Krzysztof Burghardt’s blog » Security

nCipher HSM with OpenSSL

Krzysztof Burghardt — Tue, 02 Mar 2010 22:36:50 +0000

I just finished playing with some nCipher’s HSM. Unfortunately there is no integration guide for OpenSSL that cover CHIL interface and nCipher hardware security modules.

nCipher’s installation guide is quite good, but after you finish installing hardware, drivers and daemons, you are on your own.

I found only two helpful sources: Andrea Campi’s blog entry about nCipher NetHSM and OpenSSL and Marek Marcola’s post on openssl-users mailing list.

Both guides ends on key generation and self-signed certificates. Its enough to get CHIL enabled application to work with nCipher’s HSM, but will not help you to convert any existing OpenSSL (not an CHIL-aware) application to use HSM.

CHIL enabled OpenSSL

When you have driver, hardserver and chil library for your HSM installed the next step is to install OpenSSL with CHIL support enabled. Modern Linux distribution may have CHIL already enabled. If so, there should be libchil.so library in /usr/lib/ssl/engines directory.

If libchil.so is missing follow OpenSSL installation steps as described in Apache2.2.x, OpenSSL 0.9.8x and nCipher Modules Integration Guide.

When OpenSSL in installed, add /opt/nfast/toolkits/hwcrhk to LD_LIBRARY_PATH:

$ export LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk

To check if OpenSSL is able to communicate with HSM trough CHIL interface run:

$ openssl engine -t chil
(chil) CHIL hardware engine support
     [ available ]

If CHIL is available benchmark HSM with:

$ openssl speed rsa -engine chil -elapsed -multi 50

Hardware accelerated cryptography

Use engine interface to switch to cryptography implementation from hardware security module.

#include

ENGINE *hwEngine = NULL;

int enable_chil()
{
ENGINE_load_builtin_engines();

if (!(hwEngine = ENGINE_by_id("CHIL")))
return -1;

if (!ENGINE_set_default(hwEngine, ENGINE_METHOD_ALL))
return -2;

return 0;
}

When application finish its cryptography operations, it should free engine.

void disable_chil()
{
if(hwEngine)
{
ENGINE_finish(hwEngine);
hwEngine = NULL;
ENGINE_cleanup();
}
}

Hardware key protection/storage

If you want to make your private keys more secure you should use hardware key protection (or even storage).

Hardware protected keys are stored on local filesystem, but encrypted by key stored only in HSM. To generate such key use:

$ /opt/nfast/bin/generatekey hwcrhk

Answer some questions (Protected by? module, Key type? RSA, Key size? 4096, Key identifier? keyname) and your encrypted (by module, as you choose in question above) private key is saved in /opt/nfast/kmdata/local/key_hwcrhk_rsa-keyname.

When using locally stored encryption keys you load them as in this example (I use EVP interface for high-level cryptographic functions):

EVP_PKEY *pkey = NULL;

int load_key()
{
fp = fopen("filename.key", "r");

if (fp == NULL)
return -1;

pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);

return 0;
}

When you have CHIL keys, loading them is also very simple:

void load_key_chil()
{
pkey = ENGINE_load_private_key(hwEngine, "rsa-keyname", NULL, NULL);
}

When key is no longer in use destroy it with:

void free_key()
{
EVP_PKEY_free(pkey);
}

If application just need to do some hardware accelerated RSA or it need to use hardware protected keys those code pieces along with CHIL-enabled OpenSSL is all you need.

Sptrace 1.4.2 released

Krzysztof Burghardt — Sat, 14 Mar 2009 09:00:06 +0000

New version of sptrace was released today. Sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. Module was updated to reflect changes in new kernel releases and tested with 2.6.26.

When someone not allowed to trace processes uses program that call ptrace() (like strace, ltrace or gdb) current and parent processes names, pids, uids and euids are logged, e.g.:

Mar 13 08:51:11 ghost kernel: [ 8086.730499] sptrace: ptrace() DENIED for (gdb:6810) UID(1000) EUID(1000), parent (gdb:6785) UID(1000) EUID(1000)
Mar 13 08:51:11 ghost kernel: [ 8086.984694] sptrace: ptrace() DENIED for (gdb:6785) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)
Mar 13 08:51:44 ghost kernel: [ 8119.928920] sptrace: ptrace() DENIED for (gdb:6923) UID(1000) EUID(1000), parent (tcsh:32216) UID(1000) EUID(1000)

Program that call ptrace() will get EPERM error:

$ strace ls
strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
$ ltrace ls
PTRACE_TRACEME: Operation not permitted
PTRACE_SETOPTIONS: Operation not permitted
$ gdb -p 32215
GNU gdb 6.8-debian
[...]
This GDB was configured as "i486-linux-gnu".
Attaching to process 32215
ptrace: Operation not permitted.

