Friday, November 06, 2015

Is Linux kernel secure?

I've read a article "Net of insecurityThe kernel of the argument" from The Washington Post today. It's fuc*ing good one. I've been torturing by the security status of *stable* linux kernel for a fuc*ing long time. I never see one article can talk about the truth like this one. Many commercial customers( especially from financial data centres) has been painful to use commercial GNU/Linux products for years. Remember those 0ld good null-deref exploits and Enlightment framework back in 2000s? What did Linus and these commercial GNU/Linux vendors response back then? They said "A bug is bug" is one thing, while SELinux can protect your asset is another. Unfortunately, they are lies to you, as always.......

I'm not going to talk about those shitty history right here. You can google if you really want to know the truth. A little advice, you could start from here.

Well, speaking of the history of mitigation. I'm highly recommend you should go through thinkist's presentation at BH'10. Who the hell can explain the history so detailed like he did;-)

Black Hat USA 2010: Memory Corruption Attacks: The Almost Complete History


"As long as there is technology, there will be hackers. As long as there are hackers, there will be PHRACK magazine."( Quoted from Phrack Issue 63). As long as there are vulnerabilities, there will be exploits. As long as there are exploits, there will be mitigation.........

Basically, the possible evolution of a exploitable bug should be look like this:
Bug –> exploitable bug(vulnerability) –> poc –> exploit –> reliable/weaponized exploit

That's where the problem comes. There are two types of philosophical ideas about how to deal with exploitable bug.

1, Linus Torvalds represent the philosophy of "A bug is bug", which believes any exploitable bug should be taken care of like the normal bug. When one is being found, just get to fix it. Any security mitigation is fully waste of CPU usage. Developers should've only focus on the features and performance. He( and his followers) even believes bug info's obscurity is the way to prevent attacker and "security through obscurity" is an effective approach for Linux kernel upstream.

2, PaX Team and spender are the most fascinating guys on the side of security mitigation. They( I) believes numerous exploitable bugs can not be solved once for all by fixing them. But we can design some specific security mitigation to against the specific types of vulnerabilities. That's the only way to solve this issue.

Well, those two philosophical ideas are totally different. Why the hell happens? IMOHO, one of main reasons is the threat model is totally different. In my own adversary, the attackers may have the weaponized exploits, which developed by digital armory( Vupen, HT?) or underground. While only the skiddies in Linus's threat model( it seems to be at least;-)).

Some commercial GNU/Linux vendors basically believes public exploit is the most important reason to influence their risk assessment. Don't believe that? They admitted by themselves;-)

A lot of my customers always says one of reasons they choose GNU/Linux as their alternatives of UNIX, because GNU/Linux is secure. I've been wondering all the time and response like "ARE U fuc*ing serious?". Now GNU/Linux is dive into the next age of Internet, which some people would like to call IoT( internet of the things). But the question is: Is Linux kernel ready to face the tons of cybercriminals? You fuc*ing tell me........

btw: Kernel/Compiler/Firmware are very important core infrastructures of modern cyber world. A lot of good people are busy to defend our world by their effort. PaX/Grsecurity guys are my heros. Reproducible builds( based on the theory of DDC, by David A. Wheeler) is definitely gonna piss NSA off. CHIPSEC( for firmware) may be the starting point. I do believe only the fined FOSS solution can make this world a little more secure......

Sunday, July 12, 2015

Damn, the disclosure of PRISM cost my money;-)

Time is running on. It's been about two years after Mr.Sn0wden made the 1st disclosure of those documents back in June 2013. Everybody was shocked back then. In security/hacker community, those news about what BIG BROTHER did to us was nothing new. Guess most people already knew it. But what Mr.Sn0wden brings us, is to confirm the details about how BIG BROTHER has been doing the shit. More importantly, it has educational purposes for the public. The whole world is fuc*ing changed, because of PRISM disclosure. People( I mean crypto-anarchist, professional paranoia, etc) think differently from then. To myself( as a FOSS cybersecurity dude), the PRISM definitely changed my life.

I kept reading some astonishing news about leaked documents back in July 2013 and thought a lot during the period of oSC2013 at a beautiful city nearby Aegean Sea. "What should I do about it? Should I get involve with something? What kind of philosophical ideas can better fit in post-prism era?" and so on..these questions I asked myself many times. Then I was thinking ......

1, Philosophical level. Well, free software philosophy would be the same to me since 2007. The concept of free/libre is more important than ever before. In post-prism era, BIG BROTHER and big corps are too powerful to restrict the individual freedom in digital world. Although we've won the war between open vs. closed. But many people still misunderstand about the differences between free software and open source. IMOHO, support FSF( Free Software Foundation) will always be on my TODO.

2, Technical level. Many researches reveal that open system is more secure than closed one. Btw, Bruce Schneier agrees with that. After all these years, I finally realize there are two powerful weapons we can use to against the enemy: System security & Cryptography. Some people only focus on crypto and OS level security is totally missing, which might cause a failure. It's like building a fortress upon the sand. Some 0ld sch00l hackers criticised about it last year. In the practical cases to GNU/Linux users, PaX/Grsecurity is the only option we have.

