Classic Computer Vulnerability Analysis Revisited

redtail writes "The original authors of the classic vulnerability analysis of Multics have revisited the lessons learned almost thirty years later. Their new paper, along with the original vulnerability analysis is published here by IBM. The original vulnerability analysis inspired the self-inserting compiler back door described by Ken Thompson in his Turing Award Lecture. "

How little has changed

[cybaz]

It's disappointing to see that a computer security paper written 30 years ago is still relevant today.

Re:How little has changed

[Theodore+Logan]

It's disappointing to see that a computer security paper written 30 years ago is still relevant today.

Indeed it is. However, if I recall correctly (the link is slashdotted, so I cannot check) the whole point of the paper is that this is a security "hole" (actually, it's not really a hole in itself, but more of a way to ascertain that a hole is not discovered) that cannot be closed. It describes a way of inserting a trojan into a program without it being visible in the source; the bottom line being that you can never trust code you didn't write directly for the machine, from scratch, yourself. And if this sort of bug was implemeted at hardware microcode level, you could not even trust writing directly for the machine.

That summary does not make the paper justice. Read it yourself when someone has posted a mirror. It's fascinating, simple, and absolutely brilliant.

Re:How little has changed

[Squarewav]

It's disappointing to see that a computer security paper written 30 years ago is still relevant today.

well computers havnt changed much in 30 years, least on the hardware lvl anyway sure theres faster have more ram and hd, but on the most basic level they still run the same, they require software to be compiled with the need bootstraping code to get the program running, software tech has grown leaps and bounds, but how the software talks to the hardware hasnt changed much

Re:How little has changed

[Qrlx]

I don't think it's disapppointing. Sun Tzu's

• Art of War

is still relevant thousands of years later.

Some people just hit the nail on the head, that's all.

I see an opportunity for IBM

[DaphunK]

It would be a great opportunity for IBM to look back on its roots and develop another OS that is built for security from the ground up. Too bad the price for that would be ungodly. They could have a new OS platform that would be innovative, yet built on the ideas that got IBM to where they are today. I would honestly like to see ANOTHER alternative to Microsoft/UNIX/ and yes, Linux. Although I am a true believer in old school UNIX, I would like to see a new platform that is interesting, bullet-proof, and innovative. Anyone else? j

Re:I see an opportunity for IBM

Although I am a true believer in old school UNIX, I would like to see a new platform that is interesting, bullet-proof, and innovative.

BeOS was it, and all you fucking geeks ignored it.

Re:I see an opportunity for IBM

[slavemowgli]

A mixture of OpenBSD and AIX? :)

Re:I see an opportunity for IBM

[baldass_newbie]

Plan 9 from Bell Labs.

Have fun.

Re:I see an opportunity for IBM

[DaphunK]

BeOS had it's own problems that were unrelated to the operating system. BeOS had/has potential, but a better business plan would have helped. Perhaps marketing to us geeks ;) I don't know, but they were at least on the right track with the OS.

Re:I see an opportunity for IBM

[windex]

They marketed to marketoids. Music/graphics/shit in BeOS was aimed at music/graphics people and not general purpose geeks. That was the problem, I always liked BeOS but the closed source BeOS after years of opensource *NIX clones proved to be the major downfall for me.

Re:I see an opportunity for IBM

Well Microsoft is working on its patented Palladium system. Is that enough security for you, or does this innovative technology need to come from IBM?

Re:I see an opportunity for IBM

[DaphunK]

IBM was the one considering the security vulnerabilities from 30 years ago. I suppose it really wouldn't matter who the producer is. In keeping with the subject, IBM was the producer of these reports.

Re:I see an opportunity for IBM

have you considered plan 9? its quite advanced.

Re:I see an opportunity for IBM

[Monkelectric]

Speaking as a music geek, BEOS never attracted a single high end music application (Cubase, Cakewalk, Logic etc).

They had a real opportunity at the time to, audio under windows NT wasnt possible (crappy driver model/support), 95/98 was unstable (and dont get me started on macs). *EVERYONE* was looking for a new platform and the consensus was "if it works we'll buy it". If they had gotten any one of the 3 major sequencers on BEOS at this exact moment, they would ahve ruled the roost. But when Win2k came out and was stable, the window of opportunity closed, and thats how BEOS lost the music industry.

Re:I see an opportunity for IBM

I still to this day fail to understand this supposed legendary instability of Windows 95 and 98.

Did Windows 95 and 98 ever crash on me? Sure -- occasionally. More often than not every instance of instability was the result of faulty hardware or drivers but there were plenty of instances where the cause of the crash was a poorly written application or other unknown component and thus reflects poorly on the underlying 95/98 OS design which stressed backwards DOS hardware level type compatibility via direct hardware access over NT's security/HAL.

Of course, I used Windows 95/98 as it was intended to be used and didn't leave it running 24/7 so I'm sure that to some degree that helped make those two OS's look inheirently a bit more stable than their underlying designs would allow.

Windows ME, OTOH, I have yet to meet one person that had Windows ME on a non-OEM system that has anything good to say about it in the stability department. I'm glad I never had to work with that particular abomination.

Now on to Windows NT. Everyone that dares to not tow the "all M$ OS's sux0rs" party line on /. pretty much says Microsoft got things right with W2K. I disagree, I had been using NT 3.51 and NT 4 for years and never had any problems (once again making an exception for faulty hardware/drivers). These OS were out for years before Windows 2000 was released and yet hardly anyone ever mentions the stability of those operating systems.

I can understand where high end music applications would run poorly under NT 4 -- but Microsoft had a decent, stable operating system years before Windows 2000.

Re:I see an opportunity for IBM

[Zeinfeld]

Plan 9 [bell-labs.com] from Bell Labs.

Plan-9 was not designed from the ground up and certainly not for security. Plan-9 had some features beyond the UNIX core but it was certainly not a clean sheet of paper job. The first version even came out with the typesetter and games programs that were long since obsolete under UNIX.

The only O/S that I know of to be designed 'from the ground up' since VM-UNIX came out is Windows NT. UNIX was started before VMS but did not leave the research lab until after VMS launched. OS-X is simply a merger of NeXTStep and Mac-OS.

Windows NT the operating system is designed from the ground up to meet the Orange book B2 security requirements. That statement means less than it might when you find out what B2 means, i.e. almost nothing relevant to the real world. A B2 O/S cannot be connected to any sort of network and remain B2 secure, still interested?

The point is that design of the O/S is irrelevant unless the applications are also designed to be secure. There have been remarkably few security compromises of either UNIX or Windows NT, almost all the bug reports are in the layered applications. Take Outlook off Windows and Sendmail off Unix and the stats look oh so much better. Ten years ago I had a flame war with Eric Altman which later made it to the UNIX Hater's list, basically he said that he had finaly got a grip on the bugs and I pointed out that he still had no process and no clue when it came to security. Guess what, he still hasn't.

There are plenty of good replacements for sendmail that do not introduce arbitrary Turing complete languages for arbitrary purposes. Unfortunately the UNIX world simply won't use them.

There is a company working on a secure O/S, it requires secure hardware and is codenamed Palladium. You still want more security?

Re:I see an opportunity for IBM

j00 sUx0rs! M$ fanb0y! Linux rooles!

Re:I see an opportunity for IBM

[Trepalium]

Then by your own description Windows NT wasn't designed from the ground up, either. Bits of Windows 3.x and BSD protocol stacks made it into NT. No modern OS has ever been developed secluded from the outside world. BeOS also shares many features, but not all, with UNIX OSs. Realtime and embedded OSs are probably the only ones that are even close to have been developed in a vacuum.

As for Sendmail: Yes, there are lots of more secure replacements for sendmail, but most have far few features. The few that don't suffer from the lack of features suffer from sucky licenses. Such as Dan Bernstein's license on all his software, where he's anal retentive about the directory structure and exact functionality of any binaries produced. Many replacements are licensed under the GPL, which many companies still fear. The same is true of DNS, and the venerable BIND. It's still vulnerable to attacks much as it's always been, and although you no longer need to run it as root constantly, there's still potential for trouble.

Re:I see an opportunity for IBM

[redtail]

"A B2 O/S cannot be connected to any sort of network and remain B2 secure, still interested?"
Not true. The network connections simply must be part of the defined security architecture. The DOCKMASTER system ran B2 Multics with Internet connections and was trusted by many commercial vendors to protect proprietary information they were sharing with Government evaluators.

Re:I see an opportunity for IBM

Lucent changed the license in the most recent release of plan 9, it has an "all your base are belong to us" clause that effectively kills it deader than CP/M.

It's a tragedy, but not a surprise. Hopefully the ideas and power of plan9 will re-born in a GPL system a some point in the future. The sad part is, even 5 years from now plan 9 of today will still be cutting edge and futuristic.

Re:I see an opportunity for IBM

Come again? What did it do to make it more secure other than not have any apps or any services or a robust networking stack or anything to make it desirable to use?

Re:I see an opportunity for IBM

[jbolden]

I'm not a security expert but I believe there are configurations of Z-OS (formerly MVS / S390) which are B security.

Re:I see an opportunity for IBM

[Zeinfeld]

Then by your own description Windows NT wasn't designed from the ground up, either. Bits of Windows 3.x and BSD protocol stacks made it into NT.

