這篇文章是閱讀了 Kuon Ding 在 COSCUP 2016 發表的演講簡報「開源編譯器,如何實現系統安全最後一哩路」的一點想法。因為 COSCUP 一直待在場外聊天,未進入演講廳聽講,這些心得僅僅參考投影片的資訊。

私認為資訊安全沒有最後一哩路[1],需要保持紀律的環環層層不停的造橋鋪路。

這場演講分享了開放原始碼編譯工具針對系統安全的發展,編譯工具的確是重要一環,以 Ubuntu 為例[2], gcc 的 Stack Protector、built as PIE for exec ASLR、Fortify Source、Read-only relocation 都做額外的補釘加強安全性。然而 toolchain 不能提供獨立的安全保護,像是 Address Space Layout Randomization (ASLR) 必須是從 kernel 層做的。不管是融合桌面、手機環境的 Ubuntu 或是以手機為主的 Android 而言,安全性的發展都是盡可能的降低攻擊範圍(attack surface) 並層層疊加安全限制。

以最近發布的 Android 7[7][8] 為例子,針對系統面的保護改進用 SELinux 與 seccomp sandboxing 中減少 ioctl 的白名單呼叫範圍、 Library ASLR[3]、從 Grsecurity 學來的 CONFIG_DEBUG_RODATA 等等。這些都一步步的減少了攻擊暴露範圍。

舉例而言,文中提到了像是 2016/08 的 DEFCon 24 發布的 QuadRooter 相關漏洞[4],許多都是來自 SoC 的程式碼設計缺陷所造成,而這些缺陷很難透過代碼審查的方式查出,特別是由於智慧產權的限制,很多有問題的驅動程式是以二進位檔散布的,作業系統廠商或終端硬體品牌商是拿不到原始碼的。這些只能透過系統安全機制[15]來防護。

如 QuadRooter 中提到的 CVE-2016-2059: Linux IPC router binding any port as a control port,這個攻擊的前提是系統關掉 kASLR[5],然後才有機會做 Heap Spraying,但是要再拿到 root 還得關閉 SELinux 才行。而攻擊第一步 iocl 命令是可以透過 SELinux Policy 抑制的,例如 CVE-2016-0820 中,MediaTek 的 WiFi 驅動程式的 private ioctl 漏洞,可以關掉一般程式存取 device private commands[6].

編譯器未能防止類似的問題,必須依賴其他機制來保護系統。

編譯器[9]實踐的 KAsan (Kernel Address Sanitizer)[21] 功能可以查找 QuadRooter 中 CVE-2016-2503/CVE-2016-2504 等 use-after-free attack[22] 問題,但是一樣需要核心的支援[10]。而這個在 4.4 中的功能能夠發送到使用者手上尚須要一段時間[14],不僅僅是更新 toolchain 重新編譯即可。

不是所有的理論技術都可以在安全、便利性、效能上帶來好處,作業系統往往必須做出取捨。

  • 例如啟動了投影片中[1]提到 vtable verification feature[27],這個功能會讓一些重要的軟體如 Firefox 炸掉[11],因為開發者會對 vtable 用一些奇計淫巧。
  • 例如前述的 Ubuntu 中的 built as PIE 在 i686 平台上會造成 5-10% 的效能損失[12],只能挑某些重要的庫使用。到 16.10 才因為 64 bit 環境成熟而預設啟用。
  • 例如啟動了 Kernel Address Space Layout Randomisation (kASLR) 後,在 x86 上就無法讓電腦休眠[13] ,對沒電時需要緊急休眠的筆記型電腦使用者是無法接受的。

每項安全設計都不能只從單方面來看,需要全局的評估。有些無法在編譯器中實踐的功能,可以在 kernel 中完成,kenrel 的問題可以透過 app sandboxing 來補強。

