Fix the Bugs, Secure the System

LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."

Script Kitties

[Mattygfunk]

It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.

The only remaining wish...

[__past__]

The only thing I'd like to see from the OpenBSD guys would be a write-up of the gathered wisdom, in form of a "Code-auditing Howto". Unless everybody starts using OBSD (not due this week, unfortunatly), it would be nice if they would share their knowledge so that other platforms like, say, Linux, could benefit.

But then I guess producing a high quality operating system keeps then busy enough...

Re:The only remaining wish...

[Arandir]

ask yourself why strlcpy() still isn't part of glibc

Because if it isn't invented at GNU they won't use it?

Re:The only remaining wish...

[jrincayc]

Try the Secure Programming for Linux and Unix HOWTO

It explains the basics of secure programming and common problems with a variety of programming languages including buffer overflow and many more tricky problems.

Re:The only remaining wish...

[dvdeug]

As if they'd pay attention. And before you mod that as flamebait, ask yourself why strlcpy() still isn't part of glibc..

There's a few huge winding threads in libc-alpha <http://sources.redhat.com/ml/libc-alpha> on this. One answer is:

These words make sense. The problem with strlcat and strlcpy is that they
assume that it's okay to arbitrarily discard data for the sake of preventing a
buffer overflow. The buffer overflow may be prevented, but because data may
have been discarded, the program is still incorrect. This is roughly analogous
to clamping floating point overflow to DBL_MAX and merrily continuing
in the calculation. ;)

Agree or disagree, the developers of glibc don't find strlcpy to be an appropriate function based on its merits. Trying to claim otherwise is just trying to stir up trouble.

Re:Buggy

[sporty]

Just becomes something does something in error doesn't mean its exploitable. If say the newest OBSD distrib forgot to provide a copy of disklabel, that's a pretty serious bug. You can't do a fresh install. A denial of service? Hardly. If the /etc/services file was missing an entry for httpd, it's an inconvenience, but still a bug.

Maybe I've been trolled, but thought I'd clear that up. A bug is an error in that a piece of functionality isn't right. An exploitable program or process can be a subset of it... that is, if being exploitable isn't part of the original plan.

Re:Buggy

[Jerf]

Just searching for 'OpenBSD Bug' on Google Groups retrieves over 20,500 queries.

Searching for "Brian bug" on Google shows 441,000 hits. Clearly you're 20 times buggier then OpenBSD, so I wouldn't be slinging implied accusations around.

The real problem with OpenBSD

[vlad_petric]

... is definitely neither security nor bugs - it's popularity/acceptance. To sustain my claim, there is no OpenBSD entry in the top requested websites

What's the point of a rock-solid operating system if very few are actually using it (and of course, that happens because of lacking features)? For a server security is always the second issue - the first being the service provided.

(I'm definitely exagerating here, so flame me as you like)

The Raven.

Re:The real problem with OpenBSD

[zulux]

What's the point of a rock-solid operating system if very few are actually using it

OpenBSD will never show up on my networks - but every packet that gets to my FreeBSD webserves goes through an OpenBSD firewall. I imagine that a lot of packet are touched by OpenBSD - an we'll never know it.

Secure programming

[Kiwi]

One of the most common security problems is buffer overflows; the way I worked around this was to write a special string library where the strings had meta data; including the maxiumum length a given string could have.

One of the problems with secure programming is the inertia in the computer industry; most of the operating systems in widespread use today (The *nix clones and DOS derivitives, these days) we developed in a time when security did not matter; *nix has a crude root-or-not security model and MS-DOS has no conception of security at all.

Personally, I think the solution is a model which has a real security model, such as EROS. The "audit the code so that it is perfect code without bugs" approach to security does not always work, even with OpenBSD.

- Sam

Re:Secure programming

[glenmark]

...or take the approach taken by OpenVMS from the beginning: any time a system call needs a string, that string is passed by descriptor. Of course, when the programmer is sloppy and uses null-terminated strings for his own calls, a buffer overflow in OpenVMS would only crash the program. Overflowing data would be discarded rather than executed. It boggles my mind that this flaw in Unix still has not been corrected after all these years.

