Monday Aug 04, 2008

NEW: Solaris Package Companion v0.8.1 / Testing Tool v0.1

On the heels of the v0.8 release, Clive King was able to find a new bug introduced as a result of my attempting to make the code a little more in line with Korn Shell conventions. Clive, thank you for reporting the details! I have published an updated version as v0.8.1. As always, you can get all of the details at the OpenSolaris Solaris Package Companion Project Page

As is my tradition when a bug is found, I try and publish a little something extra as a mea cupla. This time is no different. In addition to version 0.8.1 of the Solaris Package Companion, I have also published a testing tool for the same.

The testing tool, called spc-test-v0.1.ksh is also available from the project page. This tool can test multiple versions of the tool against multiple repositories which is pretty cool when checking for regressions. There are currently 48 tests although tests can be easily added or removed as needed. It can optionally display the results to the screen, but by default it records them in a directory where a basic consistency check is performed to detect differences in output (for the same repository) resulting from the use of different versions of the tool. This is not intended to be an all encompassing test suite or even a piece of production code, but rather a basic sanity check to make sure the key functions are working as expected.

Thanks again, Clive!

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Aug 01, 2008

NEW: Solaris Package Companion v0.8

Wow, has time passed since my last posting. I promise to do a quick update soon as a lot has been happening over the last six months! In the meantime, I wanted to tell you all about a new version of the Solaris Package Companion (version 0.8) that is now available.

For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is a tree view display method that allows you to list the contents of metaclusters and clusters in a more eye-friendly tree-view. Thanks to Fredrich Maney for contributing the idea and code! Here are a few examples from the project page showing what this looks like:

To see what packages are included in a cluster, just use the "-t" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -t SUNWCssh
   [C] SUNWCssh                  Secure Shell
      [P] SUNWsshcu                 SSH Common, (Usr)
      [P] SUNWsshdr                 SSH Server, (Root)
      [P] SUNWsshdu                 SSH Server, (Usr)
      [P] SUNWsshr                  SSH Client and utilities, (Root)
      [P] SUNWsshu                  SSH Client and utilities, (Usr)

To see what packages and clusters are included in a metacluster, just use the "-T" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -T SUNWCmreq | head -10
[M] SUNWCmreq                 Minimal Core System Support
   [C] SUNWCfca                  Sun ISP Fibre Channel Device Drivers
      [P] SUNWqlc                   Qlogic ISP 2200/2202 Fibre Channel Device Driver
      [P] SUNWemlxs                 Emulex-Sun LightPulse Fibre Channel Adapter (FCA) driver (root)
   [C] SUNWCfct                  Sun Fibre Channel Transport Software
      [P] SUNWfcsm                  FCSM driver
      [P] SUNWfctl                  Sun Fibre Channel Transport layer
      [P] SUNWfcp                   Sun FCP SCSI Device Driver
      [P] SUNWfcip                  Sun FCIP IP/ARP over FibreChannel Device Driver
   [C] SUNWCfmd                  Fault Management Daemon and Utilities
[…]

I would also like to thank Peter Pickford for sharing a fix for a bug that resulted in the tool not properly recording all dependencies under certain circumstances. Thank you! While I was at it, I also took a little time to clean up the code a bit.

You can find more information, examples and the source code on the project page.

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Jan 04, 2008

UPDATED: Solaris - Now With More Fuzz

Every six months or so, I try to do a run of my fuzz tests against the Solaris OS. The first test was conducted a year ago with build 42 followed by a test during our summer break on build 68 of Nevada. It should come as no shock then that I conducted another test during the winter break on build 80.

The tools and methodology are the same (although there are still some kinks to be worked out to make it fully automated), but for those who have not read my earlier post, I will summarize. The tests were conducted on a fresh installation of Nevada build 80 built with the SUNWXCall (Entire + OEM) installation cluster. A sparse-root, non-global zone (called "fuzz") was created for the tests and the software was loaded into the zone. Next, the names of all of the ELF binaries were collected, using the make-exec-list script run from within in the non-global zone. Next, the make-fuzz-tests script was run to generate the 36 different fuzz files to be used as input for each binary tested. Lastly, the test was kicked off using the exec-fuzz-tests script. The script pretty much runs unattended except when I need to kill off runaway processes. I still need to add some code to kill off anything started at the end of each test so you do not end up with tons of extra processes running and consuming memory.

At any rate, the test run completed and I have posted my results in Bugster and the bugs are also available in the OpenSolaris Bug Database Search using the keyword fuzz. The programs impacted can be viewed using this query.

While I tend to do this kind of work for fun as a holiday distraction, it does have real benefit. Programs that fail during a fuzz test (usually core dumping although a runaway or two have also been found) fail due to unvalidated input that leads to a buffer overflow or arithmetic exception of some kind. Input validation is not to be taken lightly and should be performed by every program and service. In fact, on the CERT Top 10 Secure Coding Practices list, validate input is item #1 and with good reason.

Take care,

Glenn

Technorati Tag:

Tuesday Nov 13, 2007

NEW: Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS

For the Sun CEC 2007 conference this year, I revamped my originalPractical Solaris 10 Security presentation that I had originally mentioned here. The new version of the presentation is titled Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS.

While the title is a little more "catchy", the real change is that the presentation was enhanced to provide a more complete practical demonstration of Solaris 10 security capabilities. The presentation is structured from the viewpoint of a potential attacker examining the system from the network. As each new capability is discussed, barriers are lifted -- one by one -- until the attacker is given root access inside a Solaris 10 non-global zone.

While I have not had a chance to record the talk putting audio to the slides, you can still follow along as many of the examples in the presentation are based upon Sun BluePrints and HOWTOs that have already been published such as:

and a few others. I am always tuning and tweaking these presentations to address new features, improve their clarity, and make the examples more realistic. So, be sure to give it a look and send along your feedback. Also, don't forget to check out the OpenSolaris Security Community Presentations Library for other presentations featuring Solaris 10 and OpenSolaris content!

Take care,

Glenn

Technorati Tag:

Friday Nov 02, 2007

NEW: Solaris Package Companion v0.7

This one must have slipped my mind. Please accept my apologies. Back in September (2007), I published an updated version of the Solaris Package Companion. For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is the tag before the item description to inform the user of the type of object being dispayed. [P] indicates a package while [C] is a cluster and [M] is a metacluster. Another new feature is the ability to fold packages back into their respective clusters (where possible). This can be helpful when trying to create a complete list of items for a standard OE image or JumpStart configuration. Essentially, this will report the cluster name in which the package is found. This can be accomplished using the -F (folding) option. The new -Z option will display the list of packages that depend on a specific cluster. There is also an new experimental option -f that will allow you to map a file to a package or cluster (with the -F option). This only works for local files reliably right now. Finally, special thanks to Dave Comay for reporting a bug - that has been fixed in this version too!

You can find more information, examples and the source code on the project page.

Technorati Tag:

About

This area of cyberspace is dedicated the goal of raising cybersecurity awareness. This blog will discuss cybersecurity risks, trends, news and best practices with a focus on improving mission assurance.

Search

Archives
« July 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
       
Today