Slashdot Mirror


DJB Announces 44 Security Holes In *nix Software

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."

32 of 983 comments

  1. Misleading Title by __aaitqo8496 · · Score: 4, Insightful

    The title of this article is quite confusing, if I read it correctly. To me, it reads that *nix variants themselves have 44 security holes (as in something in the underlying OS, such as the kernel). However, upon further reading the story indicates that it is actually the 3rd party software that has holes in it. Sounds a little unfair to *nix environments. Consider blaming Microsoft for all holes in every Win32 program (oh wait, we already do!) How about a better title like "DJB Announces 44 Security Holes In *nix-based Software"

    1. Re:Misleading Title by WIAKywbfatw · · Score: 4, Insightful

      If you want to get technical you could argue that everything apart from the kernel is *nix-based software. Where do you want to draw the line?

      --

      "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    2. Re:Misleading Title by Dekke · · Score: 3, Insightful

      Because if it weren't sensationalist, who would ever read it? For the knowledge? Hah! For shame, thinking we want accuracy...

    3. Re:Misleading Title by __aaitqo8496 · · Score: 5, Insightful

      For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

      I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).

      If you don't agree, it's okay, but that's how I think of it.

    4. Re:Misleading Title by FatAlb3rt · · Score: 3, Insightful

      so...why didn't someone just write some intentionally crappy software, stick it on sourceforge, then point out the flaws?

      or better yet, since it sounds as if this is an assignment due at the end of the semester, dive into some code, write up a few paragraphs on what you *think* is a security flaw, and submit it.

      heck, i think the instructor should give credit for explaining 10 good code examples of secure routines.

    5. Re:Misleading Title by stor · · Score: 4, Insightful

      For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

      Ahh, this is such stuff that pointless flamewars are made on.

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
  2. Re:Don't just take this lying down, IMO by jdray · · Score: 5, Insightful

    I wouldn't get too worked up about it until it happens. I had several college profs who started out the terms saying how they were strict about assignments getting turned in, and how you could fail if you didn't do this or that; I rarely found their bite to be as bad as their bark. Mostly they want to put the fear of them as a deity figure in you, then be gracious later. If they get overwhelmed, they've set a good baseline to fall back on.

    --
    The Spoon
    Updated 6/28/2011
  3. What? by jjshoe · · Score: 3, Insightful

    What no djb tools on the list? That seems the quickest way to fail, find an exploit in a djb tool.

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
  4. Re:Don't just take this lying down, IMO by Marxist+Hacker+42 · · Score: 4, Insightful

    Not disagreeing- but if I was this student, I'd get a few buddies together from the class and point out to the prof:
    1. This is the first term this class has been taught.
    2. Nobody did well with the homework if the entire class of 25 students only found 44 holes.
    3. Even those who were among the best students in the class, getting A's on all the exams, only found 2-3 holes.

    Therefore the grades should be assigned to fit a bell curve based mainly on test scores and minimizing points earned for the homework.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  5. ah, buffer overflows... by Mr.+Slippery · · Score: 4, Insightful

    I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.

    It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  6. My thoughts. by Anonymous Coward · · Score: 5, Insightful

    Thesis: This professor is retarded.

    Evidence to support this belief:

    1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.

    2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes ... which would lead me to believe "a little bit of both".

    3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.

    Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)

    1. Re:My thoughts. by slavemowgli · · Score: 4, Insightful

      It teaches you that professors can be asshats/idiots/..., too, and that you should not take classes taught by DJB. Furthermore, it teaches you that in life, you will still get treated like shit even when you're paying for things (like your education, in this case), and that having a famous name (like DJB) is more important than what you actually do.

      --
      quidquid latine dictum sit altum videtur.
  7. Fourth year: bird courses only please by Ars-Fartsica · · Score: 4, Insightful

    Who signs up for hard classes in fourth year? Duh! You've practically got your degree. Sit back, uncap a cold one and choose from the many many many easy courses every school offers to fourth year students.

    It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.

    So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.

  8. What's the deal? by retro128 · · Score: 4, Insightful

    The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.

    10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.

    In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.

    I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.

    --
    -R
  9. If the majority of the class failed... by JoshMKiV · · Score: 4, Insightful

    If the majority of the class failed, then the professor failed YOU.

  10. Re:Don't just take this lying down, IMO by mateomiguel · · Score: 4, Insightful

    "As a student, I'm the consumer. "

    No, no, and hell no. As a student, you are a student. Leave your stupid consumer victimization routine in suburbia, where it belongs. Don't try to bring that crap to academia.

