Security Patch Manager for Gentoo Linux - PowerPoint PPT Presentation

Provided by: Nik66

Transcript and Presenter's Notes

Title: Security Patch Manager for Gentoo Linux


1
Security Patch Manager for Gentoo Linux
  • Alkesh N. Shah (gth836t)
  • Prajakta S. Jagdale (gth853e)
  • Nikhil N. Gandhi (gth792g)
  • Timothy R. Jackson (gte673z)
  • Luke K. Simpson (gte282y)

2
Introduction
  • Automate the process of patching software vulnerabilities
  • Software patches
      • Fix bugs
      • Address software vulnerabilities
  • Software vulnerabilities
      • Flaws that can be exploited by a malicious entity

3
Statistics
4
Statistics
5
Patch
  • Background
      • A patch can be an upgrade, a bug fix, a new hardware driver
      • The developer will determine which versions of their software will be updated
      • A patch can be installed over the top of an existing program
      • Not all vulnerabilities have related patches

6
The Problem!
  • Reasons why users don't download a patch
      • The overhead of updating patches regularly
      • Lack of realization of the importance of a patch
      • Risk of a patch introducing a new vulnerability
      • The perception that a high degree of technical skill is required to
        successfully exploit vulnerabilities, making an attack unlikely

7
Gentoo Linux
  • Automatically optimized
  • Extreme configurability, performance and a top-notch user and developer
    community
  • Gentoo Linux is an ideal secure server, development workstation,
    professional desktop, gaming system
  • Gentoo Linux uses an enhanced BSD ports-style package system.
  • Gentoo has a package system reminiscent of BSD's ports.
  • The packages are distributed as source, in the form of "ebuild"
    auto-build scripts

8
Portage
  • Portage is the software distribution system for
    Gentoo Linux
  • Portage allows you to set up Gentoo Linux the way
    you like it.
  • A GNOME 2 desktop running under
    Gentoo Linux

9
Commands
  • emerge --sync: tells Portage to update your local "Portage tree" over
    the Internet.
  • The local Portage tree contains a complete collection of scripts that
    can be used by Portage to create.
  • emerge packagename: installs a package, at which point Portage
    automatically builds a custom version of the package to the exact
    specifications
  • emerge -u world: ensures that all the packages that are on the system
    are updated automatically.

10
Our Approach
  • XML database
  • Vulnerability Information
  • Parser
  • Integration with emerge

11
Sample XML File
    <package group="pkg_grp" name="pkg_name">
      <verrange ver="1.0.1">
        <vuln vid="Vulnerability ID">
          <description> Description of Vulnerability </description>
          <dates>
            <discovery> yyyy-mm-dd </discovery>
            <entry> yyyy-mm-dd </entry>
          </dates>
        </vuln>
      </verrange>
    </package>

12
Parser Implementation
  • Using PyXML package
  • Why SAX Parser model?
  • Output Data Structure

13
Integration
  • Compare with list of installed packages
  • Invoke the emerge -p command
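
The pipeline from the Our Approach, Parser Implementation and Integration slides, as an added example that is not the presenters' code: a SAX handler for the sample XML format, matched against installed packages and turned into emerge -p invocations. It uses Python's standard-library xml.sax in place of PyXML; the <vulndb> root element, the exact-match reading of ver, the installed-package dict and all sample values are assumptions.

```python
import io
import re
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample; <vulndb> root, package name and ID are assumptions.
SAMPLE_DB = """<vulndb>
<package group="net-misc" name="examplepkg">
 <verrange ver="1.0.1">
  <vuln vid="EXAMPLE-0001">
   <description>Constructed sample entry</description>
   <dates><discovery>2005-01-10</discovery><entry>2005-01-12</entry></dates>
  </vuln></verrange>
</package>
</vulndb>"""
ATOM = re.compile(r"[A-Za-z0-9][\w+.-]*/[A-Za-z0-9][\w+.-]*")  # category/name only

class VulnHandler(ContentHandler):  # builds {(atom, version): [vuln dict, ...]}
    def __init__(self):
        super().__init__()
        self.db, self.pkg, self.ver, self.vuln, self.text = {}, None, None, None, []
    def startElement(self, name, attrs):
        self.text = []
        if name == "package":
            self.pkg = attrs["group"] + "/" + attrs["name"]
        elif name == "verrange":
            self.ver = attrs["ver"]
        elif name == "vuln":
            self.vuln = {"vid": attrs["vid"]}
    def characters(self, content):
        self.text.append(content)
    def endElement(self, name):
        if name in ("description", "discovery", "entry") and self.vuln is not None:
            self.vuln[name] = "".join(self.text).strip()
        elif name == "vuln":
            self.db.setdefault((self.pkg, self.ver), []).append(self.vuln)
            self.vuln = None

def load_db(xml_text):
    parser, handler = make_parser(), VulnHandler()
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.db

def pretend_commands(db, installed):
    """installed: {atom: version}. Exact version match (assumed semantics of ver)."""
    hits = sorted({p for (p, v) in db if installed.get(p) == v and ATOM.fullmatch(p)})
    # Argument lists, not shell strings; -p only shows what emerge would do.
    return [["emerge", "-p", "-u", p] for p in hits]
```

Each returned list can be passed to subprocess.run as-is, so a package name taken from the database never reaches a shell.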

14
Future Directions
  • Integration with Portage
  • Interface for updating the security database

15
References
  • National Vulnerability Database
  • NIST: www.csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
  • Gentoo Linux: www.gentoo.org
  • US-CERT - CERT/CC Statistics 1988-2005.