The TCP/IP stack is not part of the NT kernel, nor is it a security subsystem. Microsoft used the reference code released in NET2 under BSD license.

The design of the kernel is designed to support B2 level security without multi-ring security support in the processor.

Re:I see an opportunity for IBM

[Zeinfeld]

"A B2 O/S cannot be connected to any sort of network and remain B2 secure, still interested?" Not true. The network connections simply must be part of the defined security architecture

Which the Orange book gives no information on the analysis of.

If you take Orange book seriously then a B2 computer can only talk to other B2 computers...

Re:I see an opportunity for IBM

BULL$H!T Windows NT is NOT B2 compliant
NT 4.0 is the latest NT version security ceritfied and it only rates C2 ( Without a floppy drive installed and all screen savers disabled )

Re:I see an opportunity for IBM

[Zeinfeld]

BULL$H!T Windows NT is NOT B2 compliant NT 4.0 is the latest NT version security ceritfied and it only rates C2 ( Without a floppy drive installed and all screen savers disabled )

I said that they designed WNT to be B2 compliant, not that the B2 compliant configuration would be worth anything, VMS was not any use in B2 config either.

It would be kinda suprising if anyone continued to work on Orange Book certification now it has been replaced by the Common Criteria.

There is not a tremendous incentive for anyone to get CC certification since the USGovt does not enforce the requirement in most procurement

Re:I see an opportunity for IBM

[redtail]

Again, not true. A B2 system can have single level devices and multilevel devices as described in the Orange Book. A single level connection to a untrusted system is quite simple and practical, and consistent with taking the Orange Book seriouisly. Yes, a multilevel connection would require labels and a basis for believing labels (e.g,. connection to another evaluated system). If you need help with the engineering of it, refer to the TNI.

Re:I see an opportunity for IBM

[Trepalium]

The design of the kernel is designed to support B2 level security without multi-ring security support in the processor.

Okay, I have to admit this statement has confused me somewhat. Are you saying that NT doesn't use the security ring support of processors (it does), or that it could be made not to (which I can't see working). Most .sys drivers, and the kernel all run in Ring 0 on x86 processors, while apps, and printer drivers are segregated at Ring 3. Without the use of the rings, NT could not protect itself from corruption, or the corruption of any other program, and would be just as unreliable as Win95 or Win31. Short of building a sandbox VM like the JVM, I fail to see how a secure OS could exist without the use of a processor's privilege rings.

I have to wonder why Intel chose to use 4 rings, especially since no one ever really uses anything other than ring 0 and ring 3.

Re:I see an opportunity for IBM

[Zeinfeld]

Again, not true. A B2 system can have single level devices and multilevel devices as described in the Orange Book. A single level connection to a untrusted system is quite simple and practical, and consistent with taking the Orange Book seriouisly. Yes, a multilevel connection would require labels and a basis for believing labels (e.g,. connection to another evaluated system). If you need help with the engineering of it, refer to the TNI.

Yeah, yeah, if you take a legalistic view you can kinda sorta say you are compliant, perhaps but in the process you have pretty much demonstrated why B2 and Orange book mean very little.

There is a reason the guidelines are generally considered obsolete.

I remember reading through the guidelines with Ron Rivest and someone pointing out that the guidelines state that cryptographic enforcement mechanisms don't count. Ron summed up the response of the room by calling the requirement 'disappointing'.

The point is that evaluation criteria are only a guide to the security of an O/S, particularly when ther criteria fail to consider major developments since they were written - e.g. networking.

Windows NT was written to be B2 secure and does provide a pretty good foundation for secure applications, that has not prevented the terminally clueless from building what they have on top.

Re:I see an opportunity for IBM

[oh]

The point is that design of the O/S is irrelevant unless the applications are also designed to be secure. There have been remarkably few security compromises of either UNIX or Windows NT, almost all the bug reports are in the layered applications.

I'm not trying to score Linux/NT points, this is a serious question.

I though there was a design flaw in NT that permitted a locally logged on user to gain local administrator access. I can't find a link, but it is something to do with DLL injection. There is a utility called hk.exe that uses it, and I think there L0pht crack 3 also used the same method.

Owen.

Isn't publishing vulnerabilities illegal?

I thought the point of the DMCA was to let technology move faster by encouraging companies to leave their systems unsecure and making it illegal to discuss and exploit the vulnerabilities instead.

Thirty years from now

[slavemowgli]

This kinda makes you wonder how today's security problems / vulnerabilities / exploits will be viewed in 30 years from now, and how these views will differ from today's.

Er, uh, not exactly

[baldass_newbie]

With the growth of individual workstations and personal computers, developers concluded (incorrectly) that security was not as important on minicomputers or single-user computers. As the Internet grew, it became clear that even single-user computers needed security, but those ill-founded decisions continue to haunt us today.

Big shock. AC does not read article. Weakly attempts a troll.

Alan Turing?

[DigitalCrow]

Is this award named after the A.I. theoretician? I remember reading up on him while taking notes of William Gibson's Neuromancer.

""Wintermute is the recognition code for an AI. I've got the Turing Registry numbers. Artificial intelligence."

Can anyone recommend any good books on the subject?

Re:Alan Turing?

The award is named after Albert Turing.

Re:Alan Turing?

[BigGreen03]

Yes! Do you want books about him or his contribution to CS? If you read Sipser's Introduction to computation you can get a lot of info about Turing Machines which are perhaps the backbone of all computing. Thats if you follow graph theory well. Books about his life I'm a little less knowledgeable about, I'd try the local library, bound to have something. I do know he was influential in the WW2 post WW2 period and I believe he committed suicide because he was unaccepted in society for being homosexual.

Re:Alan Turing?

[BigGreen03]

Alan Turing The award is named for Alan Turing. Go to the ACM website (they issue the award) if you don't believe me.

Re:Alan Turing?

[Usquebaugh]

There was an excellent docu film done on his life. http://us.imdb.com/Title?0115749

Re:Alan Turing?

[BigGreen03]

http://www.wikipedia.org/wiki/Alan_Turing
http:// www.acm.org

Links missing in my previous post.
Preview wasn't working...

Re:Alan Turing?

[Chexsum]

Albert Turing - yeah pull the other one, it jinlges!

Hippy!!!

Re: Alan Turing?

[Black+Parrot]

> Is this award named after the A.I. theoretician?

s/A.I. theoretician/computer scientist/

He did have an influence on AI (cf. "Turing test") and on the more general concept of intelligence-as-computation (whether natural or artificial), but we generally think of him for his more fundamental contributions to computer science (cf. "Turing machine").

Re:Alan Turing?

[Theodore+Logan]

You learned about Turing from a Gibson novel? Is this a troll? I am suddenly overcome by a strange and unusual desire to yell something that usually confronts newbies in #linux on undernet when they want help installing Mandrake.

But I will resist it. I don't know what you mean by "the subject," so I'll try different angles.

For a biography, try Hodges' Alan Turing: The Enigma. I've not read it myself, but it has been very well received.

For an intro to some of his most influential ideas, try Introduction to the Theory of Computation by Sipser (the easiest book on the subject I've come across, but might be too hard anyway if you have no background in math or CS).

For his ideas on AI, see his original paper from 1950, which is now since long available online.

Also, you could just do a Google search (and should! Resorting to this kind of off topic questions is usually only defensible when finding information is hard).

Re:Alan Turing?

[Kieri+Phelan]

And if you absolutely need to learn about Turing from a novel, then I suggest Neal Stephenson's Cryptonomicon.

Re: Alan Turing?

[sielwolf]

s/A.I. theoretician/computer scientist/

actually, shouldn't that be s/A.I. theoretician/biologist\/cryptogropher\/computer scientist\/mathematician? I know he was originally a biologist by trade and then was better known for his Bletchley Park which was related to his CS theory but in a more Von Neumann sort of way.

Re:Alan Turing?

[rpg25]

Yeah, but.... While I love Cryptonomicon it was written well past the time of Turing's life and seemed, at least to me, to have a relatively chirpy view of what it would like to be gay at that time. The Hodges biography is much better about that, although possibly inclined to view too much of Turing's life and work through that lens.

...last few lines conclude it well

[jukal]

..."Unfortunately, the mainstream products of major vendors largely ignore these demonstrated technologies. In their defense most of the vendors would claim that the market-place is not prepared to pay for high assurance of security"...

..."In our opinion this is an unstable state of affairs. It is unthinkable that another thirty years will go by without one of the two occurrences: either there will be horrific cyber disasters that will deprive society of much of the value computers can provide, or the available technology will be delivered, and hopefully enhanced, in products that provide effective security. We sincerely hope it will the latter".

Poll: what might they refer to with these "major vendors". Sadly, I think that is very true. These "major vendors" are digging a huge hole behind the average users by just kludging together cheap fixes when the system is fundamentally wrong. As result, many will be in deep - unkludgeable - %&t in some 5-7 years when the system collapses.

Re:...last few lines conclude it well

"It is unthinkable that another thirty years will go by without one of the two occurrences: either there will be horrific cyber disasters that will deprive society of much of the value computers can provide, or the available technology will be delivered, and hopefully enhanced, in products that provide effective security. We sincerely hope it will the latter".