  11. Re:Don't just take this lying down, IMO by KillerDeathRobot · · Score: 5, Insightful

    As soon as universities start being free, I'll agree with you.

    --
    Thinkin' Lincoln - a web comic of presidential proportions
  12. Re:Don't just take this lying down, IMO by Marxist+Hacker+42 · · Score: 4, Insightful

    Perhaps- I didn't think of this until reading your post- that's exactly what the professor was trying to teach. Though it would be a damned awful way to do it, I've got to admit that 95% of the projects I've worked on since college have followed that general path. Work obscenely hard- get a product out there- get laid off when the marketing people spend tons on booze to cover their poor marketing skills and drive the company into the ground. Yep- sounds just like this assignment.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  13. Re:Don't just take this lying down, IMO by plopez · · Score: 3, Insightful

    It could be the prof was trying to weed out the riff-raff (those who think they are hot but are not, etc.). But giving such an open ended project at the undergrad level is extreme. It is appropriate for grad school, where research projects sometimes are not completed, but not undergrad (I assume by the number it is undergrad).

    I actually had a class like that, expected to fail but passed because I actually did a lot of work on the problem and it showed. This may be one of those cases. Remember, research is about trying your best but still failing, actually most of the time.

    --
    putting the 'B' in LGBTQ+
  14. Re:Don't just take this lying down, IMO by Skyshadow · · Score: 4, Insightful
    I don't have any problem with the concept of an entire class failing a course. Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

    Frankly, I think you're jumping the gun here...

    I didn't jump the gun, I provided a qualified statement. You know, "if he does this then you should do this".

    Now, let me provide another statement which may or may not apply to this specific case (since we haven't seen grades yet): Any time an entire class fails, it is on the professor's shoulders. Since we assume that the people in the class are both mentally competent and reasonably intelligent based on the fact that they're in college, and excepting odd situations (a 1 or 2 person class, for instance), a near-100% failure rate can only be one of three things:

    1. The professor has created a class which cannot be successfully completed given the time constraints and the level of the students.
    2. The professor has completely failed to impart his knowledge to the students.
    3. The professor has based the grades on items which do not accurately reflect what was taught in the class.

    Implying that a professor who fails all or nearly all of a given class has competently done his/her job is nonsense. It's not "part of the learning experience", it's a professional failure on the part of the professor and needs to be treated as such. In any event, when this sort of extraordinary event occurs, the University itself is responsible for allowing that failure to occur.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  15. Re:Don't just take this lying down, IMO by Punk+Walrus · · Score: 5, Insightful
    Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

    That's different, and it's still bad because that reflects poorly on the professor. If you were a university, would you want to hire a professor of astronomy who couldn't teach people the basics (for whatever reason)?

    What most of these posts are saying is that this professor did not grade these students on a reasonable test of their skills. It's kind of like a professor of Art History requiring students to discover a previously undiscovered Picasso. Sure, some may exist in people's basements or garage sales, and sometimes a new piece of art from an expired artist shows up on the auction block from a previously unknown collector of rare things, but would you consider it fair to flunk art students who could not find a new Picasso? How would you rate such a find, grade-wise?

  16. Re:It's just an assignment - Did you even go to un by prockcore · · Score: 5, Insightful

    If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.

    Makes sense.

    The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.

    Write a simple program with 10 holes in it, point them out, and boom you win.

    We are talking about finding vulnerabilities and exploiting them, aren't we? I'd get extra credit for finding and exploiting holes in the class requirements.

  17. Re:Don't just take this lying down, IMO by Anonymous Coward · · Score: 3, Insightful
    Mostly they want to put the fear of them as a deity figure in you...
    Wrong. Mostly they want to get the lazy and uninterested students to drop their course.
  18. Re:Most people will pass by winwar · · Score: 3, Insightful

    "So guy-I-knew approached Parnas, and asked why.

    "Because I don't like you".

    And that was the end of it."

    I wonder why? Disliking someone is NOT a valid reason to assign low grades. Thinking their work is crap is a valid reason. That statement pretty much could have enabled the student to have his grade reevaluated by an outside observer. I would have complained to academic affairs. After all, if the professor already dislikes you, that bridge is already burned.

    If the story is true, of course.

  19. Re:Modern education sunken to a new low by be-fan · · Score: 3, Insightful

    I think the point of contention is that people are saying that grades and learning *should* be related. Grades should reflect what you know --- they are utterly useless otherwise.

