Slashdot Mirror
DARPA-Funded Linux Security Hub Withers
mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."
If there is a bug in the kernel and nobody notices it, can we still flame Microsoft?
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
NOBODY showed up? I would think having a high Sardonix rating would be a nice piece of "hacker-street-cred", like a low /. ID number, or running Linux on a beowulf cluster of 286s.
You are not the customer.
Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.
I'm sorry, appreciation does not pay bills.
Well, maybe they needed a little more exposure, eh?
I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!
Oh well! Try try again...
Auditing is boring. If you've got the skills to audit, you'd probably be much happier writing the code yourself.
Whose time may eventually come. Part of the problems is, as the article mentions, the "Bugtraq" mentality - people are only interested in the flashy big bugs, not the little ones that "only" increase stability. The other problem seems to simply be one of logistics, which the web site apparently didn't sort out. People are already doing this, on a smaller scale. How to get it into a single group under this Sardonix name without duplicating effort? Still difficult. I'd look for it again, in another form, in a few years :)
It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.
Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?
Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?
They should have a volunteer review process to catch spelling mistakes...
One line blog. I hear that they're called Twitters now.
What size tin-hat do you wear? You might want to try a larger size.
-- You see, there would be these conclusions that you could jump to
I don't think so. The NSA released SELinux as source code, it has been reviewed by many people and adopted into the 2.6 kernel. It would be rather difficult to sneak in "hundreds if not thousands of pre-programmed exploits" into the Linux kernel.
Check the FAQ
True, but also true of most work being done for Free & Open Source software.
Just look at how many people got seriously enthusiastic about their SETI @ Home rankings. That doesn't pay the bills either, and it uses real electricity.
If they could just find a way to tap into _that_ enthusiasm. Maybe all they need to do is put up a bightly-colored blinking screensaver whenever someone found a bug . . .
I never said they "sneaked" anything into the code. I only suggest that they are aware that Linux is an easier OS for them to root than others, like the aforementioned OpenBSD.
They don't have to touch the code, in fact, for exactly the reasons you offer, it is best that they don't. But that doesn't mean they can't use their considerable CPU resources to catalog its vulnerabilities.
Is this truly the only Earth I can live on?
Your post was Classic misdirection. Also known as FUD.
Tin is a bit expensive and difficult to find these days; I would recommend using aluminum foil.
sardonic (sar-dnk) adj.
Scornfully or cynically mocking.
See Synonyms at sarcastic.
What size blinders do you wear?
It's so incredible, with all the evidence of government deceit and treachery all around us that we would still have people giving them the benefit of the doubt!
Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.
And you want to trust them to coordinate auditing open-source software? I can't imagine a more naive posture to take!
Is this truly the only Earth I can live on?
Where's the misdirection then?
If they have such considerable resources that they can catalog all the vulnerabilities of Windows and Linux systems, why go through the charade? They can just perform their calculcations heind the scene.
You sound like a typical paranoid nerd.
-- You see, there would be these conclusions that you could jump to
Here's what they were asking for: WANTED- Extremely experienced Linux coders, familiar with all aspects of security, to verify others undocumented code, so that the federal government doesn't have to do it themselves. Salary starts at 0 dollars per year. Benefits include- No health care No 401k
So they wanted people to do possibly the most tedious and unpleasant task in software engineering, over and over, for free, outside of the established (and frankly much more interesting, because they usually involve something besides solitary code reviewing) channels, and they're supprised they didn't get a flood of volunteers?
Not to mention the job is thankless, it's an infinite loop of paranoia and nit-picking.
code.insecure = true;
While(code.insecure) {
geek.paranoia++;
geek.review(code);
}
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
It's so incredible, with all the evidence of government deceit and treachery all around us that we would still have people giving them the benefit of the doubt!
I know! It's very exciting, isn't it!
Power corrupts, and absolute power corrupts absolutely, and our government is as close to wielding absolute power as anyone ever has.
