Rootconf is a professional conference on security and systems and this was their first time in pune. I chose to spoke about TLS 1.3 and also did a BoF on fuzzing. Rootconf is typically a single track conference, which means that everyone has only one talk to go to at a time. This was my first time i spoke at a single track event. My talk was the first one in the day. I started with talking about the importance of SSL/TLS , then talked about few of the security flaws, described key difference between TLS 1.3 and its previous versions and ended with lot of questions. Eventually ran out of time with people catching me in the hallway to ask tons of questions ranging from security, asking how Red Hat identifies, fixesflaws etc to people even asking if we have vacancies at Red Hat. The second talk was about automating security workflow using docker. This was given by a security engineer from appsec, and had some important points about how he conducted pentesting and how bits of it can be automated. Next two talks were by devops engineers from a company called Hotstar. Hotstar is a disney company and deals with streaming TV/sports/movies etc via their app. They talked about how during the recent cricket world cup the number of peak connections increased to 24 million and it used 70% of all AV bandwidth available to India. The talks were interesting,since they spoke about how they scale their infra at this massive level. The digital skimming talk mainly spoke about how attackers can use a combination of social engineers and web app flaws to hack mainly e-commerce websites, spoke about recent attacks and what protections can be used. Post-lunch, there was a talk on using DNS as a layer of defense. The talk was mainly on using RPZ zones in bind etc to stop malicious domains inside the DNS server itself and to create a firewall filtering only DNS contents, not on the network layer but on the DNS application layer. The talk about briefly described the DNS over HTTPS initiative by Mozilla. I took a BoF later in the day on fuzzing. However it turned out more to be a talk, since i did most of the talking. Spoke about my experiences with fuzzing and how one could get started. There were a few talks about that, but i was not feeling too well, so i left. Overall the conference turned out to be a great experience and being a first of its kind (serious security talks, rather than hacking android phones) was good as well.
Mathew Miller, Fedora Project Leader gave a brief key note about how Fedora was generally doing with his usual graphs to show download stats per version. This was followed by a talk on how functional teams work and how to convert a failing team to a functional team. There was been a trend in flock for a few years now to get someone to give an inspirational or a some kind of management talk to contributors.
Two people from Facebook spoke about Fedora deployment in facebook. Seems like they replaced most of the Ubuntu desktops with Fedora which seems like a big win to me. Being the person who designed/worked internal builds used in Red Hat i totally synced with they were saying including the hurdles etc they faced.
Post lunch, there were back to back sessions of podman, buildah and skopeo. Sadly Dan Walsh could not come, because his tickets were from India and he had issues with getting an Indian visa. Talks were taken by Valentin and took a deep technical dive into the above 3 tools. Talking about features which are normally not used but quite useful, how they
work and several advance features as well. Overall extremely useful, It would be nice to have Dan hear about them, but Valentin did good work as well.
Dominik spoke about packaging horror's which i totally relate to, because i have seem some horribly packaging with RHEL packages as well
Denise Dumas gave a talk called "Fedora, Red Hat and IBM". Her aim was to get across the whole idea across to Fedora contributors that, post acquisition "Red Hat is still Red Hat" and therefore "Fedora will still be Fedora".
After that Brenden Conoboy, Paul Frields, Denise Duman and Aleksandra Fedorova spoke about how rhel-8 was different from Fedora and discuss other details about rhel-8. They also mentioned that Red Hat is trying to ensure that we release a major version of RHEL every 3 years.
Post lunch, i gave my talk on "State of Fedora Security". I gave them a demo of security review tool which we use internally to conduct automated security review. This tool is based on Fedora review
(https://pagure.io/FedoraReview) tool and told them that we will contribute the patches upstream soon.
There was a lot of interest and excitement on seeing the demo. After the talk, it lead to a discussion specially with folks from FESCO.
I attended a few talks on Fedora Silverblue and flatpaks which looking at the way things are going, may very well be the default fedora desktop soon
Last talk of the day were a few students from India, talking how it was difficult for students in developing nations to contribute to Fedora and get their universities to give them credits for the same.
Day 3 and 4:
I was a lot relaxed since my talk was done. So i attended a talk by GSoc and outreachy students, where they talked about various projects they were doing for Fedora.
Post lunch i attended the Packit work shop. (https://packit.dev/) Packit is a tool for packaging upstream projects. And spoke to a few devels specially talking about flatpaks, rpm-ostree and security around these products. Day 3 ended with a walking tour of Budapest.
Last day, i attended a talk on "Automatic Bug reporting for dummies" where they discussed abrt, faf, and retrace server.
Post lunch there was a panel discussion with FESCO, i asked questions about several concerns of mine specially the ones related to:
The conference ended with a quick wrap up session.
Overall an extremely productive conference.