3, Law level. Speak of law & public education, EFF has been doing the great work in past two decades. Why would I support EFF? The reason is so simple: They speak for me, or they speak for the type of person like me.

I did the math a little bit today and found out I've donated around $5800 to the FOSS community including FSF, EFF, Debian, Mempo, PaX/Grsecurity, HardenedLinux, HardenedBSD since the disclosure of PRISM. I'm not trying to convince anyone to donate money to any organizations here. But I'm encouraging you to think for yourself, about why are you here reading my fuc*ing annoying & noisy blog? Does free software matters to you? Or don't you think is worth supporting about what EFF is doing?

Long live 0ld sch00l!
Long live anarchy!

Thursday, April 09, 2015

Debian GNU/Linux security checklist and hardening

The 1st time I met Debian GNU/Linux was about a decade ago when I was a college dude. Stupid college life was too boring back then;-) It was almost the same time I met Phrack ezine in my 1st time. Damn, time is running on...

Anyway, I'd like to share this article "Debian GNU/Linux security checklist and hardening" with you guys. H0pe you can find your peace in this pathetic era;-) Yeah..yeah..I just wanna say: "Phrack is not dead, PaX/Grsecurity is not dead, DNFWAH is not dead, 0ld sch00l is not dead, the Underground spirit is not dead.....If they were, that'd be on us!!!".

Tuesday, March 17, 2015

HIGHRES TIMER can be your DoS nightmare

This is a real-life story about HIGH RESOLUTION TIMER and how lame
coders use it to make a self-DoS;-) You should be very cautions if
your system was written by those type of coders.

Incident happened:

1, A dozen of RHEL 6 GNU/Linux servers were extremely slow while
running some *** applications. The kernel CPU usage was about

2, the "free" item from vmstat was not seems OK. "free" was keep
increasing but "buff" & "cache" were decreasing when a bunch of data
went through. Then kernel gave you a *hint* about OOM( Out of Memory):

"kernel panic - not syncing: Out of memory and no killable processes..."

Then kernel tried to kill each processes until shit happened, which
was kernel panic.

I began this investigation with strace. The result was quite
strange. Why would the application( malware?) invoke the syscall
nanosleep() so often? Every 10000ns( 10us)? Seriously? All I can tell
is the application doesn't need to do real time work.

15:30:08.002047 nanosleep({0, 10000}, NULL) = 0 <0 .000082="">
15:30:08.002175 nanosleep({0, 10000}, NULL) = 0 <0 .000074="">
15:30:08.002297 nanosleep({0, 10000}, NULL) = 0 <0 .000074="">
15:30:09.917557 nanosleep({0, 10000}, NULL) = 0 <0 .000075="">
15:30:09.917661 nanosleep({0, 10000}, NULL) = 0 <0 .000071="">

The customer said it was never happened in 0ld good GNU/Linux systems(
like RHEL 5). My guts hints me to a direction: High Resolution
Timer. A type of kernel timer that can provide more accurate time
measure. I've read Linux Manual and very well explained kernel doc and 
learned that HIGHRES TIMER was added to the upstream code in
2.6.21. So I guess..just guess..some lazy & lame coders just want to
make the program "sleep" in a very "short" time. Then he/she wrote
this code very confidently:


If you're running linux kernel before 2.6.21, this line of code will
only sleep between 1ms and 2ms. But..annoying *but* is coming..if
you're running *modern* GNU/Linux distro with HIGHRES support, the
same code will sleep 10us, which might cause performance hit. CentOS
community had the similar issue before:

From the evidence we have, there are two clues might lead us to the
crime-scene: High Resolution Timer.

1, nanosleep() has been invoked >=8k times in every fuc*ing second.

2, The victim kernel was not running with kdump. But we still have
some kernel logs. According to the CallTrace, the kernel was playing
with HIGHRES-related context should not be a coincidence:

 [] ? audit_syscall_exit+0x27e/0x290
 [] ? sysret_audit+0x16/0x20
 [] ? __hrtimer_start_range_ns+0x1a3/0x460
 [] ? sysret_audit+0x16/0x20
 [] ? sysret_audit+0x16/0x20
 [] ? audit_filter_rules+0x2d/0xa10
 [] ? audit_syscall_exit+0x27e/0x290
 [] ? sysret_audit+0x16/0x20
schedule_timeout: wrong timeout value ffffffffffffb572


I'm giving you two options:

1, Modify the source code( if you have) about *sleep*-related
functions and tell the fuc*ing coders they can go home and fuck

2, Append "nohz=off highres=off" to the file /etc/grub.conf, to turn
it fuc*ing off this feature.

Testing result:

Unfortunately, we had to test this in a production system..but we did

| Item      | HIGHRES ON          | HIGHRES OFF |
| nanosleep |   >8,000 times      | 345 times   |
| buff/cache| Decreasing          | Increasing  |
| %sys      | 50%                 | 6%          |

Well, I guess we arrested the *perpetrator* this time. Damn...not every 
business impact caused by security issues;-)

Saturday, January 03, 2015

Happy New Year 2015

Time is running on and brings us to another new year. Does this fuc*ing mean another fight? I've been sitting on my butt and watching a lot of presentations of 31C3. Unfortunately, I couldn't be there physically. I'm fuc*ing jealous you guys who were there;-)

I've learned a lot from these videos. So, I'd like to write down what I thought about some great topics.