I know! Who knows, they may even invent a device that allows them to maintain communictation even in the event of a nuclear war, allowing them to continue to assemble and attack some more !
And you want to trust them to coordinate auditing open-source software? I can't imagine a more naive posture to take!
Tell me about it! Letting them get their hands on Open-Source software where everyone can look at and review the code ! It's downright scary !
-- You see, there would be these conclusions that you could jump to
The question I have is this: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?
Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?
Thinking outside my Head
Ah give me a break!
As someone who has written open source software, I can tell you that there is no enthusiasm that you "tap into".
When you are an agency that is part of a department of the government whose budget is in the billions (or is it trillions?), no sane "enthusiast" is going to do jack for you for "appreciation", especially when you are a military organization...
But even if this wasn't DOD we were talking about, I find the assumption that people will perform valuable services for simple recognition just plain weird. People who think this way just don't get it - you want someone to do something for you, you pay for it.
When I feel like releasing code to the public is a good idea, I will do it, but don't think that I am some sort of an OSS monkey who jumps at every opportunity to work for free!
Read, L
So you assert that SELinux fixes trivial security issues...
I never asserted anything of the kind. SELinux is about implementing access control, which has little if anthing to do with enhancing the kind of security being discussed here, i.e., getting root.
: If there are hundreds of invisible exploits in the SELinux kernel, how are we to know that the same situation doesn't exist in OpenBSD?
OpenBSD has made a big deal about auditing its code, looking for all the potential vulnerabilities. Linux tends to be more focused on utility and performance. There may indeed (probably are) exploits they are aware of in OpenBSD, but since so much more focus in placed on security, their expectations may be that the window of opportunity is closing.
Furthermore, how are we to be certain that OpenBSD (oft touted as the most secure OS in the world, and I'll certainly grant it's one of the most secure out of the box OS's I've ever seen) isn't some clandestine creation of the NSA created to lull paranoid psychotics into believing that they were secured against intrusion?
The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.
Is this truly the only Earth I can live on?
I follow the security community pretty closely, monitor a fair number of techie news sites and otherwise try to stay aware of this sort of thing. The first I heard of the project was this story - I must have missed it the last time it was mentioned two years ago. Not many sites linked to sardonix.org after the initial news stories, either.
A lot of government and military projects have the sole purpose of attracting money to, or showing deference to whatever fashioanble political/buzzword compliant initiative that has sway that week. This isn't news to slashdotters, I know, but I wonder what real hopes the project had, or was it one of those "impress the boss and get a cheque to swell the department" projects. It seems that's the way things work in the government service and industry these days. Whatever happened to doing the bloody job?
Hands up everyone who refuses to obey orders.
I didn't create an account on slashdot until almost a year after I'd first started visiting and I have this horribly high UID to show for it. Who could have known that, years later, a low UID would be such a symbol of power, fear, and respect!
:-)
I'm glad I didn't have to say that in person; I couldn't possibly have kept a straight face
A preposition is a terrible thing to end a sentence with.
But access control is very much related to stopping exploits. A good set of access controls (SELinux or LIDS or RSBAC or the like) means that when, say, apache gets exploited, the attacker can't do any real damage and certainly can't fork a command shell.
It means that when your mail client gets exploited through an attachment type hole, the executed attachment can't access your address book or send mail itself. All good stuff.
It also means that very few programs need to be run as root thus providing even fewer avenues for the attacker to use.
- Muggins the Madit's really boring shit work, so let's spice it up by making it competitive. Tommy, Jane, how fast can you clean your rooms?
How do you know that the NSA is only supporting Linux so that you will suspect them of malicious intent and therefore making it more likely that you will use FreeBSD which the NSA actually has critical exploits for.
You've fallen right into their trap.
You've fell victim for one of the classic blunders. The most famous is never get involved in a land war in Asia.
But only slightly less well known is this never go in against a Sicilian when (FreeBSD) death is on the line.
and yet no one shows. I guess we have to wait until someone finds something with negative intent before a bug is fixed.