而最近幾年的作業系統發展趨勢以 Isolation (Sandboxing) 為方向,像是 Android 使用 Selinux 的 Sandbox、ChoromeOS 中使用 Minijail[16],Linux Desktop 上的 xdg-app/Flatpak[17][18],以及 Ubuntu 使用 Snappy (Apparmor)[19][20] 等等技術。除了 Linux 以外,Apple OSX 基於 TrustedBSD Mandatory Access Control (MAC) Framework 的 Sandbox[23][24][25], 以及 Microsoft 的 Windows Runtime sandbox[26] 等等。這些系統的設計都是為了保護使用者的資料,除了防止惡意程式之外,如果程式遭到破解,所能造成的破壞也會被侷限在沙箱內。

最大的挑戰之一,或許是針對新的 security model 設計具備彈性 API,以及在多重限制的運行環境下仍可提供友善便利的使用者體驗吧。

[1] 開源編譯器,如何實現系統安全最後一哩路 by Funny Systems – https://speakerdeck.com/FunnySystems/kai-yuan-bian-yi-qi-ru-he-shi-xian-xi-tong-an-quan-zui-hou-li-lu
[2] https://wiki.ubuntu.com/Security/Features
[3] Implement Library Load Order Randomization – https://android.googlesource.com/platform/bionic/+/4f7a7ad3fed2ea90d454ec9f3cabfffb0deda8c4%5E%21/
[4] QuadRooter Research Report – https://www.checkpoint.com/downloads/resources/quadRooter-vulnerability-research-report.pdf
[5] Kernel address space layout randomization [LWN.net] – https://lwn.net/Articles/569635/
[6] Only allow shell user to access unprivileged socket ioctl commands. – https://android.googlesource.com/platform/external/sepolicy/+/57531ca%5E%21/
[7] Security | Android Open Source Project – https://source.android.com/security/
[8] Security Enhancements in Android 7.0 | Android Open Source Project – https://source.android.com/security/enhancements/enhancements70.html
[9] [ASan] Initial support for Kernel AddressSanitizer · llvm-mirror/llvm@e9149f4 – https://github.com/llvm-mirror/llvm/commit/e9149f4f8cd3b915ada134d80452c6eae7875ca4
[10] KASan support for arm64 – http://lkml.iu.edu/hypermail/linux/kernel/1511.0/02583.html
[11] Crash in mozJSComponentLoader::ModuleEntry::GetFactory when compiled with GCC 4.9.0 and VTV – https://bugzilla.mozilla.org/show_bug.cgi?id=1046600
[12] PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86) – https://wiki.ubuntu.com/Security/Features#pie
[13] Prefer kASLR over Hibernation – Patchwork – https://patchwork.kernel.org/patch/8765121/
[14] KASan support for arm64 – http://lkml.iu.edu/hypermail/linux/kernel/1511.0/02583.html
[15] Google Online Security Blog: Protecting Android with more Linux kernel defenses – https://security.googleblog.com/2016/07/protecting-android-with-more-linux.html
[16] Chromium OS Sandboxing – The Chromium Projects – https://www.chromium.org/chromium-os/developer-guide/chromium-os-sandboxing#h.l7ou90opzirq
[17] Projects/SandboxedApps – GNOME Wiki! – https://wiki.gnome.org/Projects/SandboxedApps
[18] Sandbox · flatpak/flatpak Wiki – https://github.com/flatpak/flatpak/wiki/Sandbox
[19] snapcraft – Snaps are universal Linux packages – http://snapcraft.io/
[20] Snappy Interfaces | Labix Blog – http://blog.labix.org/2016/04/22/snappy-interfaces
[21] Kernel Address Sanitizer – https://github.com/google/kasan/wiki
[22] Four new Android privilege escalations [LWN.net] – https://lwn.net/Articles/696716/
[23] The Apple Sandbox https://media.blackhat.com/bh-dc-11/Blazakis/BlackHat_DC_2011_Blazakis_Apple%20Sandbox-Slides.pdf
[24] The Apple Sandbox https://media.blackhat.com/bh-dc-11/Blazakis/BlackHat_DC_2011_Blazakis_Apple_Sandbox-wp.pdf
[25] SandBlaster: Reversing the Apple Sandbox – https://arxiv.org/pdf/1608.04303.pdf
[26] WinRT: The Metro-politan Museum of Security https://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Sebastien%20Renaud%20and%20Kevin%20Szkudlapski%20-%20WinRT.pdf
[27] Improving Function Pointer Security for Virtual Method Dispatches https://gcc.gnu.org/wiki/cauldron2012?action=AttachFile&do=get&target=cmtice.pdf