"horrific cyber disasters"

Hahaha!
I should be noted that it is in the best interests of engineers (software designers included) to profisis doom and gloom. Its called job security.

"what might they refer to with these "major vendors". Sadly, I think that is very true. These "major vendors" are digging a huge hole behind the average users by just kludging together cheap fixes when the system is fundamentally wrong. As result, many will be in deep - unkludgeable - %&t in some 5-7 years when the system collapses. "

Hmm perhaps you should look to biology and simple evolution to eliviate your fears. It has solced far more complex problems then anything a vendor or anyone for that matter could "design". like a heart or eyes or the human nervouse system. Its called conservation of utility. Esentially the same thing is happening with software design. These kludges you decribe are findumentally the same type of changes that occure in nature. Just minor changes over time. Trial and error keeping what is good and tossing out what is bad. You would be suprised at how similar the chemistry is for such differning things as photosynthisis and the rods and cones in your eyes. Nature just takes what is readily available and changes it a bit to fit a new function...what you call kludge. It is no qouncidence that linux (which is one giant kludge) is more secure and reliable then windows (which was "designed").

hook

Re:...last few lines conclude it well

[jukal]

> Nature just takes what is readily available
> and changes it a bit to fit a new function...what you call kludge

...evolution...and nature...software business. Monopolies. End of of evolution. Luckily nature has survived of similar bottle-necks of evolution before, like an asteroid here and there. I actually agree with what you write, but you miss one big point - software business is - to a large extent - still driven by monopolies. And that enlarges the scope so that your evolution theory does not work anymore in this context.

Re:...last few lines conclude it well

[xphase]

These "major vendors" probably include Red Hat, SuSE, Debian, Sun Microsystems, SGI, IBM, FreeBSD vendors, OpenBSD vendors, NetBSD vendors, Microsoft and most other "vendors" of operating systems today. It may not be a popular opinion, but both Windows and *nix are insecure(others may debate which is _more_ insecure). Perhaps a system similar to plan 9 will become popular; perhaps new ideas will become a new _better_ system.

It will be interesting to see what the most common OS will be in 30 years.

--xPhase

Re:...last few lines conclude it well

[shess]

Or maybe the poster's evolutionary theory simply doesn't work because we don't want to wait 100 million years for secure software to happen.

Re:...last few lines conclude it well

[ch-chuck]

there will be horrific cyber disasters the system collapses.

You mean like Y2K???? Pfft, predictions of the electronic apocalypse / armeggedon always amuse me. In 5-7 year there will probably STILL be people using Windows 98SE, vendors are STILL selling them, Msft is STILL making them available because it STILL brings in cash.

Re:...last few lines conclude it well

[jukal]

> In 5-7 year there will probably STILL be people u sing Windows 98SE, vendors are STILL selling them

exactly. And the most amusing part is that the Windows 98 will be much more secure than the latest version. You fail to see my (very weak?) point: currently, every kludge added to windows for example - as an instant fix for a vulnerability - further weakens the package in the long run.

Re:...last few lines conclude it well

Poll: what might they refer to with these "major vendors". Sadly, I think that is very true. These "major vendors" are digging a huge hole behind the average users by just kludging together cheap fixes when the system is fundamentally wrong. As result, many will be in deep - unkludgeable - %&t in some 5-7 years when the system collapses.

You, Me, and everyone else who codes. very little coding is done with security in mind. This is what the whole "Security Built-in not Bolted-on" mantra is about. Microsoft may have a lousy track record for security, but that doesn't mean we should rejoice because our record is slightly less shoddy.

Re:...last few lines conclude it well

[Panaflex]

I think someone did try this... it was called Pr1me and it was quite an interesting system... to say the least. Full hardware protection, with ACLs and very restricted socket system.

I know that the BLM (Bureau of Land Management) used it. I worked on one at college.

The "unix" compatibility mode was anything but though.. and the C compiler was written by a chimp.

Pan

Re:...last few lines conclude it well

[jbolden]

I have to disagree. I think the average user is getting pretty much the security : cost trade off they want. Any time a customer actually has to pay extra for security features you see pretty fast how little they care about security. Security in the sense of this paper, being resistant to knowledgeable determined insiders acting as hackers; could easy multiply by 5 the IT budget. That is would easily throw most companies annual budgets well into the red. Quite simply the data that would be stolen is likely worth far less than the cost of protecting it.

People pay lip service about security because its without paying lip service they could get sued. But few agencies care. AFAIK from news stories things like FBI counter intellegence (which are about the most likely places imaginable for a knowledgeable determined attack) don't really have this level of security in place. Lets say 200 computers in the country are setup with that kind of top to bottom security; my guess is that these are the 200 which probably deserve top to bottom security.

Uhhh... Multics?! Yeah, there's a lesson there...

[theonomist]

Isn't Multics the legendary debacle that never turned into a usable product? Wasn't it a Grand Unified Solve-Everything Architecture? Wasn't it some kind of apotheosis of top-down design and other Best Practices?

Right! So, lesson number one from Multics is this: Don't do it that way. That, in fact, is the only lesson to be learned from Multics. You want more detail? Shoot the academics if they dare set foot off campus. Tucked away in their offices honing their algorithms, they do useful work -- but you can't ever, ever, ever let 'em influence the design of anything bigger than an algorithm.

Multics was the Java of operating systems.

What?

[GreyWolf3000]

1) Windows *is* insecure, as many here point out. Those who know what they are talking about are not bitching but discussing. Those who don't have a clue are trolling. They are hardly the majority.
2) *Nix can also be insecure, depending on the software, and more importantly the skills of the person running the show. However (next point),
3) The article is *not* an OS comparison.
4) The article is *about* security flaws.
5) Most anti-"M$" security complaints here are regarding how Outlook automatically allows binary attachments to run unauthorized (and there are no priveleges to prevent anything).
6) The parent posted as an AC.

Re:Heh

[Eric+Damron]

"Funny how you guys bitch about how insecure Windows is .. yet I note with interest that it is not mentioned a single time in this report."

By now I think it is just understood. :-)

Re:Uhhh... Multics?! Yeah, there's a lesson there.

[brunes69]

Multics was the Java of operating systems.

What do you mean by this? Do you mean Multices was originally an operating system marketed for web interoperability but eventually found its foothold in the server application arena, and is now very sucessfull both in this regard as well as a web application platform? No? Didn't think so.

Re:Uhhh... Multics?! Yeah, there's a lesson there.

[Usquebaugh]

Hmm, I think you better run off and get back to class. Kinder garden class that is.

Look up the history of Multics. What came before Multics?

Re:Uhhh... Multics?! Yeah, there's a lesson there.

Yes indeed! Multics was the "Java of operating systems." Later, it evolved into UNIX, and still later into Linux. Some of the old multics commands still work, essentially the same, as the original multics commands.

Multics could well and easily competed with any commercial system on the market -- however,
GE, Bell Labs, et. al. sold the multics system (and the GE computer business) to Honeywell in the early 70's. As a former Honeywell IS employee let me again assert a quote about Honeywell -- "Never underestimate the ability of Honeywell management to snatch defeat out of the jaws of victory."

Cat out of the bag!

[General_Corto]

This Research Report consists of two invited papers for the Classic Papers sectoin of the 18th Annual Computer Security Conference (ACSAC) to be held 9-13 December 2002 in Las Vegas, NV. The papers will be available on the web after the conference at http://www.acsac.org/

Uh, it appears that they're already on the web.

Re:Cat out of the bag!

[hwyguy2]

The papers may be posted, but you should still come and attend that session at the conference, for there you can get the full give and take.

[I'll also note the full program is up for the conference, so you can see what other papers, sessions, and tutorials we'll be having. The conference web page is www.acsac.org]

Daniel

The more things change...

The more they remain the same...

I'm amazed at how many simple problems we've failed to eliminate in the past 30 years. This 'false' laziness is perhaps one of the biggest enemies of security.

Wrong.

[Animats]

Multics was one of the best operating systems ever in terms of reliablity and security. Go read the papers. People are still reusing basic ideas from Multics, like good CPU schedulers. Ease of use was mediocre, but then, this was ten years before DOS.

The big problem was that Multics was tied to a specific model of General Electric computer with custom security hardware. GE built some good early time-sharing systems in the 1960s, but sold off their computing business to Honeywell in the 1970s. Honeywell never marketed the Multics product line seriously, because it competed with other product lines that sold in bigger volume.

Re:Wrong.

[Citizen+of+Earth]

Multics was one of the best operating systems ever in terms of reliablity and security.

If it never saw the light of day, then this statement is definitely true.

Re:Wrong.

Honeywell never marketed the Multics product line seriously, because it competed with other product lines that sold in bigger volume.

Hmm, now why does that sound so familiar?

Re: Wrong.

[davecb]

Sorry lad, but it saw the light of day. As recently as ten years ago there was an ad in the Toronto paper for a Multics person for Bell Canada. Bell, it seems, preferred it to Unix...

--dave (DRBrown.TSDC@Hi-Multics.ARPA) c-b

Re:Wrong.

According to my OS prof, Multics was practically dead on delivery because it was ten years over-schedule. But the concepts developed for it went on to become the basis of modern Unix. Unfortunately Microsoft, has only starting seeing fit to integrate these concepts in the last 5 years or so and they have a long ways to go (things like pre-emptive processing, resource management handled by the OS instead of the program, limiting user rights, etc).

