     proprietary ciphers

        •  There’s a term for this: “snake

       Kerckhoffs’ principle can be
       understood as “open source is
       good security”


         Beyond Cryptography

 Security Research Community

          global community of passionate
   professionals, amateurs, students and hackers

    • Collaborative

    • Open

    • Underground, above ground, academic


    • Phrack magazine (hacker zine published since 1985)

    • Bugtraq

    • Defcon

    • Blackhat

    • REcon!


            Security researchers

  Have one thing in common

  Passionate about breaking things

  Driven by a natural tendency to challenge
  authority, control

      Skeptical about security claims

  Possess an innate understanding of Kerckhoffs’

      Share information

  Do not trust each other

      Tools not open source are treated suspiciously

      Underground hacking scene is the same, but closed 


Security Research Community: Conferences

    There are a lot of them, all over the world

        One recent list had 70, many informal, low-budget


    Curious mix: teenage hackers, students,
    professionals, military, intelligence agency people –
    all attending the same conferences

    Researchers present new techniques, tools

    Open source, nearly without exception

    Materials made available for all: very often

        My example, REcon: slides, videos (hosted on



  Bugtraq had ~50,000 subscribers during its peak:

       Even more people read the archives

  Chaotic, controversial

  This community changed the software industry

       Sysadmins, users had no way to get security issues fixed

        •  Answer: full disclosure

  It was controversial; not anymore: full disclosure won

  Better security for all

       Vendors had to respond

       As we’ll see, systems were hardened using methods invented
       in the open source / free software world

  Today: Bug bounties

       Google, Mozilla


Community was defiantly open

  In fact, there were some who felt Bugtraq was
  not open enough

  Moderation on the list was a response to the
  90s spam problem

      Reluctantly implemented

  Some were opposed to this at that time

  The Symantec acquisition of SecurityFocus
  provoked strong, protective reactions

      Almost conspiracy theories

      Creation of new lists: “Full-Disclosure”

  Hackers protecting freedom to code, openness


 Freeing strong Crypto: DJB Vs. The

  In the 1990s, strong cryptography was
  classified as munitions

  Export restricted under ITAR regulations

  So, in 1995, security researcher Daniel J.
  Bernstein sued the United States of America
  (and won)

    The ruling in this monumental case declared
    software “protected speech” under the First

    (DJB also wrote key open source server
    software: qmail, djbdns..)


Hackers protested the absurdity creatively.

     (it’s not code, it’s an image on a t-shirt!)



                                         RSA dolphin created by Vipul Ved Prakash	


Sharing Knowledge: Open Source in

 Hackers and security enthusiasts have
 always shared their research

 Someone finds a new class of attack,
 exploits appear, and the cycle continues

 Even in the underground computer
 hacking scene

    “tfiles”– Internet museum at

    Zines – Phrack, etc.

    Papers in the academic style


Inspired a Generation: Smashing the Stack
 for Fun and Profit (Elias Levy, aka aleph1)


Another example: LSD-PL

Real benefits of open security research:
          another example

  It’s the mid-late 1990s

  IDS vendors are in high-gear, selling
  network intrusion detection systems

  Designed to detect attack signatures on the
  wire, report intrusion attempts

  “Anti-virus” for the network

  Cool, right? Just buy this box and don’t
  worry about hackers ever again!


Except it was broken

     When Tom Ptacek and Tim Newsham broke IDS

 The paper was published and made
 available to all

 The code used to build the attack traffic
 was open source

 Imagine there weren’t passionate people
 always trying to break security black boxes
 just to prove they’re breakable?

    There’d still be people trying to break security..



 Some hackers and researchers felt their
 work was being exploited by the security

    “No more free bugs”

 Some hackers just wanted to keep
 exploits from being patched

    Anti-sec movement

 Within their own protected circles, there
 was still information sharing

    Leaking socially unacceptable


  ImageShack a

  Hacked by someone
  supporting the
  AntiSec movement.

  Curiously, some
  associated with
  have adopted the
  term “antisec”.

  Close your eyes, the
  next slide is NSFW 


A bunch of whitehats got owned.


      Open source security tools

  These researchers write tools – often free


      Network security (e.g. nmap)

  Enough to have specialized, dedicated

      BackTrack – Penetration testing LiveCD

      Helix – Forensics LiveCD

  The world owes them so much

      Grassroots, open source innovation


oh hai Trinity, whatcha doin’?

Just running nmap, and sshd exploit

  Nmap: Open-source network mapping tool used by everyone, written by

  “sshnuke”: Exploits a bug in sshd discovered and disclosed publicly by
  Michal Zalewski, noted security researcher, developer of many open
  source tools (most recently, Skipfish)


   Example: Anti-Exploitation

 Open Source/Free Software Security

    Solar Designer’s non-exec stack patch

    • Linux, 1997


    • GCC, 1997



 Commercial adoption

    Windows  (2003, starting with /GS in the
    compiler and then DEP, Vista)

    OS X (“ASLR” starting at 2007)
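Solar Designer’s 1997 patch made the stack non-executable; today the linker records the stack permissions a binary requires in a PT_GNU_STACK program header, which is what a defender inspects to find binaries that still demand an executable stack. The checker below is an added example, not code from the talk; it parses a constructed ELF64 image (assumed layout per the ELF64 spec) so it runs offline.

```python
import struct
from typing import Optional

# ELF constants (values from the ELF spec / Linux elf.h)
ELF_MAGIC = b"\x7fELF"
PT_GNU_STACK = 0x6474E551   # program header that records the stack permissions
PF_X = 0x1                  # executable bit in p_flags (PF_W = 0x2, PF_R = 0x4)

def gnu_stack_executable(data: bytes) -> Optional[bool]:
    """True if the ELF64 image requests an executable stack, False if it
    requests a non-executable one, None if it carries no PT_GNU_STACK
    header at all (old toolchains; Linux traditionally then falls back to
    an executable stack, so None is a finding, not a pass)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]      # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def build_elf64(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed sample: a bare ELF64 header plus (optionally) a single
    PT_GNU_STACK program header with the given p_flags. Not a runnable
    binary, just enough for the checker above to parse."""
    phnum = 1 if with_gnu_stack else 0
    ehdr = (ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9       # e_ident: ELF64, LSB, version 1
            + struct.pack("<HHIQQQIHHHHHH",
                          2, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0))
    if not with_gnu_stack:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    for flags, label in ((0x6, "RW  (non-exec stack)"), (0x7, "RWX (exec stack)")):
        print(label, "->", gnu_stack_executable(build_elf64(flags)))
    print("no PT_GNU_STACK ->", gnu_stack_executable(build_elf64(0, with_gnu_stack=False)))
```

On a real binary the same information is what `readelf -lW <file>` prints on its GNU_STACK line; the function above is the same check done programmatically.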


Examples: Vulnerability Assessment


    Created in 1992 as an open source scanner by
    Chris Klaus

    Closed the source, commercialized it 

    ISS the company went IPO

    Eventually acquired by IBM for 1.3B

 SATAN (1995)

    Controversial in its time

    Performed a variety of checks

    “Metasploit of 1995”


        Example: OpenSSH

  SSH Version 1 designed and implemented in
  1995 as freeware

  By 1999 was no longer free software

  The OpenBSD project took up the job of
  creating a new version of SSH, OpenSSH

  Enormous eventual success: the whole world
  abandoned telnet, rsh, rlogin for OpenSSH

  OpenSSH continued to innovate, adding
  things like privilege separation, built-in
  SOCKS5 proxy


Commercial Open Source Security

 Some open source projects became major
 commercial successes

   Snort IDS

   • Sourcefire IPO – 750 million market cap, 165m

   • Started with open source project

   • Everyone in open source knows about Red Hat, but
     what about Sourcefire?

   • Open source Snort IDS is still going strong


   • World’s largest Ruby project

   • Project and key staff acquired by Rapid7

   • Open source development continues


   Open Source: Web Security

 Web application security

   Followed the same path

   Collaborative, open research, advocacy

   • E.g. OWASP

   Great open source tools, frameworks

 Also, the cutting edge of web
 application development

   Entirely open source and free software!


                          Our Vision

  One web, one web security tool

      Open source

      Consistent, well-designed UI

      Functions really well as an automated scanner

       •  Shouldn’t need to be a penetration tester

       •  Advanced features for those who are

      User extensibility

       •  Community

      Plus all that boring stuff

       •  Documentation, help, business friendly features

  We are building the ultimate platform for web security

      New attacks 

      Nobody should have to use commercial tools

       •  Because Vega is free


                      Hi, My Name Is:

  Vega is a commercial open source web-application security tool

  It finds vulnerabilities in your website

  Written in Java, runs on:

     Mac OS X



  A desktop application with a nice GUI

       Eclipse RCP

  Extensible: Embedded JS interpreter (Rhino)

  Open Source: licensed under the EPL 1.0

  Download @,


Does open source = better security?

  In theory, does open source really result in
  better security?

  I think so, but it’s not a magic solution

  Careful attention still needed

  Sort of a counterexample


Counterexample? Debian OpenSSL

  In May 2006, a Debian maintainer asked the
  openssl-dev list about an uninitialized data “bug”
  reported by a static analysis tool

  The response was “ok, fix it”

  This removed most of the entropy used to seed
  the random number generator, leaving only
  process ID


  Undetected for 2.5 years

  Affected derivatives, such as Ubuntu 



 Reflecting on the Debian OpenSSL

  Though it took a long time, the vulnerability was
  eventually found by an Argentine security

  Vulnerable derivatives were identified, patches

  Security researchers produced key lists, open
  source tools to find any weak keys

  The vulnerability was traced to its origin on a
  public mailing list

      Oversight, not an intentional backdoor

  It was bad – but imagine if it were closed source?
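Why seeding only from the process ID was catastrophic, and how the weak-key lists and scanners mentioned above could exist at all, comes down to one number: a 15-bit PID range gives only 32768 possible keys. The model below is an added example, not OpenSSL’s code or any of the published tools; the generator is a constructed stand-in (SHA-256 of the PID), and the blacklist is built by simply enumerating every output it can produce.

```python
import hashlib
import os
from typing import Dict

PID_MAX = 32768   # classic Linux default PID range 0..32767: only 2^15 possible seeds

def weak_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Constructed model of the defect: key material derived from a PRNG
    whose only seed is the process ID. This is a toy (SHA-256 of the PID),
    not OpenSSL's real generator; what matters is that the output is a
    pure function of one 15-bit value."""
    return hashlib.sha256(b"pid-only-seed:" + pid.to_bytes(4, "little")).digest()[:key_bytes]

def strong_keygen(key_bytes: int = 16) -> bytes:
    """What a properly seeded generator looks like: the OS entropy pool."""
    return os.urandom(key_bytes)

def build_blacklist() -> Dict[bytes, int]:
    """Enumerate every key the weak generator can ever emit. This is the
    idea behind the published weak-key lists: the entire output space is
    small enough to precompute and ship (the real lists were built per key
    type, size and platform, since those also shaped the output)."""
    return {weak_keygen(pid): pid for pid in range(PID_MAX)}

def is_weak(key: bytes, blacklist: Dict[bytes, int]) -> bool:
    """Membership test used by weak-key scanners: O(1) per key checked."""
    return key in blacklist

if __name__ == "__main__":
    bl = build_blacklist()
    print(f"distinct keys the weak generator can produce: {len(bl)} (2^15)")
    k = weak_keygen(4242)
    print("key from PID 4242 weak?", is_weak(k, bl), "-> seed recovered:", bl[k])
    print("os.urandom key weak?", is_weak(strong_keygen(), bl))
```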



  Full Disclosure: Still Relevant

  Security advocates pushing for SSL support in
  privacy sensitive online services

  Vendor response was to ignore or take their time

      Just a cost, no perceived benefit

      SSL is opaque, users cannot tell and therefore do not

  Security researcher Eric Butler releases Firesheep

      Does not even exploit any new bug, just a sniffer with
      a GUI

      (I’ll add that it’s open source)

  Hugely controversial. Sound familiar?

      “Send him to Gitmo!”
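Firesheep worked because session cookies travelled in the clear; once a service offers SSL, the remaining fix is to mark the cookie Secure (never sent over http://) and HttpOnly. The audit and hardening helpers below are an added example, not Firesheep’s code or any vendor’s; the Set-Cookie headers are constructed samples.

```python
from typing import Dict, List, Tuple, Union

Attr = Union[str, bool]
CANON = {"secure": "Secure", "httponly": "HttpOnly", "path": "Path", "domain": "Domain",
         "expires": "Expires", "max-age": "Max-Age", "samesite": "SameSite"}

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Attr]]:
    """Split 'name=value; Attr; Attr=val' into its parts; flag attributes
    (Secure, HttpOnly) are stored as True, valued ones as strings."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Attr] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value.strip(), attrs

def audit_cookie(header: str) -> List[str]:
    """Return the weaknesses that let a passive sniffer on the network
    (or injected script) take over the session this cookie represents."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing-secure")      # browser will also send it over http://
    if "httponly" not in attrs:
        findings.append("missing-httponly")    # readable via document.cookie
    return findings

def harden(header: str) -> str:
    """Corrected form: the same cookie with Secure and HttpOnly added."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{name}={value}"]
    for k, v in attrs.items():
        out.append(CANON.get(k, k) if v is True else f"{CANON.get(k, k)}={v}")
    return "; ".join(out)

# Constructed sample response headers (not captured from any real site)
SAMPLE_HEADERS = [
    "sessionid=9f1c2a7e; Path=/",                      # the kind of cookie a sniffer harvests
    "sessionid=9f1c2a7e; Path=/; Secure; HttpOnly",    # fixed
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_cookie(h) or "ok")
    print(harden(SAMPLE_HEADERS[0]))
```

The Secure flag only protects a site that actually serves its pages over SSL; on a plain-HTTP site the browser would never get the cookie back to the server, which is why the service had to offer SSL first.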


Firesheep and the Arab Spring

 Firesheep fiasco forces web services to
 start offering SSL sooner



 Timing is great for when the “Arab
 Spring” begins..


       Open Source and Security

  Open source and free software have always been a
  part of security

      Collaborative, open research

      Open source tool development

  Kerckhoffs’ Law: open code scrutiny

      Means better security, in general

  Open source security software

      Is more trustworthy: read the source, compile it yourself

      Do not necessarily need to rely on the vendor for

      No worries, no matter where in the world you live

  Why doesn’t everyone demand free software for


                     In Conclusion

  The security, hacking world is strange

  Innately open

      The spirit of Kerckhoffs

      A little healthy paranoia

      Willingness to share, teach

      The above is true even in the closed “black hat”

  Security geeks protected freedoms then:

      DJB vs. USA

  And now:


      Tor project


                            Thank you! 

                                    Try Vega

                                Get the source!

     Company: @subgraph

     Me: @attractr
                       E-mail us


   , #subgraph

