[SecurityRatty] tag: grep

Improve Security with "A Layer of Hurt"

Thu, 31 Jul 2008 15:13:00 +0000

Hello, Michael here.

I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number of people who thought fuzz testing was hard, or that you only left fuzz testing to ‘leet hackers.

During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

Read from files: fread, ReadFile
Reading from sockets: recv, recvfrom
For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

char RecvBuf[1024];
int BufLen = sizeof(RecvBuf);

int result = recvfrom(
   RecvSocket,
   RecvBuf,
   BufLen,
   0,
   (SOCKADDR *)&SenderAddr,
   &SenderAddrSize);

#ifdef _FUZZ
Fuzz(RecvBuf,&BufLen);
#endif

Or, in C#, code that reads from an untrusted file:

FileStream fileStream = new FileStream(filename, FileMode.Open, FileAccess.Read);
uint len = (uint)(fileStream.Length);
byte[] fileData = new byte[fileStream.Length];
fileStream.Read(fileData, 0, (int)len);
fileStream.Close();

#if _FUZZ_
Malform pain = new Malform();
fileData = pain.Fuzz(fileData);
#endif

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

void Fuzz(_Inout_bytecap_(*pcbBuf) char *pBuf,
_Inout_ size_t *pcbBuf) {

if (!pcbBuf || !pBuf || !*pcbBuff || *pBuf) return;
if ((rand() % 100) > 5) return; // fuzz about 5% of Buffers

size_t cLoop = 1 + (rand() % 4);

for (size_t j = 0; j < cLoop; j++) {

    size_t i=0,
      iLow = rand() % *pcbBuf,
      iHigh = 1+rand() % *pcbBuf,
      iIter = 1+rand() % 8;

    if (iLow > iHigh)
      {size_t t=iHigh; iHigh=iLow; iLow=t;}

char ch=0;
switch(rand() % 9) {

      case 0 : // reset upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] &= 0x7F;
        break;

      case 1 : // set upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] |= 0x80;
        break;

      case 2 : // toggle all bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] ^= 0xFF;
        break;

      case 3 : // set to random chars
        for (i=iLow; i < iHigh; i++)
          pBuf[i] = (char)(rand() % 256);
        break;

      case 4 : // set NULL chars to (possibly) non-NULL
        for (i=iLow; i < iHigh; i++)
          if (!pBuf[i])
            pBuf[i] = (char)(rand() % 256);
        break;

      case 5 : // swap adjacent bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          {char t=pBuf[i]; pBuf[i] = pBuf[i+1]; pBuf[i+1]=t;}
        break;

      case 6 : // set to random chars every n-bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          pBuf[i] = (char)(rand()%256);
        break;

      case 7 : // set bytes to one random char
        ch=(char)(rand() % 256);
          for (i=iLow; i < iHigh; i++)
            pBuf[i] = ch;
        break;

      default: // truncate stream
        *pcbBuf = iHigh;
        break;
     }
   }
}

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

Your 3 Favorite Linux Commands?

Fri, 25 Jul 2008 10:02:41 +0000

Here’s a fun Friday post…

Some of you may know I’ve been preparing to brush up on my *nix skills. A couple of our new solutions are running on Linux platforms and I feel compelled to understand any platform I’m working with inside and out… I know, it’s a bit OCD.

But to be honest, I haven’t really touched a Linux platform for about 10 years, since I was one of the three students running the Sun network over at NCSSM. I still remember the humorous ‘root’ ‘of all evil’ admin name that we used and the password, iaceo (in mixed caps), which was a Latin word for (I think) to lie dead. (Please correct me if you know what it means). When you’re 17, these things are amusing.

I’ve kept my ls-ing and cd-ing over the years, but will be brushing up on the grep-ing and tail-ing ;)

So with any system, I think we all have our favourite commands that we use daily and are part of our daily arsenal. I’m working out mine but wanted to hear from you…

What are your 3 favorite Linux commands?

And is there 1 obscure one you really love (or hate)?

# # #

My kids get XO's, I go to the command line

Sat, 22 Mar 2008 22:30:39 +0000

They finally came! My friend Raj Bhargava bought my two sons laptops from the OLPC project around the holiday season. Unfortunately due to the high demand, the project ran out of laptops and we have been waiting 3 months for them to arrive. They finally came on Friday. This was part of the buy one, donate one program so two other lucky children in the world have computers now too thanks to Raj's generosity. For those of you not familiar with the project, this was born out of Nicholas Negroponte's MIT lab to bring a $100 dollar laptop to children the world over. While they have not quite hit the $100 dollar cost, they are under $200. The laptop's are called XO laptops.

