The Right Performance Tool for the Task
As an engineer who works on performance tools at Red Hat, I often get seemingly simple questions along the lines of, "How do I get performance tool X to collect Y data?" Unfortunately, many times the answer is that "tool X does not measure Y." This leads to a discussion about the performance problem being investigated. With additional background information, it becomes much easier to suggest more promising tools and techniques to get the desired measurements. Given the number of performance...

Determining Whether an Application Has Poor Cache Performance
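Added example for this post (my own code, not code from the post itself, which continues below): a C program that sums the same matrix twice, once in row-major order and once in column-major order. Both orders return the same number; only the cache miss rate differs, which is what `perf stat -e cache-references,cache-misses ./a.out row` versus `./a.out col` makes visible. The matrix contents, the 4096 x 4096 size and the function names are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* n x n matrix stored row by row: cell (i, j) lives at m[i * n + j].
 * Contents are constructed sample data (i mod 7), not anything from the post. */
static int *make_matrix(size_t n)
{
    int *m = malloc(n * n * sizeof *m);
    if (m == NULL)
        return NULL;
    for (size_t i = 0; i < n * n; i++)
        m[i] = (int)(i % 7);
    return m;
}

/* Cache-friendly: the inner loop walks consecutive addresses, so one 64-byte
 * line fetched from RAM serves sixteen ints before the next miss. */
static long long sum_row_major(const int *m, size_t n)
{
    long long sum = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            sum += m[i * n + j];
    return sum;
}

/* Cache-hostile: the inner loop strides by n ints, so every access lands on a
 * different cache line (and, for n = 4096, on a different 4 KiB page, so the
 * TLB suffers as well). The neighbouring ints in each line are only reused
 * on the next column pass, by which time the line may already be evicted. */
static long long sum_col_major(const int *m, size_t n)
{
    long long sum = 0;
    for (size_t j = 0; j < n; j++)
        for (size_t i = 0; i < n; i++)
            sum += m[i * n + j];
    return sum;
}

/* Sum an n x n matrix both ways; returns the sum, or -1 if the two disagree
 * or the matrix cannot be allocated. */
static long long check_sum(size_t n)
{
    int *m = make_matrix(n);
    if (m == NULL)
        return -1;
    long long rows = sum_row_major(m, n);
    long long cols = sum_col_major(m, n);
    free(m);
    return rows == cols ? rows : -1;
}

/* Usage: ./a.out row   or   ./a.out col   (run each one under perf stat) */
int main(int argc, char **argv)
{
    size_t n = 4096;                    /* 64 MiB of ints: larger than any cache */
    int use_cols = argc > 1 && strcmp(argv[1], "col") == 0;
    int *m = make_matrix(n);
    if (m == NULL)
        return 1;
    long long sum = use_cols ? sum_col_major(m, n) : sum_row_major(m, n);
    printf("%s-major sum = %lld\n", use_cols ? "column" : "row", sum);
    free(m);
    return 0;
}
```

Build with -O2 rather than -O3, because at -O3 GCC may interchange the loops itself and erase the difference. Under perf stat the `col` run reports far more cache-misses (and dTLB misses, if you add that event) than the `row` run for the same arithmetic, which is the symptom the post's perf-based measurement is designed to reveal.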
Modern computer systems include cache memory to hide the higher latency and lower bandwidth of main memory (RAM) from the processor. The cache has access latencies ranging from a few processor cycles to 10 or 20 cycles, rather than the hundreds of cycles needed to access RAM. If the processor must frequently obtain data from RAM rather than from the cache, performance will suffer. With Red Hat Enterprise Linux 6 and later distributions, the system's use of the cache can be measured with the perf utility...

Examining Huge Pages or Transparent Huge Pages Performance
All modern processors use page-based mechanisms to translate user-space processes' virtual addresses into physical addresses for RAM. The pages are commonly 4KB in size, and the processor can hold a limited number of virtual-to-physical address mappings in the Translation Lookaside Buffer (TLB). The number of TLB entries ranges from tens to hundreds of mappings. This limits a processor to a few megabytes of memory it can address without changing the TLB entries. When a virtual-to-physical...

Enhance application security with FORTIFY_SOURCE
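Added example for this post (my own code, not code from the post or from glibc, which the post's teaser below describes): a small re-creation of the check that FORTIFY_SOURCE inserts. The compiler computes the size of the destination object with `__builtin_object_size()` and routes the call to a checked variant of the copy routine, which compares the requested length against that size before copying. glibc's real variant is `__memcpy_chk`, which calls `__chk_fail()` and aborts; the stand-in here returns -1 instead so the outcome can be observed. `checked_memcpy`, `CHECKED_MEMCPY`, `OBJSZ_UNKNOWN` and the 32-byte sample input are my names and assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What __builtin_object_size() yields when the size is not known at compile
 * time (heap pointers, pointers handed in from elsewhere). A fortified
 * function then has nothing to check and copies as usual. */
#define OBJSZ_UNKNOWN ((size_t)-1)

/* Stand-in for glibc's __memcpy_chk: compare the requested length with the
 * destination's known size before touching memory. Returns 0 on success and
 * -1 where glibc would call __chk_fail() and abort. */
static int checked_memcpy(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst_size != OBJSZ_UNKNOWN && n > dst_size)
        return -1;                          /* would overflow dst */
    memcpy(dst, src, n);
    return 0;
}

/* The rewrite the headers perform under -D_FORTIFY_SOURCE=2 -O2: each
 * memcpy() call becomes a call to the checked variant with the destination
 * size computed by the compiler. Type 1 asks for the closest enclosing
 * subobject (one field of a struct, for instance), which is what
 * _FORTIFY_SOURCE=2 uses; type 0 would allow writes up to the end of the
 * whole enclosing object. */
#define CHECKED_MEMCPY(dst, src, n) \
    checked_memcpy((dst), __builtin_object_size((dst), 1), (src), (n))

static char g_dst[16];                      /* fixed-size destination */
/* 32 bytes of attacker-controlled data (constructed sample input). */
static const char g_src[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

/* Copy n bytes into the 16-byte buffer through the check. The compiler
 * knows sizeof g_dst, so __builtin_object_size folds to 16 here. */
static int copy_into_buffer(size_t n)
{
    return CHECKED_MEMCPY(g_dst, g_src, n);
}

int main(void)
{
    printf("copy  8 bytes: %s\n", copy_into_buffer(8)  == 0 ? "ok" : "rejected");
    printf("copy 16 bytes: %s\n", copy_into_buffer(16) == 0 ? "ok" : "rejected");
    printf("copy 32 bytes: %s\n", copy_into_buffer(32) == 0 ? "ok" : "rejected");
    return 0;
}
```

Compile with -O1 or higher: just as with the real FORTIFY_SOURCE, the destination size is only known once the optimizer runs, and an unknown size (OBJSZ_UNKNOWN) silently disables the check. That is also the limit the post's teaser alludes to: a copy into a heap buffer whose size the compiler cannot see is not caught, because the check only exists where the destination size is a compile-time fact.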
The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source to the destination. In...

Introducing Red Hat Access Labs!
We are thrilled to announce Red Hat Access Labs! Red Hat Access Labs is a new way for Red Hat engineers to deliver tools to help improve performance, quickly troubleshoot issues, identify security problems, or assist with any other issue we see our customers experiencing in their IT environments. Go to the Access Labs landing page to check out the five applications we've launched so far. Here's the inaugural group: SCSI Decoder: Quickly detect, decode, and resolve SCSI error messages...

The trouble with snprintf
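Added example for this post (my own code, not code from the post, whose teaser follows): the two properties of snprintf that cause trouble in practice. First, the return value is the length the complete output would have had, not the number of bytes written, so the common `off += snprintf(buff + off, blen - off, ...)` idiom lets `off` run past the buffer. Second, once `off` exceeds `blen`, the naive `blen - off` size argument wraps to a huge size_t and the next call writes with no effective bound at all. `buf_append`, `build_record` and `naive_next_size` are hypothetical helpers I wrote to show the safe pattern and the wrapped size.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Format a fragment into buff[blen] starting at *off. Returns true if the
 * whole fragment fit, false if it was truncated or an error occurred. In
 * every case buff stays NUL-terminated and *off stays below blen, so the
 * next call never receives a wrapped size. */
static bool buf_append(char *buff, size_t blen, size_t *off, const char *fmt, ...)
{
    if (*off >= blen)                  /* nothing left; never compute blen - *off */
        return false;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buff + *off, blen - *off, fmt, ap);
    va_end(ap);
    if (n < 0)                         /* encoding error (or pre-C99 truncation) */
        return false;
    if ((size_t)n >= blen - *off) {    /* output was cut at the terminator */
        *off = blen - 1;
        return false;
    }
    *off += (size_t)n;                 /* only advance by what really fit */
    return true;
}

/* The classic bug, simulated rather than executed: the size argument the
 * naive loop would pass to its next snprintf after a call that reported
 * `reported` characters. Once off passes blen the subtraction wraps. */
static size_t naive_next_size(size_t blen, size_t off, int reported)
{
    off += (size_t)reported;           /* what "off += snprintf(...)" does */
    return blen - off;                 /* unsigned wrap-around when off > blen */
}

/* Build "user=<name> id=<id>" into buff. Returns strlen of the result. */
static size_t build_record(char *buff, size_t blen, const char *name, int id)
{
    size_t off = 0;
    buf_append(buff, blen, &off, "user=%s", name);
    buf_append(buff, blen, &off, " id=%d", id);
    return off;
}

static char g_record[16];              /* deliberately small destination */

int main(void)
{
    size_t used = build_record(g_record, sizeof g_record, "bob", 42);
    printf("%zu bytes: \"%s\"\n", used, g_record);          /* fits */
    used = build_record(g_record, sizeof g_record, "a-very-long-username", 7);
    printf("%zu bytes: \"%s\"\n", used, g_record);          /* truncated, still safe */
    /* 32 characters reported against a 16-byte buffer: the naive loop would
     * pass a size of 2^64 - 16 to its next call. */
    printf("naive next size: %zu\n", naive_next_size(16, 0, 32));
    return 0;
}
```

Two caveats worth knowing when reading old code: glibc before 2.1 returned -1 on truncation instead of the required length, which is why the `n < 0` branch above refuses to advance rather than treating the value as a count, and the `snprintf(NULL, 0, ...)` sizing idiom that relies on the C99 return value was not portable to those implementations either.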
At least historically, misuse of functions like strcpy, strcat, and sprintf was a common source of buffer overflow vulnerabilities. Therefore, in 1997, the Single UNIX Specification, Version 2, included a new interface for string construction that takes an explicit size for the output buffer: snprintf. This function can be used for string construction with explicit length checking. Originally, it could be used in the following way: /* buff is a pointer to a buffer of blen characters...

Security audits through reimplementation
For many networking protocols and file formats, several implementations exist which interoperate with each other. A new implementation of a protocol or format diverges from the previous ones in subtle ways, at least initially. Such differences can uncover previously unnoticed corner cases which are not handled properly, and sometimes reveal security vulnerabilities. For example, in the mid-90s, it was discovered that Samba's SMB client, smbclient, did not restrict user name length in the same way...

Embedded Vulnerability Detection command line tool
The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha...

Java deserialization flaws: Part 2, XML deserialization
All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. In the first part of this two-part series, we looked at some of the unexpected security consequences which can arise from usage of binary deserialization in Java applications. This second part of the series will focus on security issues related to XML deserialization.

XML Deserialization
An alternative approach to Java's native binary serialization is...

CWE Vulnerability Assessment Report 2013
Common Weakness Enumeration (CWE) is a list or dictionary of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, used as a base for evaluation and prevention of weaknesses. Results of classifications are reviewed periodically and are used to direct our efforts in strengthening security of development practices, tools, assessment services, education programs and documentation. As a part of this effort Red Hat Customer Portal...

Securing Openstack's Dashboard using Django-Secure
When it comes to security it is an unfortunate reality that technologies are rarely straightforward to use or easy to deploy. So it is quite refreshing to find something that breaks that mould. There is a fantastic project called django-secure which I believe does just this. The idea is to provide a way to enforce secure defaults for django projects. It achieves this in two key ways. The first is a deployment check that you can run as a part of the typical django-admin manage.py workflow, the...

TLSv1.1 and TLSv1.2 now available in RHEL
Background
In the mid-1990s Secure Sockets Layer (SSL) was introduced for securing network communications. The released version, version 2, contained several security holes and was quickly updated to version 3. Transport Layer Security (TLS) became the next generation of PKI-based network encryption and was released in January of 1999. Since the release of TLSv1, many changes have happened to both the development of TLS and the known attacks against the cryptographic protocol. TLSv1.1 and...

November: What have we been doing for you?
The Red Hat Product Security Team is constantly working behind the scenes to protect our customers. Here are just a few things that we've been working on in November: victi.ms project - We're now using victi.ms data to help check our JAR files for embedded vulnerabilities. This helps identify vulnerabilities and keeps them out of Red Hat products. Security Feature Matrix - We reported on the Security Feature Matrix last month and we continue to do research and make changes in our products...

Enterprise Linux 6.4 to 6.5 risk report
Red Hat Enterprise Linux 6.5 was released last week (November 2013), nine months since the release of 6.4 in February 2013. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Red Hat Enterprise Linux 6 is in its fourth year since release, and will receive security updates until November 30th 2020.

Errata count
The chart below illustrates the total number of security updates issued for Red...

Java Deserialization Flaws: Part 1, Binary Deserialization
Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network. Java includes powerful serialization capabilities as a core feature of the language. All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. Serialization is now widely used in Java applications as a mechanism...

Automated auditing the system using SCAP
We live in an electronic age. Nowadays, more and more manifestations of human identity are available via electronic media. Besides its advantages, this brings challenges as well. As computer systems become more capable and complex, it is ever more important to make and keep the underlying computer system secure against security threats. Securing a computer system is a complex and continuous process. Besides the requirement that the system be designed with security in...

October: What have we been doing for you?
The Red Hat Product Security Team is constantly working behind the scenes to protect our customers. Here are just a few things that we've been working on in October: Auditing packages - One of the big tasks our team members work on is reviewing software packages to make sure they meet our high standards. Prelink is dead - We worked closely with the Fedora community to have prelink removed from the distribution (by default). Prelink disables address space layout randomization (ASLR) which...

Debugging stack protector failures
Co-contributors: Dhiru Kholia and Florian Weimer

GCC upstream and Fedora 19 recently improved the stack smashing protector. Each time we add more security instrumentation, we also uncover some previously hidden bugs. This post shows how to debug stack protector failures. Our example debugging session is based on a GNOME bug report for Evolution. Vadim Rutkovsky reported that Evolution 3.9.4 in Fedora rawhide crashed during the initial setup when built with the -fstack-protector-strong flag. The...

Symmetric Encryption
So far we have looked at what cryptography is and have taken a brief look at the history of cryptography; it's time for us to take a dive into how cryptography works. Cryptography often involves two important and complementary processes called encryption and decryption. The process of encryption and decryption involves a secret key which is known only to the sender and the receiver of the message. Needless to say, the secrecy of the message depends on the secrecy of the key. This is analogous...

Enterprise Linux 5.9 to 5.10 risk report
Red Hat Enterprise Linux 5.10 was released this month (October 2013), ten months since the release of 5.9 in January 2013. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is in its seventh year since release, and will receive security updates until March 31st 2017.

Errata count
The chart below illustrates the total number of security updates...

We are not who we are
In authentication, we generally talk about three "factors" for determining identity. A "factor" is a broad category for establishing that you are who you claim to be. The three types of authentication factors are:
- Something you know (a password, a PIN, the answer to a "security question", etc.)
- Something you have (an ATM card, a smart card, a one-time-password token, etc.)
- Something you are (your fingerprint, retinal pattern, DNA)
Historically, most people have used the first of these three...

Reproducible Builds for Fedora
It should be possible to reproduce every build of every package in Fedora (strong, long-term goal). It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. This is the basic nature of open source, the source code is available, so what can we do with it? I want to be able to show that our binary was the result of our source code from our compiler and nobody added anything to the binary along the way. Can we show that...

Tweaking integer overflows
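Added example for this post (my own code, not code from the post, whose teaser follows): computing the size of an image buffer from untrusted header fields. `image_size_naive` reproduces the flawed multiplication, and the two hostile headers in main show both outcomes the post mentions: a product that wraps to zero, and one that wraps to a small but non-zero size, which is the "too small allocation" that a later row write overruns. `image_size_checked` is the hardened form using `__builtin_mul_overflow` (GCC 5 and later, Clang). The function names, the 256 MiB cap and the header values are my assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest pixel buffer this parser is willing to allocate (assumed policy;
 * real code would derive it from the format or from configuration). */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* The flawed computation. uint32_t operands are promoted to unsigned int on
 * every mainstream ABI, so the product wraps modulo 2^32 and a hostile
 * header can make a huge image report a tiny, or zero, byte count. */
static uint32_t image_size_naive(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened form: reject zero dimensions and absurd depths, check each
 * multiplication with __builtin_mul_overflow, and cap the result. Returns the
 * byte count, or 0 for a header that must not be trusted (a real image is
 * never 0 bytes, so 0 is an unambiguous failure value). */
static size_t image_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t pixels, bytes;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels))
        return 0;
    if (__builtin_mul_overflow(pixels, (size_t)bpp, &bytes))
        return 0;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    return bytes;
}

/* Allocate the pixel buffer for a header, or NULL if the header is rejected.
 * Because bytes is now correct, later per-row writes stay inside it. */
static unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes = image_size_checked(width, height, bpp);
    return bytes ? malloc(bytes) : NULL;
}

int main(void)
{
    /* Hostile header 1: 65536 x 65536 x 4. True size 2^34 bytes; the 32-bit
     * product is 0, so malloc(0) "succeeds" and the first row overruns it. */
    printf("65536x65536x4: naive %" PRIu32 ", checked %zu\n",
           image_size_naive(65536, 65536, 4), image_size_checked(65536, 65536, 4));
    /* Hostile header 2: 65536 x 65537 x 1 wraps to 65536, a small but
     * non-zero allocation into which the decoder will write about 4 GiB. */
    printf("65536x65537x1: naive %" PRIu32 ", checked %zu\n",
           image_size_naive(65536, 65537, 1), image_size_checked(65536, 65537, 1));
    /* Honest header: 640 x 480 x 4 = 1228800 bytes either way. */
    printf("640x480x4:     naive %" PRIu32 ", checked %zu\n",
           image_size_naive(640, 480, 4), image_size_checked(640, 480, 4));
    unsigned char *px = alloc_pixels(640, 480, 4);
    free(px);
    return 0;
}
```

The second hostile header is the one that matters for exploitation: a wrapped size of exactly 0 usually just crashes, while a wrapped size that is small but plausible produces a heap allocation the decoder then writes far past, which is the tweak from denial of service to memory corruption that the post's title refers to. On a 64-bit host the checked version rejects both headers through the size cap rather than the overflow test; on a 32-bit size_t it is the overflow test that fires.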
Integer overflows when calculating the memory size for data structures (such as to hold image data from an image file) are a common source of security vulnerabilities. Often, such integer overflows are initially reported as denial-of-service issues, as the result of an arbitrarily large memory allocation. But with some tweaking, they can be turned into the successful allocation of a memory area that is too small, because the integer overflow results in a wrong computed allocation size....

A Brief History of Cryptography
Cryptology is a young science. Though it has been used for thousands of years to hide secret messages, systematic study of cryptology as a science (and perhaps an art) just started around one hundred years ago. The first known evidence of the use of cryptography (in some form) was found in an inscription carved around 1900 BC, in the main chamber of the tomb of the nobleman Khnumhotep II, in Egypt. The scribe used some unusual hieroglyphic symbols here and there in place of more ordinary ones....

Apache Tomcat and JBoss Web security flaws
Apache Tomcat and JBoss Web are two closely-related components that have a large amount of code in common. This article explains the difference between these components and examines how security flaws affect them.

Apache Tomcat and JBoss Web
Apache Tomcat is a popular open source implementation of the Java Servlet and JavaServer Pages specifications. It is commonly used as a container to host Java-based web applications. Tomcat is distributed as part of both Red Hat Enterprise Linux and Red Hat...
