Sunday 27 April 2008

Next-generation firewall

A firewall has to find the difference between good and bad packets, and for this, nothing is better than humans! (French people could add that this is the same difference as between good and bad hunters.)

So the next generation firewall will be:

  • better than stateful
  • better than layer 7 analysis
  • compliant with encrypted traffic
  • able to detect malware, suspicious traffic, virus, etc.

Preview screenshot:

Source code should be released on Monday on the Netfilter mailing lists. Stay tuned!

Tuesday 22 April 2008

gcc security features (part 1)

Since recent versions (>= 4.0, maybe earlier), gcc (and ld) have some nice security features. Debian has created a wrapper for the toolchain that makes these features easy to use.

To install the wrapper, run:

apt-get install hardening-wrapper

To enable the hardening features, you have to export the environment variable:

export DEB_BUILD_HARDENING=1

The features include additional checks on printf-like functions (format-string warnings and the _FORTIFY_SOURCE bounds checks on common libc calls), the stack protector, building position-independent executables so that address-space layout randomization (ASLR) also applies to the program's own code, marking ELF sections read-only after loading when possible, etc.

Please note that you must compile with -O2 if you want the checks to be effective: the _FORTIFY_SOURCE checks rely on the optimizer and are not applied at -O0.

DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

Asks gcc to perform additional checks on format strings, to prevent format string attacks.

The following code, for ex:

printf(buf);

will result in a warning:

[home ~/harden] DEB_BUILD_HARDENING=1 make
gcc     bad.c   -o bad
bad.c: In function ‘main’:
bad.c:10: warning: format not a string literal and no format arguments

Why is this code vulnerable? Because the buffer (buf) may be attacker-controlled and contain conversion specifiers like %s or %x; printf will interpret them and read arguments it was never given from the stack (leaking memory or crashing the program), and %n writes the number of bytes printed so far to an address taken from the stack, which can be turned into the execution of arbitrary code.

Solution:

  • Replace the previous code by
printf("%s",buf);
  • Remember this is also true for other functions taking a format string, like syslog(), fprintf() and sprintf()
  • Tell gcc to help! You can mark your own printf-like functions with gcc attributes, for example (the format string is argument 2 and the variable arguments start at argument 3):
void out_log(int level,const char *fmt,...)
#ifdef __GNUC__
  __attribute__((__format__(printf,2,3)))
#endif
;
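A complete printf-like logger carrying the format attribute, as an added example (this is not code from the original post): out_log() and log_untrusted() are hypothetical names, and the hostile input in main() is constructed. Once the attribute is in place, gcc with -Wformat -Wformat-security checks every caller of out_log() exactly as it checks printf(): passing untrusted text as the format argument gets the same "format not a string literal" warning shown above, while passing it through "%s" does not, and at run time any %x or %n in the text is copied literally instead of being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical printf-like logger (added example, not from the original post).
 * The format attribute tells gcc that argument 3 is the format string and the
 * variable arguments start at argument 4, so -Wformat -Wformat-security warns
 * on out_log(dst, n, user) just as it would on printf(user).
 */
int out_log(char *dst, size_t dstlen, const char *fmt, ...)
#ifdef __GNUC__
    __attribute__((__format__(printf, 3, 4)))
#endif
;

int out_log(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);   /* bounded: never overruns dst */
    va_end(ap);
    return n;                              /* length the full message would have */
}

/*
 * Safe pattern: attacker-controlled text is passed as a %s argument, never as
 * the format itself, so "%x%x%n" inside it is plain data.
 * (The unsafe variant, out_log(dst, dstlen, user), is deliberately not written
 * here: with the attribute above gcc flags it, and Debian/Ubuntu toolchains
 * may even turn that warning into an error.)
 */
int log_untrusted(char *dst, size_t dstlen, const char *user)
{
    return out_log(dst, dstlen, "user input: %s", user);
}

int main(void)
{
    char line[64];
    const char *hostile = "%x%x%n";   /* constructed attacker input */

    log_untrusted(line, sizeof line, hostile);
    puts(line);   /* prints: user input: %x%x%n */
    return 0;
}
```

Because the wrapper uses vsnprintf, a message longer than the destination is truncated rather than overflowing it; the return value still reports the full length, so a caller can detect the truncation.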

DEB_BUILD_HARDENING_RELRO (ld -z relro)

When a program is loaded (which is handled by ld-linux.so), many ELF sections are written to during relocation, and so have to be mapped read-write. Most of them are never written again once relocation is done, and could be turned read-only afterwards. This option tells the linker to emit a GNU_RELRO segment so that the dynamic loader marks as many of these sections as possible read-only after relocation (for example .ctors, .dtors and .jcr). Note that with lazy symbol binding the GOT is still written at run time and stays writable under this partial RELRO; combining -z relro with -z now (full RELRO) makes the GOT read-only as well.

[home ~/harden] objdump -x bad | grep RELRO
[home ~/harden] DEB_BUILD_HARDENING=1 make
[home ~/harden] objdump -x bad | grep RELRO
  RELRO off    0x0000000000000df0 vaddr 0x0000000000200df0 paddr 0x0000000000200df0 align 2**

Saturday 5 April 2008

ulogd2: the new userspace logging daemon for netfilter/iptables (part 2)

This article explains how to build, install and configure ulogd 2 for use with netfilter/iptables. It explains how to use plugins to store logs in databases (MySQL and PostgreSQL), use plugins to filter data, and gives some iptables rules to log packets.

Get the sources

You can use the official repository:

git clone git://git.netfilter.org/ulogd2.git/

Prerequisites

Build

Use the standard autotools method for configure, build and install:

./autogen.sh
./configure --prefix=/path/to/prefix
make
sudo make install

Configuration

Edit ulogd.conf

1. enable plugins

You will have to choose the input and output plugins according to your setup. NFLOG is present in recent kernels (and iptables versions) and should be preferred where possible.

  • Input plugin: ULOG or NFLOG
  • Output: MySQL or PostgreSQL

You have to enable the corresponding plugins in the configuration before you can use them (one plugin= line per module used in the stack):

plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_output_MYSQL.so"

See "Stack configuration" later.

2. build the stack

For MySQL, we will use a very simple plugin stack. As MySQL is quite inefficient at storing IP addresses (and has no standard type for them), we will log the IP addresses in binary format using the IP2BIN plugin. You won't be able to read them directly from SQL queries, but GUI tools (like Nulog) can decode them.

stack=log1:ULOG,base1:BASE,ip2bin1:IP2BIN,mysql1:MYSQL

For PostgreSQL, the stack is similar, except that we choose to log IP addresses using the standard inet type.

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,pgsql1:PGSQL

3. configure input plugin

[log1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1

4. configure output plugin

[mysql1]
db="ulog2"
host="localhost"
user="ulog2"
table="ulog"
pass="password"
procedure="INSERT_PACKET_FULL"

The configuration is the usual database connection and should be easy, except maybe for the last parameter: it is the name of the stored procedure (created by the ulogd2 schema) that will be called to insert data.

For PostgreSQL, you can use the following:

[pgsql1]
db="ulog2"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"

The configuration is the same, assuming you are running on the default port and have configured PostgreSQL, and can connect.
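A complete minimal ulogd.conf putting steps 1 to 4 together for the NFLOG to PostgreSQL stack, as an added example (it is not the configuration file shipped by the ulogd2 project): the install prefix, log file location and database credentials are placeholders to adapt. Note that the NFLOG input plugin is configured with group= (the netlink group given to --nflog-group) rather than the nlgroup= used by ULOG, and that every module named in the stack line needs its own plugin= line.

```ini
# Added example, not the project's ulogd.conf: minimal NFLOG -> PostgreSQL setup.
# /path/to/prefix and the database credentials are placeholders.
[global]
logfile="/var/log/ulogd.log"

# Step 1: load every plugin named in the stack
plugin="/path/to/prefix/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/path/to/prefix/lib/ulogd/ulogd_output_PGSQL.so"

# Step 2: the stack, from input plugin to output plugin
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,pgsql1:PGSQL

# Step 3: input plugin. NFLOG uses a group number (matching --nflog-group),
# not the nlgroup= parameter of ULOG.
[log1]
group=1

# Step 4: output plugin, using the stored procedure from the ulogd2 schema
[pgsql1]
db="ulog2"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"
```

The matching iptables rule is the ULOG one given at the end of this article with the target replaced: iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j NFLOG --nflog-group 1. If ulogd refuses to start with a "cannot find key" error, run ulogd --info on each plugin of the stack to see which mandatory input key is not produced by the plugins before it.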

Stack configuration

Each module is a plugin which is dynamically loaded during ulogd start. A module has:

  • Input keys: the entries the module needs (some mandatory, some optional) in order to work, i.e. to produce its output keys
  • Output keys: the module outputs key->value associations, the keys being those in its output list.

Each key has a type and may have a default value.

To have a working stack, you need an input module followed by filter modules which transform the initial set of key->value pairs provided by the input module into a set containing all the input keys that are mandatory for the output plugin.

Information about a given module can be obtained through the info command of ulogd:

# /opt/ulogd2/sbin/ulogd --info /opt/ulogd2/lib/ulogd/ulogd_filter_IP2STR.so
Name: IP2STR
Input keys:
       Key: oob.family (unsigned int 8)
       Key: oob.protocol (unsigned int 16)
       Key: ip.saddr (IP addr)
       Key: ip.daddr (IP addr)
       [...]
Output keys:
       Key: ip.saddr.str (string)
       Key: ip.daddr.str (string)
       [...]

From this output, we see that the IP2STR module outputs IP addresses in string format, and takes as input IP addresses in raw format plus some additional information (oob.family and oob.protocol).

Input plugins

  • ULOG: get packets selected by the iptables ULOG target
  • NFLOG: get packets from the NFLOG target, which is the successor of ULOG
  • NFCT: get flow information from Netfilter connection tracking via libnetfilter_conntrack

Output plugins

  • LOGEMU: log packet/flow into a file
  • OPRINT: log packet/flow to a file in multiline format
  • SYSLOG: log packet/flow to syslog system
  • MYSQL: log packet/flow to a MySQL database
  • PGSQL: log packet/flow to a PGSQL server
  • SQLITE3: log packet to a SQLITE3 file
  • PCAP: log packet to a Pcap file
  • IPFIX: log flow via IP Flow Information Export
  • NACCT: log flow to a nacct compatible format (accounting)

Create database schema

PostgreSQL

1. create user and database

# su - postgres
$ createuser -P ulog2
$ createdb -O ulog2 ulog2

2. add support for plpgsql language (for procedures)

$ createlang plpgsql ulog2

3. insert schema

$ psql -U ulog2 -h localhost ulog2 -f doc/pgsql-ulogd2.sql

MySQL

1. create user and database

# mysql -uroot mysql
> CREATE DATABASE ulog2;
> GRANT ALL PRIVILEGES ON ulog2.* TO 'ulog2'@'localhost' IDENTIFIED BY 'password';

2. insert schema

$ mysql -uulog2 -ppassword ulog2 < doc/mysql-ulogd2.sql

Start ulogd2

As root, start the process:

/path/to/prefix/sbin/ulogd

If an error happens, it will only print:

Fatal error, check logfile.

Edit /var/log/ulogd.log (be careful, you will have to scroll many lines, so be sure not to use tail).

Wed Mar 26 22:19:54 2008 <7> ulogd.c:698 cannot find key `timestamp' in stack
Wed Mar 26 22:19:54 2008 <1> ulogd.c:807 destroying stack

This particular error means that a plugin in the stack declares a mandatory input key (here timestamp) which no earlier plugin produces: check the keys of each module with ulogd --info and insert the missing filter plugin into the stack.

Add iptables rules

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ULOG

Check the result

mysql> select count(*) from ulog2;
+--+
| count(*) |
+--+
|        5 |
+--+
1 row in set (0.00 sec)

So now, we are logging to the database. Next time, we will detail the SQL schema: how to get information, how to insert data, tables, view, procedures, etc.

Friday 4 April 2008

OOXML, a standard?

Thursday 3 April 2008

BlackHat 2008 materials

The Black Hat Europe 2008 Media Archives are now online. I wasn't there, but the archives contain some interesting materials:

  • Spam-Evolution
  • LDAP Injection & Blind LDAP Injection (see my post)
  • New Viral Threats of PDF Language
  • 0-Day Patch -Exposing Vendors (In)Security Performance
  • Client-side Security
  • Attacking Anti-Virus (there was a presentation on the same subject at CanSecWest and Hack.lu)
  • Investigating Individuals and Organizations Using Open Source Intelligence
  • DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife
  • ...

Wednesday 2 April 2008

CanSecWest 2008

Sébastien and I gave a presentation on IDS Correlation: A Weapon of Mass Investigation at CanSecWest.

Most of the presentations were very interesting, including attacks against anti-virus software (they are the most interesting targets, imho: they run with system privileges, include parsers for many protocols, are present on almost all machines, etc.), secure programming with gcc and glibc, snort 3 (our presentation was just after Marty's), fuzzing with Peach, and some others I do not remember at the moment.

We also gave two lightning talks, one on the Authenticating Firewall NuFW (slides here) and one on the Signatures.NU project (slides here).

We even won a beer for doing the presentation :)

After so much work (and eating so much sushi, with delicious wild salmon), we went to Whistler for skiing, which was great.

Many thanks to all the people from the conference and to all who helped us!
