[SecurityRatty] tag: tiny

Secure Coding Secrets?

Tue, 18 Nov 2008 16:38:00 +0000

Hi, Michael here.

A recent article titled "NSA posts secrets to writing secure code" caught my eye in part because the words "writing secure code" always get my attention! But also because anything that can advance the science of securing software is of interest to me.

There is another reason why the article got my attention; my manager, Steve Lipner, is one of the few people to have designed and built a TCSEC A1 assured system and lived to tell the tale. None were sold, but they built one!

The NSA-directed project, the Tokeneer ID Station (TIS), involved building a low-defect system that conforms "to the Common Criteria requirements for Evaluation Assurance Level 5 (EAL5)" in a "cost effective manner." I'm all for this, because building high-assurance solutions is not cheap.

There's a paper with more technical detail about the project that is worth a read.

In my opinion, the project is only a science project, an experiment, for the following reasons:

It's tiny. Weighing in at a little under 10 KLOC.
It's only a very small portion of a much larger solution which has not been developed using the same rigor. This bit of context makes the solution as a whole moot. Call me cynical, but my question is "can the entire solution be built with same rigor in a ‘cost effective manner'?" Perhaps it can, but that is not what is presented.
It sits on top of many operating systems (Windows, Mac OS X and Linux) that are not EAL5 certified. So it would be a little like having an EAL5 certified CharMap application running on EAL4 Windows Vista.
It's written in a subset of Ada called SPARK, and SPARK skills are not common in the marketplace. Interestingly, SPARK makes use of annotations to help drive the static analysis process. While not a total analog, we also recommend Microsoft development teams use annotations (SAL) to help drive the required static analysis process.
The application has a large number of dependencies that are not part of the project:

Directory of C:\tokeneer\data

18/08/2007 08:51 605,333     libgdk-win32-2.0-0.dll
18/08/2007 08:51 166,177     libgdk_pixbuf-2.0-0.dll
17/08/2007 18:07 642,115     libglib-2.0-0.dll
17/08/2007 18:07 28,853      libgmodule-2.0-0.dll
17/08/2007 18:07 223,026     libgobject-2.0-0.dll
18/08/2007 08:52 3,170,609   libgtk-win32-2.0-0.dll
08/08/2008 16:32 4,868,618   libgtkada-2.10.dll
07/04/2004 11:47 44,100      libintl-1.dll
17/08/2007 18:29 522,940    libcairo-2.dll
17/08/2007 18:36 262,784    libpango-1.0-0.dll
17/08/2007 18:36 62,334      libpangocairo-1.0-0.dll
17/08/2007 18:37 88,626      libpangowin32-1.0-0.dll
07/10/2001 01:52 171,008     libpng-3.dll
07/04/2004 11:46 58,077     libz.dll
07/04/2004 11:47 843,776     iconv.dll
17/08/2007 18:22 142,762    libatk-1.0-0.dll
16/01/2007 12:27 131,784     libjpeg6b.dll

In the SDL we call these files ‘giblets' because they are components needed for your application to operate, but they do not belong to your team. Some of the files look old and highly vulnerable, such as libpng-3.dll from 2001! OSVDB lists 23 vulnerabilities since 2002 in libpng!

In summary, the TIS project is very interesting to a small number of important but specialized customers, such as the NSA, for whom this kind of research is critical. I too found it interesting, but the process is far from a set of "secrets to writing secure code" and the tools are certainly not within reach of day-to-day applications and not applicable to developing complete solutions.

As usual, all comments are very welcome.

VC and IPO Outlook

Fri, 07 Nov 2008 06:07:37 +0000

Forbes interviews venture capitalist Charlie Harris. He is the Chairman of Harris and Harris (NASDAQ:TINY) a venture capital fund which is focused on funding nanotech companies. He is bullish looking forward from today for a couple of reasons

1. We have an eight year back log of good companies and ideas due to a poor IPO environment, we have had an eight year drought in IPOs but still lots of good ideas out there.

2. Clean tech theme has a lot of room left to grow

3. The recent financial crisis has revealed and removed a lot of risks

4. The best businesses are started in times of economic distress. Dislocation equals opportunity. Companies that start during financial distress have tremendous discipline to survive.

Somewhat surprisingly for a person with 100% of his fund invested in nanotech, he does not see nanotech as the leader of a next IPO bookm. He seems to see nanotech as an enabling technology (my words not his) so you will see nanotech enabling clean fuel, cancer drugs and so on, and these individual spaces could boom, but not an "all things nanotech" type boom.

