Yoav Aner (2009) Securing the Sage Notebook.
Full text access: Open
This paper looks at some of the information security challenges of Web based Open Source applications through a case study of the Sage Notebook application. Considering the core underlying issues of open source and web based applications, predominantly the fact that the source code of the application is exposed to any potential attacker, the paper investigates methodologies to examine and improve upon the security of such applications. The Sage Notebook application provides some unique information security challenges, both in terms of analysis and mitigation. The paper uses a structured threat modelling process based on industry methodologies to identify threats and vulnerabilities to both the Sage open source development process and the application itself. It rates the discovered threats and suggests several mitigation options to consider. The paper analyses the findings, focusing on several architectural and design mitigation options, and investigates some of the technologies and tools to address the discovered threats and vulnerabilities most effectively. It covers generic open source and web based security challenges as well as issues affecting cloud computing, software as a service, virtualisation, process isolation and containment, and others.
This is a Published version. This version's date is: 01/09/2009. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/4120e089-8b7a-357b-a507-107ea922402e/1/
Deposited by () on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.