[SecurityRatty] tag: rand

Understanding Terrorist Behavior

Mon, 03 Nov 2008 03:57:40 +0000

Two items, one short and one long.

The short one: "A Look at Terrorist Behavior: How They Prepare, Where They Strike," by Brent Smith, National Institute of Justice Journal, No. 260, 2008.

The long one: How Terrorist Groups End: Lessons for Countering al Qa'ida, by Seth G. Jones and Martin C. Libicki, RAND Corporation, 2008.

WordPress 2.6.2 Released Due To PHP Weakness That Might Lead To Attack

Mon, 08 Sep 2008 23:24:16 +0000

New WordPress version, 2.6.2, was released today to mitigate a new attack vector discovered by PHP security researcher Stefan Esser. According to an advisory from WordPress blog, Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). Blogs that allow users registration should be upgraded as soon as [...]

Improve Security with "A Layer of Hurt"

Thu, 31 Jul 2008 15:13:00 +0000

Hello, Michael here.

I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number of people who thought fuzz testing was hard, or that you only left fuzz testing to ‘leet hackers.

During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

Read from files: fread, ReadFile
Reading from sockets: recv, recvfrom
For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

char RecvBuf[1024];
int BufLen = sizeof(RecvBuf);

int result = recvfrom(
   RecvSocket,
   RecvBuf,
   BufLen,
   0,
   (SOCKADDR *)&SenderAddr,
   &SenderAddrSize);

#ifdef _FUZZ
Fuzz(RecvBuf,&BufLen);
#endif

Or, in C#, code that reads from an untrusted file:

FileStream fileStream = new FileStream(filename, FileMode.Open, FileAccess.Read);
uint len = (uint)(fileStream.Length);
byte[] fileData = new byte[fileStream.Length];
fileStream.Read(fileData, 0, (int)len);
fileStream.Close();

#if _FUZZ_
Malform pain = new Malform();
fileData = pain.Fuzz(fileData);
#endif

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

void Fuzz(_Inout_bytecap_(*pcbBuf) char *pBuf,
_Inout_ size_t *pcbBuf) {

if (!pcbBuf || !pBuf || !*pcbBuff || *pBuf) return;
if ((rand() % 100) > 5) return; // fuzz about 5% of Buffers

size_t cLoop = 1 + (rand() % 4);

for (size_t j = 0; j < cLoop; j++) {

    size_t i=0,
      iLow = rand() % *pcbBuf,
      iHigh = 1+rand() % *pcbBuf,
      iIter = 1+rand() % 8;

    if (iLow > iHigh)
      {size_t t=iHigh; iHigh=iLow; iLow=t;}

char ch=0;
switch(rand() % 9) {

      case 0 : // reset upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] &= 0x7F;
        break;

      case 1 : // set upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] |= 0x80;
        break;

      case 2 : // toggle all bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] ^= 0xFF;
        break;

      case 3 : // set to random chars
        for (i=iLow; i < iHigh; i++)
          pBuf[i] = (char)(rand() % 256);
        break;

      case 4 : // set NULL chars to (possibly) non-NULL
        for (i=iLow; i < iHigh; i++)
          if (!pBuf[i])
            pBuf[i] = (char)(rand() % 256);
        break;

      case 5 : // swap adjacent bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          {char t=pBuf[i]; pBuf[i] = pBuf[i+1]; pBuf[i+1]=t;}
        break;

      case 6 : // set to random chars every n-bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          pBuf[i] = (char)(rand()%256);
        break;

      case 7 : // set bytes to one random char
        ch=(char)(rand() % 256);
          for (i=iLow; i < iHigh; i++)
            pBuf[i] = ch;
        break;

      default: // truncate stream
        *pcbBuf = iHigh;
        break;
     }
   }
}

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

True Randomness

Wed, 21 May 2008 12:36:10 +0000

One more time on the Debian OpenSSL bug. It inspired web developer Bo Allen to look into the randomness of the PHP rand() function. He compared it to the results from random.org, which uses atmospheric noise as a random seed. The result is a visually clear example of randomness and not-so-randomness. Read the blog, you'll see what I mean. Allen's test makes me think that someone (no, I don't have the time) should do the same with other programmatic random number generators.

