October 1, 2016

Coverity releases open source library to help developers fix XSS issues in Java web applications

(LiveHacking.Com) – A new, open source library has been released to help developers easily fix cross-site scripting (XSS) security defects in Java web applications. The library, which gives developers a range of free escaping and encoding functions, has been released by Coverity, a development testing company that invented a new way to test source code to reveal critical software defects.

The idea is that the new library will enable developers with limited security expertise to quickly fix XSS security defects in Java web applications. It does this by providing a set of functions for data escaping and encoding.

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder, CTO and head of the Security Research Laboratory. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down. With the Coverity Security Library, developers now have a powerful and easy-to-use library to help them plug some of the most common security holes early in the development process when they are easiest to fix.”
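The point about reaching for the wrong escaper, as an added example (not code from the Coverity Security Library, whose API this page does not show): the hypothetical `escapeHtml` and `escapeJsString` below are simplified stand-ins, and the constructed input passes through the HTML escaper unchanged yet cannot safely sit inside a JavaScript string literal.

```java
public class EscaperContextDemo {

    // HTML escaper (hypothetical stand-in): rewrites markup metacharacters only.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string escaper (hypothetical stand-in): allow-list of letters,
    // digits and space; every other character becomes a four-digit hex escape.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == ' ';
            out.append(plain ? String.valueOf(c) : String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // True if the value can sit between quotes in a script block without
    // ending or altering the string literal.
    static boolean safeInJsLiteral(String v) {
        return v.matches("(?:[A-Za-z0-9 ]|\\\\u[0-9a-f]{4})*");
    }

    public static void main(String[] args) {
        // Constructed input: a trailing backslash and a line break, no markup.
        String input = "Q3 report\\\ndraft";
        String viaHtml = escapeHtml(input);
        String viaJs = escapeJsString(input);
        System.out.println("HTML escaper changed the input: " + !viaHtml.equals(input));
        System.out.println("HTML-escaped value safe in JS literal: " + safeInJsLiteral(viaHtml));
        System.out.println("JS-escaped value: " + viaJs);
        System.out.println("JS-escaped value safe in JS literal: " + safeInJsLiteral(viaJs));
    }
}
```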

The company has released the Coverity Security Library to the open source community on GitHub and Maven as a standalone repository. The important question is: why do developers need another security library? Coverity’s answer is that many existing libraries are incomplete and the ones that are complete are too complex and inefficient. The end result was that Coverity couldn’t find a freely available library that it felt comfortable recommending to users.

Coverity is also looking for contributions from the community as it expands the library in the future. It hopes to earn the trust of users and believes that making the library available under a liberal BSD-like open source license will help increase transparency.

Although the library is open source, the advantage for Coverity is that the library can also be used in conjunction with the Coverity® Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in finding fixes.

Kaspersky Lab developing secure OS for industrial control systems

(LiveHacking.Com) – In a blog post for Kaspersky Lab, Eugene Kaspersky has confirmed that the security company is working on a new, secure operating system on top of which industrial control systems (ICS) can be installed. The aim is to provide a secure environment that incorporates all the latest security technologies available and is built to tackle the realities of 21st century cyber-attacks.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems. Until a few years ago cyber-attacks were limited to web servers and email servers. That has changed, and now the very infrastructure that controls our countries is open to attack.

Industrial IT systems differ from office systems and internet-facing servers for three very important reasons:

  1. The system must always be running. If a web server is under attack, the worst-case scenario is that the server is shut down until everything can be resolved. You can’t do that with the control system running a nuclear power station!
  2. Because of the “always on” nature of the systems, performing software upgrades is difficult and often undesired by those running the systems.
  3. Traditionally the ICS manufacturers have been less willing to provide updates to existing control systems.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security: how could a hacker possibly get to the system if it isn’t connected to anything? Unfortunately the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this was long before the rise of cyber espionage malware like Stuxnet, Duqu, Flame, miniFlame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge project effort would still not guarantee sufficiently stable operation of systems. The alternative is to create a secure operating system, one onto which ICS can be installed. To do this Kaspersky Lab are developing a highly tailored operating system for a specific narrow task. It is not, as Kaspersky put it, “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

Also the company is working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

Why Has Google Released the Source Code For Two New Hash Functions?

Google has released some of the source code for the new CityHash family of hash functions. In the initial offering Google has published the code, with a friendly MIT license, for CityHash64 and CityHash128. These functions hash strings to 64-bit and 128-bit hash codes, respectively.

64-bit and 128-bit hashes are considered weak by today’s standards and as such Google say that these functions aren’t suitable for cryptography, but do work well for hash tables. The release of this code raises several questions: Why would Google develop new hash functions? Why only 64- and 128-bit? Are there more functions that Google are using and developing? Will CityHash ever be used for cryptography?

On why Google would create new hash functions, the simple answer is speed. Google processes huge amounts of data and every fraction of a millisecond shaved off runtime overheads is essential in keeping computing costs down. Google are claiming that “under real-life conditions we expect CityHash64 to outperform previous work by at least 30% in speed, and perhaps as much as a factor of two”. That is a significant speed boost for Google. What is also interesting is that Google mention optimizing the code for CPUs that are common in Google’s datacenters. This can also lead us to conclude that Google are turning their attention to hashing, indexing and probably cryptography functions using specialized hardware. It is not uncommon today for hackers to use the power of GPUs in cracking codes and part of that work is in the generation of hash tables using GPUs.

As for the other questions, Google call these two functions “a family” of hash functions. Two hardly constitutes a family and in fact Google admit to using “variants of CityHash128” internally. It is most likely that Google have CityHash256, CityHash512 and CityHash1024 tucked away somewhere. If this is so, then these new functions could have a future in cryptography.

Jif: Security-typed Programming Language

Researchers at Cornell University have developed a security-typed programming language that extends Java with support for information flow control and access control, enforced at both compile time and run time.

Java + Information Flow, or Jif, is now available for download, along with the source code for the Jif compiler and run-time system. According to the project website, Jif is written in Java and is built using the Polyglot extensible Java compiler framework.

The Jif compiler tracks the correspondence between information and the policies that restrict its use, enforcing security properties end-to-end within the system. Information flow within Jif programs is checked first; the Jif compiler then translates them to Java programs and uses an ordinary Java compiler to produce secure executable programs.

Jif provides important features like selective, robust downgrading, language-based access control, and dynamic labels and principals.
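A simplified sketch of label checking and downgrading, as an added example in plain Java (16 or later) rather than Jif syntax or code from the Jif project: Jif makes the flow check at compile time, while this sketch makes it at run time. The `Label` and `Labeled` types, the single-owner restriction and the sample values are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Set;

public class FlowLabelSketch {
    // One confidentiality policy: an owner and the principals the owner lets read.
    record Label(String owner, Set<String> readers) {
        // A flow is allowed only to a destination at least as restrictive.
        boolean flowsTo(Label dest) {
            return owner.equals(dest.owner()) && readers.containsAll(dest.readers());
        }
        // Data derived from two inputs may be read only by readers of both.
        Label join(Label other) {
            if (!owner.equals(other.owner()))
                throw new IllegalArgumentException("sketch handles a single owner");
            Set<String> both = new HashSet<>(readers);
            both.retainAll(other.readers());
            return new Label(owner, both);
        }
    }

    record Labeled(int value, Label label) {
        Labeled plus(Labeled o) {
            return new Labeled(value + o.value(), label.join(o.label()));
        }
        // The information-flow check on assignment.
        Labeled assignTo(Label dest) {
            if (!label.flowsTo(dest))
                throw new SecurityException("flow " + label + " -> " + dest + " rejected");
            return new Labeled(value, dest);
        }
        // Downgrading: relaxing a policy requires the owner's authority.
        Labeled declassify(Label dest, String authority) {
            if (!authority.equals(label.owner()))
                throw new SecurityException(authority + " may not downgrade " + label);
            return new Labeled(value, dest);
        }
    }

    public static void main(String[] args) {
        // Constructed principals and values.
        Label secret = new Label("alice", Set.of("alice"));
        Label shared = new Label("alice", Set.of("alice", "bob"));
        Labeled total = new Labeled(5200, secret).plus(new Labeled(300, shared));
        System.out.println("label of the sum: " + total.label());
        try {
            total.assignTo(shared); // would let bob read data derived from the secret
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.out.println(total.declassify(shared, "alice").assignTo(shared).value());
    }
}
```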

More information is available at project website: http://www.cs.cornell.edu/jif/