The laptops use low power, are extremely rugged and kid friendly and run Linux. The interface is called Sugar and is very different than a Windows type of metaphor. It takes some getting used to, but my kids seem to have picked it up pretty quickly. The wireless networking is great. In addition to regular wireless access points, the computers network in a "mesh" network that allow them to share information and chat with each other with the pre-installed software. My kids discovered chat pretty quickly and now sit next to each other chatting away over the computer. Why they just don't talk to each other I guess is part of the magic of computers. It also has a nice Mozilla based browser, a word processor, video camera and a bunch of other software. The boys are having a blast using the machines and take them everywhere. All of their friends who see them want one too, so maybe it will lead to more folks joining the buy one, give one program.

My kids are also really into webkinz. One of the first things they wanted to do was get on the webkinz site with their new machines. The webkinz site uses flash extensively. The XO laptop though only comes with open software, free is not enough. So they use an open source flash plug in, but it does not play all flash files. You can download and install the flash plug in for Linux, but this takes a little behind the scenes Linux command line work. So Dad told them to go to sleep and when they woke up, their machines would play webkinz in the morning.

It has been years since I had to work on a Linux/Unix system in the command line. Actually since I first started TriStar Web hosting with my partners and a few nights a week, I was the designated graveyard shift technical support dude. Even then, I knew only enough to get myself in trouble. Kill a process, grep files, chmod permissions, stuff like that. These laptops, while they run Linux, have a different kind of file and directory structure as to where they keep and store files and the naming system is weird. Files are truncated into numeric named files that bear no resemblance to the file name that shows up in the Sugar GUI. You have to go by the date created and size to recognize the file you are looking for and then you can rename it. The script I was trying to run got messed up in the word processor that comes with the laptop, so I had to go into Vi and fix that. It has been a while since I have used Vi too. Than the script did not have execute permissions set, so I had to do that. Well I have to tell you that this all took a few hours, but when the boys woke up in the morning, they turned on their computers and went to webkinz world and just as Dad promised, everything worked fine. I wish all of their wishes and wants were solved so easily!

Evil Silos

Thu, 24 Jan 2008 12:42:00 +0000

Today I will speak about evil. Yes, evil! There is plenty of evil in the world of logs (e.g. ugly logs), but this is a "bigger, better" evil :-): siloed approach to logs!

There is little that I hate more than siloed approach to logs. A situation when you have your security team "owning" network IDS logs, network team having firewall and router logs (as well as all SNMP traps) and, say, a sysadmins possessing (or, rather, ignoring!) the logs from servers and desktop is not only sad, counterproductive, inefficient and wasteful, but also dangerous.

Where does such approach to logs (where they are divided by both technical and political chasms) breaks down most painfully? In case of an incident response, of course. This is where instead of one query across all logs and all log sources (or whatever needed subset of logs or log sources), you'd end up with having run around, beg, connect, wait, swear, wait, download logs, dig in many places at once, wait, grep, suffer with many UIs, swear more - and have a time of your life in general! :-) All of the above instead of connecting to your shiny new log management system and running a few reports, drilldowns and searches across the relevant logs.

Ideally, you'd fight the evil and break down the silo walls by deploying a log management platform across the entire organization and then letting every team that needs logs to get them from the system in a controlled fashion, via the interface or a web API (BTW, LogLogic has a web API to get logs!). Apart from being a trend (e.g. see recent ESG report on that), it will make your IT and security operations that much more efficient - and pleasant!

On the other hand, what is bizarre is that some newer vendors, who claim to do log management, actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5000 to each of the many separate teams within the organization IMHO must be made illegal :-) as it builds walls, not bridges; digs holes and overall "silo-izes" your operation...

Technorati tags: logging, log management

Google Spamming Us

Thu, 20 Dec 2007 19:11:11 +0000

You know, we get some really odd traffic. Some of it good, some of it not so much. Let’s take a look at some of Google’s traffic since it’s a slow day. If nothing else it’s good for a laugh. First let’s look at Google trying to hack us - XSS style:

66.249.73.40 - - [26/Nov/2007:01:53:58 +0000] “GET /blog/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1″ 200 55053 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Not too bad for a robot. How about some totally innane Apache directory structure stuff that couldn’t possibly work?