Dropbox 在 2012 的時候曾經傳出被入侵盜走六百九十萬筆個人資料。結果最近媒體發現[1],其實是被偷走 68,680,741 筆,其中31,865,280 組密碼使用 bcrypt hashing 加密,而另外的36,815,461組密碼則使用SHA1 hashing 加密。「我被黑了嗎?」(Have I been pwned[2]) 的站長 Troy Hunt[3] 拿到這批資料,驗證[4]之後確定是 Dropbox 被偷走得資料、不是假資料。

這些資料包含電子郵件與密碼,雖然這些密碼是被加密過,但是還是可能被破解猜出來。若沒有用不同密碼的習慣,別人就可能有機會用同樣帳號密碼登入不同的服務。而這些資料除了某些熟門路的人拿的到,像是 LeakedSource[5] 也提供付費版 API[6] 供人取用受害者原始資料 (亦即加密後的密碼等資料)。

比較好的習慣是使用密碼管理軟體 (Password Manager) 與雙因素授權 (Two factor authentication, 2FA)[9]。

密碼管理軟體的基本功能就是幫你產生亂數密碼,自動登入等,所以你可輕易在不同服務間使用難破解的密碼。密碼管理器的選擇很多[7][8],我自己是使用 Lastpass[11],它在瀏覽器與 Android 平台上整合的很方便。而且價格是 12 USD 一年,相較其他軟體更為便宜,雖然目前服務的公司有提供免費帳號,但是我已經買了好幾年了。Lastpass 雖然在 2015 也被入侵過[12],不過由於安全設計得當,並沒有產生重大問題。

我每個月都會定期做一次 Lastpass security challenge[10],他會檢查密碼強度、是否重複使用密碼,以及類似 Have I been pwned[2]、LeakedSource[5] 的功能,會查找已知的受害者資料庫,提醒是否為高風險需要採取任何行動。

快選一個密碼管理器吧。 https://lastpass.com/f?4133426

同場加映: Password manager security papers | Wilders Security Forums – http://www.wilderssecurity.com/threads/password-manager-security-papers.365724/

  • “Password Managers: Risks, Pitfalls, and Improvements” (2014)

    We study the security of popular password managers and their policies on automatically filling in passwords in web pages. We examine browser built-in password managers, mobile password managers, and 3rd party managers. We show that there are significant differences in autofill policies among password managers. Many autofill policies can lead to disastrous consequences where a remote network attacker can extract multiple passwords from the user’s password manager without any interaction with the user. We experiment with these attacks and with techniques to enhance the security of password managers. We show that our enhancements can be adopted by existing managers.

  • “Protecting Users Against XSS-based Password Manager Abuse” (2014)

    To ease the burden of repeated password authentication on multiple sites, modern Web browsers provide password managers, which offer to automatically complete password fields on Web pages, after the password has been stored once. Unfortunately, these managers operate by simply inserting the clear-text password into the document’s DOM, where it is accessible by JavaScript. Thus, a successful Cross-site Scripting attack can be leveraged by the attacker to read and leak password data which has been provided by the password manager. In this paper, we assess this potential threat through a thorough survey of the current password manager generation and observable characteristics of password fields in popular Web sites. Furthermore, we propose an alternative password manager design, which robustly prevents the identified attacks, while maintaining compatibility with the established functionality of the existing approaches.