Re: Wrong.

[Animats]

NSA ran DOCKMASTER, their external-access system, on MULTICS until 1998. The hardware was donated to the Computer Museum after its retirement.

Re:The earth is round.

Erm a circle *IS* a flat 2D shape. Only a sphere is 3D You cant just infer sphere from circle...

You've just countered your own argument...

Re:Uhhh... Multics?! Yeah, there's a lesson there.

[Brian_Ellenberger]

>Isn't Multics the legendary debacle that never >turned into a usable product?

Nope. Multics begat Unix. Thompson took many of the lessons learned from Multics and used them in writing Unix.

Brian Ellenberger

Greek cosmology

[Latent+Heat]

C'mon, everyone with any education in the classical world knew the Earth to be a sphere. The controversy was about not having Earth at the center of things -- you know, the Copernican/Galilean/Keplerian cosmology.

Re:Greek cosmology

[jbolden]

Actually the classical world was split if we were at the center of things or if the sun was. The real controversy for Kepler... was that the earth didn't orbit the sun in a perfect circle but rather in irregular ellipse. A perfect circle implied a divine hand, an irregular ellipse looks more like chance.

DoD use of Multics

[Animats]

DoD used Multics for a long, long time. DOCKMASTER, the NSA's public access Multics machine, ran until 1998. They couldn't find something secure enough to replace it. Finally, Honeywell just wouldn't supply parts any more.

Self-inserting compiler.

[Black+Parrot]

> The original vulnerability analysis inspired the self-inserting compiler back door described by Ken Thompson in his Turing Award Lecture.

This is a nifty concept, but I remain skeptical that it would ever work in practice, at least for an open-source produce such as gcc.

For starts, the compiler would have to detect that it was compiling itself. I.e., if you compile your favorite flight similator and the resulting program is a compiler rather than a flight simulator, the game is up already.

But recognizing itself isn't going to be such an easy task. For instance, if it just compressed the input and compared the result to a saved target, you could easily defeat it by something as simple as changing the names of identifiers in the source code. (If the match was done on just part of the code, you would merely need to do global string substitutions on the identifiers.)

So AFAICT, the trojan would have to identify itself by looking at the structure or semantics of the source file. But that's going to be tricky too. If I add a feature to the compiler or fix a bug in it, recompile, and discover that the feature is missing or the bug is still present, the game is up (after a bit of vigorous head-scratching). So it looks to me like the trojan must not only detect structure or semantics reliably, it must also limit detection to a very small block of code, to reduce the risk that it will be modified and break the trojan. That block of code must be specific enough that the trojan is never triggered when compiling other programs, and non-arbitrary enough that no one will re-write it in a zeal of code clean-up.

And, as others have pointed out in the past, the trojan has no way of slipping past if you use another compiler to compile it with. Even with two untrusted compilers, you can get a clean compile so long as the two compilers don't support each others' trojans.

Re:Self-inserting compiler.

[Squarewav]

Its totaly posible to write a virus/trojan that can modify gcc so that no matter what you compile has a trojan atached that monitors keyboard input and broadcasts possible usernames and passwords back to a server, of corse you would need permession to write to gcc but it could still be done, by the time you notice you system broadcasting it could be to late, if your super parinoid security type person it wont happen to you but most people are not , hell most people run win9x or xp in single user mode

Re:Self-inserting compiler.

[The+Raven]

Skepticism is irrelevant... it *did* work. I believe it simply checked the name of the output file... if it was creating an output target called 'gcc' (or the equivalent, whatever it had back then) then it compiled in the hack. I do not know how robust it was, but from what I remember reading, it worked, so it was obviously robust enough.

Re:Self-inserting compiler.

[dan501]

So it looks to me like the trojan must not only detect structure or semantics reliably, it must also limit detection to a very small block of code

if I had to think of one task that a compiler would be good at doing in a small block of code (by resuing function already part of the source code of the compiler), that would probably be it.

I mean, if you were trying to build this same kind of back door into a video game, you'd have to write a language and semantics analyzer to recognize all the semantics and language structure. but hey, for this compiler backdoor project, we've already got a handy engine for just that task.

Re:Self-inserting compiler.

[Citizen+of+Earth]

For starts, the compiler would have to detect that it was compiling itself. I.e., if you compile your favorite flight similator and the resulting program is a compiler rather than a flight simulator, the game is up already.

I thought that he had made it so that if the compiler detected a certain special string in the source code that it inserted the trojan-horse code into the compiler-input stream. Not only is this extremely easy to implement, but it inserts the code at the right point in the compiler's source code even if other parts of the compiler are modified. And it should be pretty easy to make the trigger string unique and innocuous-looking.

So AFAICT, the trojan would have to identify itself by looking at the structure or semantics of the source file.

I believe that making a computer understand the semantics of a source file would first require solving the Halting Problem.

Re:Self-inserting compiler.

Not only did it work, but it worked so well that years later Ken was embarrassed that a system out in the wild had his trojaned login ("kent" I think)... somehow the code had escaped the lab.

Re: Self-inserting compiler.

[Black+Parrot]

> Skepticism is irrelevant... it *did* work. I believe it simply checked the name of the output file... if it was creating an output target called 'gcc' (or the equivalent, whatever it had back then) then it compiled in the hack. I do not know how robust it was, but from what I remember reading, it worked, so it was obviously robust enough.

There's a big difference between working for a demo and working in the face of active countermeasures by a well-informed security administrator. In the example you cite, it would be sufficient for the SA to rename the source file before compiling it.

Also, notice that I'm not offering "skepticism" as "proof" of anything. I am skeptical that it would work in practice for very long against even fairly trivial countermeasures, but you'll notice that part of my post was an analysis of what it would take to make it work in the face of countermeasures on the user's part.

It looks to me like the basic requirement is "a very stable block of code that is only used in this compiler". And the result is probablistic, since we all know what "very stable block of code" means in practice. But presumably you could hide it fairly well if you could limit both detection and trojanized output to a single function, so that arbitrary changes elsewhere in the code would neither give a false trigger of the trojan nor disable it during ordinary maintenance. But even then there could be detections, e.g. if I decided to hack gcc to write a Pascal compiler and got stangeness in the output.

What would be fun, as well as educational, would be to get volunteers to form a Red team and a Blue team, to see whether the Red team could design such a compiler that the Blue team couldn't trip up, and vice versa. I would probably bet on Blue, though that might depend on the details of the rules of the game.

Re:Self-inserting compiler.

[agurkan]

I think you are missing the point. This is more of a theoretical argument than a real threat. I am pretty sure none of the compilers I had used had this kind of bug. It is a very clever and sophisticated attack. And of course, it is hard to implement. The very interesting conclusion is, opensourcing cannot help this kind of attack. This attack moves the broken link in security chain out of the source.

It is not impossible though. Realize that if you are actually planning to attack someone by this method you must be a trusted party by your victim-to-be. You must be the party that provides the compiler, so you probably also have the manpower to implement this.

Your suggestion of discovering this during a patch can be bypassed very simply by putting the trojan code into initialization or cleanup part of the code which nobody would dare to change because it would break compatibilities.Also probably we are talking about a well established compiler that comes as the standard compiler with the OS itself. Those compilers have huge areas which are (believed to be) bug-free so will typically never be patched.

This kind of attack can be prevented though, by monitoring. "Secrets and Lies" by Bruce Schneier deals with this issue. If you cannot stop someone at the gates, you can always catch them inside :-)

Re:Self-inserting compiler.

[imnoteddy]

> The original vulnerability analysis inspired the self-inserting compiler back door described by Ken Thompson in his Turing Award Lecture.

This is a nifty concept, but I remain skeptical that it would ever work in practice, at least for an open-source produce such as gcc.

Before you dismiss the possibility, why not read Thompson's lecture?

So AFAICT, the trojan would have to identify itself by looking at the structure or semantics of the source file.

Yes, he did, in very clever way, which he explains. And his trick recognizes both the compiler and login command.

After descibing the trick, he goes on to say, "First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere."

Whether one could get away with this in gcc (or whatever is questionable, but at some point every compile must be done with a binary. So if the first binary on a system was trojaned, it is possible that future ones could inherit the bug.

Re: Self-inserting compiler.

[The+Raven]

Trojans and their ilk succeed when people do not know they exist. Do you go around renaming every source file? That's not as easy when you also have to rename every reference to it in the makefile and other related files. Making changes like the name of the output and input files can get annoying... why would you do it for EVERY compile you do just because MAYBE, just MAYBE, this compile contains a trojan based on the input filename.

The answer is that you would not.

Even technically savvy professionals can get taken in by a suitably complicated trojan. The saving grace usually is the fact that in this Internet age, we have instant communication disseminating known viruses, trojans, and hacks.

But even a savvy individual who keeps up on the lists could be the first dupe. Targeted hacks aimed at a single company are even more difficult, since no mailing list will tell you about a hack that is going to be used nowhere else but on your network. A network administrator cannot scan the source of every file from every thing that gets inside their network... assuming the source is available, assuming it is not obfuscated.

Would you refuse using a well known and useful tool just because you couldn't understand what one function did? What if that tool only activated and became a trojan if it detected YOUR domain on the local computer's reverse resolve?

