
Sandbox


Information Security Reading Room - Computer Security White Papers. ICS security: SANS needs your input on attacks and threats and how you're preventing and mitigating them in the industrial control systems environments. Share your experiences and enter to win a $400 Amazon gift card! More than 75,000 unique visitors read papers in the Reading Room every month and it has become the starting point for exploration of topics ranging from SCADA to wireless security, from firewalls to intrusion detection.

The SANS Reading Room features over 2,650 original computer security white papers in 102 different categories. Auto-Nuke It from Orbit: A Framework for Critical Security Control Automation STI Graduate Student Research by Jeremiah Hainly - March 15, 2017 in Automation, Incident Handling, Free and Open Source Software Over 83% of security teams report that the use of automation in security needs to increase within the next three years (Algosec, 2016). All papers are copyrighted. Cryptography - XKCD #936: Short complex password, or long dictionary passphrase? - IT Security - Stack Exchange.

Edit: there seems to lack a thorough explanation of the mathematics in this comic (at least not as detailed as it could be), so here it is. The little boxes in the comic represent entropy in a logarithmic scale, i.e. "bits". Each box means one extra bit of entropy. Entropy is a measure of the average cost of hitting the right password in a brute force attack. We assume that the attacker knows the exact password generation method, including probability distributions for random choices in the method. An entropy of n bits means that, on average, the attacker will try 2^(n-1) passwords before finding the right one.

The point of using "bits" is that they add up. That being said, let's see the two methods described in the comic. The "correct horse" method The password generation process for this method is: take a given (public) list of 2048 words (supposedly common words, easy to remember). The total entropy is then 44 bits, matching the 44 boxes in the comic. The "troubador" method Applicability. Cryptography and Network Security, Fourth Edition. Jockey execution record/replay library. PinkTrace-0.1.2 :: Home. About PinkTrace is a ptrace() wrapper library. Overview PinkTrace is a lightweight C99 library that eases the writing of tracing applications. It consists of the following parts: Wrappers around different ptrace() requests. PinkTrace is currently used by sydbox.

Pandora uses PinkTrace-Easy. Current Status Version 0.1.2 has an unstable API and ABI. Documentation An extensive API reference is available. Bindings Bindings are available for: Note: Bindings for pinktrace-easy have not been written yet. Building This package is made with the GNU autotools, you should run . --enable-easy Build pinktrace-easy (default) --enable-ipv6 Enable support for IPV6 --enable-doxygen Build API documentation using Doxygen --enable-haskell Checks for cabal and generates Setup.lhs --enable-python Build Python bindings --enable-python-doc Build API documentation of Python using epydoc --enable-ruby Build Ruby bindings --enable-ruby-doc Build API documentation of Ruby using rdoc Compiling C Code Examples Contribute License News. Nweb: a tiny, safe Web server (static pages only) Introduction Have you ever wanted to run a tiny, safe web server without worrying about using a fully blown web server that could be complex to install and configure?

Do you wonder how to write a program that accepts incoming messages with a network socket? Have you ever just wanted your own Web server to experiment and learn with? Further updates in 2012 to support recent web-server and browser standards and a code refresh. Well, look no further -- nweb is what you need. This article covers: what the nweb server program offers; a summary of C functions featured in the program; pseudo code to aid understanding of the flow of the code; network socket system calls used and other system calls; how the client side operates; C source code. nweb only transmits the following types of files to the browser: static Web pages with extensions .html or .htm; graphical images such as .gif, .png, .jpg, or .jpeg; compressed binary files and archives such as .zip, .gz, and .tar. Compile with the following command.

Log() web() Selinux sandbox. This is the second in a series of blogs arising from security discussions in my LUG. This month we covered selinux and here I will show some examples of using the selinux sandbox. Dan Walsh explains a selinux sandbox: Introducing the SELinux Sandbox. Many people first encounter sandbox when they find multiple mounts, see this discussion on the Fedora Forums.

