Difference between revisions of "Open Source Security"

From MgmtWiki
Jump to: navigation, search
(Executive Order)
(An Example Exploit)
 
(38 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
==Context==
 
==Context==
 +
* There is an assertion of long standing that [[Open Source Software]] is more secure because of the "Many Eyes" that review the code and local all bugs.
 +
* Currently there is an effort to increase the content of [[Open Source Software]] in DoD software, which has very high security requirements.
 +
* The AF CIO appointed in 2022-05, Lauren Knausenberger, has reprised the "Many Eyes" assertion as<ref>Lauren C. Williams. ''Why the USAF's IT chief is 'bullish' on open source'' FCW (2022-05-11) https://fcw.com/security/2022/05/why-usafs-it-chief-bullish-open-source/366836/</ref><blockquote>The same concerns are there whether it's commercial software or open source. But if it's open source software, you have the power of the crowd looking at it and then you can also run your own tests internally because it is open code…you can redo the work yourself if you so choose, </blockquote>
 +
* Interestingly the DoD has access to the source of code like Microsoft Windows, which would also allow the DoD to "redo the work" of checking the security of the code.
 +
 +
==Executive Order==
 +
The White House [[Executive Order on Cybersecurity]] (2021-05-12)has its own wiki page.
 +
* It focused and several areas that had relevance to OSS.
 +
** Software Bill of Materials, which are available for very few OSS packages today. Developers are used to downloading modules on-the-fly and expect that to be a feature not a bug.
 +
** Requirement that all companies selling to the US Government use secure software development practices which are notably absent in the OSS hacker culture.
 +
* The was [https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security/ a White House Meeting with OSS community] on 2022-01-13. The discussion focused on three topics:
 +
# Preventing security defects and vulnerabilities, which is a challenge for developers who are not paid for their work.
 +
# Improving the process for finding and fixing defects, which the participants thought should focus on the most-used code, rather than the code that was shipping to the US government now (odd!)
 +
# Shortening the response time for distributing and implementing fixes, which is a challenge since no one knows where the defective code is being used.
 +
 +
==Problems==
 
* A common problem with code that was developed in closed, even secretive, environments was often buggy and of unknown quality.
 
* A common problem with code that was developed in closed, even secretive, environments was often buggy and of unknown quality.
 
* In fact code like OpenSSL had bugs that persisted for years before they were discovered and patched.
 
* In fact code like OpenSSL had bugs that persisted for years before they were discovered and patched.
 
* An [https://techcrunch.com/2021/07/18/the-end-of-open-source/ effort by the University of Minnesota] has shown that a determined long-term effort could subvert the entire Linux security model. 2021-07-18
 
* An [https://techcrunch.com/2021/07/18/the-end-of-open-source/ effort by the University of Minnesota] has shown that a determined long-term effort could subvert the entire Linux security model. 2021-07-18
==Executive Order==
 
The White House [[Executive Order on Cybersecurity]] has its own wiki page.
 
* It focused and several areas that had relevance to OSS.
 
** Software Bill of Materials, which come is almost no OSS today. Developers are used to downloading modules on-the-fly and expect that to be a feature not a bug.
 
** Requirement that all companies selling the the US Government use secure software development practices which are notably absent in thee OSS hacker culture.
 
*
 
 
==Problem==
 
 
Security problems can be created at development time and at production time. Both are considered here.
 
Security problems can be created at development time and at production time. Both are considered here.
 
* When the code is open sourced, any attacker can look deeply for bugs that other have not discovered.
 