There is no security.

Re:Self-inserting compiler.

[2000+Britneys]

I did not know one can run win98 ( and I assume win95, and ME) in multi-user mode. Could you please elaborate a little more on this subject plz.

Re:Self-inserting compiler.

[rgmoore]

Whether one could get away with this in gcc (or whatever is questionable, but at some point every compile must be done with a binary.

Not necessarily. It's possible to understand the code that goes into a compiler, so it's theoretically possible to step through a compilation manually by looking through the source of the compiler and the code it's trying to compile. Obviously your first target would be the simplest compiler you could write, which you could then use to compile something more complete like GCC.

Alternately, you could write a new compiler in a different language and compile the source using that. There's no perfect guarantee that this will protect you against a Trojan, but it can get the risk low enough to be acceptable to anyone but the most diehard paranoid. After all, what's the chance that somebody's Trojaned Java (or Perl, or Visual Basic, or Pascal, or Emacs Lisp) so that it will created a Trojan when it's used to compile gcc using your home-built C compiler?

Re:Self-inserting compiler.

[spitzak]

You are talking about the wrong thing. Such an infected compiler, if told to compile the compiler, would make a new program that had the keyboard monitor in it, but the new program would not have the keyboard-monitor *INSERTING* code in it. Using the new compiler might transmit your keystrokes, but would not infect other programs.

The trick is to recognize that you are compiling the compiler and insert the *inserting* code. You can also infect other programs (and copy this infecting code when compiling the compiler) but that is trivial once you figure out this hard part.

I agree with the original poster that this is interesting in theory but impossible in practice. I would expect it to quickly fail in that either the inserted code becomes non-effective, or the resulting compiler does not work or crashes.

Re:Self-inserting compiler.

[Squarewav]

I ment win98 or (winxp in single use mode) not that there was multi user win98

Re: Self-inserting compiler.

[oh]

There's a big difference between working for a demo and working in the face of active countermeasures by a well-informed security administrator. In the example you cite, it would be sufficient for the SA to rename the source file before compiling it.

The story I was told was that not only did it work while he was testing it, it tripped up people. He wrote this "bug" into the code, tested it, and then removed this version of the complier.

Some time later, one of his co-workers came up to him and said that they had noticed something strange with one of the programs they were building, and could he help them figure out what was wrong.

He was working on this on a system, and somebody else must have been logged on and compiling things. Some how the modified compiler was sitting on a system somewhere, and people were using it to write code. This was unintentional, but how sure are you that something similar hasn't happened to some one at RedHat, Mandrake, Microsoft, Apple, Sun, IBM, HP etc? :-) You'ld notice it if you were looking for it I'm sure, but have YOU ever looked?

Before you say this can't be done, this guy writes compilers by himself, which put him in RMS league. The person who told me this story (and he may have been embellishing this) worked closely with Ken Thompson, and would have had ample opportunity to hear the story first hand.

Re: Self-inserting compiler.

[Tony-A]

There is no security.

Sure there is. You do things so that the attacker has to pass everybody's scrutiny to get to you at the same time you compartmentalize everything so as to minimize potential damage.

One cheap shot is to just download from a random mirror. From a different system.
Another cheap shot is to NEVER blindly apply ANY purported patches. One uncrackable IBM system was cracked by leaving behind an official looking IBM patch tape.
Yet another cheap shot is to never have just one vendor.

A well-known and useful tool is extremely unlikely to be targeted at you. Something claiming to be that tool is much more likely, particularly if you can be targeted to receive the "special package".

Re:Self-inserting compiler.

[Kynde]

So AFAICT, the trojan would have to identify itself by looking at the structure or semantics of the source file. But that's going to be tricky too.

For a compiler? Really? Get real...

That block of code must be specific enough that the trojan is never triggered when compiling other programs, and non-arbitrary enough that no one will re-write it in a zeal of code clean-up.

You don't think that the GCC source base has enough such blocks that are relatively static as to uniquely identify it's GCC souce? Especially when the identifier is a compiler itself? Many Ansi C features haven't changed and for a grande part won't.

How much do you know about programming to begin with? Did you read the article? Did you understand it? Who the fsck moderated you up?

Re:Self-inserting compiler.

[armb]

> For instance, if it just compressed the input and compared the result to a saved target, you could easily defeat it by something as simple as changing the names of identifiers in the source code.

_If_ you thought there was a Trojan in there to defeat. Until Ken's lecture nobody had thought of it (or if they had, they kept quiet).

It wouldn't work _now_. Back when there was only one Unix, which had only one C compiler, used to compile the single login source, it could have worked. And apparently did.

Back doors

[ceswiedler]

Ken's back door program is most definitely the most interesting hack ever devised, IMO. Read about it here.

At the bottom, ESR claims that he "has heard two separate reports that suggest that the crocked login did make it out of Bell Labs, notably to BBN, and that it enabled at least one late-night login across the network by someone using the login name `kt'."

Re:The earth is round.

The book of Isiah dates to roughly 750-700 B.C. according to overwhelming scholarly consensus. God revealed to us that the earth was a circle(or sphere) over 700 years before the birth of Christ.

While it may be true that the earth was thought to be flat in the popular imagination, it was long understood by educated classes going back to some of the earliest seafaring civilizations that the world was indeed spherical.

Next time you pick a straw-man argument to pitch your faith, do us all a favor and pick a better one. In this case, your Liberty U. education is clearly showing.

Plan 9 seems really cool to me...

But the real question is:

Is anyone using it?

Is anyone seriously considering using it?

There's way too many wonderful, innovative technologies that never really get off the ground because of sociological adoption issues.

*Sigh*...

[theonomist]

Do you mean Multices was [blah blah web web blah McNealy marketing blah blah]...?

No, I mean it was a grotesquely overengineered fiasco which never had any practical use, just like Java. In both cases, the design was finalized before it was implemented. In both cases, hubris took over. Compare to successful operating systems like UNIX (or even Windows: Windows may be a dog, but people do at least find it usable), or to successful programming languages like C or that ugly little monstrosity Perl.

The verdict of history seems to be that good software designs start out relatively modest, and then they grow and change as people use them in the real world. Neither Multics nor Java was designed that way, and it shows.

Some people have found Java useful for some applications. So? That's also true of Smalltalk. It's true of batch files, for God's sake. Sun's multimillion-dollar advertising push has produced a resounding indifference among damn near everybody who actually writes code.

Java had two reasons for existing. One: Cross-platform binaries. That was a total failure. So they want us to use it on servers now -- where cross-platform binaries are irrelevant and the order-of-magnitude speed penalty of the JVM over native code is therefore totally unnecessary (yes, and Sun's marketing always did, and still does, conflate the AWT, the JVM, and the language itself, which is just plain annoying). Two: An OOP language with garbage collection and with a crude pretense of having no pointers. Well, okay, Point Two may have some value, if you've got a real low forehead and you can't cope with pointers or the delete operator, but it's not worth all that much in the end. Let's face it, pointers aren't hard to deal with. If you can't cope with pointers, you've got no business calling yourself a programmer anyhow. The "no-pointers" gibberish suggests that Java was aimed at the idiot market, but the idiots are saturated with Visual Basic already.

Java was a product of the reality-proof Internet hype of the late '90's. It was on life-support from day one. Let it die in peace.

Re:*Sigh*...

I am sorry Java was on life support from day one. Please. The Java platform, and along with it the Java language, has become an incredibly important part of most large corporate IT environments. It is often the default choice for writing custom applications within many businesses. It has spawned an entire group of companies dedicated to writing tools and components for server side Java. As far as pointers and the garbage collector goes it isn't an issue of my being able to deal with pointers, the issue is why should have to. The platform isn't aimed at idiots, it is aimed at people who want to develop code that is be used for business, as opposed to developing code to show the world how smart I am. Wake up and join the real world, Java is a tool to be used in the appropriate situation, just like C, C++, Perl, and every other real world language out there. Would I use Java to write a TCP/IP stack no, just like I wouldn't use C++ to write a web based purchase order system.

Re:The earth is round.

[Smelslykfish]

You shouldn't believe everything the teach you in school.

Compare: B begat C. C is not B.

[theonomist]

Ken Thompson stole some cool ideas from Multics, like for example command-line plumbing and a hierarchical filesystem.

Nevertheless, Unix was an entirely new and much less ambitious system. See Thompson's thoughts on the subject here.

Yes, AI among other things

[xenocide2]

Turing was an old computer theoritician, responsible for most of the foundations of computing, like the concept of a language to describe an algorithm more complex than simple standard algebraic symbols, and the "Turing Machine." Of course there were others in the field, like von Neumann. He was also noted for being gay during which it was not only discriminated against, but outright illegal. Finally, I believe there's a statue in England of him eating an apple; noteworthy because he committed suicide by eating a poisoned apple. Quite a morbid statue, huh?

Yes, he did come up with the original Turing Test but compared to his groundwork in Computers, the turing test is like a book of science fiction: somewhat innovative, but mostly inspired by other people's (Asimov) work.

Re:Uhhh... Multics?! Yeah, there's a lesson there.

Actually UNIX owes as much to the Berkeley Timeshring System developed for Project Genie running on the hacked SDS 930 that became the SDS 940 as it does to Multics.