Random Number Bug in Debian Linux

Mon, 19 May 2008 02:07:59 +0000

This is a big deal:

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c
	MD_Update(&m,buf,j);
	[ .. ]
	MD_Update(&m,buf,j); /* purify complains */
These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only "random" value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

More info, from Debian, here. And from the hacker community here. Seems that the bug was introduced in September 2006.

More analysis here. And a cartoon.

Random numbers are used everywhere in cryptography, for both short- and long-term security. And, as we've seen here, security flaws in random number generators are really easy to accidently create and really hard to discover after the fact. Back when the NSA was routinely weakening commercial cryptography, their favorite technique was reducing the entropy of the random number generator.

Got Entropy ?

Tue, 01 Apr 2008 22:55:47 +0000

So I have been planning a series of podcasts on Cryptographic Controls. In the process of this planning, I fell into one of the classic traps that crypto-geeks fall into: obsessing about random number generators (RNGs).

(FYI, for the impatient, click here.)

There are two ways to generate random numbers on computers: (1) use a software program called a Pseudorandom Number Generator (PRNG) or (2) use a hardware random number generator. A Pseudorandom Number Generator uses a seed value to generate a sequence of numbers that appear random. The problem is that the same seed generates the same random sequence. The hardware based RNG observes and samples some physical phenomenon which is random, such as cosmic rays, RF noise, etc. (aka Entropy).

RNGs are important in Information Security because they are used to generate encryption keys, salts, etc. Historically, attacking RNGs has proven effective, such as the defeat of Netscape’s HTTPS sessions.

Most operating systems utilize a hybrid approach, implementing a PseudoRandom Number Generator that has a seed that is regularly updated through the collection of random hardware events. This process is called Entropy Collection or Entropy Harvesting. For most applications, this approach should be completely sufficient. However, one of the key assumptions is that the operating system has been up and running long enough for the seed value itself to become hard to predict through the collection of Entropy. Also, many of the Entropy collecting events come from properties of hardware devices, such as the minor variations in hard drive rate of rotation. As such, there are a few circumstances where the OS RNG may not be good enough for strong cryptographic key generation:

Live Boot CD ( The start state of the RNG may be predictable. )
Virtualized Hosts ( OS may be dependent on simulated events for randomness. )

( Given the exploding popularity of virtualization, this is an area worthy of research. Stay tuned. )

Design of the Got Entropy Service

Many RNGs (such as the one included in Linux, as well as OpenSSL’s) allow the addition of entropy from outside sources. So I started looking to Entropy sources I could use to bolster the RNGs on my virtual hosts (and other uses…). While I was looking into this, it occurred to me that I had an unused TV tuner card, a PVR-350.

When a TV is tuned to a channel with no local station, the ’snow’ on the screen is RF noise (the same as the static between stations on AM radios). But, for reasons beyond our scope, you never use a direct physical observation as the RNG. You have to ‘de-skew and whiten’ the data prior to sampling it. Here is the process that I use:

Collect about 3 minutes of video ( about 130 MB data ).
Using a random key and IV, encrypt the data ( using openssl & AES-128-CBC ).
Discard the first 32k of the file.
Use each of the following 32k blocks as samples.
Compress each sample with SHA-256.
Discard the last block.

Steps 2 and 3 remove any patterns, such as MPEG file formatting, from the data.
Steps 4 and 5 generate a 32-byte random value ( 1024 to 1 compression in the hash ).

Check it out at http://gotentropy.artofinfosec.com

Can an Attacker Broadcast a Signal to Undermine This?

Such an attacker could not remove RF noise from the received signal. Our eyes and brains are good at filtering out the noise in the TV video, but there is a lot of it. Part of the noise comes from the atmospheric background RF, but there are also flaws (noise) in the tuner’s radio and analog-to-digital capture circuitry.

I think this is a pretty strong RNG, and I have provided an interface for pulling just the values.

Also, I have written a script ( getEntropy.sh ) that will pull Entropy from the service and seed it into /dev/random on Linux.