NBA Preview and Flashback

Tue, 28 Oct 2008 20:42:50 +0000

NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.

The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense

*Flashback*

I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)

C: Moses Malone - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time.

PF: Bobby Jones - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)

SF: Bernard King - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.

SG: Andrew Toney - they called him the Boston strangler and as Celtics fan there was no one I was more afraid of. Its a real shame his career got cut short. (Runner up: George Gervin)

PG: Tiny Archibald - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)

Sixth Man - World B. Free - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)

Change!!!

Thu, 09 Oct 2008 13:17:00 +0000

No, this is not about a certain populist US politician :-) It is about a much graver subject indeed.

As of today, the only Chief Logging Evangelist in the world is no more. I have resigned from my position at LogLogic, effective October 9, 2008, which is today. Please don't contact me at the company email; use my personal email instead. My LinkedIn profile has been updated accordingly.

If you are curious, I still love logs. I really do. Logs are cute :-) You should love them too. And, it goes without saying, I will always remember that title, Chief Logging Evangelist, that I have created for myself. People did say that "Anton wakes up and thinks 'what else he can do today to make the world love logs?'" - it was pretty much like this. In fact, I think world does love logs a tiny bit more now and thus my mission of a logging evangelist has not been in vain.

I will be offline for the entire next week ("OMG, no blogging?" - "Nope, no blogging!") and you, my dear reader, will have to wait until October 20th to hear the news about ...

... where Anton is NOW!!!???

Yes, where is he? :-)

Talk to ya October 20th! The end always brings the new beginning ...

P.S. Please don't tell me that I have a penchant for dramatic. I know :-)

Technorati Tags: chuvakin

Web Based Malware Eradicates Rootkits and Competing Malware

Wed, 01 Oct 2008 14:08:43 +0000

A tiny 20kb antivirus module within "yet another web based malware in the wild", promises to get rid of all Zeus variants, and also, detect and remove rootkits found on the infected system in order to ensure that it's the only malware the victim remains infected with. What's really special about its command and control interface is that it's AJAX based, with the seller pitching the feature as "you no longer have to hit F5 in order to see how's your malware campaign doing".

Here's a brief (translated) description :

- Simultaneously execute different campaigns, allocate specific bots for specific countries only, set time and data for automatic update with the new binaries
- Firewalls and antivirus bypassing capabilities, Anti-tracing, anti-reverse engineering
- Self defense mechanism for harder removal
- ICQ notifications for finished tasks, newly infected hosts, graphical statistics

Exactly how it removes rootkits remains yet unknown due to its proprietary nature and brief description, but resetting the hosts file and taking advantage of updated BHO list of known malware are among the ways it removes competing malware.

Modified Zeus Crimeware Kit Comes With Built-in MP3 Player

Mon, 29 Sep 2008 13:55:03 +0000

Modified versions of popular open source crimeware kits rarely make the headlines due to the fact that anyone can hijack a crimeware kit's brand, build and innovate using its foundations, and claim it's a new version released by the original authors. That's of course in between the tiny time frame until he's exposed as the fake author of Zeus that may have in fact came up with a unique feature that the original authors didn't include.

This modified version of Zeus is yet another example of how cybercriminals are actively modifying crimeware kits, literally making such practices as keeping version numbers irrelevant. While the administrator is managing his botnet, he can load local, or tunein the built-in online radio stations the author of this modification included, next to changing Zeus entire graphical layout.

Let's take into consideration another example, the infamous Pinch DIY malware builder, that's been around for over 4 years. With the populist arrest of its authors in 2007, cybercriminals are still innovating on the foundations offered by Pinch, and thanks to its publicly obtainable source code. It's also worth pointing out that these two Zeus and Pinch modifications are courtesy of a single individual, that in between modifications of popular crimeware kits, seems to be busy porting different modules on different malware kits and web based malware, knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based malware, and botnet management kits.

From a sarcastic perspective - what's next? Perhaps a built-in slideshow of random screenshots taken from malware infected desktops in the botnet, or even a pink layout modification for female botnet masters. Customerization, and customer tailored services can make anything happen, and naturally enjoy the higher profit margins.

Friday Squid Blogging: Dissecting a Giant Squid

Fri, 19 Sep 2008 12:56:37 +0000

In Santa Barbara.

