Friday, 2016-06-17

« Thursday, 2016-06-16 Index Saturday, 2016-06-18 »
*** zul has joined #openstack-security00:28
*** bpokorny has quit IRC00:41
*** sdake has joined #openstack-security00:58
*** tkelsey has joined #openstack-security01:01
*** austin987 has quit IRC01:03
*** tkelsey has quit IRC01:05
*** vinaypotluri has quit IRC01:11
*** sdake has quit IRC01:14
*** austin987 has joined #openstack-security01:15
*** sdake has joined #openstack-security01:16
*** sdake_ has joined #openstack-security01:22
*** sdake has quit IRC01:24
*** unrahul has quit IRC02:02
*** sdake has joined #openstack-security02:16
*** sdake_ has quit IRC02:19
*** jamielennox is now known as jamielennox|away03:03
*** austin987 has quit IRC03:06
*** austin987 has joined #openstack-security03:07
*** vinaypotluri has joined #openstack-security03:17
*** jamielennox|away is now known as jamielennox03:19
*** markvoelker has quit IRC03:47
*** tkelsey has joined #openstack-security04:03
*** tkelsey has quit IRC04:07
*** yuanying has quit IRC04:41
*** markvoelker has joined #openstack-security04:47
*** sdake_ has joined #openstack-security04:50
*** markvoelker has quit IRC04:52
*** sdake has quit IRC04:53
*** salv-orl_ has joined #openstack-security05:09
*** salv-orlando has quit IRC05:12
*** browne has joined #openstack-security05:25
*** sdake has joined #openstack-security05:27
*** sdake_ has quit IRC05:31
*** sdake_ has joined #openstack-security05:38
*** sdake has quit IRC05:41
*** sdake_ has quit IRC05:50
*** yuanying has joined #openstack-security06:02
*** browne has quit IRC06:07
*** rcernin has joined #openstack-security06:23
*** pcaruana has joined #openstack-security06:29
*** yuanying has quit IRC07:02
*** tkelsey has joined #openstack-security07:05
*** salv-orl_ has quit IRC07:09
*** salv-orlando has joined #openstack-security07:09
*** tkelsey has quit IRC07:09
*** tesseract has joined #openstack-security07:10
*** ccneill_ has joined #openstack-security07:18
*** ccneill has quit IRC07:20
*** dmk0202 has joined #openstack-security07:32
*** dmk0202 has quit IRC07:33
*** salv-orlando has quit IRC07:35
*** rcernin has quit IRC07:45
*** tkelsey has joined #openstack-security07:53
*** yuanying has joined #openstack-security08:05
*** jear has joined #openstack-security08:06
jearabout devstack and tls-proxy, is it really working ?08:07
jearwhen enabling service tls-proxy, stack.sh fails when setting up keystone, with :08:08
jear"Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL."08:08
jear"Could not determine a suitable URL for the plugin"08:08
*** rcernin has joined #openstack-security08:10
*** redrobot has quit IRC08:21
*** v12aml has quit IRC08:22
*** Daviey_ has quit IRC08:23
*** Daviey has joined #openstack-security08:23
jearhow can i say to devstack to use 1 particular proxy to reach internet, and tls-proxy to make the API calls?08:23
*** v12aml has joined #openstack-security08:23
*** redrobot has joined #openstack-security08:24
*** redrobot is now known as Guest3155308:24
*** dmk0202 has joined #openstack-security08:27
*** tristanC_ has joined #openstack-security08:37
*** liverpoo1er has joined #openstack-security08:38
*** woodburn has quit IRC08:39
*** tristanC has quit IRC08:42
*** woodburn has joined #openstack-security08:42
*** mdavidson has quit IRC08:43
*** liverpooler has quit IRC08:43
*** mdavidson has joined #openstack-security08:44
*** tristanC_ is now known as tristanC08:44
*** z has quit IRC08:46
*** vinaypotluri has quit IRC08:46
*** tpeoples has quit IRC08:47
*** z has joined #openstack-security08:48
*** tpeoples has joined #openstack-security08:49
*** vinaypotluri has joined #openstack-security08:49
*** vinaypotluri has quit IRC08:51
*** jear has quit IRC09:17
*** openstackgerrit has quit IRC09:18
*** openstackgerrit has joined #openstack-security09:18
*** openstackgerrit has quit IRC10:03
*** openstackgerrit has joined #openstack-security10:03
*** rcernin has quit IRC10:05
*** Daviey has quit IRC10:29
*** Daviey has joined #openstack-security10:29
*** xsallowed has joined #openstack-security10:50
xsallowedhello friends10:51
