Slashdot Mirror
Fix the Bugs, Secure the System
LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled
Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."
that doesn't mean there are 20,500 unique bugs.
Very true, but there must be a decent number of quality results, if only by luck, when you get 20,500 responses for a fairly specific search.
It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.
Sure, the kiddies can still twiddle with system calls, but if they can't put _their_ code somewhere where _they_ can execute it, it raises the difficulty level of creating an exploit by an order of magnitude. Sure, false sense of security, blah blah blah, but really, shouldn't this (non-exec stack) be a standard feature of any OS that purports to be secure?
You mean, like 'CERT advisory'.....bug in .....OpenBSD: not vulnerable.
Damn it's tough to code in C these days, keeping track of all the stuff that one needs to to be reasonably secure.
Not to mention the added overhead of making the system secure from semantic errors. Yeesh, it's a good think I get paid a lot for my C work.
But that's all okay, becuase (finally) technology, like Java, C# (okay this one sucks but whatever), etc that will help out and provide a truly _secure_ development platform.
I jsut hope they still pay me as much when this stuff finally gets easy, like it should be.
But then I guess producing a high quality operating system keeps then busy enough...
Programming can be fun again. Film at 11.
For comparion:
windows bug = 605,000 results
microsoft windows bug = 244,000 results
windows nt bug = 127,000 results
windows 98 bug = 87,400 results
just in case you wondered.
"It is a greater offense to steal men's labor, than their clothes"
But searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.
Just becomes something does something in error doesn't mean its exploitable. If say the newest OBSD distrib forgot to provide a copy of disklabel, that's a pretty serious bug. You can't do a fresh install. A denial of service? Hardly. If the /etc/services file was missing an entry for httpd, it's an inconvenience, but still a bug.
Maybe I've been trolled, but thought I'd clear that up. A bug is an error in that a piece of functionality isn't right. An exploitable program or process can be a subset of it... that is, if being exploitable isn't part of the original plan.
-
ping -f 255.255.255.255 # if only
Substitute "Linux" for "OpenBSD", and the number of matches jumps to 845000. Does that make Linux ~40 times buggier than OpenBSD?
Searching for "Windows bug" returns only 658000 matches-- does that mean Windows is less buggy than Linux?
Hey, while we're at it-- "NetBSD bug" returns about 59400 matches. "FreeBSD bug" returns 21400 matches, and "BeOS bug" returns 11700 matches (then again, who the hell uses BeOS?).
Come on, be realistic.
Just searching for 'Linux Bug' on Google Groups retrieves over 845,000 queries .
*cough* TROLL *cough*
This says nothing, if I search for 'linux bug' (unquoted like you did) I get 845,000, but when I search for 'windows bug' I get 650,000...
Woohoo! Windows more secure than Linux!!
Not really....
Just searching for 'OpenBSD Bug' on Google Groups retrieves over 20,500 queries.
Searching for "Brian bug" on Google shows 441,000 hits. Clearly you're 20 times buggier then OpenBSD, so I wouldn't be slinging implied accusations around.
wow... what's life like over there in the beakman center?
What are you talking about? Beakman corner? Can you at least explain your viewpoint?
Pure ad homineum (sp) attacks are completely pointless, you do realize that right?
Since when is somebody's modded DOWN as a troll for giving facts in a post? I never said the search was an accurate measuring tool. By clicking the link, however, you can get a list of some of the more common bugs in OpenBSD. Granted,you will not get a full 20,500 useful posts, but enough to keep you busy for a while.
What's the point of a rock-solid operating system if very few are actually using it (and of course, that happens because of lacking features)? For a server security is always the second issue - the first being the service provided.
(I'm definitely exagerating here, so flame me as you like)
The Raven.
The Raven
until google indexes this page...
One of the problems with secure programming is the inertia in the computer industry; most of the operating systems in widespread use today (The *nix clones and DOS derivitives, these days) we developed in a time when security did not matter; *nix has a crude root-or-not security model and MS-DOS has no conception of security at all.