  • “Vulnerability and Risk Analysis of Two Commercial Browser and Cloud Based Password Managers” (2013)

    Web users are confronted with the daunting challenges of managing more and more passwords to protect their valuable assets on different online services. Password manager is one of the most popular solutions designed to address such challenges by saving users’ passwords and later auto-filling the login forms on behalf of users. All the major browser vendors have provided password manager as a built-in feature; third-party vendors have also provided many password managers. In this paper, we analyze the security of two very popular commercial password managers: LastPass and RoboForm. Both of them are Browser and Cloud based Password Managers (BCPMs), and both of them have millions of active users worldwide. We investigate the security design and implementation of these two BCPMs with the focus on their underlying cryptographic mechanisms. We identify several critical, high, and medium risk level vulnerabilities that could be exploited by different types of attackers to break the security of these two BCPMs. Moreover, we provide some general suggestions to help improve the security design of these and similar BCPMs. We hope our analysis and suggestions could also be valuable to other cloud-based data security products and research.

  • “Automated Password Extraction Attack on Modern Password Managers” (2013)

    To encourage users to use stronger and more secure passwords, modern web browsers offer users password management services, allowing users to save previously entered passwords locally onto their hard drives. We present Lupin, a tool that automatically extracts these saved passwords without the user’s knowledge. Lupin allows a network adversary to obtain passwords as long as the login form appears on a non-HTTPS page. Unlike existing password sniffing tools, Lupin can obtain passwords for websites users are not visiting. Furthermore, Lupin can extract passwords embedded in login forms with a destination address served in HTTPS. To determine the number of websites vulnerable to our attack, we crawled the top 45,000 most popular websites from Alexa’s top website list and discovered that at least 28% of these sites are vulnerable. To further demonstrate the feasibility of our attack, we tested Lupin under controlled conditions using one of the authors’ computers. Lupin was able to extract passwords from 1,000 websites in less than 35 seconds. We suggest techniques for web developers to protect their web applications from attack, and we propose alternative designs for a secure password manager.

  • “Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage” (2013)

    To protect sensitive user data against server-side attacks, a number of security-conscious web applications have turned to client-side encryption, where only encrypted user data is ever stored in the cloud. We formally investigate the security of a number of such applications, including password managers, cloud storage providers, an e-voting website and a conference management system. We find that their security relies on both their use of cryptography and the way it combines with common web security mechanisms as implemented in the browser. We model these applications using the WebSpi web security library for ProVerif, we discuss novel attacks found by automated formal analysis, and we propose robust countermeasures.

  • “On The Security of Password Manager Database Formats” (2012)

    Password managers are critical pieces of software relied upon by users to securely store valuable and sensitive information, from online banking passwords and login credentials to passport- and social security numbers. Surprisingly, there has been very little academic research on the security these applications provide.
    This paper presents the first rigorous analysis of storage formats used by popular password managers. We define two realistic security models, designed to represent the capabilities of real-world adversaries. We then show how specific vulnerabilities in our models allow an adversary to implement practical attacks. Our analysis shows that most password manager database formats are broken even against weak adversaries.

  • From Web-based Attacks on Host-Proof Encrypted Storage (2012):

    Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so-called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing.
    We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.

利益揭露: lastpass 的邀請連結是我的個人 premium referral link.