*** xsallowed has quit IRC10:51
*** xsallowed has joined #openstack-security11:11
*** xsallowed has quit IRC11:22
*** rcernin has joined #openstack-security11:47
*** zigo has joined #openstack-security12:01
*** dave-mccowan has joined #openstack-security12:04
*** markvoelker has joined #openstack-security12:04
*** dmk0202 has quit IRC12:05
*** edmondsw has joined #openstack-security12:34
*** ametts has joined #openstack-security13:50
*** edtubill has joined #openstack-security13:52
*** sigmavirus24_ is now known as sigmavirus2414:06
*** sdake has joined #openstack-security14:12
*** mvaldes has joined #openstack-security14:13
*** zul has quit IRC14:16
*** zul has joined #openstack-security14:16
*** SGGF has joined #openstack-security14:19
*** SGGF has quit IRC14:20
*** zul_ has joined #openstack-security14:21
*** zul has quit IRC14:23
*** pcaruana has quit IRC14:54
*** tesseract has quit IRC15:05
*** rcernin has quit IRC15:07
*** mvaldes has quit IRC15:11
*** browne has joined #openstack-security15:15
*** sdake has quit IRC15:20
*** unrahul has joined #openstack-security15:20
*** Trueghxst has joined #openstack-security15:26
Trueghxstjjjj15:27
*** Trueghxst has left #openstack-security15:27
*** mvaldes has joined #openstack-security15:32
*** vinaypotluri has joined #openstack-security15:39
*** bpokorny has joined #openstack-security15:49
*** Guest31553 is now known as redrobot15:50
*** sdake has joined #openstack-security15:51
*** bpokorny has quit IRC16:01
*** bpokorny has joined #openstack-security16:02
*** ccneill_ is now known as ccneill16:03
*** sdake has quit IRC16:07
*** dmk0202 has joined #openstack-security16:09
*** mdavidson has quit IRC16:11
*** tkelsey has quit IRC16:14
*** tkelsey has joined #openstack-security16:35
*** tkelsey has quit IRC16:40
*** ccneill_ has joined #openstack-security16:53
*** ccneill has quit IRC16:56
*** ccneill_ is now known as ccneill16:58
*** mdong has joined #openstack-security16:58
*** bpokorny has quit IRC17:06
*** bpokorny has joined #openstack-security17:16
*** browne has quit IRC17:19
*** mvaldes has quit IRC17:24
*** sdake has joined #openstack-security17:40
*** bpokorny has quit IRC17:44
*** mvaldes has joined #openstack-security17:53
openstackgerritCharles Neill proposed openstack/syntribos: Creates SynSignal and SignalHolder classes  https://review.openstack.org/33128618:06
ccneillmdong, unrahul, vinaypotluri: just pushed up a CR with the basics (SynSignal and SignalHolder), with an empty checks folder18:07
*** browne has joined #openstack-security18:08
ccneillmdong: I'm about to take a look at your CR18:08
*** al_loew has joined #openstack-security18:12
openstackgerritMichael Dong proposed openstack/syntribos: Moved SSL test out of BaseFuzzTestCase  https://review.openstack.org/33128818:17
mdongsounds goo ccneill, let me know what you think of the output schema18:18
*** tsufiev has joined #openstack-security18:19
tsufievhello, folks!18:19
tsufievI have a commit for Horizon which enhances its Create Image wizard with CORS support and allows to upload local image files directly to Glance18:20
tsufievit works smoothly, but I have some security-related concerns that I'd like to discuss with you (whoever it may be)18:21
tsufievhere is the link: https://review.openstack.org/#/c/317365/11/openstack_dashboard/api/glance.py18:21
tsufievsummary: to allow JS to upload file using CORS it needs to pass Keystone token to glance, so Horizon server-side returns the token in a response to JS (client-side) code18:22
tsufievthat was seemed as a potential weak point of the feature security-wise, at least in the Horizon community18:23
tsufievwhat do you think?18:23
tsufievif you'd like to opine, please leave your feedback in the above patch :)18:31
ccneillmdong: commented on your CR18:46