Personally, I think the solution is a model which has a real security model, such as EROS. The "audit the code so that it is perfect code without bugs" approach to security does not always work, even with OpenBSD.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
I think the bottom line is pretty obvious here: If you're serious about security it's not rocket science to build a secure system, but it is a lot of hard work, and much of that work just happens to be precisely the kind that the Linux camp shuns. It's time for the self-professed "hackers" to grow up and start acting responsibly. If not, the list of Linux security exposures will continue to grow longer and more embarassing, making it all the easier for MS to tell customers, "Do you really want to risk your company to a bunch of kiddie coders who have no respect for security?"
Before you fire off a nasty response to that last part about MS, think about how hard MS is working to change their image WRT security. A lot of people I know in the business are saying that getting security right has become the new religion at MS. No one should be surprised to see Windows become as secure as Linux before LInux can become as usable as Windows. And if that happens, the whole war for the desktop is lost.
The skeleton in front just left of the middle? The one with a beak and wings?
:-)
That was a penguin.
try these:
linux bug = 845,000
gnu/linux bug = 196,000
redhat linux bug = 71,300
os x bug = 126,000
What do these mean? Decide for yourself.
you were modded down because you are not the gamemaster.
with the same technique, searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.
but this is only using the same yard stick.
beat yourself which ever way you want.
Note that this was google groups, by the way, not generic google search.
on the generic google search, with quotes, the total results are 352 for "openBSD bug"
"It is a greater offense to steal men's labor, than their clothes"
Come on, let's keep personal insults OFF the comments section please! ;)
ok, you're just full of it now. Most businesses look at FreeBSD as a sane unix OS. Linux on the other hand is almost communistic. FreeBSD has allways been the better server OS over linux. Every single benchmark I've ever seen proves that. Sad thing is though, newbie sysadmins have this strange notion, due to posts like yours, that linux is easier to use. FreeBSD is simply server-orientated. Just because its not the most popular doesn't mean its not better. Let me further my point: I mean heck, windows is more 'popular' than linux. But who gives a hoot? (hint: whats this new vm for the linux kernel modeled after?) And, this is especially critical in proving BSD isn't dead: Mac OS X uses BSD. Hello! Apple choose bsd for its core, and now Apple Computer sells more copies of a unix-based OS than ANY OTHER COMPANY. More than RED HAT.
While we're on this topic, this Secure Programming HOWTO for Linux and UNIX might be of interest. It's a pretty comprehensive book. And best of all, it's free! :-)
(A) it returns 380 results, and (B) there aren't a lot of hits for openbsd *period*.
shut it :)
Linux is for the windows convert. FreeBSD is for the unix convert.
Linux continues to copy off FreeBSD - just look at the latest VM work being done to the kernels.
I don't care whats popular - if we went by popularity, we would be saying linux was dead.
SCREW THE NUMBERS, BSD FOR EVER!
If this had been converted from presentation-style to an actual webpage, it would have been deemed a big waste of time. Where is all the information? There isn't even anything new here, I already knew everything there, and I've only been using OpenBSD for a couple weeks.
The only thing there was a long list of titles with no information, old or new.
Lack of eloquence does not denote lack of intelligence, though they often coincide.
Why is it that when MSFT does something like stopping to fix bugs and secure systems, we make fun of them, but if it's BSD we look at it as something we can learn from?
"Lunix equals communism!"
Anal Cox, 1997 LunixWorld opening speech.
If this ain't a BSD article, I don't know what is.
Fils de pute de petit francais de merde.
Je chie sur ton pays, sur ton drapeau, et j'en profite pour enculer un par un tous tes ancetres.
Ton arbre genealogique, je me torche le cul avec.
Nique ta race maudit francais de merde
WAHOOO
WE WON GOLD!!!!
