huzaifas

Rootconf is a professional conference on security and systems and this was their first time in pune. I chose to spoke about TLS 1.3 and also did a BoF on fuzzing.

Rootconf is typically a single track conference, which means that everyone has only one talk to go to at a time. This was my first time i spoke at a single track event. My talk was the first one in the day. I started with talking about the importance of SSL/TLS , then talked about few of the security flaws, described key difference between TLS 1.3 and its previous versions and ended with lot of questions. Eventually ran out of time with people catching me in the hallway to ask tons of questions ranging from security, asking how Red Hat identifies, fixesflaws etc to people even asking if we have vacancies at Red Hat.

The second talk was about automating security workflow using docker. This was given by a security engineer from appsec, and had some important points about how he conducted pentesting and how bits of it  can be automated.

Next two talks were by devops engineers from a company called Hotstar. Hotstar is a disney company and deals with streaming TV/sports/movies etc via their app. They talked about how during the recent cricket world cup the number of peak connections increased to 24 million and it used 70% of all AV bandwidth available to India. The talks were interesting,since they spoke about how they scale their infra at this massive level.

The digital skimming talk mainly spoke about how attackers can use a combination of social engineers and web app flaws to hack mainly e-commerce websites, spoke about recent attacks and what protections can be used.

Post-lunch, there was a talk on using DNS as a layer of defense. The talk was mainly on using RPZ zones in bind etc to stop malicious domains inside the DNS server itself and to create a firewall filtering only DNS contents, not on the network layer but on the DNS application layer. The talk about briefly described the DNS over HTTPS initiative by Mozilla.

I took a BoF later in the day on fuzzing. However it turned out more to be a talk, since i did most of the talking. Spoke about my experiences with fuzzing and how one could get started.

There were a few talks about that, but i was not feeling too well, so i left. Overall the conference turned out to be a great experience and being a first of its kind (serious security talks, rather than hacking android phones) was good as well.

I attended the annual Fedora Flock conference this year at Budapest, and has been one of the most productive conferences so far. Here is a brief trip report.

Day 1:
Mathew Miller, Fedora Project Leader gave a brief key note about how Fedora was generally doing with his usual graphs to show download stats per version. This was followed by a talk on how functional teams work and how to convert a failing team to a functional team. There was been a trend in flock for a few years now to get someone to give an inspirational or a some kind of management talk to contributors.

Two people from Facebook spoke about Fedora deployment in facebook. Seems like they replaced most of the Ubuntu desktops with Fedora which seems like a big win to me. Being the person who designed/worked internal builds used in Red Hat i totally synced with they were saying including the hurdles etc they faced.

Post lunch, there were back to back sessions of podman, buildah and skopeo. Sadly Dan Walsh could not come, because his tickets were from India and he had issues with getting an Indian visa. Talks were taken by Valentin and took a deep technical dive into the above 3 tools. Talking about features which are normally not used but quite useful, how they
work and several advance features as well. Overall extremely useful, It would be nice to have Dan hear about them, but Valentin did good work as well.

Dominik spoke about packaging horror's which i totally relate to, because i have seem some horribly packaging with RHEL packages as well

Day 2:
Denise Dumas gave a talk called "Fedora, Red Hat and IBM". Her aim was to get across the whole idea across to Fedora contributors that, post acquisition "Red Hat is still Red Hat" and therefore "Fedora will still be Fedora".

After that Brenden Conoboy, Paul Frields, Denise Duman and Aleksandra Fedorova spoke about how rhel-8 was different from Fedora and discuss other details about rhel-8. They also mentioned that Red Hat is trying to ensure that we release a major version of RHEL every 3 years.

Post lunch, i gave my talk on "State of Fedora Security". I gave them a demo of security review tool which we use internally to conduct automated security review. This tool is based on Fedora review
(https://pagure.io/FedoraReview) tool and told them that we will contribute the patches upstream soon.

There was a lot of interest and excitement on seeing the demo. After the talk, it lead to a discussion specially with folks from FESCO.

I attended a few talks on Fedora Silverblue and flatpaks which looking at the way things are going, may very well be the default fedora desktop soon

Last talk of the day were a few students from India, talking how it was difficult for students in developing nations to contribute to Fedora and get their universities to give them credits for the same.

