Security

Detecting String Truncation with GCC 8

msebor
By Martin Sebor

Continuing in the effort to detect common programming errors, the just-released GCC 8 contains a number of new warnings as well as enhancements to existing checkers to help find non-obvious bugs in C and C++ code. This article focuses on those that deal with inadvertent string truncation and discusses some of the approaches for avoiding the underlying problems. If you haven’t read it, you might also want to read David Malcolm’s article Usability improvements in GCC 8.

Why Is String Truncation a Problem?

It is well-known why buffer overflow is dangerous: writing past the end of an object can overwrite data in adjacent storage, resulting in data corruption. In the most benign cases, the corruption can simply lead to incorrect behavior of the program. If the adjacent data is an address in the executable text segment, the corruption may be exploitable to gain control of the affected process, which can lead to a security vulnerability. (See CWE-119 for more on buffer overflow.)

Continue reading “Detecting String Truncation with GCC 8”

Share

Elytron: A New Security Framework in WildFly/JBoss EAP

sidde3
By Siddhartha De

Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in Wildfly.

The Elytron project covers the following: 

  • SSL/TLS
  • Secure credential storage
  • Authentication
  • Authorization

In this article, we are going to explore using SSL/TLS in WildFly with Elytron.

Continue reading “Elytron: A New Security Framework in WildFly/JBoss EAP”

Share

Integrating Intercede RapID with Red Hat Mobile and OpenShift

evanshortiss
By Evan Shortiss

At Red Hat Mobile we understand the need for a flexible product that enables our customers to integrate with the tools they need to build their current and future applications. Our position as a leading contributor to the Kubernetes project ensures that the Red Hat OpenShift Container Platform offers this tremendous flexibility to customers and end users.

Red Hat Mobile also supports highly flexible integrations to a range of 3rd party services and products. In this article, we’ll demonstrate how Red Hat Mobile v4 and OpenShift v3 enable customers to rapidly deploy and secure their mobile applications by integrating with a third party product provided by Intercede. We’ll be using Intercede’s RapID product to enable two-way TLS (often referred to as Client Certificate Authentication or CCA) for our mobile application.

Continue reading “Integrating Intercede RapID with Red Hat Mobile and OpenShift”

Share

Non-root Open vSwitch in RHEL

aconole
By Aaron Conole

In a few weeks, the Fast Datapath Production channel will update the Open vSwitch version from the 2.7 series to the 2.9 series. This is an important change in more ways than one. A wealth of new features and fixes all related to packet movement will come into play. One that will surely be blamed for all your troubles will be the integration of the `–ovs-user` flag to allow for an unprivileged user to interact with Open vSwitch.

Running as root can solve a lot of pesky problems. Want to write to an arbitrary file? No problem. Want to load kernel modules? Go for it! Want to sniff packets on the wire? Have a packet dump. All of these are great when the person commanding the computer is the rightful owner. But the moment the person in front of the keyboard isn’t the rightful owner, problems occur.

Continue reading “Non-root Open vSwitch in RHEL”

Share

3Scale by Red Hat Integration with ForgeRock using OpenID Connect

vbhalera
By Vinay Bhalerao

In my last article, I wrote about how API Management and Identity Management can work together in a complementary fashion to secure and manage the services/endpoints which applications expose as APIs. In that article I covered how Red Hat 3scale API Management can be used to integrate an identity manager, in addition to providing API management functions such as rate limiting and throttling.

Continue reading 3Scale by Red Hat Integration with ForgeRock using OpenID Connect

Share

3scale by Red Hat API and Identity Management Series

vbhalera
By Vinay Bhalerao

Today’s modern infrastructure faces the complex challenge of managing user’s access to the resources. To protect system and data integrity, companies have implemented identity and access management (IAM) solutions for their in-house systems. IAM solutions address three major concepts: identity, authentication, and authorization.  Their job is to ensure that only authenticated and authorized users have access to resources or information. Every IAM solution on the market provides a great set of features such as:

  • Single Sign-On (SSO)
  • Centralized policy-based authentication and authorization
  • Identity federation

Continue reading “3scale by Red Hat API and Identity Management Series”

Share

Annobin – Storing Extra Information in Binaries

nickclifton
By Nick Clifton

Introduction

Compiled files, often called binaries, are a mainstay of modern computer systems. But it is often hard for system builders and users to find out more than just very basic information about these files. The Annobin project exists as means to answer questions like:

  • How was this binary built?
  • What testing was performed on the binary?
  • What sources were used to make the binary ?

The Annobin project is an implementation of the Watermark specification , which details how to record extra information in a binary. One important feature of this specification is that it includes an address range for the information stored. This makes it possible to record the fact that part of a binary was compiled with one set of options and another part was recorded with a different set of options.

Continue reading “Annobin – Storing Extra Information in Binaries”

Share

Integrate RH-SSO 7.x with Liferay DXP using SAML

rzanini
By Ricardo Zanini

The aim of this tutorial is to configure Red Hat Single Sign On (RH-SSO) to work as an Identity Provider (IdP) for Liferay DXP through SAML.

Liferay DXP supports functionalities for Single Sign On (SSO) such as NTLM, OpenID, and Token-based and integration with IdPs like Google and Facebook. But when it comes to enterprise environments, the requirements may be stricter, especially regarding integration with externals IdPs.

Continue reading “Integrate RH-SSO 7.x with Liferay DXP using SAML”

Share

Enabling SAML-based SSO with Remote EJB through Picketlink

sidde3
By Siddhartha De

Lets suppose that you have a remote Enterprise JavaBeans (EJB) application where the EJB client is a service pack (SP) application in a Security Assertion Markup Language (SAML) architecture. You would like your remote EJB to be authenticated using same assertion which was used for SP.

Before proceeding with this tutorial, you should have a basic understanding of EJB and Picketlink.

Continue reading “Enabling SAML-based SSO with Remote EJB through Picketlink”

Share

Dynamically Creating Java Keystores in OpenShift

raffaelespazzolidbove
By Raffaele Spazzoli and Domenic Bove

Introduction

With a simple annotation to a service, you can dynamically create certificates in OpenShift.

Certificates created this way are in PEM (base64-encoded certificates) format and cannot be directly consumed by Java applications, which need certificates to be stored in Java KeyStores.

In this post, we are going to show a simple approach to enable Java applications to benefit from certificates dynamically created by OpenShift.

Continue reading “Dynamically Creating Java Keystores in OpenShift”

Share