* When the code is open sourced, any attacker can look deeply for bugs that other have not discovered.
* Must of the code that s created in the Open Source community is built with open source tools and libraries that may not have high security ratings.
+
* When contributors are solicited, anyone can offer to help. Generally, the motives of the contributors are not examined. With the advent of the Ukraine war, [https://www.wired.com/story/open-source-sabotage-protestware protest-ware is starting to inflect widely used packages].  "In some cases, open-source software has been modified to display anti-war overlays or other messages of solidarity with Ukraine. In at least one instance, though, a popular software package was modified to deploy a malicious data wiper on Russian and Belarusian computers. This wave of protests in open source comes just a couple of months after a seemingly unrelated incident in which a maintainer sabotaged two of his widely used open-source projects out of apparent frustration stemming from feeling overworked and under-compensated."
* Dev tools like gcc or even Powershell installed on production computers can make life easy for attackers. When dev tools are installed they typically come with many support tools that also help attackers.
+
* Must of the code that s created in the Open-Source community is built with open-source tools and libraries that may not have high security ratings.
* [https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html Open source User and Risk Analysis Report] published annually by Synopsys shows that in 2020 there were 528 open source components per App. And that 84% of OSS codebases carried some vulnerability. The more an industry depended on high-growth and OSS, the more likely they were to having vulnerabilities in their applications.
+
* Dev tools like GCC or even PowerShell installed on production computers can make life easy for attackers. When dev tools are installed, they typically come with many support tools that also help attackers.
 +
* [https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html Open-source User and Risk Analysis Report] published annually by Synopsys shows that in 2020 there were 528 open-source components per App. And that 84% of OSS codebases carried some vulnerability. The more an industry depended on high-growth and OSS, the more likely they were to having vulnerabilities in their applications.
 +
* The "[https://www.wired.com/story/lo4j-ftc-vulnerability/ The FTC Wants Companies to Find Log4j Fast. It Won't Be Easy]" article makes it clear that no one really knew the full extent of their exposure to vulnerabilities in open-source code after this was reported. But in February 2022 a [https://www.nextgov.com/cybersecurity/2022/02/new-cyber-safety-board-pivots-tackle-log4j-vulnerabilities/361626/ New Cyber Safety Board Pivots to Tackle log4j Vulnerabilities] (2022-02-04) in NextGov.
 +
===An Example Exploit===
 +
The unreferenced quotes in the section come from the CISA Safety Review<ref>CISA Safety Review Board, ''Review of the December 2021 Log4j Event'' DHS CISA (2022-07-11)
 +
https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf</ref> in July 2022, also see the wiki page on the [[Executive Order on Cybersecurity]] <blockquote>The infrastructure on which we rely daily has become deeply interconnected through the use of shared communications, software, and hardware, making it susceptible to vulnerabilities on a global scale. While the computing industry is maturing, our ability to handle risk and incidents in our digital ecosystems is not keeping pace. To address this gap, and to begin driving necessary systemic improvements, President Biden directed the establishment of the Cyber Safety Review Board (CSRB, or the Board) to review significant cyber incidents and provide “advice, information, or recommendations for improving cybersecurity and incident response practices and policy.”</blockquote>
 +
* Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. Version2 was released in the Apache Logging Service under the ownership of the Apache Software Foundation. In 2013  the Log4j team accepted a community-submitted feature intended to ease data storage and retrieval called “JNDI [Java Naming and Directory Interface™]  On 2021-12-09, a zero-day vulnerability involving arbitrary code execution in this addition was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell".<ref>What's the Deal with the Log4Shell Security Nightmare?". Lawfare. (2021-12-10) https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare</ref> After that more vulnerabilities were discovered in Log4j It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade".<ref>"Recently uncovered software flaw 'most critical vulnerability of the last decade'". The Guardian 2021-12-11 https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell</ref> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 CVE-2021-44832] is the fourth attempt at a fix by Apache.
 +
* Still this code is deeply embedded in many products which may not even be aware of their dependency on it. The CISA Cyber Safety Review Board release on 2022-97-11 a [https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf Review of the December2021 Log4j Event] that told us that "vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer."
 +
* The major take-away is that we cannot assume that open-source code is more secure just because it is open-sourced and widely deployed.
 +
* Without complete [[SBOM|Software Bill of Materials]] this will be a recurrent problem as more implementations embedding open-source code are seen to have unsuspected embeds.
  
 
==Development Solutions==
 
==Development Solutions==
Line 79: Line 96:
  
 
==References==
 
==References==
 +
<references />
 +
===Other Material===
 
* For details on OSS and FOSS see the wiki page [[Open Source Software]].
 
* For details on OSS and FOSS see the wiki page [[Open Source Software]].
  
