In this podcast episode of Security Headlines our host talks with Kristaps Dzonsons, a long time
OpenBSD user, writer of beautiful software and deep water diver.
We cover a lot of software development, security, the BSD space and of course diving.
Enjoy the episode here:
Join us in this episode as we walk throw the jungles of security, programming, BSD, diving and a lot more!
Security is something that is very hard, we are all human and mistakes happen.
In 2014 at a EuroBSD conference, Kristaps
gave a great talk about what we should think about when we want to
produce safe code.
One of the things he highlights is that ideally, we should:
* Write defensive code, use a team of code auditors, QA
* Use up-to-date, audited libraries with a history of attention to security
* use a language with formal underpinnings and proof of correctness
* run on systems supporting your defensive strategy
And while we’re at it, we might as well ride our unicorns to work.
Unfortunately this workflow is not yet adopted. But since the tools are getting
smarter and smarter, more and more people are adopting fuzzing and the ecosystem is evolving.
There is a lot of reasons to be optimistic about the future!
One thing we can do to make our programs a bit safer is to look at each
part of the program and ask ourselves, does this part really need
privileges to do these things? Luckily a great new innovation from OpenBSD comes riding
in like a knight in shine armor, like a hero in a medieval movie.
And its name is Pledge, pledge allows your program to easily predefine the access rights it
needs and if it breaks the promise, the process dies.
It’s an easy to use way to approach the entire Mandatory Access Control swamp…
Mandatory Access Control
Mandatory Access Control is a way to provide more security for a program.
You basically write a ruleset for what your application is allowed to do.
In theory, this is great, because if a process is only allowed to read files, it can not be
manipulated to download some malicious and scary virus because it’s only allowed to do one thing.
Several systems have been created that do this such as Selinux, sandbox init, systrace and a lot more.
Unfortunately, these programs are very hard to use, you have to spend a lot of time writing
and learning how to adapt the configuration files in order to get it to work :/
Luckily there is a simpler approach to do this. Let’s talk about Pledge!
Originally implemented as Tame in OpenBSD, but rebranded as Pledge in OpenBSD’s 5.9 release.
Pledge makes security a lot easier for the developer! If you want a function you have to
only have the privileges of being able to open files or something similar. Pledge makes it super-easy for
you as a developer to in 3 lines of code, in order to only allow a function to do what its suppose to do and
nothing more, so when attackers come and manipulate your function to do other things, Pledge comes riding in
and kills the process, no questions asked!
Kristaps has implemented both Tame and Pledge into production and we get to hear his advice
on how to do it.
Pledge adoption is growing and growing, and you can use it with a large number of programming
languages. Just search for pledge and the programming language of your choice and someone has
most likely made a library for it.
Another good tool to have in your belt is a newer one called unveil.
Unveil fools your program to think that the only file paths and directories
that exists are the once you tell the program exists.
This is great when you don’t want a program that handles untrusted input to have access to
your password files or all your vacation photos that you are supposed to make a backup of
soon. Kristaps has implemented unveil in some of his programs as well, such as in rsync
where you download a file from the internet as the root user. Then unveil can magically
make all the directories except the download directory accessible to your program.
It’s not every day we have a photographer and deep water diver that has over 10 years of experrience
of scuba diving in the trunk.
So we of course had to dive into this topic as well.
Going below land and into the water is something we sometimes forget about.
The deepwater is not only home to big shipwrecks, amazing sea life but also a
great place to be. You put on a diver’s mask and jump into the waters, your body is adapting
to the temperature. The mammalian diving reflex kicks in!
You are absorbing less oxygen and your heart rate goes down and everything goes slower, more peaceful
and more space for awareness.
What you should bring from this episode is:
If you make software: make sure your program does what it is supposed to do and not more.
Use pledge and even try to use unveil, it will make your users life so much better
and last but not least go diving!
ps. We also cover using C for web applications, kcgi which is amazing and can be used for a lot of things such as hacking a way to adding support for http reverse proxy in httpd, as yours truly, do.