ccneillmdong: I think I had something else in mind from our design session, and that may not have been others' impression, but I want to make sure we all agree before moving forward18:46
ccneillcomparing the two reports, it's pretty clear that one is a lot shorter than the other, and I'm not sure we get much benefit from the way report18:47
ccneillreport_by_issue arranges things currently18:47
ccneillbut I like several aspects of it18:47
ccneillhttps://gist.github.com/anonymous/2a0e12ac23bc8b7d3936608ac600168d18:47
ccneillcomparison of the two reporting styles ^18:47
ccneilllol oops, didn't realize I wasn't logged in18:48
mvaldesccneill:  i thought you documented the format we were looking for18:49
mvaldesis it the same as that gist?18:49
ccneillsec18:50
ccneillergh18:51
ccneillhttps://gist.github.com/cneill/147c05bdb4fd239ca552f1a4745a1e8418:51
ccneillso I think this might fall squarely in the "my bad" category18:52
ccneillthat gist is awful lol18:52
ccneillI kind of had a half-thought and wrote it down18:52
ccneillbut didn't write down the OTHER way of doing it that I was imagining18:52
ccneillI was thinking of the difference as "by endpoint" versus "by issue"18:52
ccneillnot "by issue" vs "by test"18:52
ccneillthat isn't immediately clear from that gist, so that's my fault >_<18:53
ccneillI described what I was imaginging on mdong's CR https://review.openstack.org/#/c/330244/318:53
mdonghmm, yeah I was going off what was documented18:54
ccneillbut! I do like several things in the other method, e.g. listing severities vs. "errors / successes / failures" since in most cases we really don't care about "successes"18:54
mdongbut is this option still valuable?18:54
ccneillwell, what are your thoughts on the two formats?18:55
ccneillI think that once we move towards 1 test = 1 issue, this distinction mostly becomes irrelevant, other than the differences between the two formats in terms of severity vs. success/fail, and getting rid of the "test_type" vs "defect_type" nesting18:56
ccneillright?18:57
mdongI think this option stops us from repeating BUFFER_OVERFLOW_HEADER and BUFFER_OVERFLOW_BODY18:57
mdongetc18:57
ccneillright18:57
ccneillI think we should do that in both cases18:57
ccneillI don't think we care about that information, since nothing materially changes between the two18:57
ccneillit's purely a "where did this payload go" question, not a "what test ran because _HEADER vs. _BODY is a different test"18:57
mdongit’s also a bit verbose since I made the param its own json object18:58
mdonginstead of the string like it was18:58
ccneillagain, I may've just had all this in my head and not said it out loud, or not written it down adequately, so my apologies for the confusion of what I was thinking18:58
ccneillright18:58
mdongbut I think no matter what its gonna be more verbose than the old option18:59
mdongsince we’re associating information per payload18:59
ccneillright18:59
ccneillI think what I had in mind was, if all the info in the "param" object is the same19:00
ccneilland instead of having "string": "blah", having "strings": ["blah", "bblah"]19:00
ccneillsince otherwise it's just wasteful repetition19:00
ccneilland if the object DIFFERS, then we can differentiate19:01
ccneill..that was a meaningful statement lol19:01
mdongah I see19:01
ccneillalso19:02
ccneilldo we need "variables" to be a list vs. a string?19:02
ccneillwe don't ever edit more than 1 variable at a time, at least for fuzz tests19:03
ccneillmaybe we would need that in the future though..19:03
ccneillI'm re-writing something more in the format I had in mind19:03
mdongno, it’s more that if a payload fails in both the username and the password19:03
mdongthen the username and password both get added to the variables list19:03
ccneillhttps://gist.github.com/cneill/29a59040a6282751ce2dc54a6a65594c19:06
ccneillah19:06
ccneillthat makes sense19:06
ccneillmdong: ^ that's kind of more what I had in mind19:06