Module log both allowed and denied ptrace() calls. Allowed traces as logged as:

Mar 11 19:14:48 ghost kernel: [ 6445.524669] sptrace: ptrace() by (ltrace:27558) UID(1000) EUID(1000), parent (ltrace:27557) UID(1000) EUID(1000)
Mar 11 19:14:48 ghost kernel: [ 6445.525460] sptrace: ptrace() by (ltrace:27557) UID(1000) EUID(1000), parent (tcsh:26606) UID(1000) EUID(1000)

By default sptrace deny access to ptrace() to all non root users (GID != 0). Root group (or wheel) is allowed to use this call. To disable tracing for all users, including those in root group pass parameter ptrace_group=-1, e.g.:

$ insmod ./sptrace.ko ptrace_group=-1

Download: sptrace-1.4.2.tar.gz (.asc)

md5sum: 9a23198cbdcd256b11e2b0dc2c03b331
sha1sum: 458f9b15e9a5b02cd18759b6b09a4b41d062d7cd

ClamFS 1.0.0 has been released

Krzysztof Burghardt — Sun, 08 Feb 2009 14:18:45 +0000

ClamFS 1.0.0 has been released yesterday. It contains some new features that might be quite interesting for its users.

Completed clamd results caching

This was a long waiting feature. Version 0.9.1 cache only information about clean files. Infected files was scanned on every access. Starting from version 1.0.0 information about both clean and infected files are kept in cache while files that cannot be scanned (mostly because of permission problems) are discarded from cache.

Starting without clamd available

A new “check” option was added to allow you to mount a ClamFS file system when clamd is not available, such as during an early stage of the boot process. To disable ClamAV Daemon (clamd) check on ClamFS startup set option check to no:

socket="/var/run/clamav/clamd.ctl" check="no" />

Mounting file systems from /etc/fstab

With “check=no” mounting ClamFS file systems form /etc/fstab is possible using fuse mount helper (/sbin/mount.fuse). ClamFS will be started on boot with configuration file defined here provided as its argument. Simple definition of ClamFS mount point in /etc/fstab looks like:

clamfs#/etc/clamfs/share.xml /clamfs/share fuse defaults 0 0

Read-only mounts

The “readonly” option was added to the filesystem options allowing you to create a read-only protected file system. Just extend filesystem definition in config file with readonly option set to yes:

root="/share" mountpoint="/clamfs/share" readonly="yes" />

File system and cache statistics

ClamFS has file system statistics that allow you to monitor and tune its performance. Statistics module keep track of file system usage and cache hits. Stats module is configured with “stats” tag. It can dump statistics periodically and on ClamFS dismount:

atexit="yes" every="3600" />

Statistics are dumped to configured logging target. Here is an example of such statistics dumped to syslog:

Feb  8 14:52:51 ghost clamfs: --- begin of statistics ---
Feb  8 14:52:51 ghost clamfs: Early cache hit: 1038
Feb  8 14:52:51 ghost clamfs: Early cache miss: 1030
Feb  8 14:52:51 ghost clamfs: Late cache hit: 1038
Feb  8 14:52:51 ghost clamfs: Late cache miss: 0
Feb  8 14:52:51 ghost clamfs: Whitelist hit: 10
Feb  8 14:52:51 ghost clamfs: Blacklist hit: 108
Feb  8 14:52:51 ghost clamfs: Files bigger than maximal-size: 3
Feb  8 14:52:51 ghost clamfs: open() function called 2081 times (allowed: 1803, denied: 278)
Feb  8 14:52:51 ghost clamfs: Scan failed 278 times
Feb  8 14:52:51 ghost clamfs: --- end of statistics ---

Better default extension blacklist

Default blacklist in configuration file was extended. I advise all users to incorporate blacklist from version 1.0.0 into their configuration files.