 
[[Category: Profile]]
 
[[Category: Profile]]
 
[[Category: Best Practice]]
 
[[Category: Best Practice]]

Latest revision as of 12:13, 2 August 2022

Full Title or Meme

Open Source Security technically applies to all software where the source code is available. In practice it typically means software that is developed using open source libraries and tools.

Context

  • There is an assertion of long standing that Open Source Software is more secure because of the "Many Eyes" that review the code and local all bugs.
  • Currently there is an effort to increase the content of Open Source Software in DoD software, which has very high security requirements.
  • The AF CIO appointed in 2022-05, Lauren Knausenberger, has reprised the "Many Eyes" assertion as[1]
    The same concerns are there whether it's commercial software or open source. But if it's open source software, you have the power of the crowd looking at it and then you can also run your own tests internally because it is open code…you can redo the work yourself if you so choose,
  • Interestingly the DoD has access to the source of code like Microsoft Windows, which would also allow the DoD to "redo the work" of checking the security of the code.

Executive Order

The White House Executive Order on Cybersecurity (2021-05-12)has its own wiki page.

  • It focused and several areas that had relevance to OSS.
    • Software Bill of Materials, which are available for very few OSS packages today. Developers are used to downloading modules on-the-fly and expect that to be a feature not a bug.
    • Requirement that all companies selling to the US Government use secure software development practices which are notably absent in the OSS hacker culture.
  • The was a White House Meeting with OSS community on 2022-01-13. The discussion focused on three topics:
  1. Preventing security defects and vulnerabilities, which is a challenge for developers who are not paid for their work.
  2. Improving the process for finding and fixing defects, which the participants thought should focus on the most-used code, rather than the code that was shipping to the US government now (odd!)
  3. Shortening the response time for distributing and implementing fixes, which is a challenge since no one knows where the defective code is being used.

Problems

  • A common problem with code that was developed in closed, even secretive, environments was often buggy and of unknown quality.
  • In fact code like OpenSSL had bugs that persisted for years before they were discovered and patched.
  • An effort by the University of Minnesota has shown that a determined long-term effort could subvert the entire Linux security model. 2021-07-18

Security problems can be created at development time and at production time. Both are considered here.

  • When the code is open sourced, any attacker can look deeply for bugs that other have not discovered.
  • When contributors are solicited, anyone can offer to help. Generally, the motives of the contributors are not examined. With the advent of the Ukraine war, protest-ware is starting to inflect widely used packages. "In some cases, open-source software has been modified to display anti-war overlays or other messages of solidarity with Ukraine. In at least one instance, though, a popular software package was modified to deploy a malicious data wiper on Russian and Belarusian computers. This wave of protests in open source comes just a couple of months after a seemingly unrelated incident in which a maintainer sabotaged two of his widely used open-source projects out of apparent frustration stemming from feeling overworked and under-compensated."
  • Must of the code that s created in the Open-Source community is built with open-source tools and libraries that may not have high security ratings.
  • Dev tools like GCC or even PowerShell installed on production computers can make life easy for attackers. When dev tools are installed, they typically come with many support tools that also help attackers.
  • Open-source User and Risk Analysis Report published annually by Synopsys shows that in 2020 there were 528 open-source components per App. And that 84% of OSS codebases carried some vulnerability. The more an industry depended on high-growth and OSS, the more likely they were to having vulnerabilities in their applications.
  • The "The FTC Wants Companies to Find Log4j Fast. It Won't Be Easy" article makes it clear that no one really knew the full extent of their exposure to vulnerabilities in open-source code after this was reported. But in February 2022 a New Cyber Safety Board Pivots to Tackle log4j Vulnerabilities (2022-02-04) in NextGov.