The UNIX name pun and the command names like "ls" are Multicisms but fork() is from Project Genie

30 years?

[I+didn't]

The lecture was given in 1983...

Or am I missing something?

Re:30 years?

[sup4hleet]

The speec refernces a paper written in 1974 that describes the hack in greater detail and axpands on variations. The Multics article Ken referenced can be found HERE and the trapdoor he discusses is around page 52 or so.

Stacks

[Spazmania]

Third, stacks on the Multics processors grew in the positive direction, rather than the negative direction. This meant that if you actually accomplished a buffer overflow, you would be overwriting unused stack frames rather than your own return pointer, making exploitation much more difficult.

How hard would this be to integrate this into GNU C and Linux? As I understand it, growing the heap from the bottom and growing the stack from the top with the yet unused space in the middle is just a matter of convention. How much trouble would it be to reverse the two so that the heap grows from the top and the stack from the bottom?

Seems like it ought to be a simple patch to the most vexing class of security problems we all experience.

Re:Stacks

[dbrower]

two words: interrupts stacks.

-dB

Re:Stacks

[Crispy+Critters]

You don't need to reverse the stack direction. All the matters is that arrays/strings are written in the same direction the stack grows. In other words, leave the stack the same and write the strings backward. An overflow would run off the stack, and it could not overwrite the return address of the routine and force execution of malicious code. Instead, it would just run into empty space reserved for the stack.

It can't be that easy, can it? (It wouldn't stop all possible stack smashing attacks, but many.)

Re:Stacks

[oldunixguy]

There have been *nix systems with upward growing stacks. I worked on two (Perkin-Elmer's Edition VII, based on Version 7, and XELOX, based on System V).

There were several problems in making this work: (1) you need hardware support, (2) you end up fighting code that assumes stack growth is downwards.

WRT the first, on the PE hardware, the stack *had* to grow up, because the memory management hardware wouldn't give a proper interrupt if you ran off the bottom of a page in the middle of an instruction, but would if you ran off the top of the page. So there was no choice.

WRT the second, there was (and probably still is!) a lot of code in the UNIX utilities that assumed the order variables were put on the stack, and used that in figuring out when the end of an array had been reached. So even if it's trivial to add positive stacks to the Linux kernel, I'd bet you'll break an awful lot of applications.

And that's assuming you go to the trouble to modify the compiler to generate upward growing stacks, and recompile everything to get the new prologues/epilogues.

Ob-trivia: PE's computers were originally Interdata, which was bought by PE, which then spun them out as Concurrent Computer. Concurrent has gone through several iterations, and I'm quite certain the old systems are no longer sold.

Re:Stacks

[jstott]

Seems like it ought to be a simple patch to the most vexing class of security problems we all experience.

Addresses on the stack should not be executable in the first place. That's the real fix.

-JS

Re:Stacks

[Spazmania]

There were several problems in making this work: (1) you need hardware support,

OKay, so what are the hardware issues on an x86 platform as it pertains to a positive or negative growing stack? Are their particular instructions used to maintain the stack for which no positive-direction instruction exists?

Does the situation change if we use RISC machines instead of x86 machines?

(2) you end up fighting code that assumes stack growth is downwards.

Outside of compiler optimizations, I'd bet there isn't much of this out there. More troubling would be the slew of one-off errors that suddenly showed up due to the change.

Re:Stacks

[oldunixguy]

I don't know whether the x86 or RISC processors can support positive growth stacks. Haven't kept up on hardware architectures.

As for fighting code that assumes stack growth downwards, you might be surprised. Any time code compares an address to another address, assuming the order of the variables in memory, you've got a possible stack order dependency. I'm blanking an example (it's been almost 20 years since I worked on this stuff!), but there were definitely cases where several variables were declared on the stack, and then a comparison between a pointer and one of the variables would be used to determine whether the end of an array had been reached. Sort of like this (although it's not a positive stack example):

char *p, a[20], b; for (p = a; p < b; p++) { ... }

Depending on the stack growth direction, and the order variables get put on the stack, this might or might not terminate at the end of the array. Of course the right way to avoid this is using sizeof(), but I saw plenty of code that didn't do it correctly.

Re:Stacks

[Spazmania]

Addresses on the stack should not be executable in the first place. That's the real fix.

Half a fix: it doesn't protect the return pointer, so it can be used to bridge off into other code even if it can't be used to input arbitrary code.

Besides, there is already a patch for Linux which implements that.

Re:Uhhh... Multics?! Yeah, there's a lesson there.

The UNIX name pun and the command names like "ls" are Multicisms but fork() is from Project Genie

Some commands came from Project Genie into Multics and then UNIX. Ken Thompson's QED begat /bin/ed and his RUNOFF was the ancestor of nroff.

Re:The earth is round.

This merely refutes point 2, which may not refute point 1, but one that makes the +3 a joke. A claim based on manufactured evidence is not a +3 insightful comment, is it?

Not to put too fine a point on it, but your original post tends to confirm point 1 -- which I don't, btw, happen to agree with. Complaining about another idiotic post by responding with same merely adds even more weight to the assertion in 1. Whining about lame moderation doesn't help either. In fact, I think it would be better for Christians everywhere if you took a little hiatus from the Internet for a while.

Re:Uhhh... Multics?! Yeah, there's a lesson there.

80md! Glad to see you back in the habit! :)

At any rate, you speak the truth; those of us in the moral community have long known that academics are only good for three things: sociology, folk dancing, and guzzling expensive cappucino paid for by taxpayer dollars.

Re:Heh

Yeah right. He was trolling... The :-) couldn't possibly mean that he was joking!

I hate pdf

I tried to read it but after scrolling up and down over and over for a few pages thanks to that damn layout they chose I stoped after a few pages, why do people think that pdf is a good format for the web it doesnt scroll well, the font typicly look like crap, if your going to post pdf least have the damn sence to chose a one colom layout so you dont have to scroll and zoom constintly just to read it

Re:I hate pdf

[jbolden]

Buy a bigger monitor. Heck I was on a laptop and it read fine.

Technically, it's an Oblate Spheriod . . .

[ghibli]

Technically, it's an Oblate Spheriod, slightly flattened at the poles.

Pythagoras theorized in the 6th century BCE that the earth must be a sphere. However, those same "educated classes" continued to worship numerous astrological deities that today are recognized as false. But 200 years before Pythagoras, Isaiah 40:22 referred to the 'circle of the earth', using a Hebrew term 'chugh' which is defined as round or spherical object.

It is amazing that the Bible presented a scientifically sound statement, free from mythological ideas, thousands of years before the invention of UNIX . . . Quite amazing!

Re:Technically, it's an Oblate Spheriod . . .

Only faggots use BCE instead of BC

Oops . . . that's spelled SPHEROID!

[ghibli]

sorry!

And one other thing...

Training the college students of America to play video games when they should be taking a bath.

If the Montana Freemen can be tortured and killed in the Gulags of North Carolina while their once-brave children mindlessly vegetate in front of their Pong games (ATARI IS A JAPANESE ORGANIZATION! ATARI IS NEITHER AMERICAN NOR CHRISTIAN!), who, indeed, can claim to be FREE?

I love my country, but I fear the Coca-Cola corporation. Surely, God will provide.

Re:And one other thing...

It should come as no surprise that liberals are encouraging the children of America to gorge themselves on potato chips and fudge in front of all sorts of mindless and banal "video entertainment." Liberals cry crocodile tears as they endlessly blabber on about the "obesity epidemic" among our youth while at the same time promoting all the activities (or lack of activities) that have resulted in said "epidemic" in the first place.

The moral community knows why. Liberals eat children, and plump, rounded youngsters are far more tasty (and much easier to catch) than the physically-fit and God-fearing offspring of right-thinking real Americans. They pursue a culture of decadence, slovenliness, and sloth because they know that at the end of the day, it is the only way that they will get the delicacy that they so crave: the flesh of American youngsters.

Programming in PL/I for Better Security

[nutznboltz]

and it's just so straightforward too!

Re:Programming in PL/I for Better Security

[michael_cain]

Never trust a compiler that eats your source file:
105. The statement has been truncated.
120. An identifier or constant has been truncated.
149. Text was deleted from this statement.

Ah, I remember writing PL/I extensively on IBM mainframes. IIRC, the language could not be represented using any of the grammar types available at that time (as an example of the difficulty, there were no reserved keywords, "if" could be a variable name, and some people used it that way). The ad hoc parser in IBM's compiler did not like to give up, so when it got desperate it would delete text until it reduced the offending statement to something that would parse.

You had to declare all your variables in advance, and if the statement that got truncated happened to be a declaration, it would typically be followed by dozens of pages of error messages about using undeclared variables.

I did get my 15 minutes of fame when I found an error in the optimizer that caused it to emit illegal op codes...

Sort of BeOS meets Amiga, right?

They could write the kernel in LISP, or maybe Smalltalk. It could be a walking museum of really great ideas which somehow got left behind for no reason at all -- I mean, aside from the fact that they were shit. Yeah, that's one small point to consider, but really, all also-rans turn out to be shit in the end, don't they?

Look at Linux! The darling of Wall Street for three weeks, until everybody realized it was a toy operating system with no tech support, no QA, and no future.

