
SECURITY ASPECTS OF OPEN SOURCE


2 © 2015 Black Duck Software, Inc. All Rights Reserved.

THE OPEN SOURCE SECURITY LANDSCAPE

March 2015

OPEN SOURCE VIEWED AS MORE SECURE

OPEN SOURCE SECURITY LANDSCAPE

• Open Source is increasingly pervasive

• Vulnerabilities accompany wide development and deployment

• Vulnerabilities disclosed in the last 18 months have raised questions about the OSS security model


HEARTBLEED

A serious vulnerability in the popular OpenSSL cryptographic software library.

Allows stealing the information that is normally protected by the SSL/TLS encryption used to secure the Internet.

SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Allows anyone on the Internet to read the memory of systems running the vulnerable versions of the OpenSSL software.

• Exposes the names and passwords of users and the actual content of their traffic

• Allows eavesdropping on communications
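The memory over-read came from trusting the length field inside the heartbeat message itself. The Python model below is an added example, not OpenSSL's code: it places the pre-fix logic (believe the declared payload length) beside the bounds check the fix introduced (header plus declared payload plus minimum padding must fit in the record actually received). The message layout follows RFC 6520; the record bytes are constructed.

```python
import struct
from typing import Optional

HB_HEADER_LEN = 1 + 2    # HeartbeatMessageType (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16      # RFC 6520: a heartbeat message carries at least 16 bytes of padding
HB_REQUEST, HB_RESPONSE = 1, 2

def build_heartbeat(payload: bytes) -> bytes:
    """Encode a HeartbeatRequest whose length field matches its payload."""
    return struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * HB_MIN_PADDING

def reply_len_unchecked(record: bytes) -> int:
    """Pre-fix logic: believe the sender's payload_length.

    The response was built by copying payload_length bytes out of the receive
    buffer, so a record that declares more payload than it carries makes the
    peer copy adjacent process memory into its reply.
    """
    _, payload_length = struct.unpack("!BH", record[:HB_HEADER_LEN])
    return payload_length

def reply_len_checked(record: bytes) -> Optional[int]:
    """Post-fix logic: header + declared payload + minimum padding must fit in
    the record actually received, otherwise the record is silently dropped."""
    if len(record) < HB_HEADER_LEN:
        return None
    _, payload_length = struct.unpack("!BH", record[:HB_HEADER_LEN])
    if HB_HEADER_LEN + payload_length + HB_MIN_PADDING > len(record):
        return None
    return payload_length

def build_reply(record: bytes) -> Optional[bytes]:
    """Answer only records that pass the bounds check; echo exactly the bytes received."""
    payload_length = reply_len_checked(record)
    if payload_length is None:
        return None
    payload = record[HB_HEADER_LEN:HB_HEADER_LEN + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * HB_MIN_PADDING

# Constructed records, not captured traffic.
HONEST = build_heartbeat(b"ping")                                          # 3 + 4 + 16 = 23 bytes
LYING = struct.pack("!BH", HB_REQUEST, 0xFFFF) + b"\x00" * HB_MIN_PADDING  # 19 bytes, claims 65535

if __name__ == "__main__":
    print("unchecked logic would copy", reply_len_unchecked(LYING), "bytes")
    print("checked logic returns", reply_len_checked(LYING))
    print("honest reply:", build_reply(HONEST).hex())
```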


SHELLSHOCK BASH (BASHDOOR)

Shellshock is a vulnerability in GNU's bash shell.

Allows attackers to run commands remotely on a vulnerable system.

By executing Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.


POODLE

Padding Oracle On Downgraded Legacy Encryption (POODLE) is a flaw in how browsers handle encryption.

Attackers acting as a man-in-the-middle can alter data in a way that forces a leak of data from a block cipher.

Many of the cipher suites in SSL v3.0 are already out of use because of insecure and small key sizes.

The POODLE vulnerability allows attackers to exploit the design of SSL v3.0 to decrypt sensitive information such as secret session cookies, which gives the attacker the ability to hijack users' account sessions. Because the protocol is too old, the flaw can't be patched, but it is hastening the retirement of SSL v3.0 as a standard.
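The "design of SSL v3.0" that POODLE turns into an oracle is its CBC padding rule: only the final byte (the padding length) is checked, never the padding bytes in front of it, so a receiver accepts and strips a last block whose content the sender did not choose. The Python below is an added example, not from the deck: it contrasts that rule with the TLS 1.0 rule that every padding byte must equal the padding length, and counts how many values of the final byte each check accepts for a block of arbitrary bytes. The data and junk bytes are constructed.

```python
from typing import Callable, Optional

BLOCK = 16  # block size in bytes; the padding rules below do not depend on the cipher

def sslv3_strip_padding(plaintext: bytes) -> Optional[bytes]:
    """SSL 3.0 CBC rule: the last byte is the padding length and must be smaller
    than the block size. The padding bytes in front of it are never inspected,
    so any 15 bytes followed by 0x0F count as a full block of padding."""
    if not plaintext or len(plaintext) % BLOCK:
        return None
    pad_len = plaintext[-1]
    if pad_len >= BLOCK:
        return None
    return plaintext[: len(plaintext) - pad_len - 1]

def tls_strip_padding(plaintext: bytes) -> Optional[bytes]:
    """TLS 1.0+ rule: every padding byte must equal the padding length, which
    binds the padding content and removes the ambiguity SSL 3.0 leaves open."""
    if not plaintext or len(plaintext) % BLOCK:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]

def accepted_last_bytes(strip: Callable[[bytes], Optional[bytes]], data: bytes, junk: bytes) -> int:
    """Count the values of the final byte for which `strip` accepts a last block
    made of `junk` (15 bytes the sender did not choose) plus that byte."""
    assert len(data) % BLOCK == 0 and len(junk) == BLOCK - 1
    return sum(strip(data + junk + bytes([last])) is not None for last in range(256))

# Constructed sample: one block of application data, then a final block whose
# first 15 bytes are arbitrary (here 0x01..0x0F) rather than real padding.
DATA = b"Cookie: sid=0123"       # exactly one 16-byte block
JUNK = bytes(range(1, BLOCK))     # 15 bytes

if __name__ == "__main__":
    print("SSL 3.0 accepts", accepted_last_bytes(sslv3_strip_padding, DATA, JUNK), "of 256 final bytes")
    print("TLS 1.0 accepts", accepted_last_bytes(tls_strip_padding, DATA, JUNK), "of 256 final bytes")
```

With SSL 3.0 any final byte from 0x00 to 0x0F passes regardless of the other fifteen bytes, while the TLS check passes only the one value whose padding happens to be well formed.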


GHOST

"GHOST" is the name of a vulnerability recently found in one of the key components of Linux systems.

The component is the GNU C Library (glibc), which is used by all Linux programs.

The vulnerability was found in a function of this library that converts Internet host names to Internet addresses.

If an attacker found vulnerable software and a way to pass a properly crafted host name to this function, the attacker could theoretically take control of the system.


OPEN SOURCE SECURITY

Community Purview, Limitations

[Diagram: nested rings, from outer to inner: User Community & Ecosystem, Developer Community, Core Developers]

OPEN SOURCE DEVELOPMENT MODEL

• Core project developers create, maintain and curate the code base

• Vet contributions from the larger community

• Focus on project goals – features, performance, etc.

OPEN SOURCE CODE CURATION MODEL

[Diagram: the same nested rings (User Community & Ecosystem, Developer Community, Core Developers) feeding successive curated releases: Code v1, Code v2, ..., Code vN]


OPEN SOURCE CODE QUALITY ASSURANCE

Linus’ Law: Many eyes make all bugs shallow

-- Eric Raymond

CODE (typical defect classes): unterminated strings, indices out of bounds, memory leaks, faulty logic, regressions, misconfiguration, stray pointers, back doors, parameter reversal, debug code, race conditions, deprecated versions, priority inversion, uninitialized variables, privilege violations

COMMUNITY: maintainers, developers, users


THEORETICAL “TRIPLE FENCE” OF OSS SECURITY

[Diagram: three fences between Code and Production, from inner to outer: OSS Project Purview, Distribution / Platform Creation, Enterprise / OEM Integration]


OPEN SOURCE CODE SECURITY GAP

Majority of eyes occupied elsewhere

Minority of community is security-savvy

CODE (typical defect classes): unterminated strings, indices out of bounds, memory leaks, faulty logic, regressions, misconfiguration, stray pointers, back doors, parameter reversal, debug code, race conditions, deprecated versions, priority inversion, uninitialized variables, privilege violations


• Use-case specific errors

• Local misconfiguration

• LAN-based vulnerabilities

• Deployed deprecated s/w versions

• Weak encryption

• Bad authentication

• Stolen credentials

• Viruses, Trojans & other malware

• Denial of service attacks

• Weak passwords

• Unenforced security policy

• Phishing

• Man-in-the-middle attacks

• Forged certificates

• Spoofed MACs and IP addresses

• Latent zero-day exploits

• Brute force decryption


BLACK DUCK & OSS SECURITY

Open Source Logistics and


SECURITY TECHNOLOGIES

Intrusion Detection, End-point Security, Network Security, Certifiable Systems, Formal Verification, Authentication, Code Quality Tools, Binary Obfuscation, Encryption, Capabilities & Access Control, Policy Enforcement, Patch/Update Management, Configuration Management, Auditing & Logging, Physical Security, Hardware Mechanisms

BLACK DUCK OSS SECURITY

VULNERABILITY DETECTION AND REMEDIATION

[Same security technology map as the previous slide]


AUTOMATE VISIBILITY AND CONTROL – OSS LOGISTICS

OSS Logistics pipeline: Choose → Approve → Scan → Inventory → Secure → Deliver



VERSION PROLIFERATION IN SOFTWARE STACKS

Deprecated Versions of OSS

• Can contain

  • Bugs fixed later

  • Security vulnerabilities

• Add size & complexity

  • Unneeded extra code

  • Namespace conflicts

  • Operational costs

OSS Reality Check

• Modern apps contain

  • Millions of lines of code

  • Thousands of OSS s/w components & 3rd party code

  • Multiple versions of each

• Multiple points of ingress

  • Developers take code from multiple sources

  • Not all reliable, up-to-date

[Diagram: EIT or OEM Deployment stack, Value-added Code on top of Open Source Libraries, etc., with Up-to-Date Versions shipped alongside Version N-1]
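The inventory problem on this slide, several versions of one component pulled in from different places with some of them deprecated, is what an automated scan has to surface before anything can be secured. The Python below is an added example, not a Black Duck tool: over a constructed inventory it reports components present in more than one version and matches each copy against a constructed advisory range (the version numbers and the advisory identifier are illustrative, not a real feed).

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Component(NamedTuple):
    name: str
    version: str
    path: str        # where this copy lives in the build or image

class Advisory(NamedTuple):
    ident: str
    name: str
    first_affected: str   # inclusive
    fixed_in: str         # exclusive

def version_key(version: str) -> Tuple[Tuple[int, int], ...]:
    """Sortable key for dotted versions with optional letter suffixes ('1.0.1f'):
    numeric runs compare numerically, a letter run sorts after the number it follows."""
    return tuple((0, int(run)) if run.isdigit() else (1, ord(run[0]))
                 for run in re.findall(r"\d+|[A-Za-z]+", version))

def find_proliferation(inventory: List[Component]) -> Dict[str, List[str]]:
    """Components shipped in more than one version, each with its versions sorted."""
    seen: Dict[str, set] = defaultdict(set)
    for c in inventory:
        seen[c.name].add(c.version)
    return {n: sorted(v, key=version_key) for n, v in seen.items() if len(v) > 1}

def find_vulnerable(inventory: List[Component], advisories: List[Advisory]) -> List[Tuple[Component, str]]:
    """Copies whose version lies in [first_affected, fixed_in) of an advisory."""
    hits = []
    for c in inventory:
        for a in advisories:
            if a.name == c.name and \
               version_key(a.first_affected) <= version_key(c.version) < version_key(a.fixed_in):
                hits.append((c, a.ident))
    return hits

# Constructed inventory and advisory data for the example; not a real scan or feed.
INVENTORY = [
    Component("openssl", "1.0.1f", "/usr/lib"),
    Component("openssl", "1.0.1g", "/opt/app/vendor"),
    Component("openssl", "0.9.8y", "/opt/legacy"),
    Component("zlib", "1.2.8", "/usr/lib"),
]
ADVISORIES = [Advisory("ADV-EXAMPLE-1", "openssl", "1.0.1", "1.0.1g")]

if __name__ == "__main__":
    print("multiple versions:", find_proliferation(INVENTORY))
    print("affected copies:", [(c.version, c.path, a) for c, a in find_vulnerable(INVENTORY, ADVISORIES)])
```

Note that the copy below the advisory's first affected version and the copy already at the fixed version are both left alone; only the one copy inside the range is reported, together with the path that tells you which ingress point brought it in.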


BLACK DUCK HELPS KEEP OPEN SOURCE S/W CONTENT UP TO DATE AND VULNERABILITY-FREE

Black Duck Tools

• Help enforce sourcing policies

  • Licenses

  • Versioning

  • Security

• Eliminate version proliferation

  • Identify deprecated s/w versions

  • Keep s/w up-to-date

• Root out known / possible vulnerabilities

[Diagram: same EIT or OEM Deployment stack as the previous slide, with Up-to-Date Versions replacing Version N-1]


OSS CERTIFICATION CHALLENGES


OPEN SOURCE PLATFORMS – A CERTIFICATION CHALLENGE

Linux, Android too large, too dynamic to certify

• Linux kernel now tops 20 MLoC

• Certification competency < 15 KLoC

• 200-500 additional packages (libs, utils, etc.) – all moving targets

Certification regimes require comprehensive specification

• Documentation does not exist at requisite level

Alternative Path – Virtualization / Separation Kernels


PRODUCT LIFE CYCLE ALIGNMENT WITH OSS AND CERTIFICATION

[Diagram: product timeline (Project Launch → Code Freeze → Product Release → End of Life, with Maintenance Updates, etc.) against the certification phases Pre-market, Certify and Re-certify, and a succession of OSS versions, each made up of OS, Tools, M/W, Security, Docs and Updates]


COMMERCIAL (3RD PARTY) SERVICES TO SUPPORT DEVICE CERTIFICATION

What is available to you?

Dedicated Consulting Practices

• Security analysis, certification services

Artifacts Generation

• Storyboarding, benchmarking, requirements capture

Design for

• Verification and validation

• Safety, security, and standards compliance

Development process review and risk planning

Vulnerability analysis

• For software and hardware architectures


TECHNOLOGY STRATEGY RECOMMENDATIONS

Choose embedded OSS platform carefully

• Be wary of informal supply of embedded Linux, Android by semiconductor manufacturers

• Consider working with commercial platform providers

• Gain access to services targeted at medical OEMs

Treat embedded Linux as COTS s/w base

• Establish formal ingestion procedures

• Maintain platform code in isolation from value-added apps and other Gambro-specific software

Certification-specific concerns

• Anticipate challenges/levels of concern by building artifact base around Linux platform early in life-cycle

• Construct or acquire secondary documentation, test plan and test harness to facilitate traceability


Rehost legacy apps, OS as a guest in a virtual machine

• Type I Hypervisor (bare metal)

• Native Linux Containers - LXC

• Commercial products

  • GB Broadband (OK Labs)

  • GreenHills (Padded Cell)

  • Red Bend (VirtualLogix)

  • VMware, et al.

  • Wind River

Strengths

• No porting, retain certification

• Smaller TCB

Weaknesses

• Still requires legacy RTOS, stack,


References
