Michael Rash, Security Researcher

2006 Blog Archive


Software Release - gpgdir-0.9.9

The 0.9.9 release of gpgdir is ready for download. Here is the ChangeLog:
  • Added RPM .spec file to build gpgdir as an RPM.
  • Added the --Skip-mod-install command line argument to allow all perl module installs to be skipped.
  • Added the --force-mod-regex command line argument to allow a regex match on perl module names to force matching modules to be installed.
  • Updated to TermReadKey-2.30 from 2.21.

fwknop-0.9.7 RPM Available

An RPM is now available for the fwknop-0.9.7 release (after downgrading to gcc-3.4.6 on my RPM build box because Net::RawIP does not build under gcc-4.x yet). It can be downloaded here.

Richard Bejtlich on Fwknop

Richard Bejtlich, founder of TaoSecurity, has made a posting to his blog about the article I wrote for the USENIX ;login: Magazine entitled "Single Packet Authorization with Fwknop". The SPA concept is catching on!

Linux Kernel String Match Bugfix

I have finally gotten my name into the ChangeLog for the Linux Kernel by fixing an initialization bug in the kernel portion of the Netfilter string match extension. This fix appears in kernel version 2.6.18, and here is the ChangeLog entry:
commit 3ffaa8c7c0f884171a273cd2145b8fbbf233ba22
Author: Michael Rash <>
Date:   Tue Aug 22 00:45:22 2006 -0700

    [TEXTSEARCH]: Fix Boyer Moore initialization bug

    The pattern is set after trying to compute the prefix table, which
    tries to use it. Initialize it before calling compute_prefix_tbl,
    make compute_prefix_tbl consistently use only the data from struct
    ts_bm and remove the now unnecessary arguments.

    Signed-off-by: Michael Rash <>
    Signed-off-by: Patrick McHardy <>
    Signed-off-by: David S. Miller <>
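As an added illustration (not the kernel's code, and not part of the original post), a simplified model of the ordering bug the commit describes: a shift table built from the pattern buffer before the pattern has been copied in is computed from zeros, and a string match rule relying on it can jump straight past the bytes it is supposed to catch. The struct, the bad-character table and the function names are hypothetical; only the init ordering mirrors the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ASIZE  256
#define MAXPAT 64
/* Hypothetical, simplified Boyer-Moore-Horspool state; not the kernel's struct ts_bm. */
struct bm {
    uint8_t pattern[MAXPAT];
    size_t  patlen;             /* 1..MAXPAT */
    size_t  bad_shift[ASIZE];   /* shift on mismatch, indexed by the last aligned text byte */
};
/* Builds the shift table from bm->pattern alone, so it is only as good as what the struct holds. */
static void compute_prefix_tbl(struct bm *bm) {
    for (size_t i = 0; i < ASIZE; i++)
        bm->bad_shift[i] = bm->patlen;
    for (size_t i = 0; i + 1 < bm->patlen; i++)
        bm->bad_shift[bm->pattern[i]] = bm->patlen - 1 - i;
}
/* Clamp the pattern length so memcpy can never overrun bm->pattern. */
static size_t patlen_of(const char *pat) { size_t n = strlen(pat); return n > MAXPAT ? MAXPAT : n; }
/* Pre-fix ordering: the table is computed while bm->pattern is still all zeros, so every
 * non-NUL text byte gets the maximum shift and the scan can jump straight past a real match. */
static void bm_init_buggy(struct bm *bm, const char *pat) {
    memset(bm, 0, sizeof *bm);
    bm->patlen = patlen_of(pat);
    compute_prefix_tbl(bm);               /* uses the still-empty pattern buffer */
    memcpy(bm->pattern, pat, bm->patlen);
}
/* Fixed ordering: store the pattern first, then derive the table from it. */
static void bm_init_fixed(struct bm *bm, const char *pat) {
    memset(bm, 0, sizeof *bm);
    bm->patlen = patlen_of(pat);
    memcpy(bm->pattern, pat, bm->patlen);
    compute_prefix_tbl(bm);
}
/* Offset of the first match or -1; this is the scan a string-match firewall rule runs on a payload. */
static long bm_find(const struct bm *bm, const uint8_t *text, size_t len) {
    for (size_t i = 0; bm->patlen && i + bm->patlen <= len; i += bm->bad_shift[text[i + bm->patlen - 1]])
        if (memcmp(text + i, bm->pattern, bm->patlen) == 0)
            return (long)i;
    return -1;
}
int main(void) {
    const uint8_t text[] = "xneedle";     /* constructed payload: a rule for "needle" must fire on it */
    struct bm b;
    bm_init_fixed(&b, "needle"); printf("fixed: %ld\n", bm_find(&b, text, 7));  /* 1 */
    bm_init_buggy(&b, "needle"); printf("buggy: %ld\n", bm_find(&b, text, 7));  /* -1, match skipped */
    return 0;
}
```

With the wrong ordering the only byte that gets a small shift is NUL, so a payload whose match is not at offset zero is silently missed: a detection gap rather than a crash.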

Intrusion Prevention Book Chapter Posted

Syngress Publishing has allowed me to post one of the chapters I wrote for the book "Intrusion Prevention and Active Response: Deploying Network and Host IPS". This chapter is entitled "Network Inline Data Modification" and explores the concept and implications of configuring an Intrusion Prevention System (IPS) to dynamically rewrite application layer data en route over a network. A PDF version of this chapter can be downloaded here. The book has received positive reviews (including one by Richard Bejtlich of on The actual data replacement is accomplished with Snort_inline or with a patch I wrote for the Netfilter string match extension and bundled with fwsnort.

DEF CON SPA Talk Slides Posted

Today I gave a talk at the DEF CON 14 conference in Las Vegas. This talk discussed the concept of routing SPA packets over the Tor network, and slides can be found here in PDF format. All feedback is welcome!

Software Release - fwknop-0.9.7

The 0.9.7 release of fwknop is ready for download. Here is the ChangeLog:
  • Added fwknop_serv to function as minimal TCP server over which SPA packets can be sent. This allows SPA to be compatible with the Tor network, which requires that a virtual circuit is established before traffic can be sent.
  • Updated to Crypt::CBC 2.18 after a vulnerability was discovered in previous versions of Crypt::CBC that caused weak ciphertext to be generated for algorithms that have blocksizes greater than 8 bytes (such as Rijndael used by fwknop). Manually specifying initialization vectors is not necessary now.
  • Updated SSH patch to support OpenSSH-4.3p2.
  • Bugfix to make sure to create /var/* directories if they don't exist (such as when /var is a tmpfs).
  • Bugfix to wrap SPA Rijndael decryption with eval{} so that fwknopd does not die if there are problems trying to decrypt data. This is necessary because of the security vulnerability fix in Crypt::CBC that creates some incompatibilities in different versions of Crypt::CBC.

Black Hat Briefings SPA Tutorial

Jay Beale is teaching a class at the Black Hat Briefings entitled Unix Aikido - Deflecting Attacks with Hard-Core Defense. He is going to include a tutorial on fwknop and Single Packet Authorization. The word is getting out about SPA!

OSCON slides posted

This past week I attended the excellent O'Reilly Open Source Convention (OSCON) in Portland, Oregon. I gave a talk there entitled "Maximum Netfilter", and you can find slides here in PDF format. This talk included coverage of all of the Netfilter-based projects that can be found here: psad, fwsnort, and fwknop. All feedback is welcome!

Software Release - gpgdir-0.9.8

The 0.9.8 release of gpgdir is ready for download. Here is the ChangeLog:
  • Updated to use GnuPG::Interface instead of GnuPG module. This should fix the incompatibility issues seen between the GnuPG module and some GnuPG installations.
  • Added perl module installation code from fwknop (see This allows gpgdir to preferentially use any perl modules that are already installed on the system.