Security thesis advice

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

Thanks

Jorge

···

--
"To follow the path:
    look to the master,
    follow the master,
    walk with the master,
    see through the master,
    become the master"

I'd recommend maybe asking some members of the metasploit project ( http://metasploit.com/development/ ), a penetration testing framework written in Ruby (originally done in Perl). That's an excellent mix of Ruby and security in my opinion.

- Chris ( @cwgem )

OWASP Projects:
Ruby-ESAPI.
AppSensor.
http://code.google.com/p/appsensor/source/browse/#svn%2Ftrunk%2FAppSensor

MarkT

···

On Sun, Oct 23, 2011 at 8:55 AM, Jorge Bo <jorgebo10@gmail.com> wrote:

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something

Head on over to http://www.securityfocus.com/archive/105/description
and get in touch with security experts. :)

···

On Sat, Oct 22, 2011 at 11:55 PM, Jorge Bo <jorgebo10@gmail.com> wrote:

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

--
Phillip Gawlowski

gplus.to/phgaw | twitter.com/phgaw

A method of solution is perfect if we can foresee from the start,
and even prove, that following that method we shall attain our aim.
-- Leibniz

Hello,

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

This is less of an issue with full machine virtualization becoming
commonplace but still poses a barrier to entry in implementing Ruby as
an alternative to PHP.

A good security topic might be evaluating the security of shared PHP
hosting and either refuting that there is any security at all or implementing
a comparably secure Ruby plugin suitable for shared hosting in
Apache/nginx/other web server.

Thanks

Michal

···

On 22 October 2011 23:55, Jorge Bo <jorgebo10@gmail.com> wrote:

Hey there Jorge,

May I ask for some clarification?

What kind of "Ruby-security related" topic are you heading for?

- enhance Ruby's security itself (at the interpreter level)
- enhance the security of a given system by using Ruby (like Metasploit,
selinux-ruby-bindings or even FreeBSD)
- enhance the security of any Ruby application (maybe even with Ruby?
meta programmed recursion rules *where's my mind?*)

Greets, Chris

···

On 10/22/2011 11:55 PM, Jorge Bo wrote:

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

Thanks

Jorge

I have actually recently become quite interested in these sorts of topics,
since it does seem that these topics are of some interest at the moment to
the community. I notice that most pieces in this area are rather on the end
of being more application oriented. Has there been much in terms of
theoretical developments outside of cryptography?

···

On Mon, Oct 24, 2011 at 9:23 AM, Michal Suchanek <hramrach@centrum.cz> wrote:

Hello,

On 22 October 2011 23:55, Jorge Bo <jorgebo10@gmail.com> wrote:
> Hi,
>
> I'm a student at the University and currently searching for a
> topic for my diploma thesis. I would really like to do something
> Ruby-security related. However, I don't have much knowledge about Ruby
> security. I think perhaps those much involved in Ruby could give me advice.

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

This is less of an issue with full machine virtualization becoming
commonplace but still poses a barrier to entry in implementing Ruby as
an alternative to PHP.

A good security topic might be evaluating the security of shared PHP
hosting and either refuting that there is any security at all or implementing
a comparably secure Ruby plugin suitable for shared hosting in
Apache/nginx/other web server.

Thanks

Michal

Just for curiosity: what exactly do you mean by "user isolation" and
what features are missing in Ruby?

Kind regards

robert

···

On Mon, Oct 24, 2011 at 12:23 AM, Michal Suchanek <hramrach@centrum.cz> wrote:

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

--
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/

Hi Chris, thanks for your answer.

Honestly, I'm just evaluating different approaches. I'm finding the Ruby
metaprogramming model very interesting. I posted a crazy idea in a
previous message yesterday that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.
You mention one topic about enhancing the security of any Ruby application.
I guess it would be a good idea to start reading some documents about Ruby's
security model.

Thanks,
Jorge

···

2011/10/24 Christian Pedaschus <chris@s-4-u.net>

On 10/22/2011 11:55 PM, Jorge Bo wrote:
> Hi,
>
> I'm a student at the University and currently searching for a
> topic for my diploma thesis. I would really like to do something
> Ruby-security related. However, I don't have much knowledge about Ruby
> security. I think perhaps those much involved in Ruby could give me advice.
>
> Thanks
>
> Jorge
>

Hey there Jorge,

May I ask for some clarification?

What kind of "Ruby-security related" topic are you heading for?

- enhance Ruby's security itself (at the interpreter level)
- enhance the security of a given system by using Ruby (like Metasploit,
selinux-ruby-bindings or even FreeBSD)
- enhance the security of any Ruby application (maybe even with Ruby?
meta programmed recursion rules *where's my mind?*)

Greets, Chris


'thin' and 'unicorn' (just to name some examples) both have built-in
support for chrooting under another uid/gid, and even if they didn't,
nothing is stopping their root from chrooting them manually, so it has
nothing to do with PHP at all.

Greets, Chris

···

On 10/24/2011 12:23 AM, Michal Suchanek wrote:

Hello,

On 22 October 2011 23:55, Jorge Bo <jorgebo10@gmail.com> wrote:

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

This is less of an issue with full machine virtualization becoming
commonplace but still poses a barrier to entry in implementing Ruby as
an alternative to PHP.

A good security topic might be evaluating the security of shared PHP
hosting and either refuting that there is any security at all or implementing
a comparably secure Ruby plugin suitable for shared hosting in
Apache/nginx/other web server.

Thanks

Michal

Actually, I had an idea about building security on-demand... sounds a little
weird, but I was thinking about building security in an application in a
spiral way. Let's say starting with minimum security and based on the attack
patterns allow the application to modify its own code to apply security
countermeasures, relying on Ruby metaprogramming...
I guess it could be of more theoretical value than practical one, however
it's something which has been revolving in my mind for a long time...

···

2011/10/23 Carter Cheng <cartercheng@gmail.com>

I have actually recently become quite interested in these sorts of topics,
since it does seem that these topics are of some interest at the moment to
the community. I notice that most pieces in this area are rather on the end
of being more application oriented. Has there been much in terms of
theoretical developments outside of cryptography?


It is common to see shared hosting where one Apache instance runs
multiple separate PHP-enabled sites.

It relies on security built into PHP (disabling certain features) to
isolate these sites from each other. They live in one filesystem on
one server but supposedly cannot access any data of each other, there
is a CPU and real time limit on execution of every page to prevent DoS,
etc. Technically each site is associated with a UID - think of a web
site stored in your home directory on a shared server.

I don't know of any Ruby-enabled web server that can run multiple
sites like that.

Thanks

Michal

···

On 24 October 2011 10:47, Robert Klemme <shortcutter@googlemail.com> wrote:

On Mon, Oct 24, 2011 at 12:23 AM, Michal Suchanek <hramrach@centrum.cz> wrote:

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

Just for curiosity: what exactly do you mean by "user isolation" and
what features are missing in Ruby?

I've read your proposal, and it immediately reminded me of OpenBSD's
securelevel(7). Wouldn't OpenBSD count as an example, where a
potentially unsafe system is booted, and secured after it has booted? Doesn't
it all depend on the kernel/interpreter?

Compare:
  http://www.openbsd.org/cgi-bin/man.cgi?query=securelevel&sektion=7
With:
  http://www.rubycentral.com/pickaxe/taint.html

For me, it sounds quite comparable, 'same old procedure', and the same
result: "start an untrusted system and secure it afterwards..."

Or am I missing something? (right now, that's quite possible *lol*)

Greets, Chris

···

On 10/25/2011 12:30 AM, Jorge Bo wrote:

Hi Chris, thanks for your answer

Honestly, I'm just evaluating different approaches. I'm finding the Ruby
metaprogramming model very interesting. I posted a crazy idea in a
previous message yesterday that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.

I don't think this has anything to do with chrooting.

mod_php is supposed to work in an environment where you have 1000s of
users and each has PHP pages in their home directory.

I don't think spawning 1000s of chrooted instances just in case somebody
requested a page of that particular user is viable.

Sure, you can start a chrooted interpreter only when you need one
started as that user.

However, as I understand mod_php, it disallows executing external
programs and filters arguments to functions that can open files
instead of chrooting.

Then when one script ends the interpreter can be reset and can run
another script, possibly of a completely different web site.

This probably makes it possible to run the web server as a single
non-root user, too. That's quite different from saying "yeah, you can
chroot anything".

There are guides on installing mod_php so that such an environment works
reasonably. It can be used for both bolt-on "user home pages" on a
shared server and web-hosting only.

Thanks

Michal
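
The argument-filtering approach described in the message above (checking the paths passed to file-opening functions instead of chrooting; PHP's `open_basedir` setting works along these lines), shown in Ruby as an added example that is not part of the original thread. `BasedirGuard` and its methods are hypothetical names, and the two-site directory layout is constructed sample data.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper (names are not from the thread): confine file access
# for one hosted site to that site's base directory by checking every path
# argument before it reaches File.read / File.open.
module BasedirGuard
  class Violation < StandardError; end

  # Return the canonical path of +requested+ if it lies inside +base+,
  # otherwise raise Violation.
  def self.resolve(base, requested)
    real_base = File.realpath(base)
    # Interpret relative paths against the site directory, then resolve
    # ".." components and symlinks to the path the kernel would open.
    real = File.realpath(File.expand_path(requested, real_base))
    # Compare whole path components: a plain prefix match would let
    # "/srv/alice" also cover "/srv/alice2".
    prefix = real_base.end_with?(File::SEPARATOR) ? real_base : real_base + File::SEPARATOR
    return real if real == real_base || real.start_with?(prefix)
    raise Violation, "#{requested} resolves outside #{real_base}"
  rescue SystemCallError => e
    # Missing file, dangling symlink, symlink loop: fail closed.
    raise Violation, "#{requested}: #{e.class}"
  end

  def self.allowed?(base, requested)
    resolve(base, requested)
    true
  rescue Violation
    false
  end

  # Guarded read. The check and the open are separate steps, so a path that
  # is swapped in between is not caught; OS-level separation still matters.
  def self.read(base, requested)
    File.read(resolve(base, requested))
  end

  # Constructed sample layout: two sites whose directory names share a prefix.
  def self.demo
    Dir.mktmpdir("basedir-demo") do |root|
      alice  = File.join(root, "alice")
      alice2 = File.join(root, "alice2")
      FileUtils.mkdir_p([File.join(alice, "pages"), alice2])
      File.write(File.join(alice, "pages", "index.html"), "hi")
      File.write(File.join(alice2, "secret.txt"), "s3cret")
      File.symlink(File.join(alice2, "secret.txt"), File.join(alice, "link"))
      {
        inside:   "pages/index.html",
        dotdot:   "pages/../../alice2/secret.txt",
        absolute: File.join(alice2, "secret.txt"),
        symlink:  "link",
        missing:  "pages/nope.html"
      }.transform_values { |path| allowed?(alice, path) }
    end
  end
end

p BasedirGuard.demo if $PROGRAM_NAME == __FILE__
```

Only the path inside the site's own directory passes; the `..` traversal, the absolute path, the symlink into the neighbouring site and the missing file are all refused.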

···

On 25 October 2011 00:43, Christian Pedaschus <chris@s-4-u.net> wrote:

On 10/24/2011 12:23 AM, Michal Suchanek wrote:

Hello,

On 22 October 2011 23:55, Jorge Bo <jorgebo10@gmail.com> wrote:

Hi,

I'm a student at the University and currently searching for a
topic for my diploma thesis. I would really like to do something
Ruby-security related. However, I don't have much knowledge about Ruby
security. I think perhaps those much involved in Ruby could give me advice.

One thing where Ruby is lacking compared to PHP is user isolation on
shared web hosting.

This is less of an issue with full machine virtualization becoming
commonplace but still poses a barrier to entry in implementing Ruby as
an alternative to PHP.

A good security topic might be evaluating the security of shared PHP
hosting and either refuting that there is any security at all or implementing
a comparably secure Ruby plugin suitable for shared hosting in
Apache/nginx/other web server.

Thanks

Michal

'thin' and 'unicorn' (just to name some examples) both have built-in
support for chrooting under another uid/gid, and even if they didn't,
nothing is stopping their root from chrooting them manually, so it has
nothing to do with PHP at all.

What kind of thesis is this for? I suspect that any thesis type project
would have to mix both elements to make an effective thesis.

···

On Mon, Oct 24, 2011 at 11:45 AM, Jorge Bo <jorgebo10@gmail.com> wrote:

Actually, I had an idea about building security on-demand... sounds a little
weird, but I was thinking about building security in an application in a
spiral way. Let's say starting with minimum security and based on the attack
patterns allow the application to modify its own code to apply security
countermeasures, relying on Ruby metaprogramming...
I guess it could be of more theoretical value than practical one, however
it's something which has been revolving in my mind for a long time...


This is fundamentally impossible.

Once your application starts insecure it cannot be secured.

Thanks

Michal

···

On 24 October 2011 02:45, Jorge Bo <jorgebo10@gmail.com> wrote:

Actually, I had an idea about building security on-demand... sounds a little
weird, but I was thinking about building security in an application in a
spiral way. Let's say starting with minimum security and based on the attack
patterns allow the application to modify its own code to apply security
countermeasures, relying on Ruby metaprogramming...
I guess it could be of more theoretical value than practical one, however
it's something which has been revolving in my mind for a long time...

Actually, this relies on *Apache's* features: Apache spawns off a PHP
thread for each site with mod_php (it's more complicated than that,
but that's essentially it, IIRC).

I'm pretty sure mod_passenger does that, too, for Sinatra, Rails,
and, I think, Rack middleware.

And, well, if you have to *disable* features to make something secure,
it really isn't designed with security in mind. ;-)

···

On Mon, Oct 24, 2011 at 11:08 AM, Michal Suchanek <hramrach@centrum.cz> wrote:

It relies on security built into PHP (disabling certain features) to
isolate these sites from each other. They live in one filesystem on
one server but supposedly cannot access any data of each other, there
is a CPU and real time limit on execution of every page to prevent DoS,
etc. Technically each site is associated with a UID - think of a web
site stored in your home directory on a shared server.

I don't know of any Ruby-enabled web server that can run multiple
sites like that.


Yes, there are some things that you are missing.

While the OpenBSD secure levels aren't a very good security mechanism
you missed a few important points.

1) You boot a trusted system, not an untrusted one. Booting an untrusted
system is quite pointless.

2) You enter a higher secure level before allowing access from the
outside. The securing is pre-emptive, not reactive as in the proposal.

Thanks

Michal

···

On 25 October 2011 00:53, Christian Pedaschus <chris@s-4-u.net> wrote:

On 10/25/2011 12:30 AM, Jorge Bo wrote:

Hi Chris, thanks for your answer

Honestly, I'm just evaluating different approaches. I'm finding the Ruby
metaprogramming model very interesting. I posted a crazy idea in a
previous message yesterday that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.

I've read your proposal, and it immediately reminded me of OpenBSD's
securelevel(7). Wouldn't OpenBSD count as an example, where a
potentially unsafe system is booted, and secured after it has booted? Doesn't
it all depend on the kernel/interpreter?

Compare:
securelevel(7) - OpenBSD manual pages
With:
http://www.rubycentral.com/pickaxe/taint.html

For me, it sounds quite comparable, 'same old procedure', and the same
result: "start an untrusted system and secure it afterwards..."

Or am I missing something? (right now, that's quite possible *lol*)

Sounds reasonable, gonna check it out.
Thanks,

Chris

···

On 10/25/2011 01:08 AM, Michal Suchanek wrote:

On 25 October 2011 00:53, Christian Pedaschus <chris@s-4-u.net> wrote:

On 10/25/2011 12:30 AM, Jorge Bo wrote:

Hi Chris, thanks for your answer

Honestly, I'm just evaluating different approaches. I'm finding the Ruby
metaprogramming model very interesting. I posted a crazy idea in a
previous message yesterday that was crossing my mind, but it seems to be
impossible to achieve. But it could serve as a starting point.

I've read your proposal, and it immediately reminded me of OpenBSD's
securelevel(7). Wouldn't OpenBSD count as an example, where a
potentially unsafe system is booted, and secured after it has booted? Doesn't
it all depend on the kernel/interpreter?

Compare:
securelevel(7) - OpenBSD manual pages
With:
http://www.rubycentral.com/pickaxe/taint.html

For me, it sounds quite comparable, 'same old procedure', and the same
result: "start an untrusted system and secure it afterwards..."

Or am I missing something? (right now, that's quite possible *lol*)

Yes, there are some things that you are missing.

While the OpenBSD secure levels aren't a very good security mechanism
you missed a few important points.

1) You boot a trusted system, not an untrusted one. Booting an untrusted
system is quite pointless.

2) You enter a higher secure level before allowing access from the
outside. The securing is pre-emptive, not reactive as in the proposal.

Thanks

Michal