An Example Exploit

The unreferenced quotes in the section come from the CISA Safety Review[2] in July 2022, also see the wiki page on the Executive Order on Cybersecurity
The infrastructure on which we rely daily has become deeply interconnected through the use of shared communications, software, and hardware, making it susceptible to vulnerabilities on a global scale. While the computing industry is maturing, our ability to handle risk and incidents in our digital ecosystems is not keeping pace. To address this gap, and to begin driving necessary systemic improvements, President Biden directed the establishment of the Cyber Safety Review Board (CSRB, or the Board) to review significant cyber incidents and provide “advice, information, or recommendations for improving cybersecurity and incident response practices and policy.”
  • Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. Version2 was released in the Apache Logging Service under the ownership of the Apache Software Foundation. In 2013 the Log4j team accepted a community-submitted feature intended to ease data storage and retrieval called “JNDI [Java Naming and Directory Interface™] On 2021-12-09, a zero-day vulnerability involving arbitrary code execution in this addition was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell".[3] After that more vulnerabilities were discovered in Log4j It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade".[4] CVE-2021-44832 is the fourth attempt at a fix by Apache.
  • Still this code is deeply embedded in many products which may not even be aware of their dependency on it. The CISA Cyber Safety Review Board release on 2022-97-11 a Review of the December2021 Log4j Event that told us that "vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer."
  • The major take-away is that we cannot assume that open-source code is more secure just because it is open-sourced and widely deployed.
  • Without complete Software Bill of Materials this will be a recurrent problem as more implementations embedding open-source code are seen to have unsuspected embeds.

Development Solutions

The Supply Chain must be fully documented so that software builds and audits can both succeed in improving security of the software packing to be delivered to the production machine.

  • Make itself is fine. make is merely a dependency tracking and automation framework. It is typically used in conjunction with compilers, though, and those preferrably should not be available on a production system, as they're completely un-necessary. The same holds true for all un-needed packages, whether those be shared libraries, interpreters, etc.

Production Solutions

Configuration of Solution

Configuration of Server

Some people will argue that the presence of development tools on a production machine will make life easier for an attacker. This however is such a tiny roadbump to an attacker, that any other argument you can find for or against installing the development tools will weigh more.

If an attacker was able to penetrate the system so far, that they could invoke whatever tools are present on the server, then you already have a serious security breach. Without development tools there are many other ways to write binary data to a file and then run a chmod on that file. An attacker wanting to use a custom build executable on the system at this point could just as well build that on their own machine and transfer it to the server.

There are other much more relevant things to look out for. If an installed piece of software contains a security bug, there is a few ways it could be exposed to an attacker:

  • The package could contain a suid or sgid executable.
  • The package could be starting services on the system.
  • The package could install scripts that are invoked automatically under certain circumstances (this includes cron jobs, but scripts could be invoked by other events for example when the state of a network interface changes or when a user logs in).
  • The package could install device inodes.
  • I would not expect development tools to match one of the above, and as such is not a high risk package.

If you have workflows in which you would make use of the development tools, then you first have to decide whether those are reasonable workflows, and if they are, you should install the development tools.

If you find that you don't really need those tools on the server, you should refrain from installing them for multiple reasons:

  • Saves disk space, both on the server and on backups.
  • Less installed software makes it easier to track what your dependencies are.
  • If you don't need the package, there is no point in taking the additional security risk from having it installed, even if that security risk is tiny.

If you decide that for security reasons, you won't allow unprivileged users to put their own executabels on the server, then what you should avoid is not the development tools but rather directories writable to those users on file systems mounted with execute permissions. There may still be a use for development tools even under those circumstances, but it is not very likely.

Other Projects

DARPA Open Source

Many branches of the US military are interested in open source.

NSA Open Source

The National Security Agency | Open Source Software & The Ghidra decompiler project, an interview of Jacob & Emily from the agency’s community team, as well as a software developer from the open source decompiler project Ghidra.

While most of what the NSA does is top secret, they actually have 40 open source projects and an active community team and public education programs. We talked about how they support open source at the NSA, cybersecurity, career paths in technology, learning new skills, and our tech origin stories.

Links mentioned in this episode:

Links related to this episode

References

  1. Lauren C. Williams. Why the USAF's IT chief is 'bullish' on open source FCW (2022-05-11) https://fcw.com/security/2022/05/why-usafs-it-chief-bullish-open-source/366836/
  2. CISA Safety Review Board, Review of the December 2021 Log4j Event DHS CISA (2022-07-11) https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  3. What's the Deal with the Log4Shell Security Nightmare?". Lawfare. (2021-12-10) https://www.lawfareblog.com/whats-deal-log4shell-security-nightmare
  4. "Recently uncovered software flaw 'most critical vulnerability of the last decade'". The Guardian 2021-12-11 https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell

Other Material