cipherdyne.org

Michael Rash, Security Researcher



2006 Blog Archive

Richard Bejtlich on Fwknop

Richard Bejtlich, founder of TaoSecurity, has made a posting to his blog about the article I wrote for the USENIX ;login: Magazine entitled "Single Packet Authorization with Fwknop". The SPA concept is catching on!

Linux Kernel String Match Bugfix

I have finally gotten my name into the ChangeLog for the Linux Kernel by fixing an initialization bug in the kernel portion of the Netfilter string match extension. This fix appears in kernel version 2.6.18, and here is the ChangeLog entry:
commit 3ffaa8c7c0f884171a273cd2145b8fbbf233ba22
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Aug 22 00:45:22 2006 -0700

    [TEXTSEARCH]: Fix Boyer Moore initialization bug

    The pattern is set after trying to compute the prefix table, which
    tries to use it. Initialize it before calling compute_prefix_tbl,
    make compute_prefix_tbl consistently use only the data from struct
    ts_bm and remove the now unnecessary arguments.

    Signed-off-by: Michael Rash <mbr@cipherdyne.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
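
The ordering problem the commit message describes, as an added example that is not the kernel's code or the author's patch: a simplified Horspool variant of Boyer-Moore with only a bad-character table, where building the table before the pattern is stored makes the scan step past a real match. The names struct bm, compute_tbl, bm_init and bm_find, the zero-filled buffer and the sample payload are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified search config (not the kernel's struct ts_bm). */
struct bm {
    unsigned char pattern[32];
    size_t patlen;
    size_t bad_shift[256];
};

/* Build the bad-character shift table from the pattern held in the struct. */
static void compute_tbl(struct bm *bm) {
    size_t i;
    for (i = 0; i < 256; i++)
        bm->bad_shift[i] = bm->patlen;
    for (i = 0; i + 1 < bm->patlen; i++)
        bm->bad_shift[bm->pattern[i]] = bm->patlen - 1 - i;
}

/* table_first reproduces the wrong order: table built from a zeroed (assumed) buffer. */
static void bm_init(struct bm *bm, const char *pat, int table_first) {
    memset(bm, 0, sizeof(*bm));
    bm->patlen = strlen(pat) < sizeof(bm->pattern) ? strlen(pat) : sizeof(bm->pattern);
    if (table_first)
        compute_tbl(bm);
    memcpy(bm->pattern, pat, bm->patlen);
    if (!table_first)
        compute_tbl(bm);
}

/* Horspool scan; returns the match offset or -1. */
static long bm_find(const struct bm *bm, const char *text, size_t n) {
    size_t pos = 0;
    while (pos + bm->patlen <= n) {
        if (memcmp(text + pos, bm->pattern, bm->patlen) == 0)
            return (long)pos;
        pos += bm->bad_shift[(unsigned char)text[pos + bm->patlen - 1]];
    }
    return -1;
}

/* Constructed sample payload; the pattern starts at offset 11. */
static const char SAMPLE[] = "GET /cgi?x=/bin/sh HTTP/1.0";
int main(void) {
    struct bm bad, good;
    bm_init(&bad, "/bin/sh", 1);
    bm_init(&good, "/bin/sh", 0);
    printf("table first: %ld, pattern first: %ld\n",
           bm_find(&bad, SAMPLE, sizeof(SAMPLE) - 1), bm_find(&good, SAMPLE, sizeof(SAMPLE) - 1));
}
```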

Intrusion Prevention Book Chapter Posted

Syngress Publishing has allowed me to post one of the chapters I wrote for the book "Intrusion Prevention and Active Response: Deploying Network and Host IPS". This chapter is entitled "Network Inline Data Modification" and explores the concept and implications of configuring an Intrusion Prevention System (IPS) to dynamically rewrite application layer data en route over a network. A PDF version of this chapter can be downloaded here. The book has received positive reviews (including one by Richard Bejtlich of taosecurity.com) on amazon.com. The actual data replacement is accomplished with Snort_inline or with a patch I wrote for the Netfilter string match extension and bundled with fwsnort.

DEF CON SPA Talk Slides Posted

Today I gave a talk at the DEF CON 14 conference in Las Vegas. This talk discussed the concept of routing SPA packets over the Tor network, and slides can be found here in PDF format. All feedback is welcome!

Software Release - fwknop-0.9.7

The 0.9.7 release of fwknop is ready for download. Here is the ChangeLog:
  • Added fwknop_serv to function as a minimal TCP server over which SPA packets can be sent. This allows SPA to be compatible with the Tor network, which requires that a virtual circuit is established before traffic can be sent.
  • Updated to Crypt::CBC 2.18 after a vulnerability was discovered in previous versions of Crypt::CBC that caused weak ciphertext to be generated for algorithms that have blocksizes greater than 8 bytes (such as Rijndael used by fwknop). Manually specifying initialization vectors is not necessary now.
  • Updated SSH patch to support OpenSSH-4.3p2.
  • Bugfix to make sure to create /var/* directories if they don't exist (such as when /var is a tmpfs).
  • Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does not die if there are problems trying to decrypt data. This is necessary because of the security vulnerability fix in Crypt::CBC that creates some incompatibilities in different versions of Crypt::CBC.

Black Hat Briefings SPA Tutorial

Jay Beale is teaching a class at the Black Hat Briefings entitled Unix Aikido - Deflecting Attacks with Hard-Core Defense. He is going to include a tutorial on fwknop and Single Packet Authorization. The word is getting out about SPA!