Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fix the Bugs, Secure the System

Posted by michael on from the crunchy-on-the-outside dept.

LiquidPC writes: "OpenBSD's Louis Bertrand has put his MUSESS 2002 presentation online, entitled Fix the Bugs, Secure the System. Does an overview of OpenBSD, then explains Format String Ugliness, Buffer Overflows, The Wrong Way to Fix Overflows, along with numerous other things."

15 of 334 comments (clear)

  1. Script Kitties by Mattygfunk · · Score: 4, Interesting

    It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.

  2. The only remaining wish... by __past__ · · Score: 4, Interesting
    The only thing I'd like to see from the OpenBSD guys would be a write-up of the gathered wisdom, in form of a "Code-auditing Howto". Unless everybody starts using OBSD (not due this week, unfortunatly), it would be nice if they would share their knowledge so that other platforms like, say, Linux, could benefit.

    But then I guess producing a high quality operating system keeps then busy enough...

    --
    Programming can be fun again. Film at 11.
    1. Re:The only remaining wish... by Arandir · · Score: 4, Funny

      ask yourself why strlcpy() still isn't part of glibc

      Because if it isn't invented at GNU they won't use it?

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    2. Re:The only remaining wish... by dvdeug · · Score: 4, Interesting

      As if they'd pay attention. And before you mod that as flamebait, ask yourself why strlcpy() still isn't part of glibc..

      There's a few huge winding threads in libc-alpha <http://sources.redhat.com/ml/libc-alpha> on this. One answer is:

      These words make sense. The problem with strlcat and strlcpy is that they
      assume that it's okay to arbitrarily discard data for the sake of preventing a
      buffer overflow. The buffer overflow may be prevented, but because data may
      have been discarded, the program is still incorrect. This is roughly analogous
      to clamping floating point overflow to DBL_MAX and merrily continuing
      in the calculation. ;)

      Agree or disagree, the developers of glibc don't find strlcpy to be an appropriate function based on its merits. Trying to claim otherwise is just trying to stir up trouble.

  3. Re:Buggy by Jerf · · Score: 5, Funny

    Just searching for 'OpenBSD Bug' on Google Groups retrieves over 20,500 queries.

    Searching for "Brian bug" on Google shows 441,000 hits. Clearly you're 20 times buggier then OpenBSD, so I wouldn't be slinging implied accusations around.

  4. Secure programming by Kiwi · · Score: 4, Informative
    One of the most common security problems is buffer overflows; the way I worked around this was to write a special string library where the strings had meta data; including the maxiumum length a given string could have.

    One of the problems with secure programming is the inertia in the computer industry; most of the operating systems in widespread use today (The *nix clones and DOS derivitives, these days) we developed in a time when security did not matter; *nix has a crude root-or-not security model and MS-DOS has no conception of security at all.

    Personally, I think the solution is a model which has a real security model, such as EROS. The "audit the code so that it is perfect code without bugs" approach to security does not always work, even with OpenBSD.

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  5. Re:The real problem with OpenBSD by zulux · · Score: 5, Insightful

    What's the point of a rock-solid operating system if very few are actually using it

    OpenBSD will never show up on my networks - but every packet that gets to my FreeBSD webserves goes through an OpenBSD firewall. I imagine that a lot of packet are touched by OpenBSD - an we'll never know it.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  6. Secure programming HOWTO for Linux and UNIX by SteelX · · Score: 5, Informative

    While we're on this topic, this Secure Programming HOWTO for Linux and UNIX might be of interest. It's a pretty comprehensive book. And best of all, it's free! :-)

    1. Re:Secure programming HOWTO for Linux and UNIX by dwheeler · · Score: 5, Informative
      Thanks for the plug! My book, Secure Programming for Linux and Unix HOWTO, is free, and it's open source/free software (GNU FDL).

      I've also just posted my presentation on how to write secure programs; it's the presentation I gave at FOSDEM 2002 last week. Note that these presentations have different (overlapping) goals; Louis Bertrand's presentation is primarily about OpenBSD (e.g., how it's developed), while my presentation is primarily about how developers can develop secure programs. My presentation, like the book, is at http://www.dwheeler.com/secure-programs.

      --
      - David A. Wheeler (see my Secure Programming HOWTO)
  7. Re:Why not just mark the stack non-executable? by Saint+Nobody · · Score: 4, Insightful

    granted, a non-executable stack makes it significantly harder to exploit a buffer vulnerability, but it's not impossible. you can also put your shellcode in environment variables, in the heap, or various other places. if you wanted to follow your line of reasoning to completion, you'd have to have an isolated code segment, marked read-only, and everything else marked non-executable. of course, then we have the issue of how to handle run-time dynamic loading, and programs like vmware--pretty much anything that gets machine code from a source outside of itself and the libraries that are linked in at compile time.

    i do agree with the idea of a non-executable stack, though. it's just regarded far too often as a panacea for buffer overflows.

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  8. Presentation... by sean23007 · · Score: 5, Insightful

    If this had been converted from presentation-style to an actual webpage, it would have been deemed a big waste of time. Where is all the information? There isn't even anything new here, I already knew everything there, and I've only been using OpenBSD for a couple weeks.

    The only thing there was a long list of titles with no information, old or new.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  9. Re:Why not just mark the stack non-executable? by YU+Nicks+NE+Way · · Score: 5, Informative

    Standard buffer overflow exploits don't execute the stack. The most common form (so-called single instance exploits) alter the return point from a subroutine so that a particular command (also stored by the malicious code) gets executed. (E.g. in a Unix system, the attacker climbs around until he finds a call to exec, and branches to the exec with a call to /bin/sh in the right place on the stack.) The second most-common form consists of exploits that cause a function pointer to be replaced in a heap variable. Even if these exploits required the insertion of executable code -- and I don't know of any cases where they do -- a non-executable stack won't help against a heap attack.

  10. Security: start in education by LoonXTall · · Score: 5, Insightful

    I'm a CS major, and we just got some sample code from the professor to help us on our first project. The very first thing it does in main is have a buffer overflow.

    #define SZ 100;
    char buf[SZ];
    cout << "Enter courses filename: ";
    cin >> buf; // BAM!!

    This is C++! We have the string datatype for this! There's absolutely no excuse for this--especially in code that will be referenced as "good" code by everyone else in the class.

    So anyway, the point of this rant is that security will remain horrible until we start teaching people to write securely in the first place.

    --

    ~~~LXT~~~
    Life is like a computer program: anything that can't happen, will.

    1. Re:Security: start in education by Kidder · · Score: 4, Funny

      A professor's code is not necessarily the best code in the world. I had a professor who used gets() in the example code he gave us and I had to explain the difference between fork() and vfork() to him (well, not much of a difference anymore...) I had another professor whose code had a MAJOR memory leak in it. I politely emailed the professor about it and he replied to the entire class with the memorable phrase: memory leaks are not important anymore.

  11. Performance and C by Tom7 · · Score: 4, Insightful


    I don't agree with your assessment that safe high-level languages necessarily perform badly. (What is the difference between speed and performance?) But, let's forget about that.

    What is "OS-level" about an ftp daemon? BIND? Mozilla? Gnutella? All sorts of network (and other) applications are written in C, even though there certainly isn't any need for performance or device-level bit manipulation. (At least, I would place security way above performance!)

    Cyclone is actually from Cornell, by the way. It's a good project for moving systemsy people away from C, but there are already mature programming languages that are not slow, and yet are secure by default. (Try SML or O'Caml, for instance.)