66.249.73.40 - - [26/Nov/2007:00:46:03 +0000] “GET /bluehat-spring-2007/?C=S;O=A HTTP/1.1″ 200 3681 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Someone needs to figure out how UTF-7 works:

66.249.73.40 - - [26/Nov/2007:02:25:19 +0000] “GET /s.js+ACIAPgA8-/script+AD4-x HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Oh don’t we love the Google spam? I really am disheartened that it’s this easy to con Google into spamming websites. As if I don’t get enough referrer spam, Google does one better. *sigh*

66.249.73.40 - - [23/Nov/2007:19:11:23 +0000] “GET /weird/popup.html/Buy-NET.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [09/Dec/2007:07:21:51 +0000] “GET /weird/popup.html/Buy-COM.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [11/Dec/2007:05:24:19 +0000] “GET /weird/popup.html/Buy-MEUK.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [14/Dec/2007:17:48:58 +0000] “GET /weird/popup.html/Buy-INFO.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Google has a lust for the goatse! Cannot get enough of it!!!!! Seriously, Google. I just don’t have Goatse on my machine. I promise! Granted, I 302 redirect all 404s to the homepage, instead of 301, so that’s my bad, but seriously - there is a reason I might want to do that and still not have goatse on my site. I don’t ever remember having it anyway. Time to give up the obsession, Google!

66.249.73.40 - - [30/Nov/2007:01:04:10 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [07/Dec/2007:19:36:57 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [10/Dec/2007:20:17:00 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”
66.249.73.40 - - [19/Dec/2007:22:58:31 +0000] “GET /goatse.html HTTP/1.1″ 302 204 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

More spam anyone? Let’s see here… Google likes Viagra and goatse. I’m seeing a theme here!

66.249.73.40 - - [26/Nov/2007:04:47:00 +0000] “GET /fierce/?ref=SaglikAlani.Com HTTP/1.1″ 304 - “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

And the trackbacks… oh Google, please figure out what a Trackback is and stop spidering it. I swear, no matter how many bazillion times you look at the trackback pages, you’re still not going to find anything useful there. I double cross my heart and swear to die. This is from Nov 18th-Dec 20th (just over one month):

$ grep 66.249.73.40 error_log |grep -c wp-trackback
938

Think how much bandwidth Google uses that is just completely unnecessary. The countless and senseless bandwidth waste-age. I started using Google because it was light on my personal bandwidth - so much for that idea.

Logging Poll #3 "What Do You Do With Logs?" Analysis

Fri, 07 Dec 2007 06:19:00 +0000

So, the results of my 3rd poll are ready: live results are here, picture is also in this post. This sure was fun!

First, this poll way more popular than my previous "why" poll. Yes, it seems like people do hate to wonder "why" :-)

Second, what are the two choices, that are by far the most popular? They are:

Store raw logs on a server (23%)
Search raw logs (grep) when needed (24%)

Yes, this is the "state of the art" of logging: collection of raw logs and "as needed" grep aka "slow and painful" search. In fact, the above answers might not even be given by the same people: some might be grepping logs on the individual servers, while others collect them on syslog servers and never touch them. That is why being in log management business is such a great thing: you have nearly the whole world to evangelize about the value of logs and log management tools.

Third, what's the next most popular idea of analyzing logs? It is "Run my own log analysis tool" at 10% of the respondents. Indeed, the movement started by the "enlightened" Leopold von Sacher-Masoch still lives and thrives: people choose the Build->Suffer approach to log management often enough ...

Fourth, next come my somewhat self-inflicted surprise: apart from commercial log management (at 4%) and rolling one's own (discussed above at 10%), I added the option of "Use other log analysis tools" which captured 7% of the vote. But what does that mean? I have no idea!

Fifth, I am NOT surprised by the lack of popularity of the rule-based correlation tools, such as SIEM (at 2%). When I made my decision to join LogLogic, I had to ponder this one really, really hard. Sorry to use this post to rant, but my conclusion at the time (which is also valid now) was that "SIEM is for some, log management is for everybody." This poll confirms this further.

Finally, all my logging polls and analysis are here. Next one is coming up!

Technorati tags: logging, polls, log management