Day 3 and 4:
I was a lot relaxed since my talk was done. So i attended a talk by GSoc and outreachy students, where they talked about various projects they were doing for Fedora.

Post lunch i attended the Packit work shop. (https://packit.dev/) Packit is a tool for packaging upstream projects. And spoke to a few devels specially talking about flatpaks, rpm-ostree and security around these products. Day 3 ended with a walking tour of Budapest.

Last day, i attended a talk on "Automatic Bug reporting for dummies" where they discussed abrt, faf, and retrace server.
Post lunch there was a panel discussion with FESCO, i asked questions about several concerns of mine specially the ones related to:

https://pagure.io/fesco/issue/1935
https://fedoraproject.org/wiki/Changes/HardenedCompiler


The conference ended with a quick wrap up session.

Overall an extremely productive conference.

As i mentioned in my previous blog post, the Fedora project sponsored me to attend and talk in Flock this year in August in the beautiful city of Prague, here is a short report of how it went:

Day 1:
Flock started with a short welcome address by Fedora project leader Mathew Miller, followed by a keynote address from Gijs Hillenius, who is a journalist. He spoke about the adoption of Free and Open Source software in Europe. He also discussed the various hurdles faced in acceptance of open source software by various administrative agencies. After this i attended a talk on Fedora QA,  which ended with some information about what to do if any one was interested in joining. After lunch Mathias Clasen spoke about Wayland which is progressing quite well, it seems Fedora 21 would ship with Wayland, though not enabled by default, because a lot of work is still on-going. There were two kernel talks after that, one of them was by Josh Boyer.  I asked about including grsec patches into the kernel, and josh replied that it could very well end up in a copr repository, but not the main fedora kernel.

Day 2:
The second day started with a talk by Stephen Gallagar about the fedora server spin in upcoming fedora 21. I particularly like RoleKit. He also gave a demo about cockpit, sounds pretty interesting. Adam Williamson spoke about UEFI after that, i had a few question about secure boot, which Peter Jones answered. The Novena project spoke about building a laptop from scratch after that, though i was not particulary interested in knowing!. After lunch there was a Q&A session with FESCo, they tried to answer how it works on a day to day basis and how decisions are usually taken. The day ended with a session on docker.

Day 3:
The first talk on the third day was Arun SAG talking about Docker. Dennis Gilmore gave an excellent presentation about Fedora infrastructure. Second half of the day i looked at 3D printing and then ended up in the Package Review hackfest. Sadly almost everyone there was either a proven packager or a FPL member, there was no one who needed sponsorship. Though i spent that time in trying to update some of the packages i maintain to their newer upstream versions, so i did end up doing packaging during that time :)

Day 4:
I gave a talk on "Secure Programming Practices". It was well attended, though i feel i should have started a bit late, because most of the people were tired after dancing most of the night before that. There were some pretty good questions asked and i tried to answer the best i could, there is a youtube video available here. After that Michael spoke about Security Audit, he gave a few interesting examples how upstream failed to respond to him, untll he made the issue public. Kamil spoke about using static analyzers in Fedora. His csmock tool seems to be just a wrapper around some of the static analyzers available like cppcheck and clang, however he has some big plans of integrating it with bodhi and even making it available as a hosted solution in the near future. Should be really interesting to watch what happens. There were two fedora.next related workshops after that, i only briefly sat for them, but rather used that time to talk with other contributors and my fellow Red Hat collegaues whom i speak with on irc. It was nice to put faces on those irc nicks and email addresses!

All in all, flock was pretty good, my only complain the scheduling. There were multiple talks on Fedora next and people eventually lost interest. Some of the popular talks were full, if they were put in a bigger room, more people could take part.

I am going to talk about Security at Flock 2014 in Prague. My talk will start with a focus on developers and discuss common programming pitfalls in C code. Giving examples of actual security flaws found in opensource code, including the famous "heartbleed" and the ways these could be fixed and even avoided. I will them try to shift focus a bit and talk about how package maintainers, QE and even Fedora users can make a difference at the overall security of the operating system.