Results from ENT

Here are results, from a sample run of the Got Entropy, analyzed by ENT ( A Pseudorandom Number Sequence Test Program provided by John Walker of www.fourmilab.ch - Thanks, John! ).

Entropy = 7.999987 bits per byte
Optimum compression would reduce the size of this 13366112 byte file by 0 percent.
Chi square distribution for 13366112 samples is 233.85, and randomly would exceed this value 82.48 percent of the time.
Arithmetic mean value of data bytes is 127.4767 (127.5 = random).
Monte Carlo value for Pi is 3.143054786 (error = 0.05 percent).
Serial correlation coefficient is -0.000078 (totally uncorrelated = 0.0).

Resources for the Curious…

Cheers, Erik

Art of Information Security would love your feedback !

Got Entropy ?

Banning function calls, assurance, and retrofitting

Tue, 18 Mar 2008 16:48:00 +0000

I've been working on some C/C++ secure coding standards lately, and trying to mesh those up with the results from the static analyzer I'm using. As it turns out there is a fine line to be drawn between what you consider best practices, what a static analyzer can find, how much context the static analyzer has, and how much manual review you really want to put up with.

Let me give a specific example.

Coverity's Prevent analyzer has a number of built-in "unsafe" functions defined. The list includes the standard cast such as scanf, strcpy, strcat, etc. On top of that though they add some things that didn't make Microsoft's list; for example, rand().

I don't technically have a problem with including rand() in the list of things to be extremely careful about, but whereas it is nearly impossible to guarantee that someone has used strcpy() right, rand() actually has some pretty legitimate uses.

Consider the case where we want to do a randomized delay in processing something, or where we wish to randomly assign work to different people when it comes in, or randomly pull an item off a work queue for a customer service agent. None of these cases requires a cryptographically sound random number generator. For the most part, using rand() is a perfectly reasonable choice in this sort of situation.

When you decide that you want to ban certain function calls, or call them out in findings in a static analyzer, you're treading a fine line with your developers and the people you're going to ask to go and clean up the old code you have around. You can choose to go several routes.

File defects against the old code for any use of a banned function, without investigating the specific use
File defects against old code only after verifying that in the context you have a potential vulnerability
Get a dedicated team together to just go and clean up old code

Each of these approaches has its plusses and minuses.

If you choose to file defects against your developers for code that is years old and wasn't necessarily written by them without verifying the vulnerabilities, you run the risk of them not taking the secure coding rules seriously. Many of the items they find are going to be false positives from a currently-exploitable perspective, and they are going to be cranky with you.

If you choose to go through the validate each and every defect and the types of defect are pervasive, you're going to spend almost as much verifying the defect as fixing it. Especially if you're going through and simply replacing strcpy() with strlcpy() for example. For both this and the case above though, developers are going to be going through the code, and with the proper training/awareness, they might actually learn more about some of the old code, or at least start to have a better sense of some real security issues in the code.

If you choose to get a dedicated team together to fix the old code, you're likely to save money in the short run. A dedicated team is going to get used to fixing the coding defects of this type, and you're going to make a lot shorter job of it. The downside being that the regular developers aren't getting some of the code review experience you'd really like.

To top things off, if you go route #2, wherein you only fix things that are currently exploitable, you run the risk of the code being used in a different way elsewhere and causing problems down the road.

Back to my rand() example. In every case where I've found rand() used it hasn't been in a security critical context. Do I want to leave these instances of rand() in my code as examples that others might follow, next time in a security sensitive context? Or, do I want to take a relatively dogmatic approach to this and all other banned/"unsafe" functions and eliminate them entirely from my codebase?

I'm leaning towards some sort of middle ground. If I can find the time for a dedicated team to go through the code to clean up old issues, then I'm likely to remove all instances of things that could be unsafe, just so we don't leave things around that could be copied into an truly unsafe context.

Its a tricky balancing act to determine how dogmatic you want to be about fixing up the use of certain "unsafe" functions. Getting it wrong either way can have long term consequences for your secure development program. As always, the right answer depends on a lot of factors.