Multiple FreeBSD jails sharing one IP address

Krzysztof Burghardt — Sat, 10 Jan 2009 22:19:35 +0000

If you want to use multiple jails on FreeBSD with only one external IP addresses you may set up all jails on private addressed with little help of loopback interface, NAT and PF.

Networking

Each jail requires one IP address. First create lo1 loopback interface and assign IPs to it:

# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1 netmask 255.255.255.0 alias
# ifconfig lo1 inet 10.0.0.2 netmask 255.255.255.0 alias
...

To make this permanent add following lines to /etc/rc.conf:

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
...

Now configure port redirection (forwarding) from your IP to your jails’s IPs. Here is my PF line (add it to /etc/pf.conf):

rdr on re0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on re0 proto tcp from any to ext._ip port ircd -> 10.0.0.2 port ircd
...

If jails need network access (e.g. to download ports) create NAT on your external network interface:

nat on re0 from lo1:network to any -> (re0)

Finally reload PF rules:

# pfctl -d
# pfctl -e -f /etc/pf.conf

Ezjail

Install ezjail from /usr/ports/sysutils/ezjail:

# cd /usr/ports/sysutils/ezjail
# make install clean

After ezjail installation create base jail. This jail is used as skeleton of all jails. Before creating base jail you need to have current FreeBSD sources in /usr/src. If you have built them add -i option to update command to prevent (re)building them:

# ezjail-admin update

Creating jails

When basejail is installed we are ready to create jails:

# ezjail-admin create -f default apachejail 10.0.0.1
# ezjail-admin create -f default ircjail 10.0.0.2

Source code (security) auditing utilities available in Debian

Krzysztof Burghardt — Sat, 10 Jan 2009 21:05:12 +0000

Debian GNU/Linux provides several packages that can be used to audit C/C++ source code. First three search for programming errors that might lead to potential security flaws:

Next two tools find bugs in C and C++ source code by doing a static check too, but their checks are not security-related:

Web browser anonymity threats

Krzysztof Burghardt — Tue, 13 May 2008 22:05:35 +0000

Anonymity in important for many people. Few years ago, it was problematic issue only for hackers, human rights workers and anonymity freaks. They want to keep they identity in secret for obvious reasons. They were traced only by law enforcement agencies and government. Today everything is much more difficult. Hundreds of advertising agencies trying to reveal identity of people to target their commercials better.

Web browser can give them so many information. For example in which languages you speak (browser shares your language preferences with sites you visit)., in which city you live (this can be obtained from IP), how big is your computer display (web page can get your display resolution), what video player or office suite you have installed (they can query installed browser plugins) and much more...

Server side

Various information are available from PHP and Apache.

This include IP address, hostname (reverse DNS lookup), source port and sometimes user name:

Your IP: 38.107.191.91Your hostname: 38.107.191.91Your source port: 6864Your username:

Those basic information are available from _SERVER associative array members named REMOTE_ADDR, REMOTE_PORT and REMOTE_USER.

Here is an example how to get hostname quering DNS using gethostbyaddr():

echo gethostbyaddr($_SERVER["REMOTE_ADDR"]); ?>

In the same way we can obtain name and version of browser (HTTP_USER_AGENT). You are using:

CCBot/1.0 (+http://www.commoncrawl.org/bot.html)

HTTP_REFERER reveals site you come form. Currently:

We are able to check what browser accepts as a response (HTTP_ACCEPT, HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_CHARSET):

HTTP_ACCEPT: text/html,application/xhtml+xml,text/xml;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5HTTP_ACCEPT_ENCODING: gzipHTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Those settings may leak your language and, if you leave default settings, your browser identity.

Proxy

Proxy servers often adds new headers to those sent by browser. We can access them using HTTP_X_FORWARDED_FOR and HTTP_FORWARDED . Some proxy servers sets also headers like HTTP_CLIENT_IP, HTTP_VIA, HTTP_PROXY_CONNECTION, HTTP_XROXY_CONNECTION.

Currently they are set to:

X-Forwarded-For: Forwarded: Client-IP: Via: PROXY: XROXY:

If none of above is set user is probably using direct connection. However some proxy servers (often called "high anonymous proxy" or "elite proxy") forward requests without adding any headers or even removing some headers that leaks browser identity.

Client side

Web browser may leak user identity to anyone who is able to run JavaScript. By default browsers run any script embedded into web page.