If it can't survive in the marketplace, it's garbage. Charles Darwin never sleeps. IBM isn't going to bother writing this magic SnakeOilOS for you because they know perfectly well that they can't compete with Windows. IBM just can't make a product that good. They'd be fools to waste money trying. IBM is a business, not a charity. They care more about their obligations to their stockholders matter than they do about your bong dreams. Get that through your thick head, Beavis.

In fact, let me just say this right now: I am absolutely sickened, I am disgusted, I am nauseated by your whimpering welfare-mother demand for the moon on a platter. Are you offering to donate one instant of your time or one penny of your own funds to this foredoomed catastrophe? No, of course not. Even if you were so willing, your time is worthless and you have no funds to speak of. You're just sitting on your fat ass in a dorm room somewhere with a can of cheap beer in your hand, gnawing on cold pizza with congealed grease on your chin. And food stamps paid for it all! Listen up, you lousy, filthy, adipose, flatulent, pock-marked, verminous parasite: If this were a just nation, we'd feed scum like you to the wolverines.

Re:Sort of BeOS meets Amiga, right?

Now let's hear from someone who isn't a total idiot...

MAIN, MAIN

that's right, the backdoor will go in main(), all programs have main() in C/C++. The backdoor will be the first piece of code that executes when you run the program, so if you run the program and it doesn't see a compiler environment, it continues. Pretty simple.

Segmond

Re:MAIN, MAIN

The question is not where to put the backdoor, but how to detect accurately if you're compiling the compiler. How do you see whether or not you're in a "compiler environment"?

You ain't foolin', brother.

plump, rounded youngsters are far more tasty (and much easier to catch) than the physically-fit and God-fearing offspring of right-thinking real Americans.

It's more than just fleetness of foot, my friend: How popular is the Junior NRA in liberal hellholes like Cambridge, MA and Madison, Wisconsin? Don't make me laugh!

My children are armed and trained. They shoot straight and they know how to stay safe. Just let Susan Sontag or Marlon Brando come salivating after the tender little Christian delicacies I'm raising! They'll get a hollow-point between the eyes for their trouble. My little Lisa just got a new CZ .40 S&W for her birthday, and boy does she love that gun! She's like a kid in a candy store, shooting everything in sight.

God's been good to us, and as long as the youngsters keep their powder dry (and believe me, they will!), there won't be any leftist cannibals chowing down on my family.

Wrong, boycott them

[Billly+Gates]

WHy? Well first off they are first vendor to introduce pallidium. The proof is in the pudding. Here are some nice crippled laptops, with the ultra secure TCPA security subsystem clearly advertised. ALso here are some nice netvista workstations with the TCPA security 2.0 subsystem all nicely installed for the RIAA oops I mean your convience.

We all talk about HP comming out with drm pc's this christmass yet IBM has been selling them to the public for several months already! THe difference between the TCPA vs the Pallidium standard is that the TCPA has a protected boot sector. Meaning without a key you can not boot any other OS but WindowsXP. IBM is an enemy of Linux and should righteously be boycotted. They care more about the profits of software developers and hollywood then opensource.

A1

[Amazing+Quantum+Man]

What I found interesting was the reference to the Holy Grail... A1.

They referenced GEMSOS and a VMS variant as having reached that point. I thought it was only theoretical. Doesn't A1 cert require mathematical proof of security (as well as the usual auditing)?

Re:A1

[hwyguy2]

If you check out the Historical Evaluated Products List at http://www.radium.ncsc.mil/tpep/epl/historical.htm l, you'll see that quite a few products made it to the A1 rating:

• Boeing's MLS LAN Secure Network Server System
• Boeing's MLS LAN Network Component MDIA, Version 2
• Gemini's Gemini Trusted Network Processor
• Honeywell's SCOMP Version STOP Release 2.1

The BLACKER system also made A1, but wasn't a commercial product. The VMS varient was designed for A1, but I"m not sure if it ever completed evaluation (I don't see it on the EPL).

Yes, a mathematical proof of security was required, at least for the mandatory access control policy (folks typically didn't model DAC).

Daniel

Re:A1

[oldunixguy]

A1 requires a mathematical proof of the model, and also requires that you show conformance between the source code and the model. It's not easy, but it's not proving the code correct.

To quote from http://www.radium.ncsc.mil/tpep/epl/epl-by-class.h tml: "The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. In keeping with the extensive design and development analysis of the TCB required of systems in class (A1), more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported."

There haven't been many A1 systems: GEMSOS, SCOMP, and Boeing's MLS LAN are the only that completed (see http://www.radium.ncsc.mil/tpep/epl/historical.htm l for the full list of every product). The VAX project referred to in the paper never got the A1 approval, although it was clearly designed to meet the requirements.

Security tools

[cant_get_a_good_nick]

One thing I find missing for C programming is a generally accepted security tool. In the rush to get things out the door with new and whizbang features, little is done on security tools. This is true of both commercial and OpenSource environments. People still use gets, people still take things from the environment unsafely. Taintperl is great, why isn't there TaintC or the equivalent? Why is there not a single tool that has a database of past exploits and knows how to detect at least a subset of these? yes, I realize that a program can never replace a good set of eyes looking at a program, but I also keep my compiler warnings cranked up high to detect "I'm a dumb-ass" mistakes. Why can't we hook this into the optimizer, since it must do lexical and data analysis anyway? Get these mistakes caught early before they get stuck in released in the wild code. Why is sling still such vapor? AFAIK, they still haven't updated lint to work with C++ code yet, we're still in someways in the sticks and stones era of tools for programming.

And no flame wars on language choice, please.

Re:Security tools

[oldunixguy]

There are tools that find many of the exploits through source code analysis. For example, ITS4 (available from http://www.cigital.com) finds some, and RATS (available from http://www.securesoftware.com). Coincidentally, the ITS4 paper won the "best paper" award at ACSAC (http://www.acsac.org) a few years ago... the same conference where the Multics paper that's the subject of this discussion will be presented in December!

that's just the tip of the iceberg

[tomlord]

How many people contribute Open Source or Free Software to the world? How many opportunities have been created by the existence of successful, minimally reviewed GNU/Linux distributions for professional cracker community members to quietly introduce bugs? How many sites now run Red Hat, for example? How many of those installations are mission or security critical?

The security problems pointed at (ever so esoterically) in the cited articles are vast, serious, real, and pressing. They are made worse by vendors who persue dubious features and broken, overly complex architectures rather than remembering to KISS and empower customers to differentiate their installations and (especially in a disaster) manage their own source.

The good news: using plenty of available technologies and techniques to reduce the RISKS here can, as a side effect, radically improve the overall quality of the Free/Open Source software being vended these days. We need fewer, but much better features, managed by much better software engineering practices.

That (in my opinion), rather than panicing over security issues, is where our various corporate friends ought to focus in response to this and similar articles.

-t

Security bugs should be openly published

[Great_Geek]

Even then, they understood that bugs should be published openly. To quote section 1.3.1 "Concealment of such penetrations does nothing to deter a sophisticated penetrator and can in fact impede technical interchange and delay the development of a proper solutions. A system which contains nulnerabilities cannot be protected by keeping those vulnerabilities secret. It can only be protected by the constraining (sic) of physical access to the system."

Check out KeyKOS and EROS

[Wesley+Felter]

KeyKOS solved a lot of the problems this paper describes in the 80s, and its descendent EROS is solving them today (and open source, too!).

Unfortunately, in the 80s people were so infatuated with micros that secure timesharing wasn't a big market, and today people have been living with insecure systems so long they have stopped caring.

Price of security

[0x0d0a]

Unfortunately, the mainstream products of major vendors largely ignore these demonstrated technologies. In their defense most of the vendors would claim that the market-place is not prepared to pay for high price for high assurance of security

Keep in mind that the price to pay for security is often not simply a higher initial purchase price.

It can be in difficulty maintaining code. If you write something in Eiffel or SML, you avoid buffer overflow attacks on the stack, but you have a much smaller pool of programmers to hire from.

It can be in performance. Java is the most popular "safe" (array and pointer deref checked) language, but you pay a severe performance hit when using Java over C/C++.

It can be in convenience. I'm used to troubleshooting my system by just booting into single-user mode. If I was really secure, I'd have the bootloader passworded and an encrypted filesystem. But that's enough of an irritation to me that it's just not worth it.

And it's very difficult to get a good, objective overview of security. Most security analysts don't really know all that much -- they're working off their own biases and feelings as well. They tend to try to sell companies on one-time-cost, backed-by-a-big-name products like firewalls or expensive IDS systems, because that's what companies want to hear. Also, *so* many products are so insecure that it's really painful and can feel futile to try to secure a system -- you might fix one problem with your device only to find that an IC manufacturer that's one of your vendors has some testing mode that breaks all your security guarantees.

We need people willing to pay the price, a wider bed of knowledgeable security consultants, software written from scratch in a safe language, with strong constraints on it, components that one can build secure products out of, and a decade to put everything into place before we can really get secure products.

Not that hard

[devphil]

I remain skeptical that it would ever work in practice, at least for an open-source produce such as gcc.

The technique works fine and not difficult to do -- as long as it isn't GCC. And the rest of your post assumes that GCC is in use. (How many other compilers are out there which have source available (you mention changing contents of the source code) and are designed to be built by multiple arbitrary compilers (the GCC bootstrap mechanism)?