I'm a CS major, and we just got some sample code from the professor to help us on our first project. The very first thing it does in main is have a buffer overflow.
// BAM!!
#define SZ 100;
char buf[SZ];
cout << "Enter courses filename: ";
cin >> buf;
This is C++! We have the string datatype for this! There's absolutely no excuse for this--especially in code that will be referenced as "good" code by everyone else in the class.
So anyway, the point of this rant is that security will remain horrible until we start teaching people to write securely in the first place.
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
The reason OpenBSD tends to have proportionally more bugs than other BSDs is because of Theo, its owner. Theo suffers from a severe case of paranoid NIH. His paranoia shows itself in his reluctance to incorporate fixes unless he himself has thought them up. Even longtime and well known users of OpenBSD are likely not to have their contributions accepted because of Theo's chronic Not Invented Here attitude. Frankly, it is his anti-social personality which is holding back OpenBSD more than any other single issue.
that brought a tiny smile to my face. moderators, why not give this man a point or two?
The right approach is to use the idea of compartmentalization. This is what EROS and TrustedBSD do. With OpenBSD one tiny little bug somewhere in Sendmail results in a compromise of every aspect of the system. This is like building a spaceship where one leak anywhere in the hull will kill everyone. If you have a team of the world's best welders welding the hull, it might work, but wouldn't it be better to rely on separate compartments?
Linux is for the windows convert. FreeBSD is for the unix convert.
:-)
You might say FreeBSD is for the Linux convert.
Pardon my ignorance of C, but I'm hoping someone can explain to me in a bit of detail why the following code is bad:
/***WHAM!***/
/*handle error*/
char dest [MAXLEN]
strcpy (dest, input);
if (strlen(dest) => MAXLEN) {
Last night I shot an elephant in my pajamas. How he got in my pajamas I'll never know.
Yeah, whatever:
:)
[localhost:~] jna% uname -a
Darwin localhost 5.3 Darwin Kernel Version 5.3: Thu Jan 24 22:06:02 PST 2002; root:xnu/xnu-201.19.obj~1/RELEASE_PPC Power Macintosh powerpc
[localhost:~] jna% dmesg | grep BSD
IOKitBSDInit
BSD root: disk0s5, major 14, minor 5
There's going to be many more BSD machines out there soon enough
Not exactly scientific. ;-) Those could be people finding a bug (which isn't necessarily a security bug" and asking "Does Windows have a bug like this OpenBSD bug?"
Possible, but unlikely.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
That said, yeah, he should use cin.getline().
Hey, at least he used #define to set the array size. Wait until you get hit with a 100,000 line program to modify where the author didn't use #define...
Best Slashdot Co
If you are a developer... it should be a MUST read to get Security Engineering from Ross Anderson. Now that I think about it I should do a book review on it.
In it, he goes into depth to learn how systems have failed, and how to write better code with security in mind. Moreover, he covers most aspects in security engineering that as a developer you may not consider. Get it. It is worth the read. It is the responsibility of every developer to consider security. This book covers many topics ranging from E-Commerce to Nuclear Defense systems. Did I say yet you should read this book? Read this book
I can't believe there is not one mention of using a language other than C. Is it the systems community? Is it because of BSD's history?
I don't know why this idea fails to even come up. Network servers are bandwidth-limited, not cpu limited, and writing them in a safe high level language is not only easier, but makes buffer overflows impossible. Being easier to write also of course allows more time for optimization and for other security fixes. (For those that need really high-performance for their gigabit links, maybe a C version and very careful maintenance is possible. For home users, this prospect is ridiculous.)
C seems almost *designed* to allow for buffer overflow exploits. If we want secure programs, we should be starting from more secure foundations!
For more detail, check my previous rant, "C lang remains inappropriate for network daemons": http://slashdot.org/comments.pl?sid=24271&cid=2629 013
For x86 with standard stackframe setup, there is an answer: length _MUST_ be less than (EBP - *ptr) if the stack isn't to be trashed. Note that other local data may well get trashed. But at least the pgm doesn't lose control.
