Security: WireGuard, SafeBreach and More

Filed under
Security
  • WireGuard Snapshot `0.0.20191012` Available
    
    Hello,
    
    A new snapshot, `0.0.20191012`, has been tagged in the git repository.
    
    Please note that this snapshot is a snapshot rather than a final
    release that is considered secure and bug-free. WireGuard is generally
    thought to be fairly stable, and most likely will not crash your
    computer (though it may).  However, as this is a snapshot, it comes
    with no guarantees; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    
    == Changes ==
    
      * qemu: bump default version
      * netns: add test for failing 5.3 FIB changes
      
      Kernels 5.3.0 - 5.3.3 crash (and are probably exploitable) via this one liner:
      
      unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'
      
      We fixed this upstream here:
      
      https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26
      
      This is relevant to WireGuard because a very similar sequence of commands is
      used by wg-quick(8).
      
      So, we've now added some tests to catch this code path in the future. While
      the bug here was a random old use-after-free, the test checks the general
      policy routing setup used by wg-quick(8), so that we make sure this continues
      to work with future kernels.
      
      * noise: recompare stamps after taking write lock
      
      We now recompare counters while holding a write lock.
      
      * netlink: allow preventing creation of new peers when updating
      
      This is a small enhancement for wg-dynamic, so that we can update peers
      without re-adding them if they've already been removed.
      
      * wg-quick: android: use Binder for setting DNS on Android 10
      
      wg-quick(8) for Android now supports Android 10 (Q). We'll be releasing a new
      version of the app for this later today.
    
    This snapshot contains commits from: Jason A. Donenfeld and Nicolas Douma.
    
    As always, the source is available at https://git.zx2c4.com/WireGuard/ and
    information about the project is available at https://www.wireguard.com/ .
    
    This snapshot is available in compressed tarball form here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.xz
      SHA2-256: 93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
      BLAKE2b-256: d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56
    
    A PGP signature of that file decompressed is available here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.asc
      Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
    
    If you're a snapshot package maintainer, please bump your package version. If
    you're a user, the WireGuard team welcomes any and all feedback on this latest
    snapshot.
    
    Finally, WireGuard development thrives on donations. By popular demand, we
    have a webpage for this: https://www.wireguard.com/donations/
    
    Thank you,
    Jason Donenfeld
    
  • WireGuard 0.0.20191012 Released With Latest Fixes

    WireGuard is still working on transitioning to the Linux kernel's existing crypto API as a faster approach to finally make it into the mainline kernel, but for those using the out-of-tree WireGuard secure VPN tunnel support, a new development release is available.

  • SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

    Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 4.1.4.2827 is affected by what SafeBreach found.

    In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as "NT AUTHORITY\SYSTEM," it is afforded extremely powerful permissions that give it wide access.

    "The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass Signature Validation Bypassing," Hadar wrote.

    [...]

    The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users' systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.

  • Security Tool Sprawl Reaches Tipping Point
  • How trusted digital certificates complement open source security

    Application developers incorporating open source software into their designs may only discover later that elements of this software have left them (and their customers) exposed to cyber-attacks.

  • Securing the Container Supply Chain

More in Tux Machines

Python Programming and This Week in Rust

  • Adding Notifications to Long-Running Jupyter Notebook Cells

    If you use Jupyter Notebook to run long-running processes, such as machine learning training, then you would probably like to know when the cell finishes executing. There is a neat browser plugin that you can use to help solve this issue called jupyter-notify. It will allow you to have your browser send a pop-up message when the cell finishes executing.

  • #100DaysOfCode, Day 015 – Quick and Dirty Web Page Download

    I wanted to write a program that would just get the latest comic from turnoff.us and save the picture to a file.

  • Mozilla and Chan Zuckerberg Initiative to support pip
  • Creating Palindromes -- if possible -- from a string of letters.

    I don't like the idea of Union[str, int] as a return type from this function. Yes, it's valid Python, but it seems like a code smell. Since the intent is to build lists, a None would be more sensible than a number; we'd have Optional[str] which seems better overall. The solution that was posted was interesting. It did way too much work, but it was acceptable-looking Python. (It started with a big block comment with "#" on each line instead of a docstring, so... there were minor style problems, but otherwise, it was not bad.)

  • Functional programming design pattern: Nested Iterators == Flattening

    Here's a functional programming design pattern I uncovered. This may not be news to you, but it was a surprise to me. It cropped up when looking at something that needs parallelization to reduce the elapsed run time.

  • List Comprehensions in Python

    A list is one of the fundamental data types in Python. Every time you come across a variable name that's followed by a square bracket [], or a list constructor, it is a list capable of containing multiple items, making it a compound data type. Similarly, it is also a breeze to declare a new list and subsequently add one or more items to it.

  • Python if else demo

    A simple kata from codewars will show us how to use the if-else statement in Python. The wide mouth frog is particularly interested in the eating habits of other creatures. He just can't stop asking the creatures he encounters what they like to eat. But then he meets the alligator who just LOVES to eat wide-mouthed frogs! When he meets the alligator, it then makes a tiny mouth.

  • This Week in Rust 315

    Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

Kernel: LWN Articles (Outside Paywall Today), F2FS and BPF

  • LSM stacking and the future

    The idea of stacking (or chaining) Linux security modules (LSMs) goes back 15 years (at least) at this point; progress has definitely been made along the way, especially in the last decade or so. It has been possible to stack "minor" LSMs with one major LSM (e.g. SELinux, Smack, or AppArmor) for some time, but mixing, say, SELinux and AppArmor in the same system has not been possible. Combining major security solutions may not seem like a truly important feature, but there is a use case where it is pretty clearly needed: containers. Longtime LSM stacker (and Smack maintainer) Casey Schaufler gave a presentation at the 2019 Linux Security Summit Europe to report on the status and plans for allowing arbitrary LSM stacking. LSMs allow adding more restrictions to Linux than those afforded by the traditional security policies. For the most part, those policies reflect the existing mechanisms, such as permissions bits on files. But there are also other security concerns, such as binding to a network socket, that are outside of the usual permissions, so mechanisms to restrict access to them have been added to the LSM interface.

  • Some near-term arm64 hardening patches

    The arm64 architecture is found at the core of many, if not most, mobile devices; that means that arm64 devices are destined to be the target of attackers worldwide. That has led to a high level of interest in technologies that can harden these systems. There are currently several such technologies, based in both hardware and software, that are being readied for the arm64 kernel; read on for a survey on what is coming.

  • Keeping memory contents secret

    One of the many responsibilities of the operating system is to help processes keep secrets from each other. Operating systems often fail in this regard, sometimes due to factors — such as hardware bugs and user-space vulnerabilities — that are beyond their direct control. It is thus unsurprising that there is an increasing level of interest in ways to improve the ability to keep data secret, perhaps even from the operating system itself. The MAP_EXCLUSIVE patch set from Mike Rapoport is one example of the work that is being done in this area; it also shows that the development community has not yet really begun to figure out how this type of feature should work.

    MAP_EXCLUSIVE is a new flag for the mmap() system call; its purpose is to request a region of memory that is mapped only for the calling process and inaccessible to anybody else, including the kernel. It is a part of a larger address-space isolation effort underway in the memory-management subsystem, most of which is based on the idea that unmapped memory is much harder for an attacker to access.

    Mapping a memory range with MAP_EXCLUSIVE has a number of effects. It automatically implies the MAP_LOCKED and MAP_POPULATE flags, meaning that the memory in question will be immediately faulted into RAM and locked there — it should never find its way to a swap area, for example. The MAP_PRIVATE and MAP_ANONYMOUS flags are required, and MAP_HUGETLB is not allowed. Pages that are mapped this way will not be copied if the process forks. They are also removed from the kernel's direct mapping — the linear mapping of all of physical memory — making them inaccessible to the kernel in most circumstances.

    The goal behind MAP_EXCLUSIVE seems to have support within the community, but the actual implementation has raised a number of questions about how this functionality should work. One area of concern is the removal of the pages from the direct mapping. The kernel uses huge pages for that mapping, since that gives a significant performance improvement through decreased translation lookaside buffer (TLB) pressure. Carving specific pages out of that mapping requires splitting the huge pages into normal pages, slowing things down for every process in the system. The splitting of the direct mapping in another context caused a 2% performance regression at Facebook, according to Alexei Starovoitov in October; that is not a cost that everybody is willing to pay.

    Elena Reshetova indicated that she has been working on similar functionality; rather than enhancing mmap(), her patch provides a new madvise() flag and requires that the secret areas be a multiple of the page size. Her version will eventually wipe any secret areas before returning the memory to general use in case the calling process doesn't do that.
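    As an added example (not code from the patch set or from LWN), the block below emulates on a stock Linux kernel the parts of the MAP_EXCLUSIVE semantics that existing interfaces already provide: a private, anonymous, locked and pre-faulted mapping that a forked child does not inherit and that is excluded from core dumps, wiped before release as Reshetova's variant would do. The removal from the kernel's direct mapping is exactly what these calls cannot do; the function names `secret_alloc`, `secret_free` and `secret_roundtrip` are this example's own.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Allocate a secret buffer using only mainline interfaces.  MAP_EXCLUSIVE is
 * an out-of-tree proposal, so this approximates it: MAP_LOCKED | MAP_POPULATE
 * keep the pages resident and out of swap, MAP_PRIVATE | MAP_ANONYMOUS match
 * the flags MAP_EXCLUSIVE requires, MADV_DONTFORK keeps the pages out of any
 * forked child and MADV_DONTDUMP keeps them out of core dumps.  The pages do
 * remain in the kernel's direct mapping, which is the part MAP_EXCLUSIVE adds. */
void *secret_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_LOCKED | MAP_POPULATE,
                   -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (madvise(p, len, MADV_DONTFORK) != 0 ||
        madvise(p, len, MADV_DONTDUMP) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

/* Wipe before unmapping, as the madvise()-based variant described above
 * would do for the caller.  The volatile pointer stops the compiler from
 * dropping a clear whose result is never read again. */
int secret_free(void *p, size_t len)
{
    volatile unsigned char *vp = p;
    for (size_t i = 0; i < len; i++)
        vp[i] = 0;
    return munmap(p, len);
}

/* Round trip on one page: write a constructed secret, read it back, then
 * wipe and release.  Returns 1 on success, 0 on any failure. */
int secret_roundtrip(void)
{
    const size_t len = 4096;
    char *buf = secret_alloc(len);
    if (!buf)
        return 0;
    memcpy(buf, "constructed secret", 19);
    int ok = strcmp(buf, "constructed secret") == 0;
    return secret_free(buf, len) == 0 && ok;
}
```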

  • F2FS File-System Gets More Fixes With Linux 5.5

    The Flash-Friendly File-System continues to be refined and with the forthcoming Linux 5.5 kernel are more improvements albeit largely bug fixes. F2FS in Linux 5.5 improves the in-place updating I/O flow, ensures no garbage collection for pinned files, avoids a needless data migration within the garbage collection code, fixes a potential memory leak, and has a number of other fixes.

  • Netflix: BPF is a new type of software we use to run Linux apps securely in the kernel

    There's growing interest in a new type of software for Linux machines called BPF, which allows the user to run a program in the kernel and enjoy "observability super powers", according to Brendan Gregg, a senior performance architect at Netflix. BPF isn't something an average computer user would know about or even use, but for network and software engineers it promises value. At Facebook, for example, engineers use BPF as part of a network load balancer. Facebook software engineer Alexei Starovoitov is credited with creating Extended BPF, which is now used in Android for collecting statistics from the kernel, monitoring, or debugging. And Google is using it as part of its Kernel Runtime Security Instrumentation to improve detection of security threat signals, such as a kernel module that loads and hides itself.

The Yocto Project 3.0 release

The Yocto Project recently announced its 3.0 release, maintaining the spring/fall cadence it has followed for the past nine years. As well as the expected updates, it contains new thinking on getting the best of two worlds: source builds and prebuilt binaries. This fits well into a landscape where reproducibility and software traceability, all the way through to device updates, are increasingly important to handle complex security issues. This update contains the usual things people have come to expect from a Yocto Project release, such as upgrades to the latest versions of many of the software components including GCC 9.2, glibc 2.30, and the 5.2 and 4.19 kernels. But there is more to it than that. One major development in this release was the addition of the ability to run the toolchain test suites. The project is proud of its ability to run builds of complete Linux software stacks for multiple architectures from source, boot them under QEMU, and run extensive software tests on them, all in around five hours. In that time we can now include tests for GCC, glibc, and binutils on each of the principal architectures. As a result, the test report for the release now has around two-million test results.

Librem Boot Freedom and Purism Closes $2.5m Note Series

  • coreboot 4.11: Leaving No Librem Behind

    One of Purism’s core beliefs is to ensure that to the best of our ability, all new features, fixes, and improvements will be applied to all products, past and present.

  • Purism Closes $2.5m Note Series

    Purism as a Social Purpose Company (SPC) ensures the rights of humanity by creating products that fully respect people, and that mission has garnered a lot of attention and growth. One of the reasons Purism registered as an SPC was so that we could accept inbound investment without the risk that a toxic investor could force us to violate our values for profit (a common problem in C corporations). As a social purpose company Purism enshrines in its articles of incorporation that we must do what is good for society, therefore avoiding any and all toxic funding by virtue of the strictness of those articles. Funding growth—in addition to the triple-digit (yes that is over doubling) shipped revenue growth year-over-year since 2014 that Purism has been fortunate to see—can come in many forms, be that inventory financing, lines of credit, investment, and equity financing, to name a few.