Browser identity is hold in navigator object. Its name is in navigator.appName Currently:

Browser code name (navigator.appCodeName):

Browser version (navigator.appVersion):

Finally, platform it is running on (navigator.platform):

History length (or how many pages were visited - history.length):

Screen size and dept is hold in screen object. Example code to obtain screen properties:

document.write(screen.width," x ",screen.height, " x ", screen.colorDepth, " bpp (available for browser: ", window.screen.availWidth, " x ", window.screen.availHeight, ")");

Result of the above:

Referrer can be read from document.referrer:

Using simple loop one can iterate trough installed plugins:

if (navigator.plugins.length) {
for (i = 0; i < navigator.plugins.length; i++) {
plugin = navigator.plugins[i];
document.write(plugin.name, " (", plugin.filename, ")\n");
}
}

Result of above code:

Java

If Java is enabled JavaScript can use Java VM to obtain more information from OS. navigator.javaEnabled() returns true or false if Java is enabled.

JavaScript with small help of Java can obtain client IP address with:

if (navigator.javaEnabled()) {
addr=java.net.InetAddress.getLocalHost();
host=addr.getHostName();
ip=addr.getHostAddress();
document.write(ip, " (hostname: ", host, ")");
}

Results:

Or with alternative version:

if (navigator.javaEnabled()) {
host= window.location.host;
port=window.location.port || 80;
sock=new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
sock.connect(new java.net.InetSocketAddress(host, (!port)?80:port));
addr=sock.getLocalAddress();
host=addr.getHostName();
ip=addr.getHostAddress();
document.write(ip, " (hostname: ", host, ")");
} else {
document.write("Java disabled");
}

Results:

Java applets

Another possibility to obtain IP address of client is using Java applets. Here is sample applet that tries to connect back to web server and reveal client address:

//

import java.applet.*;
import java.awt.*;
import java.net.*;

public class ShowIP extends Applet {
String m_ip;
public void init() {
try {
m_ip = (new Socket(getDocumentBase().getHost(), getDocumentBase().getPort())).getLocalAddress().getHostAddress();
} catch (Exception e) {
m_ip = "unknown";
e.printStackTrace();
}
}
public void stop() { }
public void paint(Graphics g) {
g.drawString(m_ip, 10, 10);
}
}

Applet in action:

ActiveX and other threats

ActiveX object can reveal client identity, too. Fortunately AvtiveX works only in Internet Explorer on Windows. Maybe also Flash's Action Script can be used to achieve this. If you known any other possibilities let me known.

Deploying IPsec in small LAN in 3 easy steps

Krzysztof Burghardt — Mon, 03 Mar 2008 22:04:48 +0000

I think about installing IPsec on computers in my home LAN for some time. There are many configurations possible: tunnel mode, transport mode, peer-to-peer solution or star topology with single VPN hub. Also there are different IPsec implementations. KAME for *BSD, Openswan, strongSwan and Linux 2.6 PF_KEY implementation (which can be used with setkey and racoon or with OpenBSD’s isakmpd). Choosing one is not easy, but for me the simplest method was best. I choose Linux 2.6 PF_KEY with ipsec-tools and racoon for dynamic key exchange (now part of ipsec-tools). Its simple, easy to implement and… configuration files without any modification (except file paths) can be used also in FreeBSD (tested with 6.3-RELEASE).

Step 1. Use OpenVPN easyRSA to set up your own Certificate Authority, generate certificates and keys and sign them. You will need to create links to certificates and keys in form hash.(r)0. Use this command to compute hash:

# openssl x509 -hash -in keys/ca.crt

And then create links replacing question marks by hashes.

# ln -s ca.crt keys/????????.0
# ln -s crl.pem keys/????????.r0

Step 2. When you have all your certificates created you need only to do two more things. First create /etc/ipsec-tools.conf to set Security Policy Database (SPD):

#!/usr/sbin/setkey -f

## Flush the SAD and SPD

flush;
spdflush;

## SPDs for racoon

spdadd 192.168.1.0/24 192.168.1.0/24 any -P out ipsec esp/transport//use;
spdadd 192.168.1.0/24 192.168.1.0/24 any -P in ipsec esp/transport//use;

Step 3. And then configure racoon to negotiate and maintain Security Association Database (SAD). Racoon read configuration from /etc/racoon/racoon.conf:

path certificate "/etc/racoon/certs";

sainfo anonymous {
encryption_algorithm aes256,aes128,blowfish128,3des;
authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
compression_algorithm deflate;
lifetime time 30 min;
}

remote anonymous {
exchange_mode main,aggressive;
lifetime time 60 min;
certificate_type x509 "host.crt" "host.key";
verify_cert on;
my_identifier asn1dn;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024;
}
}

Now (re)start setkey and racoon on all hosts in LAN. If everything is fine IPsec should be in use for all local connections.