31C3 Opening Event [31c3] mit Erdgeist und Geraldine de Bastion
Nothing I can say about opening;-)

Jacob Appelbaum: Reconstructing narratives - transparency in the service of justice

This is the most fuc*ing awesome presentation I've seen in 2014 since I watched Jacob's free speech on last C3 conference. Yes..what I've been trying to tell people( friends & customers) that only a few things we may rely on: OTR, PGP, SSL/TLS with PFS... This is a very positive message that not everything is being fucked. Well... IMOHO, only taking crypto itself into account is not enough.  Kernel hardening should be a must-need stuff more than ever before. A lot of 0ld sch00l guys are complaining about people are still not taking serious about system-lvl security( PaX/Grsecurity? QubeOS? Mirage OS?) after EFF released the security guideline. Even the Information Security for Journalists focuses on crypto in the most part......damn...I think there are  a lot of interesting stuff we could try in 2015.............

SS7map : mapping vulnerability of the international mobile roaming infrastructure [31c3]

Well done, P1Sec guys! Telco security is not my major focus, but I've been learning CORENET stuff from some friends in last a few years. According to the ss7map, China is one of country has high risk in CORENET. Guess a huge consulting market is out there;-)

The Cloud Conspiracy 2008-2014 [31c3]

Everybody are talking about the cloud. Cloud might help small startup( don't have sensitive data) in many aspects, especially on cost issue. But..speak of cloud security, damn..I'm gonna speak it out: The security of public cloud is a joke, the security of private cloud is a fraud;-)

Trustworthy secure modular operating system engineering

Building trust-chains within compartment/containment is not a bad idea for defense in depth. "What you're doing is wrong" is a common phrase from hacker community. But how to do it right is a scientific problem;-) I don't think typed-safe language will be a silver-bullet. New issues and snake-oil security product always comes out. People will be happy to talk about how "Next-Gen" technology gonna change the future...unfortunately, they have no idea what the fuc* they talk about( in most cases). Why would the fuc*ing industry needs "Next-Gen" technology? I guess, no one wants talk about what the hell was the Last-Gen tech;-)

SS7: Locate. Track. Manipulate.

Wow..very good work, Tobias! I was so exciting when you show up the demo. CORENET is really interesting and amazing. That reminds me a saying from Captain: "The phone company is nothing but a computer... A computer is a System...". Ohh, did I say "cloud"?

Switches Get Stitches - Industrial System Ownership

People are taking serious about ICS security after the disclosure of Stuxnet. In the meantime, snake-oil products/services just come out of nowhere. This talk is awesome. It's almost like ICS security 101 to me. Thanks Eireann, I think I owe you a beer;-)

Reproducible Builds - Moving Beyond Single Points of Failure for Software Distribution

I love EFF and being proud as a member. EFF has been doing a great job about public education and fighting for individual's privacy. I'm not sure if we could win or not. But this is the right thing to do. Reveal the dark-side of cybersecurity is inevitable. We had to deal with shit like Mr.Dullien mentioned in Offensive work and addiction. Do we ever had a chance to live in a *purely* world without "I hunt sysadmin"? If we don't, reproducible builds is very valuable for us to against mass surveillance. Gitian is a project, which Seth & Mike mentioned about.

 Reproducible builds can't solve all potential threats. But it can help us in some levels to identify "There is a backdoor in the indentical binary or there isn't a backdoor". You might also want to read about Trusting trust issue.

By the way, another reason I love Debian is because Mempo project;-) We need your hands..fuck off, NSA!

Freedom in your computer and in the net(click me)

Fascinating free speech from RMS! My wife believes that to be idealistic is to be realistic...are we talking about leap of faith? Sometimes, faith is all we left;-) RMS is one of the most respectful man. His philosophy inspired me to started using GNU/Linux. Phrack inspired me to be a cybersec dude....

RMS talked about a few important things in 31C3:
1, The differences between Free software and open source. Free Software is more concern about ethical libre, while open source only emphasize  the practical stuff like code quality or cost issue.

2, Security aspect. Free Software is more secure than closed software. Microsoft send NSA the information of Windows bug before they fix, maybe other vendors( closed-source product) would do the same things.

3, RMS thinks all university should teach reverse engineering. It's a good choice when you had to explore something in a closed-source world.

4, RMS siad "...also the software they teach student to use must be free, because the school has social mission to educate good citizens of society that is strong, capable, independent, cooperating and free..". Damn..I was touched. I've been asking myself a question for a long time: Why would I support FSF and EFF in the 1st place? Probably I can say now, that is: It's worth. Making the public can get benefit from it and educate the public about free software and digital privacy are so important in the information age.

btw: Hope I can make it to 31C3.

May the L0rd's hacking spirit guides us in 2015!