[ubuntu-hardened] Proactive Security?
John Richard Moser
nigelenki at comcast.net
Mon May 15 20:52:41 BST 2006
It looks like ProactiveSecurityRoadmap[1] never made it to Breezy... I
inserted some comments of my own and changed it from BreezyGoal to EdgyGoal.
[1] https://wiki.ubuntu.com/UbuntuDownUnder/BOFs/ProactiveSecurityRoadmap
I put some comments in at the end, mostly talking about increasing basic
ASLR entropy (this is standard in 2.6.12+) and adding Exec Shield (more
testing, less intrusive than PaX).
I also point out the lack of passive/active separation of PROT_WRITE and
PROT_EXEC (i.e. data-code separation) without PaX, and recommend
eventual patches to supply these. SELinux-based security knobs for this
might be useful too...
I also noted in various places that FORTIFY_SOURCE and ProPolice/SSP are
pretty well merged into gcc 4.1 and used in Fedora Core 5. These will
be adopted in upcoming RHEL5 as well. When Ubuntu moves to gcc 4.1,
serious attempts to ProPolice/FORTIFY_SOURCE by default should be made;
even if there are problems in beta, some good debugging data will be
collected so that future attempts can be refined.
If ProPolice/FORTIFY_SOURCE are used in Dapper+1 (Edgy), then a new
update policy is needed. I recommend that patches which serve purely to
make a package work with ProPolice/FORTIFY_SOURCE fall into the Security
Updates category. I would recommend the same for patches which purely
address things like an executable stack (i.e. Gaim), which negates
protections from PaX or Exec Shield.
Note that the brute force deterrent model given by GrSecurity is a
little damaging. I have redesigned this model to focus on accept()
instead of fork(), old piece of work from Project Eva...
------------------------------------------------------------------------
===== ASLR Brute Force Deterrence =====
''Project Eva'' will utilize an anti-attack method from
'''GrSecurity''', with several enhancements. ''Address space layout
randomization'' can be brute forced by repeatedly trying for extended
periods of time; in daemons which use fork() to handle connections and
thus keep the same address space, this can allow systematic brute
forcing in 216 seconds on average on IA-32. A brute force deterrent
would extend this time period drastically; a more robust one would target
the attackers as well.
''Project Eva'' will base on the method given by '''GrSecurity''',
queueing fork() operations and executing them at a specific interval
once an attack is detected. This method has the disadvantage of
producing a major denial of service, however, and thus this will quickly
become more specific. The interval of 1 second will raise the average
period to at least 32,000 seconds with ''ASLR'' in a generic address
space on 32-bit architectures, or 68 years on 64-bit architectures.
This technique will be further refined in ''Project Eva'' by creating a
decay period. When an attack is detected, a timer is reset to 1 hour.
When that timer counts down, all queued and further calls to fork() are
executed immediately. If at any time within the 1 hour period another
attack is detected on an affected process, the timer related to that
process is reset to 1 hour.
Calls to fork() will queue up to a fixed maximum before being denied.
For example, if there are 3600 calls to fork() awaiting execution, and a
3601st is made, that call will be denied; once one of the queued calls
is executed, a new call to fork() will again be queued. This will
prevent memory from filling up or attacks from being pre-buffered.
Pre-buffered attacks could make it possible to buffer one hour's worth
(''3601'') of simple connections, then release thousands of attacks
which will all be fork()ed when the decay period runs out, allowing
sudden mass attacks.
''Project Eva'' will further refine this method of brute force deterrent
by targeting all established (''already accept()ed'') network
connections handled by the attacked process. The decay period will be
set up per host, based on network address; the fork() will occur, but
accept() of the connection for that host will be queued and delayed. In
this way, attacks from a single host will DoS that host without
affecting other hosts. Attacks from bot networks of thousands of
zombies will DoS thousands of zombies, potentially creating excess
memory and CPU usage but otherwise being contained.
The network association for brute force deterrence in ''Project Eva''
will be further extended by tracking short-term repeat offenders. A
"repeat offense" is considered to happen when an attack is detected from
a host while a decay period is in effect on that host. After a fixed
number of repeat offenses, accept() for the host is denied for one hour.
After this hour is up, all sanctions against the host are ended, and
the cycle repeats.
With this final form of brute force deterrent, attacks from a host may
occur at a fixed maximum. For example, if the final denial of accept()
is set after 10 repeat offenses, then the maximum number of attacks is
10 per hour from one host. Resetting the decay timer on denial is not
useful, as this only forces the attacker to actually wait silently for
the 1 hour. Further, each host may only cause a denial of service to
itself or to hosts it can spoof; and with the short decay periods, this
denial of service is very small scale.
------------------------------------------------------------------------
It is not genuinely useful; but resetting the decay timer on denial may
be good for attackers who are dumb and carry out a continuous attack.
On the other hand, it may make wider DoS attacks where the attacker
sends spoofed source-address attack packets for "every possible IP
address" to attempt to down the site.
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
We will enslave their women, eat their children and rape their
cattle!
-- Evil alien overlord from Blasto
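As an added illustration of the per-host deterrent design described in the message above (queued and rate-limited accept() during a one-hour decay period, a bounded queue, repeat-offense counting, and outright denial after a fixed number of repeats), here is a simulation of that state machine. This is example code written for this page, not code from the post, from Project Eva, or from GrSecurity; the class and function names, the event model (an `attack_detected` call standing in for whatever the kernel would use to notice a failed attempt), and the representation of time as plain seconds are all assumptions made here. The brute-force time helper reproduces the message's own figures (about 32,000 seconds for 16 bits of entropy at one try per second, and roughly 68 years for 32 bits).

```python
# Added example (not from the post, Project Eva, or GrSecurity): a simulation
# of the per-host ASLR brute-force deterrent described above. Names, constants
# and the event model are assumptions made for illustration.
from collections import deque
from dataclasses import dataclass, field

DECAY_PERIOD = 3600.0   # seconds a host stays sanctioned after its last detected attack
ACCEPT_INTERVAL = 1.0   # seconds between released accept()s for a sanctioned host
MAX_QUEUED = 3600       # queued connections per host before further accept()s are denied
MAX_REPEATS = 10        # repeat offenses within a decay period before outright denial
DENY_PERIOD = 3600.0    # seconds accept() is denied after too many repeat offenses


def expected_brute_force_seconds(entropy_bits: int, interval: float) -> float:
    """Mean time to guess `entropy_bits` of randomization when each attempt
    costs `interval` seconds: half the search space on average."""
    return 2 ** (entropy_bits - 1) * interval


@dataclass
class HostState:
    sanction_until: float = 0.0   # expiry of the decay timer for this host
    deny_until: float = 0.0       # accept() is refused outright until this time
    repeats: int = 0              # repeat offenses seen in the current decay period
    next_release: float = 0.0     # earliest time the next queued connection may go through
    queue: deque = field(default_factory=deque)


class Deterrent:
    """Per-host sanctions keyed by network address, as the design proposes."""

    def __init__(self) -> None:
        self.hosts: dict[str, HostState] = {}

    def _state(self, host: str) -> HostState:
        return self.hosts.setdefault(host, HostState())

    def attack_detected(self, host: str, now: float) -> str:
        """Record a detected attack from `host` and return the sanction level."""
        s = self._state(host)
        if now < s.deny_until:
            return "denied"              # already cut off; the denial is not extended
        if now < s.sanction_until:
            s.repeats += 1               # a repeat offense: attack during an active decay period
            if s.repeats >= MAX_REPEATS:
                s.deny_until = now + DENY_PERIOD
                s.sanction_until = 0.0
                s.repeats = 0
                s.queue.clear()
                return "denied"
        else:
            s.repeats = 0                # previous decay period ended: start counting afresh
        s.sanction_until = now + DECAY_PERIOD   # (re)start the one-hour decay timer
        return "delayed"

    def accept(self, host: str, now: float, conn: int) -> str:
        """Decide what happens to a new connection `conn` from `host`."""
        s = self._state(host)
        if now < s.deny_until:
            return "deny"
        if now >= s.sanction_until:
            return "accept"              # no sanction in effect: accept immediately
        if len(s.queue) >= MAX_QUEUED:
            return "deny"                # bounded queue: refuse rather than pre-buffer attacks
        s.queue.append(conn)
        return "queue"

    def release(self, host: str, now: float) -> list:
        """Return queued connections that may be accept()ed at `now`: all of them
        once the decay period has expired, otherwise at most one per interval."""
        s = self._state(host)
        if now >= s.sanction_until:
            released = list(s.queue)
            s.queue.clear()
            return released
        if s.queue and now >= s.next_release:
            s.next_release = now + ACCEPT_INTERVAL
            return [s.queue.popleft()]
        return []


def demo() -> dict:
    """Constructed scenario: one attacking host is throttled, a bystander is not."""
    d = Deterrent()
    out = {}
    out["before"] = d.accept("10.0.0.5", 0.0, 1)             # accept
    d.attack_detected("10.0.0.5", 10.0)
    out["attacker"] = d.accept("10.0.0.5", 11.0, 2)          # queue
    d.accept("10.0.0.5", 11.2, 3)                            # queued behind conn 2
    out["bystander"] = d.accept("10.0.0.9", 11.0, 4)         # accept (other host unaffected)
    out["released_first"] = d.release("10.0.0.5", 11.0)      # [2]
    out["released_too_soon"] = d.release("10.0.0.5", 11.5)   # [] (interval not elapsed)
    out["released_second"] = d.release("10.0.0.5", 12.0)     # [3]
    last = "delayed"
    for i in range(MAX_REPEATS):                             # ten repeats within the decay period
        last = d.attack_detected("10.0.0.5", 20.0 + i)
    out["after_repeats"] = last                              # denied
    out["denied_accept"] = d.accept("10.0.0.5", 40.0, 5)     # deny
    out["after_deny_period"] = d.accept("10.0.0.5", 40.0 + DENY_PERIOD, 6)  # accept
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("16 bits at 1 try/s:", expected_brute_force_seconds(16, 1.0), "seconds")
    print("32 bits at 1 try/s:", expected_brute_force_seconds(32, 1.0) / (365.25 * 86400), "years")
```

Note that the bystander host is never touched by the attacker's sanctions, which is the point of keying the state on network address rather than on the forked server process; the trade-off the message itself raises remains, namely that a spoofing attacker can still buy sanctions for addresses it can forge.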