Mod me down -50....I don't care anymore, my faith is lost.
It's true, people would rather write code than fix people's broken shit.
Rather than fixing borken code, why don't we teach some people how to write decent programs? Maybe put up some documentation of some common security flaws and how people could have avoided coming near them by structuring their code differently.
I know some code needs to be fixed, but lets face it, most people aren't willing to do it. There are a few unappreciated people out there who do this, and their job would be easier if people knew how to program better.
I'm not talking just about the kernel, for what I know the kernel is excellently structured. Most of the security holes stand in userland code and that's the area where most of the programmers who lack good programming skills are.
Who can blame the project for having failed, when it was named for the famous "stone of all bad" Sardonyx, i.e. Chtrag Sardius, the opposite of the Orb, or Chtrag Yaska?
Who 'lead' the project, Ctuchik The Grolim High Priest?
------>
Ok, ok... I'm a dork. Read David Eddings' "Belgariad" and "Malloreon" though - they make for a great read.
Sardonix got me interested in source code auditing, but I didn't like the reputation model. It's been more interesting to just do it; while so far I haven't found anything in the packages I've audited (and haven't bothered to report), it's taught me a lot about auditing in general and so I've found multiple vulnerabilities in various web packages I use both personally and professionally.
If you want to encourage source code auditing, then the current system needs to be mended just a bit: as long as researchers are disdained by vendors who don't want to give credit for the problem or even prosecute folks who were kind enough to let them know about the vulnerability of their software, then there's going to be a chilling effect. That's what leads to the disclosure impasse that many find themselves in: disclose to the vendor first and not get credit, or disclose to the public first and get criticized?
"You can never have too many elephants on your team."
Well, this would indicate to me that you have no idea what issues SELinux might or might not address. Perhaps you should research the topics of your closely held opinions somewhat. From the FAQ:
I would say this rather soundly addresses the concept of "getting root", wouldn't you?
This is exactly the situation that SELinux hopes to address, isn't it?
Come on, that one is too easy... the security of the parent system has absolutely nothing to do with the security of an isolated data stream - i.e., email, instant messenger, http, ftp - you name it. SELinux also does little to address the security of daemons like, say, MySQL - it simply isolates the components so that a compromise of the apache code doesn't translate to a compromise of the system.
There is also the fact that the NSA and DARPA don't have to work to compromise our security - after all, the RIAA and MPAA may engineer us into a government-controlled cryptographic system with government (or copyright holder!) held keys - for Intellectual Properties enforcement, of course.
Thinking outside my Head
The question you should be asking yourself is why organizations like the NSA and DARPA, which are after all dedicated to eavesdropping and intelligence gathering, would want to spend time and resources making the computer systems of target nations more secure.
Perhaps because their mission also includes improving the information security of their own nation?
I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.
I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have expirence reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programer (better than most really, but that isn't saying much considering the typical programer I've seen), and I need to learn how to do this. How do expert code reviewers think?
I just got back from wineconf, Alexander personally reads every single line that is commited to Wine. I know it can be done, but I need expirence before I could possibly do that, and noone bootstraps me to get the expirence.
I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.
1. Read some router code
2. Document all critical security vulnerabilities
3. Do not report any bugs
4. ???
5. Profit!
There you are, staring at me again.
Very interesting attitude. I've gotten into several very heated exchanges on Slashdot concerning copyrights. The universal answer was copyright laws favor the artists too much and they should do it out of love and there's nothing wrong with downloading music and movies for free even if it robs the artist. I was given the pious example of people writing open source code for free. I was never given an example of how they were suppose to feed themselves while they worked for free. Now I hear code writers should aways be paid for their work even if it's for the benefit of all. Feels different when the shoes on the other foot. If all intellectual property should be free why aren't code writers working for free and working at the local 7 eleven to pay their bills? I realize no one wants to hear this and I'm sure this post will get a low mod because it's tradition to kill the messenger but you can't have it both ways. Everyone has a right to earn a living and working for free or giving away your work ain't going to pay the bills. I'm thrilled people write open source code for free. Artist often work for free and work a disturbing number of unpaid hours. The hardest thing for an artist is generally getting some one to pay for their work in the first place. Free market basically works, inspite of a few bumps. Change the law and allow people to go into a famer's field and pick the crops without paying and see how quick people give up on farming. Sorry there's no difference.