So if you are interested in how we keep fedora secure and are in prague on 9th August, drop by and say hello!

Some time back, i got an opportunity to teach Application Security, to an online Graduate level class in India. In my knowledge this is the first and perhaps the only course which teaches you open source technology. Topics in the course range from web languages, databases to even mobile and cloud. Classes are conducted online via web conferencing. Students can ask questions and gets their doubts cleared and the semesters end with a project. I would really recommend this course to any one in India who want to make a career in open source.
More details available at:
http://cde.annauniv.edu/MSCFOSS/

Hi,

I just wrote a blog post on TLS, details at:

http://securityblog.redhat.com/2013/07/24/transport-layer-security/

Enjoy!!!!

I was thinking of writing this list down for some time, for various reasons including record-keeping.
(I took me some time to remember all of the flaws which i had found!)
For my $DAYJOB i work for the Red Hat Security Response Team. But i like to do some of my own
security research in my time off. All of the flaws listed here were reported ethically. They have been
found by using various techniques such as code auditing, fuzzing, static analysis etc.

Product	Date	Reference	Flaw type	More info
wireshark	09-Feb-2011	CVE-2011-0538	Memory corruption	link
wireshark	03-March-2011	CVE-2011-1139	Memory corruption	link
wireshark	31-May-2011	CVE-2011-1958	Null pointer deref.	link
wireshark	31-May-2011	CVE-2011-1959	Memory corruption	link
wireshark	31-May-2011	CVE-2011-2175	Memory corruption	link
flash-plugin	21-Sept-2011	CVE-2011-2428	logic error	link
libreoffice	05-Oct-2011	CVE-2011-2713	Memory corruption	link1 link2
wireshark	01-Nov-2011	CVE-2011-4102	Memory corruption	link
Openjpeg	24-Aug-2012	CVE-2012-3535	Memory corruption	link
libtiff	07-July-2012	CVE-2012-3401	Memory corruption	link

A few days back while investigating a particular security flaw, i discovered something about glibc's FORTIFY_SOURCE format string protection which i did not know earlier.

Most developers (at least some of them), seem to think that if a program is compiled with fortify_source enabled, it was protected against, any format string flaw, This however is not completely true, a lot of glibc functions in fact are not protected. One example is the warn() function.

As per the man page:

The  err() and warn() family of functions display a formatted error message on the standard error output.  In all cases, the last component of the program name, a colon character, and a space are output.  If the fmt argument is not  NULL,  the  printf(3)-like formatted error message is output.  The output is terminated by a newline character.

Both err() and warn() and other functions described in that man page, take printf() like "formatted" data as its input. And since its not protected by FORTIFY_SOURCE, something like warn(message) could be exploited.

There may be other glibc functions which take formatted user-arguement, and are not protected as well. I leave finding this as an excercise for the reader :)

In the mean time the following bugs were filed:

1. glibc upstream
2. Red Hat Bugzilla

Sorry for not blogging  for a long time now. I had promised to myself that i will blog regularly but just could not make it :(

Anyways, Myself and my colleague Eugene Teo are going to speak at the upcoming FUDCon in Pune about open-source security. We will cover the basics of how software security works, and how vendors like Red Hat go about fixing things.

Since the conference is going to be conducted in a college, we expect most of the audience to be students, hence the presentation is going to be pretty simple and straight forward, nothing too fancy :)

If you are really interested in learning something or just want to meet me or Eugene, then be there :)

For some days now i have been trying to port kernel code from linux-2.6/drivers/media/video/v4l1-compat.c to libv4l1 which is a part of v4l-utils.
Initially i thought this would be a manual process, just trying to copy paste stuff from one place to another and make sure things are indented correctly. But it turned out to be a whole new learning experience for me.
Firstly i learnt how things are differently handled in userspace and kernel space, like the kernel has limited stack size, so if you are using a struct, you declare that as a pointer and kmalloc memory for it, so that when its pushed on the stack, only the pointer is pushed. However userspace does not have that limitations.

So around 10/12 ioctl ports later, i finished doing it and now we are ready to do some testing and perhaps deprecate
v4l1-compat driver in the kernel.

As always thanks a lot to Hans de Goede for guiding and helping me on this.