Flock started with a short welcome address by Fedora project leader Mathew Miller, followed by a keynote address from Gijs Hillenius, who is a journalist. He spoke about the adoption of Free and Open Source software in Europe. He also discussed the various hurdles faced in acceptance of open source software by various administrative agencies. After this i attended a talk on Fedora QA, which ended with some information about what to do if any one was interested in joining. After lunch Mathias Clasen spoke about Wayland which is progressing quite well, it seems Fedora 21 would ship with Wayland, though not enabled by default, because a lot of work is still on-going. There were two kernel talks after that, one of them was by Josh Boyer. I asked about including grsec patches into the kernel, and josh replied that it could very well end up in a copr repository, but not the main fedora kernel.
The second day started with a talk by Stephen Gallagar about the fedora server spin in upcoming fedora 21. I particularly like RoleKit. He also gave a demo about cockpit, sounds pretty interesting. Adam Williamson spoke about UEFI after that, i had a few question about secure boot, which Peter Jones answered. The Novena project spoke about building a laptop from scratch after that, though i was not particulary interested in knowing!. After lunch there was a Q&A session with FESCo, they tried to answer how it works on a day to day basis and how decisions are usually taken. The day ended with a session on docker.
The first talk on the third day was Arun SAG talking about Docker. Dennis Gilmore gave an excellent presentation about Fedora infrastructure. Second half of the day i looked at 3D printing and then ended up in the Package Review hackfest. Sadly almost everyone there was either a proven packager or a FPL member, there was no one who needed sponsorship. Though i spent that time in trying to update some of the packages i maintain to their newer upstream versions, so i did end up doing packaging during that time :)
I gave a talk on "Secure Programming Practices". It was well attended, though i feel i should have started a bit late, because most of the people were tired after dancing most of the night before that. There were some pretty good questions asked and i tried to answer the best i could, there is a youtube video available here. After that Michael spoke about Security Audit, he gave a few interesting examples how upstream failed to respond to him, untll he made the issue public. Kamil spoke about using static analyzers in Fedora. His csmock tool seems to be just a wrapper around some of the static analyzers available like cppcheck and clang, however he has some big plans of integrating it with bodhi and even making it available as a hosted solution in the near future. Should be really interesting to watch what happens. There were two fedora.next related workshops after that, i only briefly sat for them, but rather used that time to talk with other contributors and my fellow Red Hat collegaues whom i speak with on irc. It was nice to put faces on those irc nicks and email addresses!
All in all, flock was pretty good, my only complain the scheduling. There were multiple talks on Fedora next and people eventually lost interest. Some of the popular talks were full, if they were put in a bigger room, more people could take part.
So if you are interested in how we keep fedora secure and are in prague on 9th August, drop by and say hello!
More details available at:
I just wrote a blog post on TLS, details at:
(I took me some time to remember all of the flaws which i had found!)
For my $DAYJOB i work for the Red Hat Security Response Team. But i like to do some of my own
security research in my time off. All of the flaws listed here were reported ethically. They have been
found by using various techniques such as code auditing, fuzzing, static analysis etc.
|Product||Date||Reference||Flaw type||More info|
|wireshark||31-May-2011||CVE-2011-1958||Null pointer deref.||link|
|libreoffice||05-Oct-2011||CVE-2011-2713||Memory corruption||link1 link2|
Most developers (at least some of them), seem to think that if a program is compiled with fortify_source enabled, it was protected against, any format string flaw, This however is not completely true, a lot of glibc functions in fact are not protected. One example is the warn() function.
As per the man page:
The err() and warn() family of functions display a formatted error message on the standard error output. In all cases, the last component of the program name, a colon character, and a space are output. If the fmt argument is not NULL, the printf(3)-like formatted error message is output. The output is terminated by a newline character.
Both err() and warn() and other functions described in that man page, take printf() like "formatted" data as its input. And since its not protected by FORTIFY_SOURCE, something like warn(message) could be exploited.
There may be other glibc functions which take formatted user-arguement, and are not protected as well. I leave finding this as an excercise for the reader :)
In the mean time the following bugs were filed:
1. glibc upstream
2. Red Hat Bugzilla
Sorry for not blogging for a long time now. I had promised to myself that i will blog regularly but just could not make it :(
Anyways, Myself and my colleague Eugene Teo are going to speak at the upcoming FUDCon in Pune about open-source security. We will cover the basics of how software security works, and how vendors like Red Hat go about fixing things.
Since the conference is going to be conducted in a college, we expect most of the audience to be students, hence the presentation is going to be pretty simple and straight forward, nothing too fancy :)
If you are really interested in learning something or just want to meet me or Eugene, then be there :)
Initially i thought this would be a manual process, just trying to copy paste stuff from one place to another and make sure things are indented correctly. But it turned out to be a whole new learning experience for me.
Firstly i learnt how things are differently handled in userspace and kernel space, like the kernel has limited stack size, so if you are using a struct, you declare that as a pointer and kmalloc memory for it, so that when its pushed on the stack, only the pointer is pushed. However userspace does not have that limitations.
So around 10/12 ioctl ports later, i finished doing it and now we are ready to do some testing and perhaps deprecate
v4l1-compat driver in the kernel.
As always thanks a lot to Hans de Goede for guiding and helping me on this.