ccneillso the differentiator is having 2 signals vs. 1, thus changing the confidence between the two19:07
ccneilldoes that look reasonable?19:07
ccneillI actually like the param stuff being a dict instead of a messy string19:07
ccneillbecause it was always kind of hard to tell what the heck that string meant19:07
mdongyeah, I like that better19:08
*** al_loew has quit IRC19:09
mdongso is the first level still the endpoint?19:09
ccneillhmm19:10
ccneillI think the differences should be pretty minor between the "by endpoint" vs "by test" styles19:10
ccneillbut I don't know what that difference looks like yet..19:11
ccneillmy thought is maybe we just make the changes to report_by_test, remove report_by_issue, and then maybe we loop back on "by endpoint" vs. "by test" later?19:11
mdongso get rid of report_by_issue altogether?19:12
ccneillbecause I think this specifically solves for something relevant to signals, whereas differentiating by endpoint vs. test is more of a convenience thing19:12
ccneillwell, I think there are some pieces of it that we want to keep19:13
ccneillbut as a distinction between "by_test" and "by_issue", yeah, I don't think we need both :\19:13
mdongthen I think I’d rather have by_issue rather than by_test19:13
*** shakamunyi has joined #openstack-security19:13
mdongI like the schema that you had in your gist19:13
ccneillyeah19:13
ccneillyeah, so whichever is closer to that, just take that and run with it19:14
ccneillI think it does make more sense being by issue19:14
ccneillbecause I don't think the end-user cares about the test, they care about the issue19:14
ccneillspecifically, they don't care about SQL_INJECTION_BODY vs. SQL_INJECTION_HEADER19:15
mdongright19:15
ccneillcool19:15
ccneillI'll try not to put up confusing gists during meetings for us to puzzle over in the future lol >_<19:16
mdongso I’m gonna make the changes to report_by_issue to make it match the gist19:16
ccneillsounds good19:16
mdonghaha no worries19:16
ccneillthen I think you can remove the cli flag and report_by_test19:16
mdongyeah19:17
*** al_loew has joined #openstack-security19:18
*** mvaldes has quit IRC19:27
unrahulccneill: mdong vinaypotluri Guys, this is the kind of approach I was taking in writing checks, https://gist.github.com/rahulunair/3a5a449027be9ba0f2723c6f11426a2d , here, if  the check fails it does not return none, but a slug . What do you guys think>?19:27
ccneillhmmmm19:28
ccneillI'm still trying to figure that one out in my head19:28
ccneillI agree that returning None isn't great..19:29
ccneillbut at the same time it's a nice and tidy way to say "I did not find what I was looking for"19:30
ccneillwhereas if we return a signal and have to introspect on it.. it just makes the logic of checking for a signal harder19:30
ccneilltoday, if you take the SignalHolder.register(check()) approach, it will just throw away any Nones19:30
ccneillbut if we make it return a signal with some kind of "UNKNOWN" slug, we have to have a way to figure that out19:30
ccneillone way we COULD do it19:31
ccneillis by setting the signal's strength to 019:31
ccneillbut I'm not sure if there's any use in saying "I ran this check and nothing interesting came back19:31
ccneilllike, I don't think we would put that signal in the JSON output at the end19:32
ccneilland since checks are atomic, you wouldn't run one check, then run another, and retroactively go change the results of the first check based on that19:32
ccneillwell.. maybe "atomic" isn't the word, but once a check is run, that's it19:33
ccneillother checks can take the information generated by that check and do something with it, but the original signal doesn't change19:33
ccneillso once we know "signal strength = 0", we know "we don't care about this"19:33
unrahulmm... that make sense ccneill ,  either there should be a standard that should be followed, so that we dont return diff things for the same 'not found' check.. aah.. i am not sure.19:33
unrahulsignal_strength = 0 is one way to do it..19:34