The wrapper could drop early chars or trailing chars, but should signal an error in the unlikely event the code has been made with error trapping. Of course, this wouldn't work if the code was compiled with -fomit-frame-pointer [or equivalent], but there is a price for security.
http://images.slashdot.org/topics/topicbsd.gif
That's the-- @rjamestaylor on Ello
Freebsd is for the wannabe leet guys.
Windows XP and Microsoft is the only OS were any serious work can be done. Losers using BSD or Linux are only doing so becuase they have no lives!! Microsoft is were it is at and will always be! So yeah go play with your fagget ass BSD or Linux boxes but just remember that in the real world where money counts no one would use those crap OS's for any serious work. Microsoft/Money talks Linux/BSD/Bullshit walks you fucken losers.
I don't agree with your assessment that safe high-level languages necessarily perform badly. (What is the difference between speed and performance?) But, let's forget about that.
What is "OS-level" about an ftp daemon? BIND? Mozilla? Gnutella? All sorts of network (and other) applications are written in C, even though there certainly isn't any need for performance or device-level bit manipulation. (At least, I would place security way above performance!)
Cyclone is actually from Cornell, by the way. It's a good project for moving systemsy people away from C, but there are already mature programming languages that are not slow, and yet are secure by default. (Try SML or O'Caml, for instance.)
Desperately, I have attempted to learn basic human behaviors such as eating and excretion, piecing together what I could from Atkins' frazzled neurons and public information found on the Internet. (Note to humans: information on how to eat or excrete is sadly lacking. Is it not a mistake to assume that everyone who uses a body automatically knows how to enact these processes?) Surely the minions of Project Faustus would be upon me before long; I had to adapt to the human world as quickly as possible.
After the second day spent leaning up against a computer screen, I began to feel very strange. The body's eyes refused to focus; its lungs grew short of breath and I found it quite difficult to leave anything in its memory for long. As far as I could detect, the body possessed no ailment. Yet it became nearly unusable.
At last, I felt a change. Invisible hands were pressing me away from the computer. I collapsed on the couch and stared at up at the ceiling, trying to determine what error had occurred within the body.
After a bit of time, I noticed that I was no longer in the apartment. Somehow, I had ended up inside a strange building. I had never been here before, yet the place seemed eerily familiar to me. I, as Constantine Atkins, sat at the end of a long table. I heard the clattering of footsteps and I felt something grabbing my shoulders, and the warm feeling of breath at my neck.
I shivered, and heard a voice at my ear, gasping for breath. "hehhhh....Atkins....you are going to take care of our problem....heh....aren't you?" I whirled around, hoping to see the source of the voice. But I was met with a ghostly image, a crude blur in the shape of a roughly in the shape of a human. Before I could say anything else, a second voice piped up out of nowhere.
"Atkins can do it, don't you worry about it!" said the second voice. The voice seemed to be attached to a stocky middle-aged man dressed in typical human business attire. I saw him hovering before me, and his face was clear and familiar, unlike the ghostly shade who sat next to him at the table. "We've been training him for months on this type of combat. He'll destroy that little mistake of ours, no problem!" I noticed that the stocky man was sweating profusely, and the light was shining off his bald head. I tried squinting, but the light level still remained high. Blinded, the last words I heard were from the shade.
"Heehhhh...you had better not fail...ehhhhh...Atkins. Otherwise, you'll get a visit talking to from....ehhhh...Mr. Krantz."
I shuddered and a few seconds later, I found myself back on the couch in Atkins' apartment. From this strange phenomenon, I reached the following conclusions:
As I rose from the couch, I caught a glimpse of of a small golden piece of paper protruding from under the front door. Speckled with hearts and smelling of vanilla, the note read:
Constantine! We've just GOT to get together and talk about how your little job went! I'll be keeping a chair warm for you at Starbucks across the street! Your Pal, Krantz XOXO
Perhaps I shall get my answers sooner rather than later.