Rather than turning this feature off, I would like to give examples of how to use it on a desktop with graphical applications such as a browser or pdf reader. Sandbox uses Xephyr for graphical applications and although you cannot resize a Xephyr window, you can specify the size of the window and you can run a window manager within Xephyr.

Evince Evince is a straightforward application to use with sandbox and you can open a PDF with sandbox -X evince 1782.pdf & The -X flag allows sandbox to use Xephyr. Midori I am going to use midori first as for me it works out of the box and is a fast browser. We can also add the midori configuration file. Introducing the SELinux Sandbox. The other day some of my colleagues and I were discussing a recent request for the Linux Kernel to add "security sandbox" functionality. We talked about how we could do this with SELinux. The discussions brought up an old bug report of mine about writing policy for the "little things". SELinux does a great job of confining System Services, but what about applications executed by users?

The bug report talked about confining grep, awk, ls ... The idea was couldn't we stop the grep or the mv command from suddenly opening up a network connection and copying off my /etc/shadow file to parts unknown. Could we write an SELinux policy that allows users to build scripts to process untrusted content into some output that they could safely use. cat /tmp/UNTRUSTEDCONTENT | sandbox /sbin/filter.sh > /tmp/SEMITRUSTEDCONTENT Another possible use case would be to tie sandbox into GRID jobs, or Condor.

So what were my security goals in writing sandbox. Creating the Sandbox policy. I added. SELinux/Understanding. I gave a course at the SELinux Symposium on using SELinux in Red Hat Enterprise Linux. After the talk, I was amazed at how many people came up to me and said they wish they had this talk before some of the more advanced talks. In the early 80's when I went to college, Holy Cross, computers were the big thing on campus. Everyone thought they had to take a computer class in order to understand computing. We are doing the same thing with SELinux.

SELinux Reference Policy. Project Overview: The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies. Reference Policy was originally based on the NSA example policy, but aims to accomplish many additional goals. Reference Policy is under active development, with support and development staff from Tresys Technology.

The current release is available from the DownloadRelease page. The status page has more details on what is included in the current release. The project is always looking for policy developers interested in contributing. For an in-depth discussion of Reference Policy concepts, see the paper published at the 2006 SELinux Symposium. Project Goals: Security is the reason for existence for SELinux policies and must, therefore, always be the first priority. Strong Modularity: central to the design of the policy is strict modularity. Implementing SELinux. This paper addresses the current need to work under secure standards and to administer operating systems efficiently. SELinux can enforce an administratively defined security policy over all processes and objects in the system, basing decisions on labels that contain a variety of security-relevant information.

The architecture provides clean flexibility by separating the policy logic from the policy enforcement logic. The policy decision-making logic is encapsulated within a single component known as the security server, with a general security interface. A wide range of security models can be implemented as security servers without requiring changes to any other component of the system. SELinux strengthens access control mechanisms by forcing processes to run within an environment with minimal privileges. 3.

SELinux 3.1 Definition 3.2 Characteristics. Hardening The Linux Kernel With Grsecurity (Debian. Security is based on three characteristics: prevention, protection and detection. Grsecurity is a patch for the Linux kernel that allows you to increase each of these points. This howto was performed on a Debian Lenny system.

Thus some tools are Debian specific. However, tasks can be performed with other distro specific tools or even with universal tools (make). Everything will be done with root privileges. However, you can perform them with a limited account thanks to sudo and fake-kpkg tools. 1. To compile the kernel, you need to install some specific packages: rom1:/root# aptitude install patch bin86 kernel-package build-essential If you like to configure your kernel in graphical console mode (make menuconfig), you must install one more package: rom1:/root# aptitude install libncurses5-dev Check that initramfs-tools (used to generate the init ramdisk) is installed (it should be): rom1:/usr/src# dpkg -l initramfs* Go to the source folder: rom1:/root# cd /usr/src Download the grsecurity patch and the.

Grsecurity « All that is wrong with the world… Table of Contents: Introduction; Secure by default; Security practices and philosophy; No way to thoroughly lock down a system; The need for extended access controls; Extended access controls are too complex; Conclusion; References. Introduction Firstly, I would like to apologize for, and clarify the title of this article. I wanted to use a title which would hold attention and encourage discussion while remaining true to the argument I make.