Re:Secure programming

[rgmoore]

Auditing code so it is perfect and without bugs does work for security, it just has to take place in the libraries rather than the applications.

But it doesn't really work. It's better than nothing, but if there's one thing that years of security bugs should have taught us, it's that there are always new classes of undiscovered bugs out there. You can eliminate every known bug, but that doesn't guarantee that there are no clever exploits that you haven't figured out but that somebody else has (or will) find out how to use. What you really need is a level of security that's orthogonal to code level security. That can be something like capabilities, mandatory access controls, or even just finer grained control over what the code is allowed to do than Unix's all or nothing model.

Right now, if I want my computer's CD burning software to be able to set itself at high priority to avoid buffer underruns, I have to run it SUID root. That's insane; it means that a single programming error in what reasonably should be a user accessable program could give somebody complete access to the system. That isn't security, it's a nightmare. We need a system where I can assign that program only the right to reset its own priority, and not complete run of the system. Yes, it's better if the code is audited and potential bugs are eliminated, but a system in which a single bug can completely compromise the whole system is badly designed.

Look very closely at that picture

The skeleton in front just left of the middle? The one with a beak and wings?

That was a penguin. :-)

Re:Look very closely at that picture

[Harpagon]

On the shirt which have a bigger version of this picture. You can see more than that.

• Stripe of right top fish is made of Sun logos
• Yellow left top fish is covered with Windows logos

Of course, only the blowfish will not get eaten by the cat (because of its spikes).

Re:You [censored] moron.

[Alien54]

"Windows Bug" = 4,290 "Linux Bug" = 5,840 If I leave the quotes off, I get: Windows Bug= 1,540,000 Linux Bug = 1,690,000

with the same technique, searching for '"OpenBSD bug"' (note the quotes) returns only 93 results.

but this is only using the same yard stick.

beat yourself which ever way you want.

Note that this was google groups, by the way, not generic google search.

on the generic google search, with quotes, the total results are 352 for "openBSD bug"

Secure programming HOWTO for Linux and UNIX

[SteelX]

While we're on this topic, this Secure Programming HOWTO for Linux and UNIX might be of interest. It's a pretty comprehensive book. And best of all, it's free! :-)

Re:Secure programming HOWTO for Linux and UNIX

[dwheeler]

Thanks for the plug! My book, Secure Programming for Linux and Unix HOWTO, is free, and it's open source/free software (GNU FDL).

I've also just posted my presentation on how to write secure programs; it's the presentation I gave at FOSDEM 2002 last week. Note that these presentations have different (overlapping) goals; Louis Bertrand's presentation is primarily about OpenBSD (e.g., how it's developed), while my presentation is primarily about how developers can develop secure programs. My presentation, like the book, is at http://www.dwheeler.com/secure-programs.

Re:Why not just mark the stack non-executable?

[Saint+Nobody]

granted, a non-executable stack makes it significantly harder to exploit a buffer vulnerability, but it's not impossible. you can also put your shellcode in environment variables, in the heap, or various other places. if you wanted to follow your line of reasoning to completion, you'd have to have an isolated code segment, marked read-only, and everything else marked non-executable. of course, then we have the issue of how to handle run-time dynamic loading, and programs like vmware--pretty much anything that gets machine code from a source outside of itself and the libraries that are linked in at compile time.

i do agree with the idea of a non-executable stack, though. it's just regarded far too often as a panacea for buffer overflows.

Presentation...

[sean23007]

If this had been converted from presentation-style to an actual webpage, it would have been deemed a big waste of time. Where is all the information? There isn't even anything new here, I already knew everything there, and I've only been using OpenBSD for a couple weeks.

The only thing there was a long list of titles with no information, old or new.

Fix the bugs?

[Jucius+Maximus]

Why is it that when MSFT does something like stopping to fix bugs and secure systems, we make fun of them, but if it's BSD we look at it as something we can learn from?

Re:Fix the bugs?

[Malcontent]

Because we area able to learn from the openbsd team. Their goal is to help everybody build more secure systems. MS security practice takes place behind closed doors and can not help anybody else.