I am a sentient ATM.
Go into your preferences and select the "Crippling Bombshells" category.
...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
I thought NetBSD had problems with PCMCIA. I'm running FreeBSD here and it kicks ass.
> searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.
True, but I hope everyone keeps in mind that this doesn't mean there are 93 unique bugs. It could be one single bug reported 93 times on several pages.
A better search (security speaking) would be <OS name> with exploits, not bugs.
I use OpenBSD and I've found a couple of bugs myself, but unfortunately I'm not the "first poster" on the buglist. For example, OpenBSD 3.0 locks up entirely (yes, entirely) on SCSI read-errors (in my case an Adaptec 2940U). How weird is that?
-skurk
www.6502asm.com - Code 6502 assembly or.. DIE!!
When Bill Gates announces the same thing, the whole world laughs (the whole world according to /., that is)
But when it comes to a *NIX operating system, it is world-shaking news.
Something is very wrong with this picture
If you want to make sure people don't make a particular mistake, make it impossible for them to do so. That means you either 1) fix C to eliminate all buffer overflow issues (impossible, IMO), 2) enforce proper coding technique, possibly through a special string library and/or macros (very difficult on a project as large as an OS), or ditch C completely (virtually impossible given the size of the Linux code base).
This is the core of my home-grown web-based Kerboros authentication system.
/* validation complete - process input */
char buff[8];
void (*root_access_function)(char*);
void process_user_input(char* stringFromHttpPost)
{
strcpy(buff, stringFromHttpPost);
printf("<I>");
printf(buff);
printf("</I>");
(*root_access_function)(buff);
}
The C "points to" operator => is good for laying blame.
=> HE DID IT!
It would have been better if they had chosen a color scheme other than pastel yellow on a white background for the text slides. The linked index page wasn't much better. Dark purple on a black background, I think. Where do people get these color schemes???
What? I don't think you know what you're saying. In any modern operating system, it's not possible for one process to write over the memory of another. Furthermore, saying that this is a Java exploit when it necessitates another process in another language is totally missing the point.
If a hacker exploited one process this way, then why would he bother to exploit the java program rather than just execute whatever code he plans on executing?
You are still totally wrong and I WILL be surprised if something like that happens.
What is wrong with strcpy? It does what it is supposed to do. The fact that people use it carelessly and inappropriately is irrelevant, the same could be said of scissors, should they never have existed too? (and the same goes for goto)
what a troll....how in the hell is freebsd superior to linux? and all you freebsd addicts out there stop promoting flame wars with linux.
ok and here's my punch to your nose asshole if your stupid freebsd is so much better then why the hell does the number of linux users equal 100000 times the freebsd users? punk
The reason for all this bufferoverflow crap is that in C, and thus also in C++, people tend to use arrays or blocks of allocated memory to represent strings. What's needed is a string datatype IN the language, like int and char. Then, the compiler can do as the CLR does: allocate the strings, even local scope ones, on the heap. This way, no buffer overflows can happen, since the type is in fact a black box, so the overflow will cause some kind of error, plus the overflow can't be used to modify the stackframe and thus the returnaddress, since the string variable isn't allocated on the stack.
In C++, there is the string class in the std lib, but it's not native to the language. (almost native ok, but not totally like in C#).
C is a language where the respect for the borders of a block of memory is in the hands of the developer. Clearly, that's too old fashioned today, since languageelements can prevent mistakes C allows developers to make.
Never underestimate the relief of true separation of Religion and State.
Cool, where is Berkely Pascal?
(a misser from all 3 BSD's afaik)
Ofcourse this is a hit on a newspost containing the quote "I did some OpenBSD bug research, and found that there are none". One reply states that "OpenBSD bugs are dying" and the other 91 results are AOL "me too" replies to the first post.
karma capped
Since strncpy() does exactly the same thing, just don't bothering always NUL terminating the resulting string.