Of those, how may are meant to be modified by the user? (Where "meant" == "it's possible".)

So, reminding the rest of /. readers that most compilers in use are not gcc (unfortunately), we proceed:

Compilers that detect special semantics would be easy, because you don't know what the semantics are, only I do. My compiler can perform some completely useless action with no side-effects (i.e., you can't detect it), and while compiling itself, would a) realize that its own code is being compiled, and b) throw out the useless actions, like any other optimizing compiler would.

Remember that the special thing being detected doesn't have to be detectable at runtime, only at compile time. That opens the doors much wider.

So, use GCC and prevent this trojan. :-) Otherwise, yes, it's very possible.

YHBT YHL HAND

BigGreen03 & Chexsum, you are two A1 schmucks!

Facts, anyone?

[bensonm]

Multics had significant commercial success, both in secure timesharing applications in the US and in Europe. In the end, Honeywell placed its bets elsewhere, and Multics withered away. To those of us who worked in it, the sneering comments about 'top down debacle' are an ongoing demonstration of Gresham's law as it applies to information on the Internet. Ignorance is never, seemingly, an impediment to a smart-ass comment. Try using, perchance, a system in which all the command line arguments were consistent and predictable, and the command names were meaningful. Or, for that matter, a system in which the fundamental data access model was mapping into memory. Or in which there are more security domains than 'all-powerful-root' and 'everyone else'. Unix was born as an effort to get some approximation of Multics onto minicomputer hardware. It worked pretty well. The authors of Unix weren't too fond of our rather structured development process. They didn't need the security and reliability that we did all that work to try to get, and they did want heaps of functionality from unpaid grad students in no time flat. Over the years, many of Multics' ideas have slowly leaked back into Unix: dynamic linking, memory mapping, command args with names and not just letters, etc. No surprise: they were good ideas, and Unix has absorbed them as processor power, memory prices, and the slow pace of rediscovery of the wheel has allowed. There's quite a platoon of Multics alumni in the industry, applying the lessons we learned, good and bad, wherever we go.

Re:I am not first but,

I believe that you are the first.

Well done!

(/me reads at -1)

+ORC

[sweet+'n+sour]

Remember what he did? Disassembly was one important thing... reverse engineering being a more appropriate name for it.

Face it... if it was assembled, it can be disassembled. Once disassembled, the secrets implanted by a compiler or programmer are revealed. DeCSS is a good example of disassembly finding something hidden.

Worried about your login program being trojaned? Open it up in a disassembler and check near the login part of the code. Hell, open the program up in a debugger and just step through the code. That would trivially show you any "if password = backdoorpassword" statements. In many ways this is even faster than looking at the source itself. For those paranoid about the OS itself, there is even hardware you can buy that'll debug the os itself.

What really worries me isn't this kinda security issue... what worries me is not being able to legally look for these kind of security issues at all. (read: DMCA)

What's IBM's position on Palladium, I wonder?

[evbergen]

From the introduction of the new paper: "However, the bottom line conclusion was that 'restructuring is essential' around a verifiable 'security kernel' before using Multics (or any other system) in an open environment (as in today's internet)".

Paragraph 3: "We hypothesised that professional penetrators would find that distribution of malicious software would prove to be the attack of choice."

Dropped in as a random sentence in paragraph 5, without much relation to the surrounding text: "Multics source code was readable by any user on the MIT site, much as source code for open source systems is generally available today."

From the conclusion of the new paper: "In nearly thirty years since the report, it has been demonstrated that the technology direction that was speculative at the time can actually be implemented and provides an effective solution to the problem of malicious software employed by well-motivated professionals. [...] And customers have said they have never been offered mainstream commercial products that give them such a choice, so they are left with several ineffective solutions [...]".

If you look at what is actually being demonstrated in the original paper, is that a monitor is needed that governs every memory access, without bypasses. The new paper admits that the VAX was the first to have this, and of course all modern MMUs do exactly that.

So what's the big deal? Why was this published at this time? If you read carefully, you can correctly conclude that we don't need no steenkin' Palladium to get secure systems today; we already have all the hardware features needed. However, if you skim the new paper, you could be led to believe that Palladium is absolutely essential...

Re:What's IBM's position on Palladium, I wonder?

[bensonm]

This poster is completely correct. There's nothing magic about hardware. It's particularly hard to tamper with, and that's it.

If someone wanted to relaunch the Multics gate/ring inter-domain call mechanism on X86, (say, to give a meaningful alternative to setuid) I'd recommend against using the incredible hair-ball for the purpose built into the X86 architecture. You can't 'read the source' and it would take an immense amount of testing.

Instead, I'd suggest isolating a very carefully written and reviewed microkernel to take responsibility for validating inter-protection-domain calls and copying parameters.

Re:What's IBM's position on Palladium, I wonder?

[evbergen]

Actually, x86's architecture for call gates and segment descriptors isn't that bad. To some extent, they are always needed; even the Linux kernel (which uses only paging, no segmentation) has to supply correct code, data and stack segment descriptors, and has provide interrupt gates (very similar to call gates) for the syscall and hardware interrupts.

The only drawbacks is that you have only four rings and that it's non-portable as hell. But it's very well documented, and works, too.

A setuid program is the exact software equivalent of a call gate, BTW. You need a certain privilege level to use the call gate, and after that, the routine uses the (possibly higher) privilege level set by the call gate. Exactly the same as having a setuid program that's executable only by a certain group. It's a very common (and useful) concept in both hard- and software.

There's nothing fundamentally wrong with the concept of setuid programs on Unix; you use them to check untrusted input before submitting it to higher privileged programs that need to trust it. The problem is that a lot of setuid programs don't do their job of checking input properly, or worse, don't treat environment variables as untrusted input as well.

(Aside: I've sometimes thought that Unix' way to connect applications to devices (read/write, seek, ioctl, that's it) is still so successful because it mimicks the way a CPU is connected to periferial devices in hardware: a data bus, an address bus and a few out-of-band control lines.)

Re:What's IBM's position on Palladium, I wonder?

[bensonm]

Well ... The author has me dead to rights. If there's a complaint here, it's that Unix has only two rings (user and kernel), not that setuid is inflexible. I don't have any complaint, by the way, with the X86 system. My only point was that a significantly simpler system (e.g. that on Multics) is all you need burned into the chip.

Resource for the curious

[bensonm]

I hope not to get trolled for posting a reference that is probably not too hard to find on search engines. However, if any of the readers of this would like to see a much broader range of information on Multics, I can recommend:
The reference web site for Multics history

So wrong

So, use GCC and prevent this trojan. :-) Otherwise, yes, it's very possible.

How do you compile gcc? You build it from source using a binary of gcc and ...

Even gcc isn't safe.

Re:So wrong

[devphil]

How do you compile gcc? You build it from source using a binary of gcc and

When will /. get it through its skull that you don't have to use GCC to build GCC? And in fact, that most people don't use GCC to build GCC?

Re:So wrong

And in fact, that most people don't use GCC to build GCC?

Yaya, I also heard that Linux runs on non x86 hardware also. :)

It's a sliver of truth, so you win this one -- just barely.

Stratus VOS is still around

[alext]

About 1980 Paul Green and (I think) other multicians started a successful fault-tolerant computer company called Stratus, an effective competitor to Tandem. VOS, the OS, was clearly inspired by Multics and had, or rather has, a consistency and reliability unparalleled in Unix.

Its Multics traits include PL/1 as the systems programming language (actually a subset), transparent networking (attach to any device or file anywhere, rather like Apollo Domain), an ancient Emacs port (or clone?) and other useful features like a transactional file system with indexing.

Lots of these expensive machines were sold to banks and other demanding users in the late 80s, there are plenty still around and indeed they're still available.

The boxes were large and well engineered. Quality seemed to be taken very seriously since any crash was a major event - I only remember one OS crash bug in 6 years of working with them. Machines were connected via dialup to the service centre, and core dumps uploaded for analysis automatically (security settings permitting).

All items of hardware, disks, CPU, memory, networking cards were duplicated - except the real-time clock (!) monitored for failures. Any failed device would be removed from service and could be replaced while the system was running - 'go on, pick a board to unplug' demos were always popular.

Coming back to Unix after platform was a pretty rude shock. What horribly eccentric and buggy shell commands! Why does it keep crashing? In many ways I'd quite like to have one today, certainly something like Java would complement it quite nicely.

Re:Stratus VOS is still around

[bensonm]

Paul had a platoon of fellow Multicians at Stratus. For that matter, THVanVleck was a major force at Tandem.

Re:Stratus VOS is still around

[alext]

Right, of course, I met TVV in a later life so I should have remembered. Can't find a corporate history at Stratus.com though there is some at Tandem/Compaq/HP.

Re:Uhhh... Multics?! Yeah, there's a lesson there.

Multics was still in use in installations for high-security military use as recently as 1987.

When I did an '87 summer course on compiler design on the Stanford campus, one of my classmates was from a Canadian company that had taken over some portion of the software maintenance for it. I'm sure by that time they had a hell of a time repairing the hardware, but it was still in use.

They had also spent the intervening years on auditing the system for security and finding and fixing ever more subtle holes and privilege escalation problems.... Part of the moral should be don't ever assume you're done finding bugs, because you can always find some more.