Tuesday, March 26, 2013

Paper Review: The most dangerous code in the world: validating SSL certificates in non-browser software


Authors: M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov

SSL is a widely used standard for secure communication on the Internet, and it now plays a critical role in applications such as banking and sensitive data transfer. The core of SSL rests on the certificate presented by the server during the initial connection establishment. This paper reveals security flaws in many security-critical applications and libraries caused by improper use of SSL functions. Many of these vulnerabilities stem from badly designed APIs in SSL data-transport implementations. Most SSL implementation APIs expose low-level details to application programmers, and typical application developers are unaware of the options and other parameters of the SSL implementation. This leads to incorrect use of SSL functionality in applications.
Chain-of-trust verification and hostname verification are the two important steps in the SSL handshake. This paper gives a detailed analysis of this area based on some commonly used libraries and APIs. OpenSSL and JSSE are the most commonly used libraries for SSL abstraction, but both cover only the certificate verification part of the SSL handshake; application programmers need to implement the hostname verification part themselves in their applications. Non-standard use of this functionality introduces serious vulnerabilities into SSL communication. Data-transport libraries like cURL and Apache HttpClient also build on the same libraries to achieve SSL capability. SSL tunnels are widely used in non-browser environments such as cloud client APIs, merchant payment SDKs, web-service middleware, etc. These applications are security critical because of the nature of the data they handle. The paper also presents an experiment conducted based on the vulnerabilities found in the basic libraries and APIs. The authors succeeded in performing man-in-the-middle attacks against many applications, including the Amazon Flexible Payment Gateway, Lynx, PayPal IPN, etc.
This paper tries to convey a warning to application developers and API developers. API developers must wrap the basic functionality of the underlying system, and application developers must study the API's functionality and options before using them.
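The hostname verification step that the review says application code is left to implement itself, as an added example that is not from the paper or any of the libraries it studies: a conservative matcher working on the dict layout Python's ssl.SSLSocket.getpeercert() returns, assuming chain-of-trust validation has already succeeded in the TLS library. The certificate dict and all names in it are constructed samples.

```python
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier (possibly a wildcard) to hostname.

    Conservative RFC 6125-style rules: a wildcard must be the entire leftmost
    label, it matches exactly one label, and "*.com"-style patterns are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True iff hostname is one of the identities the certificate asserts.

    cert uses the dict layout of ssl.SSLSocket.getpeercert(): 'subjectAltName'
    is a tuple of (type, value) pairs, 'subject' a tuple of RDNs, each a tuple
    of (attribute, value) pairs. Only the identity binding is decided here;
    chain-of-trust validation must already have succeeded in the TLS library.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    if ip is not None:
        # An IP literal is only matched against iPAddress SANs, never DNS names.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When dNSName SANs exist, the Subject CN is ignored entirely.
        return any(_dns_match(n, hostname) for n in dns_names)
    # Legacy fallback: consult the CN only when no dNSName SAN is present.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)

# Constructed sample certificate (not a real one) in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

A library that only validates the chain would accept a certificate for any name; the matcher is the check that turns "a valid certificate" into "a valid certificate for the host I meant to talk to".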

Thursday, March 21, 2013

Install TinyOS 2.1.1 in Ubuntu 12.04

TinyOS is an open source operating system for low-power wireless devices used in sensor networks, personal area networks, smart meters, etc. You can find more information about TinyOS here.

These configurations were done for TinyOS 2.1.1 targeting the MicaZ mote.

Open /etc/apt/sources.list and add the following line at the end of the file.

deb http://tinyos.stanford.edu/tinyos/dists/ubuntu karmic main

Update the package lists and install TinyOS

sudo apt-get update
sudo apt-get install tinyos-2.1.1

Change the ownership of the TinyOS root directory to your user (the original command had the user:group argument stripped; $USER stands in for your own login name)

sudo chown -R "$USER": /opt/tinyos-2.1.1/

Edit .bashrc in your home directory and add the following lines at the end. TOSROOT must be set before the other variables reference it, so it is exported first.

# Root of the TinyOS install (the package installs to /opt/tinyos-2.1.1)
export TOSROOT=/opt/tinyos-2.1.1
export TOSDIR=$TOSROOT/tos
# Note the ":.:" separator: the current directory and the old CLASSPATH are separate entries
export CLASSPATH=$TOSROOT/support/sdk/java/tinyos.jar:.:$CLASSPATH
export MAKERULES=$TOSROOT/support/make/Makerules
export PATH=/opt/msp430/bin:$PATH
source /opt/tinyos-2.1.1/tinyos.sh

Install the Java tools using

sudo tos-install-jni

Install the Java docs

cd /opt/tinyos-2.1.1/support/sdk/java
make
make install
make javadoc

Common Errors

1. Unexpected operator during the tos-install-jni command

Error

sudo tos-install-jni 
[: 31: =: unexpected operator 

Installing 32-bit Java JNI code in /usr/lib/jvm/java-1.5.0-sun/jre/lib/i386 …

done.

Solution

Edit /usr/bin/tos-install-jni and change the first line from #!/bin/sh to #!/bin/bash. On Ubuntu /bin/sh is dash, which rejects the bash-only test syntax the script uses; running it under bash avoids the error.