In the end we will see if MS is able to actually execute their goal. OpenBSD already has.

Re:Why not just mark the stack non-executable?

[YU+Nicks+NE+Way]

Standard buffer overflow exploits don't execute the stack. The most common form (so-called single instance exploits) alter the return point from a subroutine so that a particular command (also stored by the malicious code) gets executed. (E.g. in a Unix system, the attacker climbs around until he finds a call to exec, and branches to the exec with a call to /bin/sh in the right place on the stack.) The second most-common form consists of exploits that cause a function pointer to be replaced in a heap variable. Even if these exploits required the insertion of executable code -- and I don't know of any cases where they do -- a non-executable stack won't help against a heap attack.

Security: start in education

[LoonXTall]

I'm a CS major, and we just got some sample code from the professor to help us on our first project. The very first thing it does in main is have a buffer overflow.

#define SZ 100;
char buf[SZ];
cout << "Enter courses filename: ";
cin >> buf; // BAM!!

This is C++! We have the string datatype for this! There's absolutely no excuse for this--especially in code that will be referenced as "good" code by everyone else in the class.

So anyway, the point of this rant is that security will remain horrible until we start teaching people to write securely in the first place.

Re:Security: start in education

[Kidder]

A professor's code is not necessarily the best code in the world. I had a professor who used gets() in the example code he gave us and I had to explain the difference between fork() and vfork() to him (well, not much of a difference anymore...) I had another professor whose code had a MAJOR memory leak in it. I politely emailed the professor about it and he replied to the entire class with the memorable phrase: memory leaks are not important anymore.

Re:Can't wait for this all to get sorted out

[Chris+Burke]

But no one actually believes C is a good language?

C is a great language for the thing it was designed for -- system level (ie OS) programming. It turns out that it is mostly decent (and at least functional) at other programming tasks, and this helped it become ubiquitous.

Most of the problems in C that arise at the system level are a function of the standard library that it came with. For example, strcpy() should have never existed.

As to whether or not C is any good anywhere else... *shrug*. Minus easy-to-use regexp's, I think once you learn how to write good C code it can be a "good" language for just about anything. Still, I'm not saying I wouldn't mind seeing Java become more common in applications... So long as I can get a good static compiler and libraries for it.

Re:Why is this code bad?

[Sivar]

strcpy (dest, input); /***WHAM!***/

Here the code copies the input string to the destination, regardless of what size the input string is.

if (strlen(dest) => MAXLEN) {}

Here the code checks to see if the input data is larger than the buffer that it is being copied to, which is great and all except that it is being done AFTER the cpy took place. It's like drinking a bottle of clear liquid in a chemistry lab and THEN checking the label to see if it's sulfuric acid.
I'm no C expert either, so I may have missed something.

Secure the system: get rid of C

[Tom7]

I can't believe there is not one mention of using a language other than C. Is it the systems community? Is it because of BSD's history?

I don't know why this idea fails to even come up. Network servers are bandwidth-limited, not cpu limited, and writing them in a safe high level language is not only easier, but makes buffer overflows impossible. Being easier to write also of course allows more time for optimization and for other security fixes. (For those that need really high-performance for their gigabit links, maybe a C version and very careful maintenance is possible. For home users, this prospect is ridiculous.)

C seems almost *designed* to allow for buffer overflow exploits. If we want secure programs, we should be starting from more secure foundations!

For more detail, check my previous rant, "C lang remains inappropriate for network daemons": http://slashdot.org/comments.pl?sid=24271&cid=2629 013

Re:Secure the system: get rid of C

[Tom7]

I agree with you in theory, but in reality we have seen very few compiler flaws and very many application flaws. Writing compilers for high-level languages isn't all that hard, anyway.

I disagree that buffer overflows can be easily avoided. If they are so easy to avoid, why do we continue to see them? Practically every popular network software written by anyone has fallen to a buffer overflow at one time. I also disagree that C code is easy to audit and verify. Wu_FTPD is over 24,000 lines long, and I can't imagine ever trying to think through the security of such a large system on pure willpower. Safe languages give you the benefit of computer checking, and this frees up your mind to think about more important things (such as the security problems that compilers can't check!)