[1] Hackers Stole Account Details for Over 60 Million Dropbox Users | Motherboard – http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts
[2] Have I been pwned? Check if your email has been compromised in a data breach – https://haveibeenpwned.com/
[3] Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security – https://haveibeenpwned.com/About
[4] Troy Hunt: The Dropbox hack is real – https://www.troyhunt.com/the-dropbox-hack-is-real/
[5] Find the source of your leaks – https://www.leakedsource.com/
[6] LeakedSource API Purchase – https://www.leakedsource.com/api/purchase
[7] Password Managers Compared http://www.howtogeek.com/?p=240255
[8] Best Password Manager http://www.asecurelife.com/dashlane-vs-lastpass-vs-1password-vs-roboform-vs-keepass/
[9] https://en.wikipedia.org/wiki/Multi-factor_authentication
[10] https://blog.lastpass.com/tag/lastpass-security-challenge/
[11] https://lastpass.com/f?4133426
[12] LastPass Hacked http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

先前注意到中國 CA 憑證簽發單位[1]可能會濫發簽章,而導致中間人攻擊等風險,而過去也的確發生過一些隨意簽發 Google 網域簽章的案例[2]。最近看到 Mozilla 討論 WoSign 的安全疑慮[3][4],如濫發 github.com 簽章等。決定把中國的 CA 全數移除。

RevokeChinaCerts[5] 可以

  • 移除 Network Security Service 中的設定。 (需要裝 libnss3-tools)
  • 移除全系統的 default internet SSL certificate trustchains. (ca-certificates)

修正了 Linux 版本的的問題[6]。

另外發現 Ubuntu 還沒有做 ArchLinux 上那種簡易黑名單簽章管理機制[7]。

[1] http://blog.nutsfactory.net/tag/cnnic/
[2] http://bit.ly/2bBnm9g
[3] Mozilla 在考慮移除 WoSign 的 CA Root http://bit.ly/2bwXAbU
[4] Incidents involving the CA WoSign – http://bit.ly/2bOoHx8
[5] https://github.com/chengr28/RevokeChinaCerts
[6] http://bit.ly/2bymDKF
[7] Managing SSL certificates – http://bit.ly/2bFAoUX

今年 COSCUP 2013 時候,總於又開始辦 Key Signing Party。其實過去幾年在 Debian Birthday Party 時,常常也會非正式的交換簽章。這是第一次比較正式的用 The ‘Sassaman-Efficient’ Method 進行。總共二十人參與,成效還不錯!

IMG_3787 gpg-20130808

過程中收到幾個朋友來信詢問問題,特地整理幾個 FAQ

金鑰過期時間 (Expire day) 是否要設定,要設定多久?
你應該養成設定過期時間的習慣。你不用擔心過期要重新建立新的金鑰,你可以延長過期時間後,重新送到 key server 上。這樣別人就會取得你新的金鑰。若你金鑰遺失或忘記密碼也弄丟 revocation certificate 的時候,過期時間可以告訴你的朋友這把金鑰已經不能夠相信了。請找你聯絡換把新的。至於過期時間,則看你有多頻繁使用 PGP,我個人設定六個月,純屬偏好。

記得生成 revocation certificate
revocation certificate 是當你的金鑰遺失或被竊走得時候,你可以宣告這個金鑰失效。所以請生一份出來藏好,然後千萬不要被別人偷走。
gpg --output revoke.asc --gen-revoke <keyid>
如何簽署金鑰?
若你使用 Debian 或 Ubuntu, 請安裝 signing-party, 其中有一個工具叫做 caff(1). 他會以提問方式將你所選擇的金鑰簽署之後,以郵件加密寄給該金鑰收件人。這麼做的目的是,我們當場於會場認證對方的姓名,但是無法驗證他的電子郵件。經由加密寄送的方式,可以確保他使用該郵件系統。

因此你不應該把簽署過金鑰直接送到 key server 上,而是加密寄給他。這樣就不會造成他可能冒用別人的郵件信箱。

如何接收簽名?
請將每個人寄給你的信件解密,取出新的金鑰簽章,匯入你自己的 GPG Keyring,然後把新的金鑰上傳到 keyserver. 如果你沒有上傳,其他人是無法知道你已取得簽章。

