Security Posts

Infocon: green

ISC Stormcast For Monday, February 6th, 2023 https://isc.sans.edu/podcastdetail.html?id=8356
Categories: Security Posts

Online Computer Security & Hacking Courses during February at @HackBySecurity #ciberseguridad

Un informático en el lado del mal - 5 hours 17 min ago
Today I bring you the list of online courses that you can take at your own pace from home, which we have already published for this month of FEBRUARY. They are designed for those of you who want to train in Computer Security & Hacking as a complement to your daily work. This is the list of HackBySecurity Online Cybersecurity Courses that will take place in this second month of the year.
Figure 1: Online Computer Security & Hacking Courses during February 2023 at HackBySecurity. Dall-e 2 image: "happy hacker in cyber punk art style"
In addition, if you want a discount on them, you can use your MyPublicInbox Tempos to buy a 10% discount code for 10 Tempos in the Redeem your Tempos section. There are only 10 codes.
Figure 2: Get the 10% discount code on MyPublicInbox
And now, the list of online courses available at HackBySecurity this FEBRUARY. Here are the ones you can sign up for to train online at your own pace in cybersecurity, hacking and computer security.
CAIFOR (Online Course in iOS Computer Forensic Analysis): This course, which starts on February 8, is designed so that, over 100 hours of work, attendees learn to carry out forensic exercises both on powered-on systems, where you will learn to extract volatile information, and on powered-off systems. Learn to correctly make the copies on which the forensics are performed and to work with Windows, Linux and MacOS systems, all from a practical approach and with the constant support of an expert teacher in the field.
Figure 3: CAIFOR (Online Course in iOS Forensic Analysis)
In addition, the course includes, as a complement to the training, the 0xWord book written by Pilar Vila, entitled "Técnicas de Análisis Forense para Peritos Judiciales profesionales".
Figure 4: "Técnicas de Análisis Forense Informático para Peritos Judiciales Profesionales", the book by Pilar Vila at 0xWord, for all students.
CTEC (Technical Specialist Course in Cyberintelligence): On FEBRUARY 9 the training begins for those who want to start working in cyberintelligence in the corporate world. With the aim of learning which sources of public information exist, the information-gathering techniques, and how to conduct an investigation on the Internet and the Deep Web, this course teaches information analysis methodologies and procedures. The course is taught by Rafael García Lázaro, whom you can consult through his public mailbox to resolve any doubts.
Figure 5: CTEC (Technical Specialist Course in Cyberintelligence)
In addition, as a complement to this training, the book by Vicente Aguilera and Carlos Seisdedos, "OSINT (Open Source INTelligence): Investigar personas e identidades en Internet", is provided; it covers the vast majority of the topics explained in the course.
Figure 6: The book "Open Source INTelligence (OSINT): Investigar personas e Identidades en Internet"
BLPI (Online Course on the Legal Basics for the Computer Forensic Expert): This course begins on FEBRUARY 14 and is the online course dedicated to the discipline of Forensic Analysis, both for expert witness work in court and for incident management and response. The course is taught by Juan Carlos Fernández and has a syllabus of twelve modules that cover the main basic legal topics every good forensic analyst should know.
Figure 7: Legal Basics for the Computer Forensic Expert
The course includes, as a complement to the training, the 0xWord book written by Pilar Vila, entitled "Técnicas de Análisis Forense para Peritos Judiciales profesionales".
CHSW (Online Course in Windows Server Hardening): Created and tutored by Ángel A. Núñez, Microsoft MVP since 2016 in Cloud & DataCenter Technologies and author of the 0xWord book "Windows Server 2016: Configuración, Administración y Seguridad" and of the "VBOOK de Windows Server 2016", this course will take place on FEBRUARY 16.
Figure 8: Contact Ángel A. Núñez on MyPublicInbox
This training was created to teach systems security teams, Blue Teams, and the systems architects who work with DevSecOps how to harden the infrastructure's servers as much as possible. The book "Windows Server 2016: Configuración, Administración y Seguridad" is provided with it.
CSIO (Offensive Computer Security Course): In this online offensive computer security course, which begins on FEBRUARY 20, the student will acquire the knowledge and skills needed to carry out penetration tests and computer security audits, and may go on to hold positions such as ethical hacker, pentester or cybersecurity auditor. Students will be taken from basic hacking concepts all the way to creating their own exploits, passing through the most advanced and effective attack techniques and tools.
Figure 9: Online Offensive Computer Security Course
In addition, the student can choose one of the following two options as a complement to the course: the book "Metasploit para Pentesters Gold Edition" or the 0xWord "VBOOK de Ethical Hacking".
Figure 10: Metasploit para Pentesters Gold Edition
This Online Offensive Computer Security Course at HackBySecurity is one of the best options if you are looking to train professionally to work as a pentester and also want a flexible training model. Its teachers are Sergio Rodríguez Gijón and Pablo González, with the Python and Bash modules; you can get to know Pablo better in the interview he gave, where he talks about many things in this world.
Figure 11: VBook Ethical Hacking by Pablo González at 0xWord
CNCC (Online Course in Cybersecurity and Regulation in Cloud Computing): The objective of this course, which begins on FEBRUARY 22 and is taught by Rubén López, is to provide a common language and understanding of cloud computing for security professionals, highlighting the differences between the cloud and traditional computing, and to help orient security professionals toward an approach to cloud-native adoption that results in better security (and those other benefits), instead of creating more risks.
Figure 12: CNCC (Online Course in Cybersecurity and Regulation in Cloud Computing). Teacher: Rubén López.
In addition, all students will receive the book "Cifrado de las comunicaciones digitales de la cifra clásica al algoritmo RSA 2ª Edición" as associated documentation.
CSCE (Exploit Development Security Course): On FEBRUARY 27 an intermediate-level course begins that explains how to build exploits for located vulnerabilities. That is, how to exploit discovered vulnerabilities, so it is an intermediate-level course, since you must have prior pentesting knowledge to understand how bugs, exploits and the automation of vulnerability exploitation work.
Figure 13: Exploit Development Security Course
This course has as its study and accompanying material the 0xWord book "Linux Exploiting", which explains the methodologies for discovering and exploiting vulnerabilities on GNU/Linux systems.
Figure 14: Linux Exploiting, from 0xWord

MHSW (Online Master in Windows Systems Hardening): In addition, the enrollment reservation period has already opened for this Online Master, created and tutored by Ángel A. Núñez, Microsoft MVP since 2016 in Cloud & DataCenter Technologies and author of the 0xWord book "Windows Server 2016: Configuración, Administración y Seguridad" and of the "VBOOK de Windows Server 2016".
Figure 15: MHSW (Online Master in Windows Systems Hardening)
Ángel A. Núñez is a veteran in security management of Microsoft Windows platforms, and has developed this Online Master in Windows Systems Hardening to teach systems security teams, Blue Teams, and the systems architects who work with DevSecOps how to harden the infrastructure's servers as much as possible. This training includes:
Of course, all the courses, besides including the 0xWord books, will come with MyPublicInbox Tempos and tutoring rooms with the trainers.
Evil Greetings!
Author: Chema Alonso (Contact Chema Alonso)

ISC Stormcast For Monday, February 6th, 2023 https://isc.sans.edu/podcastdetail.html?id=8356, (Mon, Feb 6th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Video: Analyzing Malicious OneNote Documents, (Sun, Feb 5th)

SANS Internet Storm Center, InfoCON: green - Sun, 2023/02/05 - 18:32
I recorded a video for my diary entry "Detecting (Malicious) OneNote Files". It shows how I familiarized myself with the .one file format, enough to know how to extract embedded files, wrote a tool (onedump.py) and took a look at detection rules.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Finland’s Most-Wanted Hacker Nabbed in France

Krebs - Sun, 2023/02/05 - 18:14
Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest. In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand. Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records. But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story: “Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. 
In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).” “It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.” According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument. Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality. The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody. Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP. Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking). 
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
Figure: The DDoS-for-hire service allegedly operated by Kivimäki in 2012.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet. The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI). As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents. Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former S
ony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico. Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558. As I wrote in 2015 following Kivimäki’s trial: “The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18. Kivimäki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.” Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly. Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice. “Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

Mi Hacker v2.0 (Teenager Edition)

Un informático en el lado del mal - Sun, 2023/02/05 - 14:40
I no longer tell you stories. But you are still Mi Hacker. Your dreams are already much further away than the ones I painted for you. We no longer draw monsters. Now I listen to you on the way to and from skating. You tell me your things. But not all of them. You already have a life beyond. Further away. You want me to order you a "Cabi". You want to go to a party with your friends. For me to take you to the "light" disco. To a dinner with your girlfriends at Pipa & Co. We don't talk about dragons. We no longer fly with Dragón Matías. Now we talk about electric cars. About your driving licence. About what to study at university. We fight over what time you come home. Over how to get there. Over who with. Over what you are going to do and how you are going to get back.
Figure 1: Mi Hacker v2.0 (Teenager Edition)
I wait for you. For you to arrive. Or I go and pick you up. I don't like you coming home alone. I wait up for you. Reading my superhero comic. With my glasses on. Glancing at the phone out of the corner of my eye in case you need anything. Your sister sleeps next to me. I imagine you laughing with your friends. Dancing. Where are La Kalabaza de Pippa, Cantajuegos or Picapica now. Now you have your own music. We make the playlists for going skating, the three of us. So that your songs come up... and mine with your sister's.
You teach me things. I am no longer the one who teaches you the technology tricks like I used to. You go to the library to study. You are responsible. There are still birds in your little head. But they sing in greater harmony. You want to see the world. Travel. See Las Vegas. Go to see Imagine Dragons in concert. And Coldplay. Enjoy a festival with your friends. Go surfing. And skiing. And sailing. Or go shopping at the street market with your friends. You dream of moving out with them. Of flying. High. Far. Beyond where I can be. Beyond where I have got to.
You hug me. I ask you for my five kisses, my three "ays" and my gnome kiss. Like when you were a little girl and gave them to me on the stairs while I put my shoes on to go to work. And you give them to me playfully. And you go to your room. You close the door. You sit down to study. You put on your headphones and talk to someone while you go over the homework. By video call. To be with your friends. To tell each other things I will never know. That are yours. That are no longer part of my little girl.
I suggest going skateboarding, but you can't. You have plans with your friends. We negotiate. Not today, tomorrow yes. To do what. Where and for how long. And I'm celebrating my birthday with my friends, you tell me. And I take your friend shopping with you. I drop you off and leave. You want to go alone. Look at the shops. Try everything on. Laugh. I wait for you with my laptop in the café. Drinking coffee. With my reading glasses, of course. Presbyopia. With my grey hair in a ponytail. While I glance at the phone out of the corner of my eye in case you need me.
I take you to see magic. You chat with your friends. There are plans after the show. You want me to drop you off at some friends' house. I refuse. You get angry. I have to suffer. I weather the storm. I try to explain it to you. Your little ears listen to me. Your little birds don't. They are singing very loudly at that moment. You ask me to let you get a second earring. I make a face of not knowing what to answer. Shall we draw for a while? You don't feel like it.
I imagine you in the future. I know you will fly far. That you will leave my side. But that you will come back. I know you will always be tied to me. At a certain distance. So you can play with the wind far from me. Like a kite. But tied with a thread we have woven between us over many years. A thread we both look after. You worry about me. About how work is going for me. About how my projects are going. And every day I tell you a little more. So that your little birds listen as well as sing.
I take you to school. I hold your hand. You let go. I take it again and laugh. "Daaaaaad...", you say. I hold your hand up to the entrance. I leave you at the door. I hug you to give you a kiss. A baby kiss. My five kisses, my three "ays" and my gnome kiss. You give me one of your head-bump kisses. You tilt your head so I kiss the back of your neck while you kiss the air. I complain and squeeze you. I give you lots of kisses on your cheeks. Loud ones. Like when you were a baby. My baby.
And you say to me: "Dad...., I'm not a little girl anymore!".
I know. You are no longer that baby to look after. Now you are that person I want to discover with the excitement of seeing you shine. You are Mi Hacker v2.0 (Teenager Edition). All new to me.
Evil Greetings!
Author: Chema Alonso (Contact Chema Alonso)



OpenSSH fixes double-free memory bug that’s pokable over the network

Naked Security Sophos - Fri, 2023/02/03 - 19:59
It's a bug fix for a bug fix. A memory leak was turned into a double-free that has now been turned into correct code...

Harnessing the eBPF Verifier

By Laura Bauman

During my internship at Trail of Bits, I prototyped a harness that improves the testability of the eBPF verifier, simplifying the testing of eBPF programs. My eBPF harness runs in user space, independently of any locally running kernel, and thus opens the door to testing of eBPF programs across different kernel versions.

eBPF enables users to instrument a running system by loading small programs into the operating system kernel. As a safety measure, the kernel “verifies” eBPF programs at load time and rejects any that it deems unsafe. However, using eBPF is a CI/CD nightmare, because there’s no way to know whether a given eBPF program will successfully load and pass verification without testing it on a running kernel. My harness aims to eliminate that nightmare by executing the eBPF verifier outside of the running kernel.

To use the harness, a developer tweaks my libbpf-based sample programs (hello.bpf.c and hello_loader.c) to tailor them to the eBPF program being tested. The version of libbpf provided by my harness links against a “kernel library” that implements the actual bpf syscall, which provides isolation from the running kernel. The harness works well with kernel version 5.18, but it is still a proof of concept; enabling support for other kernel versions and additional eBPF program features will require a significant amount of work.

With great power comes great responsibility

eBPF is an increasingly powerful technology that is used to increase system observability, implement security policies, and perform advanced networking operations. For example, the osquery open-source endpoint agent uses eBPF for security monitoring, to enable organizations to watch process and file events happening across their fleets. The ability to inject eBPF code into the running kernel seems like either a revelation or a huge risk to the kernel’s security, integrity, and dependability.

But how on earth is it safe to load user-provided code into the kernel and execute it there? The answer to this question is twofold. First, eBPF isn’t “normal” code, and it doesn’t execute in the same way as normal code. Second, eBPF code is algorithmically “verified” to be safe to execute.

eBPF isn’t normal code

eBPF (extended Berkeley Packet Filter) is an overloaded term that refers to both a specialized bytecode representation of programs and the in-kernel VM that runs those bytecode programs. eBPF is an extension of classic BPF, which has fewer features than eBPF (e.g., two registers instead of ten), uses an in-kernel interpreter instead of a just-in-time compiler, and focuses only on network packet filtering. User applications can load eBPF code into kernel space and run it there without modifying the kernel’s source code or loading kernel modules. Loaded eBPF code is checked by the kernel’s eBPF verifier, which tries to prove that the code will terminate without crashing.

Figure: A diagram of the eBPF system

The picture above shows the general interaction between user space and kernel space, which occurs through the bpf syscall. The eBPF program is represented in eBPF bytecode, which can be obtained through the Clang back end. The interaction begins when a user space process executes the first in the series of bpf syscalls used to load an eBPF program into the kernel. The kernel then runs the verifier, which enforces constraints that ensure the eBPF program is valid (more on that later). If the verifier approves the program, the verifier will finalize the process of loading it into the kernel, and it will run when it is triggered. The program will then serve as a socket filter, listening on a socket and forwarding only information that passes the filter to user space.

Verifying eBPF

The key to eBPF safety is the eBPF verifier, which limits the set of valid eBPF programs to those that it can guarantee will not harm the kernel or cause other issues. This means that eBPF is, by design, not Turing-complete. Over time, the set of eBPF programs accepted by the verifier has expanded, though the testability of that set of programs has not. The following quote from the “BPF Design Q&A” section of the Linux kernel documentation is telling:

The [eBPF] verifier is steadily getting ‘smarter.’ The limits are being removed. The only way to know that the program is going to be accepted by the verifier is to try to load it. The BPF development process guarantees that the future kernel versions will accept all BPF programs that were accepted by the earlier versions.

This “development process” relies on a limited set of regression tests that can be run through the kselftest system. These tests require that the version of the source match that of the running kernel and are aimed at kernel developers; the barrier to entry for others seeking to run or modify such tests is high. As eBPF is increasingly relied upon for critical observability and security infrastructure, it is concerning that the Linux kernel eBPF verifier is a single point of failure that is fundamentally difficult to test.

Trust but verify

The main problem facing eBPF is portability—that is, it is notoriously difficult to write an eBPF program that will pass the verifier and work correctly on all kernel versions (or, heck, on even one). The introduction of BPF Compile Once-Run Everywhere (CO-RE) has significantly improved eBPF program portability, though issues still remain. BPF CO-RE relies on the eBPF loader library (libbpf), the Clang compiler, and the eBPF Type Format (BTF) information in the kernel. In short, BPF CO-RE means that an eBPF program can be compiled on one Linux kernel version (e.g., by Clang), modified to match the configuration of another kernel version, and loaded into a kernel of that version (through libbpf) as though the eBPF bytecode had been compiled for it. However, different kernel versions have different verifier limits and support different eBPF opcodes. This makes it difficult (from an engineering perspective) to tell whether a particular eBPF program will run on a kernel version other than the one it has been tested on. Moreover, different configurations of the same kernel version will also have different verifier behavior, so determining a program’s portability requires testing the program on all desired configurations. This is not practical when building CI infrastructure or trying to ship a production piece of software.

Projects that use eBPF take a variety of approaches to overcoming its portability challenges. For projects that primarily focus on tracing syscalls (like osquery and opensnoop), BPF CO-RE is less necessary, since syscall arguments are stable between kernel versions. In those cases, the limiting factor is the variations in verifier behavior. Osquery chooses to place strict constraints on its eBPF programs; it does not take advantage of modern eBPF verifier support for structures such as bounded loops and instead continues to write eBPF programs that would be accepted by the earliest verifiers. Other projects, such as SysmonForLinux, maintain multiple versions of eBPF programs for different kernel versions and choose a program version dynamically, during compilation.

What is the eBPF verifier?

One of the key benefits of eBPF is the guarantee it provides: that the loaded code will not crash the kernel, will terminate within a time limit, and will not leak information to unprivileged user processes. To ensure that code can be injected into the kernel safely and effectively, the Linux kernel’s eBPF verifier places restrictions on the abilities of eBPF programs. The name of the verifier is slightly misleading, because although it aims to enforce restrictions, it does not perform formal verification. The verifier performs two main passes over the code.
The first pass is handled by the check_cfg() function, which ensures that the program is guaranteed to terminate by performing an iterative depth-first search of all possible execution paths. The second pass (done in the do_check() function) involves static analysis of the bytecode; this pass ensures that all memory accesses are valid, that types are used consistently (e.g., scalar values are never used as pointers), and that the number of branches and total instructions is within certain complexity limits.

As mentioned earlier in the post, the constraints that the verifier enforces have changed over time. For example, eBPF programs were limited to a maximum of 4,096 instructions until kernel version 5.2, which increased that number to 1 million. Kernel version 5.3 introduced the ability for eBPF programs to use bounded loops. Note, though, that the verifier will always be backward compatible in that all future versions of the verifier will accept any eBPF program accepted by older versions of the verifier.

Alarmingly, the ability to load eBPF programs into the kernel is not always restricted to root users or processes with the CAP_SYS_ADMIN capability. In fact, the initial plan for eBPF included support for unprivileged users, requiring the verifier to disallow the sharing of kernel pointers with user programs and to perform constant blinding. In the wake of several privilege escalation vulnerabilities affecting eBPF, most Linux distributions have disabled support for unprivileged users by default. However, overriding the default still creates a risk of crippling privilege escalation attacks. Regardless of whether eBPF is restricted to privileged users, flaws in the verifier cannot be tolerated if eBPF is to be relied upon for security-critical functionality. As explained in an LWN.net article, at the end of the day, “[the verifier] is 2000 lines or so of moderately complex code that has been reviewed by a relatively small number of (highly capable) people.
It is, in a real sense, an implementation of a blacklist of prohibited behaviors; for it to work as advertised, all possible attacks must have been thought of and effectively blocked. That is a relatively high bar.” While the code may have been reviewed by highly capable people, the verifier is still a complex bit of code embedded in the Linux kernel that lacks a cohesive testing framework. Without thorough testing, there is a risk that the backward compatibility principle could be violated or that entire classes of potentially insecure programs could be allowed through the verifier. Enabling rigorous testing of the eBPF verifier Given that the eBPF verifier is the foundation of critical infrastructure, it should be analyzed through a rigorous testing process that can be easily integrated into CI workflows. Kernel selftests and example eBPF programs that require a running Linux kernel for every kernel version are inadequate. The eBPF verifier harness aims to allow testing on various kernel versions without any dependence on the locally running kernel version or configuration. In other words, the harness allows the verifier (the verifier.c file) to run in user space. Compiling only a portion of the kernel source code for execution in user space is difficult because of the monolithic nature of the kernel and the kernel-specific idioms and functionality. Luckily, the task of eBPF verification is limited in scope, and many of the involved functions and files are consistent across kernel versions. Thus, stubbing out kernel-specific functions for user space alternatives makes it possible to run the verifier in isolation. For instance, because the verifier expects to be called from within a running kernel, it calls kernel-specific memory allocation functions when it is allocating memory. When it is run within the harness, it calls user space memory allocation functions instead. The harness is not the first tool that aims to improve the verifier’s testability. 
The IO Visor Project’s BPF fuzzer has a very similar goal of running the verifier in user space and enabling efficient fuzzing—and the tool has found at least one bug. But there is one main difference between the eBPF harness and similar existing solutions: the harness is intended to support all kernel versions, making it easy to compare the same eBPF program across kernel versions. The harness leaves the true kernel functionality as intact as possible to maintain an execution environment that closely approximates a true kernel context. System design The harness consists of the following main components:
  • Linux source code (in the form of a Git submodule)
  • A LibBPF mirror (also a Git submodule)
  • header_stubs.h (which enables certain kernel functions and macros to be overridden or excluded altogether)
  • Harness source code (i.e., implementations of stubbed-out kernel functions)
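To make the last two components concrete, here is an added example of the stubbing approach in miniature; it is not code from the post or from the harness itself. The stub header fragment and the "kernel-side" map functions (map_create, map_get_from_fd, map_release) are hypothetical stand-ins written for this illustration. The kernel names they replace (kzalloc, kfree, spin_lock, anon_inode_getfd) are real; the replacement bodies, including the flat descriptor table that stands in for the VFS, are an assumption about one way a harness could do it.

```c
/* Added example, not code from the post or the harness project: the stubbing technique
 * described in the post, reduced to a few primitives. The "kernel-side" functions at the
 * bottom are hypothetical stand-ins for kernel code that allocates a map, hands out a file
 * descriptor for it and later resolves that descriptor. Real kernel code reaches the VFS
 * through anon_inode_getfd()/fdget(); here a flat table replaces that so the same logic
 * links and runs in an ordinary process. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* ---- what a header_stubs.h-style override layer might contain (assumed) ------------ */

/* Memory: the harness is a user-space process, so GFP flags carry no meaning. */
#define GFP_KERNEL 0
#define kzalloc(size, flags) calloc(1, (size))
#define kfree(ptr)           free(ptr)

/* Locking: the harness is single-threaded, so the primitives become no-ops. */
typedef struct { int unused; } spinlock_t;
#define spin_lock(l)   ((void)(l))
#define spin_unlock(l) ((void)(l))

/* Files: a flat descriptor table replaces the VFS. Each slot holds the private pointer
 * that anon_inode_getfd() would store in file->private_data. */
#define STUB_MAX_FDS 16
static void *stub_fd_table[STUB_MAX_FDS];

static int stub_anon_inode_getfd(const char *name, void *priv)
{
    (void)name;                                   /* only shows up in fd listings in a real kernel */
    for (int fd = 3; fd < STUB_MAX_FDS; fd++)     /* 0-2 stay reserved, as in a real process */
        if (!stub_fd_table[fd]) { stub_fd_table[fd] = priv; return fd; }
    return -EMFILE;
}

static void *stub_fd_lookup(int fd)
{
    return (fd >= 0 && fd < STUB_MAX_FDS) ? stub_fd_table[fd] : NULL;
}

static int stub_fd_close(int fd)
{
    if (!stub_fd_lookup(fd)) return -EBADF;
    stub_fd_table[fd] = NULL;
    return 0;
}

/* ---- "kernel" code that compiles unchanged against the stubs (hypothetical) --------- */

struct bpf_map_stub {            /* stand-in for struct bpf_map; only the fields used here */
    unsigned int map_type, key_size, value_size, max_entries;
    spinlock_t lock;
};

/* Mirrors the shape of map creation: allocate, fill in, wrap in a descriptor. */
static int map_create(unsigned int type, unsigned int key_size,
                      unsigned int value_size, unsigned int max_entries)
{
    struct bpf_map_stub *map = kzalloc(sizeof(*map), GFP_KERNEL);
    if (!map) return -ENOMEM;
    map->map_type = type; map->key_size = key_size;
    map->value_size = value_size; map->max_entries = max_entries;
    int fd = stub_anon_inode_getfd("bpf-map", map);
    if (fd < 0) kfree(map);                       /* no descriptor: do not leak the map */
    return fd;
}

/* What the verifier needs when a program references a map by file descriptor. */
static struct bpf_map_stub *map_get_from_fd(int fd)
{
    return stub_fd_lookup(fd);
}

static int map_release(int fd)
{
    struct bpf_map_stub *map = map_get_from_fd(fd);
    if (!map) return -EBADF;
    spin_lock(&map->lock);
    stub_fd_close(fd);
    spin_unlock(&map->lock);
    kfree(map);
    return 0;
}

int main(void)
{
    int fd = map_create(1, 4, 8, 16);
    struct bpf_map_stub *m = map_get_from_fd(fd);
    printf("map fd %d -> type %u, %u entries\n", fd, m->map_type, m->max_entries);
    printf("release: %d, lookup after release: %p\n", map_release(fd), (void *)map_get_from_fd(fd));
    return 0;
}
```

The point of the layout is that the lower half never mentions user-space names: it is written against kzalloc, spin_lock and the descriptor helpers, and only the override layer decides that those resolve to calloc, a no-op and a table. That is what lets verifier code be compiled with as little modification as possible, and it is also why descriptor simulation is unavoidable: the verifier resolves map references through file descriptors, so something has to hand them out and look them up.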
The architecture of the eBPF verifier harness.

At a high level, the harness runs a sample eBPF program through the verifier by using standard libbpf conventions in sample.bpf.c and calling bpf_object__load() in sample_loader.c. The libbpf code runs as normal (e.g., probing the “kernel” to see what operations are supported, autocreating maps if configured to do so, etc.), but instead of invoking the actual bpf() syscall and trapping to the running kernel, it executes a harness “syscall” and continues running within the harnessed kernel.

Compiling a portion of the Linux kernel involves making a lot of decisions on which source files should be included and which should be stubbed out. For example, the kernel frequently calls the kmalloc() and kfree() functions for dynamic memory allocation. Because the verifier is running in user space, these functions can be replaced with user space versions like malloc() and free(). Kernel code also includes a lot of synchronization primitives that are not necessary in the harness, since the harness is a single-threaded application; those primitives can also safely be stubbed out.

Other kernel functionality is more difficult to efficiently replace. For example, getting the harness to work required finding a way to simulate the Linux kernel Virtual File System. This was necessary because the verifier is responsible for ensuring the safe use of eBPF maps, which are identified by file descriptors. To simulate operations on file descriptors, the harness must also be able to simulate the creation of files associated with the descriptors.

A demonstration

So how does the harness actually work? What do the sample programs look like? Below is a simple eBPF program that contains a bounded loop; verifier support for bounded loops was introduced in kernel version 5.3, so all kernel versions older than 5.3 should reject the program, and all versions newer than 5.3 should accept it. Let’s run it through the harness and see what happens!
bounded_loop.bpf.c:

    #include "vmlinux.h"
    #include <bpf/bpf_helpers.h>

    SEC("tracepoint/syscalls/sys_enter_execve")
    int handle_tp(void *ctx)
    {
        for (int i = 0; i < 3; i++) {
            bpf_printk("Hello World.\n");
        }
        return 0;
    }

    char LICENSE[] SEC("license") = "Dual BSD/GPL";

Using the harness requires compiling each eBPF program into eBPF bytecode; once that’s done, a “loader” program calls the libbpf functions that handle the setup of the bpf syscalls. The loader program looks something like the program shown below, but it can be tweaked to allow for different configuration and setup options (e.g., to disable the autocreation of maps).

bounded_loop_loader.c:

    #include <stdio.h>
    #include <bpf/libbpf.h>
    #include "bounded_loop.skel.h"

    static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
    {
        return vfprintf(stderr, format, args);
    }

    int load()
    {
        struct bounded_loop_bpf *obj;
        const struct bpf_insn *insns;
        int err = 0;

        libbpf_set_print(libbpf_print_fn);

        obj = bounded_loop_bpf__open();
        if (!obj) {
            fprintf(stderr, "failed to open BPF object. \n");
            return 1;
        }

        // this function invokes the verifier
        err = bpf_object__load(*obj->skeleton->obj);

        // free memory allocated by libbpf functions
        bounded_loop_bpf__destroy(obj);
        return err;
    }

Compiling the sample program with the necessary portions of Linux source code, libbpf, and the harness runtime produces an executable that will run the verifier and report whether the program passes verification.

The output of bounded_loop.bpf.c when run through version 5.18 of the verifier.

Looking forward

The harness is still a proof of concept, and several aspects of it will need to be improved before it can be used in production. For instance, to fully support all eBPF map types, the harness will need the ability to fully stub out additional kernel-level memory allocation primitives. The harness will also need to reliably support all versions of the verifier between 3.15 and the latest version. Implementing that support will involve manually accounting for differences in the internal kernel application programming interfaces (APIs) between these versions and adjusting stubbed-out subsystems as necessary. Lastly, more cohesive organization of the stubbed-out functions, as well as thorough documentation on their organization, would make it much easier to distinguish between unmodified kernel code and functions that have been stubbed out with user space alternatives.

Because these issues will take a nontrivial amount of work, we invite the larger community to build upon the work we have released. While we have many ideas for improvements that will move the eBPF verifier closer to adoption, we believe there are others out there that could enhance this work with their own expertise. Although that initial work will enable rapid testing of all kernel versions once it’s complete, the harness will still need to be updated each time a kernel version is released to account for any internal changes. However, the eBPF verifier is critical and complex infrastructure, and complexity is the enemy of security; when it is difficult to test complex code, it is difficult to feel confident in the security of that code. Thus, extracting the verifier into a testing harness is well worth the effort—though the amount of effort it requires should serve as a general reminder of the importance of testability.
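As an added example that is not part of the post or of the harness: the bounded loop from the demonstration, hand-assembled into eBPF instructions and run through a user-space model of the termination pass described earlier, check_cfg(). The instruction layout and opcode values are the standard eBPF encoding; the two modelled verifier versions use the thresholds the post states (4,096 instructions before 5.2, loops tolerated from 5.3); the error strings imitate the verifier's wording, but the pass itself is a simplification: it records loops and leaves the question of boundedness to the second pass, which is not modelled. The names check_cfg_model, verifier_model, KERNEL_5_1, KERNEL_5_3 and the program arrays are mine, and the printk call is left out of the assembled program since helper calls do not affect the control-flow graph.

```c
/* Added example (not code from the post or the harness project): a user-space model of the
 * verifier's first pass, check_cfg(). Assumed: standard eBPF instruction encoding; the post's
 * version thresholds (4,096 insns before 5.2, loops tolerated from 5.3); the rest simplifies. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
struct insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
/* Opcode subset (standard eBPF values), restated here to avoid <linux/bpf.h>. */
enum { BPF_ALU64 = 0x07, BPF_JMP = 0x05, BPF_JMP32 = 0x06, BPF_K = 0x00, BPF_MOV = 0xb0,
       BPF_ADD = 0x00, BPF_JA = 0x00, BPF_CALL = 0x80, BPF_EXIT = 0x90, BPF_JLT = 0xa0 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define MOV64_IMM(dst, v)  { BPF_ALU64 | BPF_MOV | BPF_K, (dst), 0, 0, (v) }
#define ADD64_IMM(dst, v)  { BPF_ALU64 | BPF_ADD | BPF_K, (dst), 0, 0, (v) }
#define JLT_IMM(dst, v, o) { BPF_JMP | BPF_JLT | BPF_K, (dst), 0, (o), (v) }
#define JA_OFF(o)          { BPF_JMP | BPF_JA, 0, 0, (o), 0 }
#define EXIT_INSN          { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 }
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* The knobs that, per the post, change between kernel versions. */
struct verifier_model { const char *version; int max_insns; int allow_loops; };
static const struct verifier_model KERNEL_5_1 = { "5.1", 4096, 0 };
static const struct verifier_model KERNEL_5_3 = { "5.3", 1000000, 1 };
enum { UNVISITED, DISCOVERED, EXPLORED };
enum cfg_result { CFG_OK, CFG_BAD_SIZE = -1, CFG_BAD_LAST = -2, CFG_OUT_OF_RANGE = -3,
                  CFG_BACK_EDGE = -4, CFG_UNREACHABLE = -5 };

/* Control-flow successors of instruction t; returns how many were written. */
static int successors(const struct insn *in, int t, int out[2])
{
    if (BPF_CLASS(in->code) != BPF_JMP && BPF_CLASS(in->code) != BPF_JMP32) {
        out[0] = t + 1; return 1;                          /* ALU/load/store: fall through */
    }
    switch (BPF_OP(in->code)) {
    case BPF_EXIT: return 0;
    case BPF_CALL: out[0] = t + 1; return 1;               /* helper call resumes at t+1 */
    case BPF_JA:   out[0] = t + in->off + 1; return 1;     /* unconditional jump */
    default:       out[0] = t + 1; out[1] = t + in->off + 1; return 2;   /* conditional */
    }
}

/* Iterative DFS over the CFG, as check_cfg() does; err (may be NULL with errlen 0) gets the reason. */
static int check_cfg_model(const struct insn *prog, int len,
                           const struct verifier_model *vm, char *err, size_t errlen)
{
#define FAIL(code, ...) do { snprintf(err, errlen, __VA_ARGS__); ret = (code); goto out; } while (0)
    int n = len > 0 ? len : 1, sp = 0, loops = 0, ret = CFG_OK;
    int *state = calloc(n, sizeof *state);   /* UNVISITED / DISCOVERED / EXPLORED per insn */
    int *stack = calloc(n, sizeof *stack);   /* DFS stack of insn indices */
    int *edge  = calloc(n, sizeof *edge);    /* next successor to try, per stack frame */
    if (len <= 0 || len > vm->max_insns)
        FAIL(CFG_BAD_SIZE, "bad program size: %d insns (limit %d)", len, vm->max_insns);
    if (BPF_CLASS(prog[len - 1].code) != BPF_JMP && BPF_CLASS(prog[len - 1].code) != BPF_JMP32)
        FAIL(CFG_BAD_LAST, "last insn is not an exit or jmp");
    state[0] = DISCOVERED; stack[sp++] = 0;
    while (sp > 0) {
        int t = stack[sp - 1], succ[2] = { 0, 0 }, w;
        if (edge[sp - 1] >= successors(&prog[t], t, succ)) {   /* frame exhausted: retire it */
            state[t] = EXPLORED; sp--; continue;
        }
        w = succ[edge[sp - 1]++];
        if (w < 0 || w >= len)
            FAIL(CFG_OUT_OF_RANGE, "jump out of range from insn %d to %d", t, w);
        if (state[w] == DISCOVERED) {              /* w still on the stack: this edge closes a loop */
            if (!vm->allow_loops)
                FAIL(CFG_BACK_EDGE, "back-edge from insn %d to %d", t, w);
            loops++;                               /* recorded; boundedness is the second pass's job */
        } else if (state[w] == UNVISITED) {        /* EXPLORED would be a harmless cross edge */
            state[w] = DISCOVERED; edge[sp] = 0; stack[sp++] = w;
        }
    }
    for (int i = 0; i < len; i++)
        if (state[i] != EXPLORED)
            FAIL(CFG_UNREACHABLE, "unreachable insn %d", i);
    snprintf(err, errlen, "ok (%d loop%s left to the second pass)", loops, loops == 1 ? "" : "s");
out:
    free(state); free(stack); free(edge);
    return ret;
#undef FAIL
}

/* The post's bounded loop, hand-assembled: r6 counts 0..2 (the printk call is left out). */
static const struct insn bounded_loop[] = {
    MOV64_IMM(6, 0),     /* 0: r6 = 0 */
    ADD64_IMM(6, 1),     /* 1: r6 += 1 */
    JLT_IMM(6, 3, -2),   /* 2: if r6 < 3 goto insn 1  (the back-edge) */
    MOV64_IMM(0, 0),     /* 3: r0 = 0 */
    EXIT_INSN,           /* 4: exit */
};
static const struct insn dead_code[] = { MOV64_IMM(0, 0), EXIT_INSN, MOV64_IMM(0, 1), EXIT_INSN };
static const struct insn bad_jump[] = { JA_OFF(5), EXIT_INSN };

int main(void)
{
    char err[96];
    check_cfg_model(bounded_loop, LEN(bounded_loop), &KERNEL_5_1, err, sizeof err);
    printf("bounded_loop, kernel 5.1: %s\n", err);          /* back-edge: rejected */
    check_cfg_model(bounded_loop, LEN(bounded_loop), &KERNEL_5_3, err, sizeof err);
    printf("bounded_loop, kernel 5.3: %s\n", err);          /* loop recorded: ok */
    return 0;
}
```

Under the 5.1 model the search reaches the conditional jump at instruction 2 while instruction 1 is still on its stack and stops with "back-edge from insn 2 to 1"; the 5.3 model records the loop and hands the program on to the second pass. That is exactly the kind of version-dependent verdict the harness exists to surface without a matching kernel on the test machine, and the same model also reports the unreachable-instruction and out-of-range-jump cases that both versions reject.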
Categories: Security Posts

Forget the Gym – Start 2023 Right by Getting Your Digital Life in Shape

Webroot - Wed, 2023/01/04 - 20:02
The welcoming of a new year also welcomes the return of one of the most overused sayings in our shared lexicon: “New Year, New Me!” While there are countless overused resolutions like starting a workout regimen, the new year does provide an opportunity for additional self-improvement that most people never consider – bolstering cybersecurity protections.

If the beginning of the new year follows the trends of the last, there’s a good chance phishing will spike in the first four months of 2023. Rather than take a vacation to spend their holiday earnings, cybercriminals are using the new year as a prime opportunity to access bank accounts, install malicious software, and steal identities to commit fraud. These threats are especially prevalent as millions of people set up new devices, facilitate online shopping returns, and shop online with money and gift cards received throughout the holiday season.

Fortunately, through its new partnership with Allstate Identity Protection (AIP), Webroot will help you easily protect your devices, identity, and privacy. The partnership combines Webroot’s digital device protection with AIP, which shields the personal information and data you share online. Together, the two services offer multi-layer protection against cyber threats to protect your digital life.

Webroot Premium with AIP includes anti-virus protection for up to five devices, identity protection for one individual with up to $500,000 in fraud expense reimbursement*, up to $50,000 in stolen funds reimbursement*, and a password manager and secure browser for privacy. But the protection doesn’t stop there; additional benefits include:

Device protection:
  • Real-time anti-phishing, malware, and ransomware protection against emerging threats
  • Lightning-fast threat scans without interruption
  • Proactive alerts with firewall and network connection monitoring
  • Cleans devices and improves performance
Identity protection:
  • Dark web monitoring
  • Credit monitoring (one bureau)
  • Financial monitoring including account takeover alerts
  • Identity monitoring with identity health status updates
  • 24/7 U.S.-based identity restoration
Privacy protection:
  • Secure browser with alerts for malicious sites and apps
  • Deletes traces of online activity
As we kick off this new year, don’t sweat the gym or stress about a resolutions list. Start 2023 off right with comprehensive device and identity protection. To learn more, visit Webroot Premium with Allstate Identity Protection.

*Allstate Identity Protection Legal Disclaimer: Identity theft insurance covering expense and stolen funds reimbursement is underwritten by American Bankers Insurance Company of Florida, an Assurant company. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions, and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Product may be updated or modified. Certain features require additional activation.

The post Forget the Gym – Start 2023 Right by Getting Your Digital Life in Shape appeared first on Webroot Blog.
Categories: Security Posts