O tym jak to Chuck Norris skopiował dane z Naszej Klasy na dyskietkę

Krzysztof Burghardt — Thu, 24 Jan 2008 20:08:10 +0000

Hacking.pl opublikował artykuł Nasza-Klasa.pl – pobierz sobie dane milionów Polaków. Zasugerowano w nim, że każdy może pobrać dane wszystkich użytkowników Naszej-Klasy. Na alarm uderzył również Dziennik Internautów i Computerworld. Wszyscy zwrócili uwagę na fakt, że prosty robot internetowy może skopiować strony z portalu, przefiltrować ciekawe informacje i zapisać je na dysku. Niestety większości umknął jeden ważny problem… czas potrzebny do skopiowania 8 milionów stron.

Prosty skrypt w PHP korzystający z biblioteki cURL może wyglądać tak:

function getProfile($id) {
$ch = curl_init("http://nasza-klasa.pl/profile/$id");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "nk_session=[ tu wpisać identyfikator sesji ]");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 5.1; U; en)");
return curl_exec($ch);
}

function parseProfile($rawData) {
preg_match_all('/wartosc">(.*), $rawData, $m, PREG_SET_ORDER);
return $m[0][1] . "," . $m[1][1] . "," . $m[2][1] . "," . $m[3][1] . "," . $m[4][1] . "," .
$m[5][1] . "," . $m[6][1] . "," . $m[7][1] . "," . $m[8][1] . "," . $m[9][1];
}

$fh = fopen("nk.log", 'a') or die("plik nie chce się otworzyć :-(");

$i = 4085305;

while ($i < (4085305 + 25)) {
echo "$i ";
fputs($fh, $i . "," . parseProfile(getProfile($i)) . "\n");
++$i;
}

fclose($fh);

A czas jego wykonania? Na moim komputerze (i łączu internetowym) pobranie 25 profili, zaczynając od mojego, trwa:

/usr/bin/time -v php5 nk.php 2>&1 | grep wall
	Elapsed (wall clock) time (h:mm:ss or m:ss): 6:39.42

Policzmy zatem. 8 milionów profili do pobrania. ~6 i pół minuty na każde 25 z nich.

( ( ( 8000000 / 25 ) * 6.5 ) / 60 ) / 24 = 1444.(4) dni
1444.(4) / 365 =~ 3.95738 lat

Już po 4 latach pobierania profili miałbym komplet danych użytkowników Naszej Klasy. Nie ma zatem realnych szans na skopiowanie wszystkich danych z Naszej Klasy. Chyba, że… zrobi to Chuck Norris. Tak samo jak kiedyś skopiował cały Internet na dyskietkę ;-)

Limiting access to ptrace() call in Linux

Krzysztof Burghardt — Fri, 28 Dec 2007 23:19:42 +0000

Ability to trace and debug software on servers is not needed for most users. Giving them right to trace processes may leak information and if ptrace() is vulnerable lead to more problems.

Sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. It can disable strace (and ltrace) altogether, or if you add a ptrace group to your system, only users in that group will be able to use ptrace() call.

When someone not allowed to trace processes uses program that call ptrace() current and parent processes names, pids, uids and euids are logged, e.g.:

Dec 29 00:39:27 techie kernel: sptrace: ptrace() DENIED for (strace:28733) UID(1000) EUID(1000), parent (strace:28732) UID(1000) EUID(1000)
Dec 29 00:39:40 techie kernel: sptrace: ptrace() DENIED for (ltrace:28745) UID(1000) EUID(1000), parent (ltrace:28744) UID(1000) EUID(1000)

New version was just adjusted to reflect changes in Linux and was tested with latest kernel version available (2.6.23). Support for 2.4 line is still there, but it is no longer tested.

Download: sptrace-1.4.1.tar.gz (.asc)

md5sum: d0b58eced8f60e696c39dfaf4b306771
sha1sum: 49696880b92837e35e16b6a34c346b00084df4e2