Security thesis advice

Hi,

I’m a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don’t have much knowledge about Ruby
security; I think perhaps those much involved in Ruby could give me some
advice.

Thanks

Jorge

I’m a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don’t have much knowledge about Ruby
security; I think perhaps those much involved in Ruby could give me some advice.

I’d recommend maybe asking some members of the metasploit project (
http://metasploit.com/development/ ), a penetration testing framework
written in Ruby (originally done in Perl). That’s an excellent mix of
Ruby and security in my opinion.

  • Chris ( @cwgem )

OWASP Projects:
Ruby-ESAPI.
AppSensor.
http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor

MarkT

Hello,

On 22 October 2011 23:55, Jorge Bo [email protected] wrote:

Hi,

I’m a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don’t have much knowledge about Ruby
security; I think perhaps those much involved in Ruby could give me some advice.

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

This is less of an issue with full machine virtualization becoming
commonplace but still poses barrier to entry in implementing Ruby as
an alternative to PHP.

A good security topic might be evaluating security of shared PHP
hosting and either refute there is any security at all or implement
comparably secure Ruby plugin suitable for shared hosting in
Apache/nginx/other web server.

Thanks

Michal

On Sat, Oct 22, 2011 at 11:55 PM, Jorge Bo [email protected] wrote:

Hi,

I’m a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don’t have much knowledge about Ruby
security; I think perhaps those much involved in Ruby could give me some advice.

Head on over to http://www.securityfocus.com/archive/105/description
and get in touch with security experts. :)


Phillip G.

gplus.to/phgaw | twitter.com/phgaw

A method of solution is perfect if we can foresee from the start,
and even prove, that following that method we shall attain our aim.
– Leibniz

Actually, I had an idea about building security on-demand… sounds a little
weird, but I was thinking about building security in an application in a
spiral way. Let’s say starting with minimum security and, based on the attack
patterns, allow the application to modify its own code to apply security
countermeasures, relying on Ruby metaprogramming…
I guess it could be of more theoretical value than practical one, however
it’s something which has been revolving in my mind for a long time…

2011/10/23 Carter C. [email protected]

I have actually recently become quite interested in these sorts of topics.
Since it does seem that these topics are of some interest at the moment to
the community. I notice that most pieces in this area are rather on the end
of being more application oriented. Has there been much in terms of
theoretical developments outside of cryptography?

What kind of thesis is this for? I suspect that any thesis type project
would have to mix both elements to make an effective thesis.

On 24 October 2011 02:45, Jorge Bo [email protected] wrote:

Actually, I had an idea about building security on-demand… sounds a little
weird, but I was thinking about building security in an application in a
spiral way. Let’s say starting with minimum security and, based on the attack
patterns, allow the application to modify its own code to apply security
countermeasures, relying on Ruby metaprogramming…
I guess it could be of more theoretical value than practical one, however
it’s something which has been revolving in my mind for a long time…

This is fundamentally impossible.

Once your application starts insecure it cannot be secured.

Thanks

Michal

On Mon, Oct 24, 2011 at 12:23 AM, Michal S. [email protected]
wrote:

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

Just for curiosity: what exactly do you mean by “user isolation” and
what features are missing in Ruby?

Kind regards

robert

On 24 October 2011 10:47, Robert K. [email protected]
wrote:

On Mon, Oct 24, 2011 at 12:23 AM, Michal S. [email protected] wrote:

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

Just for curiosity: what exactly do you mean by “user isolation” and
what features are missing in Ruby?

It is common to see shared hosting where one Apache instance runs
multiple separate PHP enabled sites.

It relies on security built into PHP (disabling certain features) to
isolate these sites from each other. They live in one filesystem on
one server but supposedly cannot access any data of each other, there
is CPU and real time limit on execution of every page to prevent DoS,
etc. Technically each site is associated with a UID - think of a web
site stored in your home directory on a shared server.

I don’t know of any Ruby enabled web server that can run multiple
sites like that.

Thanks

Michal

On Mon, Oct 24, 2011 at 11:08 AM, Michal S. [email protected]
wrote:

It relies on security built into PHP (disabling certain features) to
isolate these sites from each other. They live in one filesystem on
one server but supposedly cannot access any data of each other, there
is CPU and real time limit on execution of every page to prevent DoS,
etc. Technically each site is associated with a UID - think of a web
site stored in your home directory on a shared server.

I don’t know of any Ruby enabled web server that can run multiple
sites like that.

Actually, this relies on Apache’s features: Apache spawns off a PHP
thread for each site with mod_php (it’s more complicated than that,
but that’s essentially it, IIRC).

I’m pretty sure mod_passenger does that, too, for Sinatra, Rails,
and, I think, Rack middleware.

And, well, if you have to disable features to make something secure,
it really isn’t designed with security in mind. ;)


Phillip G.

gplus.to/phgaw | twitter.com/phgaw

A method of solution is perfect if we can foresee from the start,
and even prove, that following that method we shall attain our aim.
– Leibniz

On 10/22/2011 11:55 PM, Jorge Bo wrote:

Hey there Jorge,

May I ask for some clarification?

What kind of “Ruby-security related” topic are you heading for?

  • enhance ruby’s security itself (at the interpreter level)
  • enhance the security of a given system by using ruby (like metasploit,
    selinux-ruby-bindings or even freebsd)
  • enhance the security of any ruby application (maybe even with ruby?
    meta programmed recursion rules where’s my mind?)

Greets, Chris

Hi Chris, thanks for your answer

Honestly, I’m just evaluating different approaches. I’m finding very
interesting the Ruby metaprogramming model; I posted a crazy idea in a
previous message yesterday, that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.
You mention one topic about enhancing the security of any Ruby application.
I guess it would be a good idea to start reading some documents about Ruby’s
security model.

Thanks,
Jorge

2011/10/24 Christian P. [email protected]

On 10/25/2011 12:30 AM, Jorge Bo wrote:

Hi Chris, thanks for your answer

Honestly, I’m just evaluating different approaches. I’m finding very
interesting the Ruby metaprogramming model; I posted a crazy idea in a
previous message yesterday, that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.

I’ve read your proposal, and it immediately reminded me about OpenBSD’s
securelevel(7). Wouldn’t OpenBSD count as an example, where a
potentially unsafe system is booted, and secured after it has booted? Doesn’t
it all depend on the kernel/interpreter?

Compare:
http://www.openbsd.org/cgi-bin/man.cgi?query=securelevel&sektion=7
With:
http://www.rubycentral.com/pickaxe/taint.html

For me, it sounds quite comparable, ‘same old procedure’, and the same
result: “start an untrusted system and secure it afterwards…”

Or am I missing something? (right now, that’s quite possible lol)

Greets, Chris

On 25 October 2011 00:43, Christian P. [email protected] wrote:

One thing where Ruby is lacking compared to PHP is user isolation on

Thanks

Michal

‘thin’ and ‘unicorn’ (just to name some examples) both have built in
support for chrooting under another uid/gid, and even if they wouldn’t,
nothing is stopping their root from chrooting them manually, so it has
nothing to do with php at all.

I don’t think this has anything to do with chrooting.

The mod_php is supposed to work in an environment where you have 1000s of
users and each has PHP pages in their home directory.

I don’t think spawning 1000s of chrooted instances just in case somebody
requested a page of that particular user is viable.

Sure, you can start a chrooted interpreter only when you need one
started as that user.

However, as I understand mod_php it disallows executing external
programs and filters arguments to functions that can open files
instead of chrooting.

Then when one script ends the interpreter can be reset and can run
another script, possibly of completely different web site.

This probably makes it possible to run the web server as a single
non-root user, too. That’s quite different from saying “yeah, you can
chroot anything”.

There are guides on installing mod_php so that such an environment works
reasonably. It can be used for both bolt-on “user home pages” on a
shared server and web-hosting only.

Thanks

Michal
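
The file-argument filtering Michal describes for mod_php (checking the paths handed to file-opening functions instead of chrooting) can be sketched in Ruby as follows. This is an added example, not code from the thread or from PHP, Apache or any Ruby server; `confined_path`, `ConfinementError`, `demo` and the directory names are hypothetical, and the sample files are constructed in a temporary directory.

```ruby
require "tmpdir"
require "fileutils"

# Raised when a request resolves outside the site's own directory.
class ConfinementError < StandardError; end

# Hypothetical helper (not a PHP or Ruby API): return the canonical path for
# +requested+ only if it stays inside +base+ once ".." and symlinks are resolved.
def confined_path(base, requested)
  base_real = File.realpath(base)
  # realdirpath resolves symlinks but allows the last component to be
  # missing, so a file that is about to be created can be checked too.
  resolved = File.realdirpath(requested, base_real)
  # Compare with a trailing separator so /home/alice2 is not mistaken
  # for something inside /home/alice.
  inside = resolved == base_real ||
           resolved.start_with?(base_real + File::SEPARATOR)
  raise ConfinementError, "#{requested.inspect} is outside #{base_real}" unless inside
  resolved
rescue Errno::ENOENT, Errno::ELOOP
  raise ConfinementError, "#{requested.inspect} cannot be resolved"
end

# Constructed sample: two "sites" side by side, every request made on behalf
# of the site "alice". Returns { label => :allowed | :denied }.
def demo
  Dir.mktmpdir do |root|
    alice = File.join(root, "alice")
    other = File.join(root, "alice2") # shares a string prefix with alice
    FileUtils.mkdir_p([alice, other])
    File.write(File.join(alice, "index.html"), "alice page")
    File.write(File.join(other, "secret.txt"), "other site's data")
    File.symlink(File.join(other, "secret.txt"), File.join(alice, "link"))

    requests = {
      "own file"      => "index.html",
      "new file"      => "uploads.txt",
      "dot-dot"       => "../alice2/secret.txt",
      "absolute path" => File.join(other, "secret.txt"),
      "symlink"       => "link"
    }
    requests.transform_values do |path|
      confined_path(alice, path) && :allowed
    rescue ConfinementError
      :denied
    end
  end
end

puts demo.inspect if __FILE__ == $0
```

The check and the later open are separate steps, so a symlink swapped in between them can still defeat it; per-site UIDs and file permissions remain the boundary the operating system enforces.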

On 10/24/2011 12:23 AM, Michal S. wrote:

shared web hosting.
Thanks

Michal

‘thin’ and ‘unicorn’ (just to name some examples) both have built in
support for chrooting under another uid/gid, and even if they wouldn’t,
nothing is stopping their root from chrooting them manually, so it has
nothing to do with php at all.

Greets, Chris

On 10/25/2011 01:08 AM, Michal S. wrote:

potentially unsafe system is booted, and secured it has booted? Doesn’t
Or am i missing something? (right now, that’s quite possible lol)

Thanks

Michal

Sounds reasonable, gonna check it out.
Thanks,

Chris

On 25 October 2011 00:53, Christian P. [email protected] wrote:

it all depend on the kernel/interpreter?

Compare:
securelevel(7) - OpenBSD manual pages
With:
http://www.rubycentral.com/pickaxe/taint.html

For me, it sounds quite comparable, ‘same old procedure’, and the same
result: “start an untrusted system and secure it afterwards…”

Or am I missing something? (right now, that’s quite possible lol)

Yes, there are some things that you are missing.

While the OpenBSD secure levels aren’t a very good security mechanism
you missed a few important points.

  1. You boot a trusted system, not an untrusted one. Booting an untrusted
    system is quite pointless.

  2. You enter a higher secure level before allowing access from the
    outside. The securing is pre-emptive, not reactive as in the proposal.

Thanks

Michal