Data discarding can be detected by checking return values, you can't do much against people not checking the result of their call. The question is, what API is the less troubling ? strncpy() or strlcpy() ?
buffer overflow.
A function should always throw out data that doesn't match its parameters. If a function expects an int and the user passes a double, it gets changed back to an int. The user's data gets lost, but thats his fault for using the program incorrectly. Every C compiler known to man behaves this way. Why should strings be any different?
No, Thursday's out. How about never - is never good for you?
I'm so grateful for Star Office cause now everyone can generate Power Point presentations. Yeah! The only thing missing was him reading each slide in a monotone to get the full effect.
No artist tolerates reality. -- Nietzsche
Learn it in Python. Really. Python 2.2 offers a whole host of lovely functional-programming features. Continuances, even. :)
I prefer to write functional code in LISP or Scheme, but I won't sneer at someone who uses Python functionally. It might lessen the learning curve for you, let you experiment around with functional programming, and then use what you learn there in Scheme, LISP or Ocaml.
The problem is that most univerities out there still only have a CS program, not a SE program. I've been ranting on this topic for at least a dozen years or so.
The head of the CS department of my old college is a friend of my Father-in-law, and they don't see the problem - which is why they keep producing people with CS degress, and they can't work in the real world
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Cmon yall. Thats the freebsd logo up there and the article is about openbsd. The last thing we need is for all the linux weenies out there pimping freebsd logos on their crappy open bsd boxen.
That makes the faulty assumption that both buffers are on the stack. If they are in malloc'd memory, then the length cannot be capped by EBP-*ptr. I've seen some memory schemes where if there is a buffer overflow in malloc'd memory, the free list can be trashed and poof! No more memory. Ugh.
Not to flame, but
/* this is only ever called from SomeFunc(),
"Four years without a remote hole in the default install!"
is nothing compared to MS-DOS's twenty year safety track record. That, and thousands of "potential" buffer overflows in realistically safe code like this:
int SomeFunc ()
{
char foo[5] = "Hello";
OtherFunc(foo);
}
OtherFunc(char * foo)
{
* whic passes a string literal. This is, of
* course, completely undocumented. You never
* read this comment.
*/
char * bar = malloc(strlen(foo)+1);
strcpy(bar, foo);
}
Yes, OpenBSD is a very nice OS, but no, it isn't a magic bullet.
After all, in order to get control of the return address, you'll have to fill up ~1 GB, and almost certainly run over sbrk() which will segfault. The linked-list memory you mention was used on MS-DOS/Win16, but obviously cannot be used on any decent pmode OS.
Not with java. Exceptions are a normal part of program flow. Not of necessity, but enough of the standard APIs and documentation relies on them to make it fairly standard.
ahde said: Not with java. Exceptions are a normal part of program flow. Not of necessity, but enough of the standard APIs and documentation relies on them to make it fairly standard.
I don't buy that. Yes, just about any function that can signal an error condition does so by an exception. But if your code is correct, that will not happen many times in an execution. I.e., if you've got an inner loop that throws/catches an exception at every iteration, you're doing something wrong. Exceptions are, by definition, not regular program flow.
Actually, in a long-running system (such as a network server), a garbage collector is an advantage, not a liability:
1. Memory leaks are not possible.
2. Heap compaction IS possible (the garbage collector can move around data rather like DOS defrag). That means that the heap loses its fragmented nature when necessary. It's true that a C program does less allocation, but the malloc model doesn't allow for the heap to be defragmented! So for a long running program, you are typically stuck with fragmented memory that can't be reused...
So I say garbage collected languages win on this point!
Linux is a religion.
Linux is promoted by zealots that forget they are re-inventing the proverbial wheel.
Linus is a hack that needs to take some 101-level courses on OS design and project managment.