Troopers ’17 – the 10th edition – madness is over and hopefully all of you are well rested and recovered after this special week. Of course the rest of the world did not stand still, and so Google lifted the curtain on a new public portal collecting and promoting the Open Source Software projects developed by Google employees: opensource.google.com. There are a lot of interesting projects there that might incubate further interesting developments, and security-oriented tools and projects (51 at the time of writing, to be precise) are publicly available as well [1].
Among them is the badssl project [2], which provides a multitude of SSL/TLS test cases for checking how SSL clients behave with respect to SSL configuration best practices.
Another interesting tool is syzkaller [3]. Syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer. Unsupervised means that it does not need further feedback from the user, but can simply be run against any Linux kernel that can be compiled with coverage instrumentation. This means every mainline kernel since 4.6, or one that carries a certain patch [4]. Coverage-guided means that it is able to measure how much of the code has been executed so far and modifies its inputs to try to hit code that has not. It is meant to be used together with KASAN [5] to find kernel out-of-bounds memory accesses, KTSAN [6] to detect kernel race conditions, and KUBSAN [7] to find general undefined behavior. So far it has found various vulnerabilities among countless kernel bugs.
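To make the coverage-guided principle concrete, here is a small, constructed Python example (added for this post, not syzkaller's own code): a deterministic byte-walk mutation stage that keeps only inputs reaching new branches, run against a made-up "syscall handler" with a planted out-of-bounds write. The branch labels the handler records stand in for the kernel's coverage instrumentation, and the `Crash` exception plays the role of a KASAN report.

```python
class Crash(Exception):
    """Stand-in for a sanitizer report (e.g. KASAN on an out-of-bounds write)."""

def toy_handler(data: bytes, cov: set) -> None:
    """Constructed target: a parser with nested checks and one unchecked index.
    Every branch adds a label to `cov`, mimicking coverage instrumentation."""
    cov.add("entry")
    if len(data) < 4:
        cov.add("too_short"); return
    if data[0] != 0x53:                 # constructed magic byte
        cov.add("bad_magic"); return
    cov.add("magic_ok")
    if data[1] != 0x59:                 # constructed version byte
        cov.add("bad_version"); return
    cov.add("version_ok")
    if data[2] ^ data[3] != 0xFF:       # constructed checksum rule
        cov.add("bad_checksum"); return
    cov.add("checksum_ok")
    table = bytearray(8)
    if data[2] >= len(table):           # the planted bug: index never validated
        raise Crash(f"out-of-bounds write at index {data[2]}")
    table[data[2]] = 1
    cov.add("table_write")

def run(data: bytes, total_cov: set):
    """Execute one input; return (newly covered labels, crashed?)."""
    cov, crashed = set(), False
    try:
        toy_handler(data, cov)
    except Crash:
        crashed = True
    new = cov - total_cov
    total_cov |= cov
    return new, crashed

def fuzz(seed: bytes = b"\x00" * 4):
    """Coverage-guided loop: walk every byte of every corpus entry through all
    256 values; an input joins the corpus only if it reached a new branch."""
    corpus, total_cov, crashes, seen = [seed], set(), [], {seed}
    run(seed, total_cov)
    i = 0
    while i < len(corpus):              # corpus grows while we iterate over it
        parent = corpus[i]; i += 1
        for pos in range(len(parent)):
            for value in range(256):
                child = parent[:pos] + bytes([value]) + parent[pos + 1:]
                if child in seen:
                    continue
                seen.add(child)
                new, crashed = run(child, total_cov)
                if crashed:
                    crashes.append(child)
                if new:                 # new coverage: keep it as a mutation parent
                    corpus.append(child)
    return corpus, total_cov, crashes, len(seen)
```

Because this stage never changes the input length, the `too_short` branch is never reached; real fuzzers such as syzkaller add length-changing and syscall-structure-aware mutations on top of this basic loop.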
Firing Range [8] is a test case suite developed for benchmarking web application security scanners. The tests are mostly focused on XSS vulnerabilities, but test cases for cross-origin resource sharing, clickjacking, and Flash injection are available as well. The code is mostly well documented, so web application developers can also use the test cases to learn how to identify and prevent some of the common vulnerabilities on their own.
OSS-Fuzz [9] is a Google service that may already be known to you. If you have an open source project that is ‘widely-used’, you can apply at OSS-Fuzz. Once the project is accepted, Google integrates it into its fuzzing farm and automatically generates fuzz reports for new releases, covering the crashes identified in your application. However, you should be aware that your project is then subject to Google’s standard disclosure policy [10], which means that reported issues will be made public after 90 days, or 30 days after a fix has been released.
The Sandbox Attack Surface Analysis Tools [11] are a collection of Windows security analysis tools developed by our fellow Trooper James Forshaw. The tool suite can be used to test Windows sandbox properties by checking e.g. which registry or device accesses are performed by the sandbox to be analyzed. It is thus a low-level inspection toolset that comes in very handy for analyzing the security of applications in the Windows space — we immediately added it to our Windows Application Assessment tool suite.
We’re always happy to see that more helpful security tools are open sourced and available to everybody! Enjoy your weekend, explore the project repository, and happy hacking!
[1] https://opensource.google.com/projects/search?q=security
[2] https://badssl.com/
[3] https://opensource.google.com/projects/syzkaller
[4] https://github.com/torvalds/linux/commit/5c9a8750a6409c63a0f01d51a9024861022f6593
[5] https://www.kernel.org/doc/html/latest/dev-tools/kasan.html
[6] https://github.com/google/ktsan
[7] https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
[8] https://opensource.google.com/projects/firing-range
[9] https://github.com/google/oss-fuzz
[10] https://googleprojectzero.blogspot.de/2015/02/feedback-and-data-driven-updates-to.html
[11] https://opensource.google.com/projects/sandbox-attacksurface-analysis-tools