Among other dissection highlights, Hochberg pulled out plastic-like pieces, which comprised what could be best described as a backbone, as well as a translucent brownish-yellow piece of the beak, which is made of fingernail-like material. The giant squid's anatomy features a mouth at the top of the head, which means the esophagus travels through the brain. "So you have to get very small chunks of food," said Hochberg, "or you'll blow your brains out." The sharp beaks, then, are used to chomp food into tiny pieces before sending it down the esophagus, through the brain, and into the gut.

Review: Eye-Fi Explore Hits the Mark

Tue, 12 Aug 2008 08:13:02 +0000

After spending two weeks with the $130 Eye-Fi Explore Wi-Fi memory card, I'm a fan: The Eye-Fi Explore was introduced in July by the eponymous firm to support geotagging - embedding latitude and longitude into photo metadata - and easier uploading of images. The Eye-Fi Explore is a Secure Digital (SD) card with 2 GB of storage, a tiny computer, and a Wi-Fi radio. The Explore uses Skyhook Wireless's Wi-Fi positioning data combined with Wayport's network of 10,000 hotspots, mostly McDonald's, along with revised firmware and software that dramatically improves the experience of uploading photos.

The company shuffled its products into three versions several weeks ago: Eye-Fi Home ($80), which uploads only to a specific computer over a local network; Eye-Fi Share ($100), a rebranded version identical to its first offering last year, which can upload to photo-sharing services or a computer or both; and the Explore. (You can purchase the Eye-Fi Explore from Amazon.com, as well as the other models.)

I reviewed the Explore as a geotagging system for The Seattle Times this last Saturday; I'd reviewed the original Eye-Fi (now Eye-Fi Share) for them last year as well. You can read that review for my take on geotagging, or skip to the bottom of this review, as well.

The hardware is apparently the same or nearly so, and it works just as well as it did last year. The biggest improvements, however, are a few workflow tweaks that make it far easier to manage and track uploads of pictures without draining your camera's batteries down to zero.

Microsoft and BearingPoint see space to play in the Enterprise GRC market

Thu, 07 Aug 2008 12:12:55 +0000

Earlier this week in a joint press release, Microsoft and BearingPoint announced the new BearingPoint Enterprise Governance, Risk, and Compliance product offering. Ok... it will be a while before the more veteran enterprise GRC vendors start really losing sleep over this deal. But BearingPoint continues to be a top risk consulting firm, and Microsoft’s reach through the business user community will be an attractive benefit for compliance and risk professionals trying to get hundreds or thousands of staff members to contribute to the GRC program. There’s potential here for sure.

With software giants IBM, Oracle, SAP, and now Microsoft increasing their level of commitment in the enterprise GRC space, the 2-3 year market outlook continues to change. The risk and regulatory landscape is only going to get tougher to handle, and the more GRC programs can run seamlessly with existing business processes and applications, the better. The vendors focused solely on GRC still have the advantage for now, but market consolidation is on its way... and it’s coming maybe just a tiny bit faster than it was at the start of this week.

Where Computers and Biology Intersect What is Life?

Thu, 07 Aug 2008 07:52:28 +0000

Scientists have recently discovered a biological virus called Sputnik that can infect another virus (a Giant Virus, known as mamavirus), and hijack its machinery for self-replication — and they’re using this new discovery as evidence that a virus is alive.

The question whether biological viruses are forms of life has been debated, since they lack the respiratory and metabolic process of other accepted life forms. Naturally, different scientists have different reasons for opinions either way.

So how does the new virus-infecting-virus work?

With just 21 genes, Sputnik is tiny compared with its mama — but insidious. When the giant mamavirus infects an amoeba, it uses its large array of genes to build a ‘viral factory’, a hub where new viral particles are made. Sputnik infects this viral factory and seems to hijack its machinery in order to replicate. The team found that cells co-infected with Sputnik produce fewer and often deformed mamavirus particles, making the virus less infective. This suggests that Sputnik is effectively a viral parasite that sickens its host — seemingly the first such example.

…

“It was the cause of great excitement in virology,” says Eugene Koonin at the National Center for Biotechnology Information in Bethesda, Maryland. “It crossed the imaginary boundary between viruses and cellular organisms.”

Science fiction, fantasy and the popular imagination have been fueled in recent decades by the concept of the cyborg, that fusion of machine and creature — but under the scientists’ new definition, even your laptop might be evidence of life…provided it’s infected by a computer virus.