I certainly don’t mean to imply that OpenBSD is a horribly insecure operating system – it isn’t. I do however need to highlight that OpenBSD is quite far removed from a secure operating system, and will attempt to justify this position below. To start, we must clarify at a bare minimum what a secure operating system can be considered to be. Despite this OpenBSD is widely regarded as being one of the most secure operating systems currently available.

Secure by default Used as an indicator to gauge the security of OpenBSD however, it is worthless. Grsecurity TPE Guide. TPE tends to be one of the harder to understand parts of GRSecurity as options like invert GID can be confusing at times. In this document we explain how each possible TPE setup behaves and summarize it with the results of a simple test suite. Introduction Trusted Path Execution (TPE) is a protection which restricts the execution of files under certain circumstances determined by their path. Using it will make privilege escalation harder when an account restricted by TPE is compromised as the attacker won't be able to execute custom binaries which are not in the trusted path. You can also enable a weaker restriction which will prevent race conditions on code executed by non root users. This weaker condition makes non-root users able to run only executables on directories owned by them or root and writeable only by the owner.

To explain how TPE works we will first explain what each kernel option does, and then show the results with an example. Note The different setups No TPE. Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu | Walking in Light with Christ - Faith, Computing, Diary. GRsecurity has long been known as a next generation armouring against 0 day local kernel exploits as well as various other cracker attacks. Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL. GRSecurity is a Linux kernel patch which has to be applied to the kernel before compile time.

However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages. Some of the key grsecurity features are: an intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration; change root (chroot) hardening; /tmp race prevention; prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc); prevention of arbitrary code execution in the kernel; a restriction that allows a user to only view his/her processes. Kernelsec, Debian and Ubuntu GrSecurity packages. HOWTO: Installing Grsecurity patched kernel in debian/ubuntu. Source: This is based on the same walkthrough I posted for grsecurity on red hat based kernels except this is for debian based kernels. The current stable debian kernel is vulnerable to about all of the new local exploits and if you are running the 2.4 kernel you are vulnerable to even more.

Debian even had one of their servers hacked with the local root exploits, they only released a patched kernel for the testing branch to my knowledge. The PDF version can be found HERE. Ok so here goes. If you have not done any compiling or built any kernels you must get the packages needed. sudo apt-get install build-essential bin86 kernel-package sudo apt-get install libqt3-headers libqt3-mt-dev (needed for make xconfig) First get what is needed and patch the kernel. cd /usr/src wget wget tar -xjvf linux-2.6.17.7.tar.bz2 cd linux make-kpkg clean. How To Compile A Kernel - Debian Etch. Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 06/01/2007 Each distribution has some specific tools to build a custom kernel from the sources. This article is about compiling a kernel on a Debian Etch system. It describes how to build a custom kernel using the latest unmodified kernel sources from www.kernel.org (vanilla kernel) so that you are independent from the kernels supplied by your distribution.

It also shows how to patch the kernel sources if you need features that are not in there. I do not issue any guarantee that this will work for you! 1 Preliminary Note I will describe two ways of compiling a new kernel. The second method is to compile a kernel the "traditional" way. 2 Building A Kernel .deb Package This chapter shows how to build a kernel and end up with a .deb package that you can install and share with others. 2.1 Install Required Packages For Kernel Compilation First we update our package database: apt-get update 2.2 Download The Kernel Sources.

The User-mode Linux Kernel Home Page. Ch07 : The Linux Boot Process. How To Compile Linux Software With Debian Linux. Debian Linux Kernel Handbook. Strace in lenny. Read and Write a /proc File. Systrace - Interactive Policy Generation for System Calls. Index of /pub/linux/kernel/v2.6. 13.11 Sandboxed Evaluation.

Syscall - interposer

Libvirt, LXC & KVM. Java - Why Security? Memory management - stack and heap. Time of check to time of use.