Re:Secure the system: get rid of C

[NonSequor]

Somehow I knew someone would say something like this. Which do you think would be easier: making sure that a compiler generates safe code, or making sure that no buffer overflows, memory leaks, or any other such things are in ANY programs or libraries. Why not fix things once rather than having to fix them everywhere?

Fixing buffer overflows by *ptr EBP

[redelm]

Granted good programming practice [fixed length buffers] is the best solution. But while waiting for code clean-up, wouldn't it be a fairly simple fix to wrapper the offending variable-length libc calls with fixed length calls? The problem is how long a length.

For x86 with standard stackframe setup, there is an answer: length _MUST_ be less than (EBP - *ptr) if the stack isn't to be trashed. Note that other local data may well get trashed. But at least the pgm doesn't lose control.

The wrapper could drop early chars or trailing chars, but should signal an error in the unlikely event the code has been made with error trapping. Of course, this wouldn't work if the code was compiled with -fomit-frame-pointer [or equivalent], but there is a price for security.

Performance and C

[Tom7]

I don't agree with your assessment that safe high-level languages necessarily perform badly. (What is the difference between speed and performance?) But, let's forget about that.

What is "OS-level" about an ftp daemon? BIND? Mozilla? Gnutella? All sorts of network (and other) applications are written in C, even though there certainly isn't any need for performance or device-level bit manipulation. (At least, I would place security way above performance!)

Cyclone is actually from Cornell, by the way. It's a good project for moving systemsy people away from C, but there are already mature programming languages that are not slow, and yet are secure by default. (Try SML or O'Caml, for instance.)

Re:Performance and C

[Tom7]

No, I'm not nuts!

I can saturate my 100 megabit link and not go above a few percent of processor usage using my SML FTP daemon. The bottlenecks are definitely the disk and network. (I am using the system call to copy file descriptors, anyway, so that part happens just as fast as the C version.) Honestly, I would estimate that my server uses at most 30% more processor time than wu_ftpd. If I actually thought that was slow, I'm sure I could bring it within 10% without much effort. If you think I'm wrong, you're going to have to give me some evidence.

For the vast vast majority of users, nobody needs even close to 100 megabits. For the people runing cdrom.com, or whatever, well, maybe a high performance ftp server is in order. These people hopefully have someone who can maintain it and keep up to date on patches. But for the 99.99% of users who install linux and the default FTP server on a sub-100mbit link (ESPECIALLy home users), the security liabilities of the C version far outweigh the imperceptible speed difference.

Wrong!!

[Tom7]

What? I don't think you know what you're saying. In any modern operating system, it's not possible for one process to write over the memory of another. Furthermore, saying that this is a Java exploit when it necessitates another process in another language is totally missing the point.

If a hacker exploited one process this way, then why would he bother to exploit the java program rather than just execute whatever code he plans on executing?

You are still totally wrong and I WILL be surprised if something like that happens.

C/C++ should have a native string datatype.

[Otis_INF]

The reason for all this bufferoverflow crap is that in C, and thus also in C++, people tend to use arrays or blocks of allocated memory to represent strings. What's needed is a string datatype IN the language, like int and char. Then, the compiler can do as the CLR does: allocate the strings, even local scope ones, on the heap. This way, no buffer overflows can happen, since the type is in fact a black box, so the overflow will cause some kind of error, plus the overflow can't be used to modify the stackframe and thus the returnaddress, since the string variable isn't allocated on the stack.

In C++, there is the string class in the std lib, but it's not native to the language. (almost native ok, but not totally like in C#).

C is a language where the respect for the borders of a block of memory is in the hands of the developer. Clearly, that's too old fashioned today, since languageelements can prevent mistakes C allows developers to make.

Learning functional programming

[rjh]

Learn it in Python. Really. Python 2.2 offers a whole host of lovely functional-programming features. Continuances, even. :)

I prefer to write functional code in LISP or Scheme, but I won't sneer at someone who uses Python functionally. It might lessen the learning curve for you, let you experiment around with functional programming, and then use what you learn there in Scheme, LISP or Ocaml.