Slashdot Mirror


Fix the Bugs, Secure the System

LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."

6 of 334 comments

  1. Script Kitties by Mattygfunk · · Score: 4, Interesting

    It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.

  2. The only remaining wish... by __past__ · · Score: 4, Interesting
    The only thing I'd like to see from the OpenBSD guys would be a write-up of the gathered wisdom, in the form of a "Code-auditing Howto". Unless everybody starts using OBSD (not due this week, unfortunately), it would be nice if they would share their knowledge so that other platforms like, say, Linux, could benefit.

    But then I guess producing a high quality operating system keeps them busy enough...

    1. Re:The only remaining wish... by dvdeug · · Score: 4, Interesting

      As if they'd pay attention. And before you mod that as flamebait, ask yourself why strlcpy() still isn't part of glibc.

      There's a few huge winding threads in libc-alpha <http://sources.redhat.com/ml/libc-alpha> on this. One answer is:

      These words make sense. The problem with strlcat and strlcpy is that they
      assume that it's okay to arbitrarily discard data for the sake of preventing a
      buffer overflow. The buffer overflow may be prevented, but because data may
      have been discarded, the program is still incorrect. This is roughly analogous
      to clamping floating point overflow to DBL_MAX and merrily continuing
      in the calculation. ;)


      Agree or disagree, the developers of glibc don't find strlcpy to be an appropriate function based on its merits. Trying to claim otherwise is just trying to stir up trouble.
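      As an added example (not code from the thread or from glibc/OpenBSD), the usage that answers the objection quoted above: strlcpy returns the length it tried to create, so a caller can detect that data was discarded and fail loudly instead of silently continuing with a different string. The names my_strlcpy and copy_path are my own; my_strlcpy reimplements the OpenBSD semantics so the block compiles on a libc without strlcpy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Portable reimplementation of strlcpy (OpenBSD semantics): copy at most
 * dsize-1 bytes, always NUL-terminate when dsize > 0, and return the full
 * length of src so the caller can tell whether truncation happened. */
static size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;   /* >= dsize means the copy was truncated */
}

/* Copy a path into a fixed-size buffer. Returns 1 on success, 0 if the
 * input did not fit; on failure dst is cleared so a truncated path is
 * never used by mistake. This is the check the glibc objection says
 * callers tend to omit. */
int copy_path(char *dst, size_t dsize, const char *src)
{
    size_t needed = my_strlcpy(dst, src, dsize);
    if (needed >= dsize) {
        dst[0] = '\0';   /* refuse to proceed with discarded data */
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: the first fits, the second would be truncated. */
    printf("%d\n", copy_path(buf, sizeof buf, "/etc/services"));            /* 1 */
    printf("%d\n", copy_path(buf, sizeof buf, "/usr/share/misc/disklabel")); /* 0 */
    return 0;
}
```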

  3. Re:Buggy by sporty · · Score: 3, Interesting

    Just because something does something in error doesn't mean it's exploitable. If say the newest OBSD distrib forgot to provide a copy of disklabel, that's a pretty serious bug. You can't do a fresh install. A denial of service? Hardly. If the /etc/services file was missing an entry for httpd, it's an inconvenience, but still a bug.

    Maybe I've been trolled, but thought I'd clear that up. A bug is an error in that a piece of functionality isn't right. An exploitable program or process can be a subset of it... that is, if being exploitable isn't part of the original plan.

    --

    -
    ping -f 255.255.255.255 # if only

  4. The real problem with OpenBSD by vlad_petric · · Score: 3, Interesting
    ... is definitely neither security nor bugs - it's popularity/acceptance. To sustain my claim, there is no OpenBSD entry in the top requested websites

    What's the point of a rock-solid operating system if very few are actually using it (and of course, that happens because of lacking features)? For a server security is always the second issue - the first being the service provided.

    (I'm definitely exaggerating here, so flame me as you like)

    The Raven.

    --

    The Raven

  5. Re:Secure programming by glenmark · · Score: 3, Interesting

    ...or take the approach taken by OpenVMS from the beginning: any time a system call needs a string, that string is passed by descriptor. Of course, when the programmer is sloppy and uses null-terminated strings for his own calls, a buffer overflow in OpenVMS would only crash the program. Overflowing data would be discarded rather than executed. It boggles my mind that this flaw in Unix still has not been corrected after all these years.

    --
    *** Quantum Mechanics: The Dreams of Which Stuff is Made ***