ccneill>_< so much ambiguity to resolve19:34
unrahulshould we just go with that..??19:34
unrahulor as in pascal and stuff signal_strength = 99 :D19:34
unrahulI will put it up for review on gerrit.. so that we can collect all the views..19:35
openstackgerritMichael Dong proposed openstack/syntribos: Added command line option for reporting by issue rather than by test  https://review.openstack.org/33024419:37
ccneillsounds good19:38
ccneillI think signal strength is maybe not the best approach, because we end up carrying a fair amount of "state" around that we never actually do anything with19:38
ccneillright?19:38
ccneilllike, subsequent checks would have to say19:38
openstackgerritMichael Dong proposed openstack/syntribos: Formatter now reports by issue rather than by test  https://review.openstack.org/33024419:38
ccneilllook for this signal AND make sure its strength isn't 019:38
ccneillversus just look for this signal, which we already know has a signal strength != 019:38
mdongso turns out the reporter change was a really simple change19:38
ccneillnice19:39
ccneillglad to hear it mdong19:39
ccneillmdong: re: using strings for confidence, I think we should take the bandit approach and define some global constants in syntribos' __init__.py potentially19:44
ccneillor somewhere19:45
ccneilland convert those into strings in the reporter19:45
ccneillmakes things much simpler19:45
ccneiller sorry, strings for severity*19:45
ccneillfor confidence, I think we'll want to calculate some number that maps to a confidence interval19:46
ccneillbut we haven't gotten that far yet, so we can leave that alone for now19:46
ccneillbut the confidence should be easily modifiable based on additional signals19:46
ccneillwithout some kind of logic like "if low, now medium; if medium, now high", etc.19:46
ccneillso like += 519:47
ccneillwith anything >= 10 = high, anything [5, 10) = medium, anything (0, 5) = low, and 0 = throw it away19:48
ccneillor something like that19:48
ccneillmaybe 100 instead of 1019:48
ccneill¯\_(ツ)_/¯19:48
ccneillI don't think severity will really be modified like that though, so just doing a like severity=syntribos.HIGH should suffice19:49
ccneillbut that will require re-writing things, so we might want to save that for a different patch in the future19:49
ccneillfor now, I would say just solve for the strings "High", "Medium", etc., and we'll loop back and do the constants later19:50
ccneillbut I really just don't want us to have the dependency on CaseInsensitiveDicts19:50
*** markvoelker has quit IRC19:55
openstackgerritMichael Dong proposed openstack/syntribos: Formatter now reports by issue rather than by test  https://review.openstack.org/33024420:08
*** markvoelker has joined #openstack-security20:10
*** edtubill has quit IRC20:12
openstackgerritRahul U Nair proposed openstack/syntribos: signals check-file to fingerprint the SUT  https://review.openstack.org/33134020:23
*** ediardo has joined #openstack-security20:37
*** mdong has quit IRC20:48
*** ametts has quit IRC21:13
*** edtubill has joined #openstack-security21:19
*** markvoelker has quit IRC21:21
*** edtubill has quit IRC21:22
*** dave-mccowan has quit IRC21:26
*** dmk0202 has quit IRC21:33
*** dmk0202 has joined #openstack-security21:34
*** dmk0202 has quit IRC21:50
*** edtubill has joined #openstack-security21:56
*** edtubill has quit IRC21:58
*** sdake has quit IRC22:38
*** sdake has joined #openstack-security22:41
*** edtubill has joined #openstack-security22:44
*** edtubill has quit IRC22:51
*** edtubill has joined #openstack-security22:52
*** edmondsw has quit IRC22:59
*** unrahul has quit IRC23:02
*** edtubill has quit IRC23:08
*** markvoelker has joined #openstack-security23:16
*** dave-mccowan has joined #openstack-security23:22
*** dave-mccowan has quit IRC23:26
*** al_loew has quit IRC23:51
« Thursday, 2016-06-16 Index Saturday, 2016-06-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!