姓名識別
交換的過程,最常見就是大家都只使用音譯,但是一般的中文證件上不會顯示英譯。所以你必須攜帶護照,才能讓對方驗證你的名字。你也可以在產生新簽章的時候,在註解 (comment) 輸入中文姓名 (請使用 UTF-8),這樣會比較容易進行驗證。但是不要在 comment 寫一些亂七八糟,無益辨識的資訊

另外,臺灣的護照容許你使用 Alias Name, 不彷把常用的英文名字加入。例如我的護照上即有 “Rex” 為別名。

使用金鑰包裝套件的技巧
你若常常需要包裝套件,不妨新增一把 subkey。一般而言,你必須十分小心的藏好的你的金鑰,例如存在其他人無法存取的離線媒體上。但是身為一個 Debian / Ubuntu 開發者,你每天都需要簽署並上傳新的套件。金鑰藏在離線媒體其實非常不便利。

Subkey 容許你在沒有主金鑰 (Master key) 的狀況下簽名或加密,也可以隨時取消或更改 subkey. 因此你可以安全的把金鑰藏在某個無人知曉的地方,把新的 subkey 專門拿來簽署用。萬一出了狀況,只要註銷這把子金鑰即可,不用大費周章的重生一把新的金鑰。

Firefox 4.0 出來之後,一直沒有抽時間出來更新 CertAlert,不過最近看到 AT&T 上的 Facebook 流量莫名被轉到中國南韓去,似乎有某種暗黑勢力蠢蠢欲動。

頗擔心 CNNIC 有惡意作為,稍微更新了 CertAlert,讓它支援 Gecko 2.0 XPCOM API,可以裝在 Firefox 4.0 上。新版安裝檔可以於 github 下載。

Mozilla 官方 AMO 因爲疏於更新,暫時被拿下來了,將重新上傳等官方審閱後即可再次下載。

2011-03-29 01:30

官方 AMO 已經重新開放安裝,仍於申請審閱程序中。

之前曾經介紹過波蘭的 Invisible Things Lab,她們在 2009 年初曾揭露過 Intel Trusted Execution Technology 的安全保護機制缺失。這個月,她們推出了一個新的試驗,Introducing Qubes OSQubes OS 是一個利用 Xen, X, Linux 所開發的作業系統。

基本的架構是將各種不同領域的軟體置入 Xen 虛擬機器中,所謂不同領域 (domain),指的是使用情境 (context)。如你可能有一個工作專用、網路銀行專用、網路小遊戲專用等等不同的領域。在不同的領域中,各個軟體元件都可以被隔開在自己的環境沙箱 (sandbox) 中,包含檔案系統、網路等也是利用 Xen 進行隔離的。也就是 Security by Isolation 的概念,論文中有詳盡介紹。

至於操作介面,則是利用 X Window System 的 client-server 架構,各個不同的領域的軟體 (X Client),將圖形化介面投到共用的 X Server。寄說還做了 Secure copy-and-paste 的機制,進而保護了剪貼簿的內容。設計上,他們做了一個 GUId 來處理圖形化問題,且每個 Domain 都有其 X Server,因此也不用怕有人利用 XQueryKeymap 寫 keylogger 來錄密碼。

由於各個軟體都被鎖在獨立的檔案系統、網路中,只透過網路傳送圖形介面。因此你不用擔心因為在網路遊戲中查看一些網站而中毒,因而影響到你的作業系統穩定性或刪改到工作檔案。

這是一個很有趣的嘗試。

不過顯而易見,系統資源相對會使用更多,例如每個 domain (Xen VM),都會固定佔掉 400M 記憶體 (?),而每個 domain 中,都需要留置一份自己的相關 userland libraries, programs 等。雖然 Qubes 看起來是用 COW 技術,讓系統盡量共享 Domain-0 中的 userland program. 不過若要新增軟體大概還是會佔掉不少空間。

另外則是由於軟體被安裝到不同的 domain 中,自然 menu/launcher 得重新設計,否則無法找到不同 domain 中的軟體。操作性上可能會弱一點。