Crispin
----
Crispin Cowan, Ph.D.
CTO, Immunix Inc.
I would say it's a strech to call the Defence Advanced Research Projects Agency an organization dedicated to eavesdropping and intelligence gathering. Their entire purpose is simply to research things that might be useful to the Department of Defence; however, I will grant you that a large part of what the DoD does is intelligence gathering and eavesdropping -- but it's part of their job, and they don't really shy away from telling the citizens that. On top of all that, if you're going to be so overly paranoid about government involvement in public projects, then why in the hell are you using the internet anyways? It began its life as a DARPA project, as research into self-healing networks.
Also, the NSA isn't dedicated to eavesdropping or intelligence gathering. If you read their original charter, it seems that it was originally created to help organize and distribute intelligence information gathered from the various intelligence agencies working for the US. That isn't all they do either, as this country has changed and their existence become more widely known, their role has changed somehwat as well. Specifically, they also play a role in securing this country (meaning it's citizens, businesses and government) from foreign attack, espionage, and intelligence gathering/manipulation. They are, after all, the National Security Agency.
So, as part of the ideal of securing the nation, they decided that it would be a good idea to make a highly securable operating system available to the public (meaning it's citizens, businesses and government) for free. Given that, it's not too hard to see why they chose Linux as their candidate: It's already available freely, it's already somewhat securely designed, and already implements a unix-style user-based security model. Not only that, but they realized for the system to be truly secure, that it's source code and thus it's development also had to be open to the public and freely available.
I don't think there is any doubt that the NSA has been entirely up front with everyone on this. If it weren't the case, there is no way that the SELinux security model would be included in Linux today, and I don't see any directives from the Ministry Of Coding demanding it's implementation. On the other point, the DARPA was just throwing around some research money (it's what they do best) and decided that this project might turn out something useful; they were wrong, but it didn't really seem as if they had any opportunity for misdirection anyways.
First, they widely advertised it and then took forever to get the site going. I think most people had forgotten about it or given up on it by that point. And then they never publicized it again. (Specifically, it was initially slashdotted on 6 Feb 2002. On 13 Oct 2002, a message on the Sardonix mailing list mentioned that it had been mostly live for a couple weeks, and that the point system still wasn't online. No wider announcement.)
Second, all the packages listed there for review were fairly well-respected blocks of code written by skilled coders. Consequently, most of the reviews were of the form "yup, this code essentially looks good". They were also extremely large projects, so people said "I didn't do a full review; I just tried this automated tool". It doesn't really mesh up with what he said in the article:
There was no "making software more secure [...] eventually finding no bugs"; I don't think anyone ever really found a significant bug through this project.
If they had targeted lots of small projects on freshmeat (like web stuff - PHP, mod_perl, JSP/servlet, etc.), it would have been much more interesting. Those projects have all kinds of security bugs. They could have taught the people in question some good security practices and actually accomplished what they set out to do. Maybe they would have eventually branched out into certifying these infrastructure projects, but it wasn't a good initial goal.
Lastly, who knows they did with that DARPA funding. Plenty of open source projects with no funding do much more impressive works than that website, and in much less time, too.
Maybe people in the security community didn't forget about DARPA's decision not to fund OpenBSD anymore. It doesn't pay to mix politics with research...
cpghost at Cordula's Web.
This is then the 3rd or 4th Linux code audit project to fail. (I was a participant in 2 others)
Why? Because auditing code is
* difficult and tricky
* unrewarding
* lots of hard work
It simply isn't something you want to do unless you are as passionate and fanatic about your project as the OpenBSD guys are.
Assorted stuff I do sometimes: Lemuria.org