    --
    A deep unwavering belief is a sure sign you're missing something...
  20. Re:Misleading "Exploits" (Was Re:Misleading Title) by Anonymous Coward · · Score: 5, Insightful

    No. You're wrong.

    A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my video player to delete files or anything like that.

    There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is bad, but you know what I mean].

  21. Re:Don't just take this lying down, IMO by Gherald · · Score: 4, Insightful

    Not wanting to fail a class hardly qualifies as being "obsessed with grades."

  22. Re:Good idea? by idontgno · · Score: 4, Insightful
    I know more about C, computer internals, and security than most professionals now, so I'm not too sad :)

    You also know more about IT management, unrealistic goals, undeserved punishment, and PHBs than most professionals now. I don't know whether to rejoice in your hardwon jumpstart on corporate wisdom or mourn the inevitable early onset of cynicism.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  23. Re:Don't just take this lying down, IMO by jdray · · Score: 3, Insightful

    Right. Forgot that part.

    1) Make wildly overstated demands.
    2) Watch 1/3 of students abandon class.
    3) Hold class
    4) Back off on demands and grade fairly.

    (Sorry, this is academia. No profit involved.)

    --
    The Spoon
    Updated 6/28/2011
  24. Re:Good idea? by geekoid · · Score: 4, Insightful

    You're given an undoable assignment, that's the problem.
    Welcome to astronomy 101, 60% of your grade will depend on finding 10 new planets in our solar system

    "and security than most professionals now,"

    I have my doubts.

    --
    The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  25. Re:Varying levels of seriousness... by jonadab · · Score: 3, Insightful

    > Blanket statements like this (and like "Goto is evil") do nothing to help improve the quality of software as we know it. strcat() is not evil. Using strcat on uncontrolled/unmonitored input on buffers whose memory allocation we are unsure of IS.

    No. The problem here (either way) is not what *functions* the programmer is using; the problem is what *language* the programmer is using. C was great in the 1970s, when computers filled whole rooms and needed every instruction per second that could be squeezed out of them. At the time, more robust languages (such as lisp) were just too darned slow, and if a feature required the computer to do a little too much (or waste too much storage), it just wasn't implemented. Word wrap was an optional _extra_ in word processing software, because it required the whole line to be (gasp) recopied while the user waited! C was great because it allowed programs that would otherwise have to be written in assembly language for efficiency reasons to be more portable -- and Unix directly benefited from this, outstripping and leaving in the dust a number of otherwise better systems (TOPS-20 for example) that were unfortunately tied to specific hardware. Languages that allocated string space dynamically and did other things to coddle the programmer, such as lisp or BASIC, were only good for specific tasks where performance was less critical. The real VHLLs didn't even exist.

    Today, there are still things that need to be written in a low-level language such as C. Device drivers are an excellent example. The performance and the efficiency really matter there. The kernel's scheduler is another example. But these things should be written by experienced programmers who know the heck what they're doing. (Yeah, I know, it doesn't always work out that way, and even experienced programmers still make mistakes...) But we still have every noob and his kid brother trying to write high-level applications in C for no good reason, and *this* is why we still have buffer overruns -- it's because we still have fixed-size buffers.

    Will better languages eliminate all bugs? No. But they will, eventually, as they are gradually adopted, eliminate certain whole *classes* of bugs that have been plaguing us for 30+ years, buffer overruns being one of the most obvious. Pointer errors are another thing you don't have in VHLLs, because you don't have unsafe pointers or pointer arithmetic. (You can still make the mistake of treating a return value that may be undef as if it's definitely a reference, but the bug that results is easier to track down, because instead of happily writing bits into an unrelated piece of storage and possibly smashing something that will haunt you six hundred lines of code later it immediately complains that you can't use that value as a reference.) You don't get a fencepost error on the max value of an array index when you've replaced your legacy C-style for loops with foreach loops that don't use indices, for example. (Legacy for loops have been deprecated in Perl for virtually ever now, and in Perl6 they are going away completely; for will always mean foreach and will always operate on a list. The other VHLLs that haven't done this already will eventually.)

    Your correct, cheaper code is still horribly needlessly long for what it accomplishes: with the brace style fixed for terseness and the superfluous blank lines removed, it still comes to seven lines (lines!), just to concatenate a couple of strings, which shouldn't take seven characters. And yes, I know it's a contrived example, but it's still illustrative.

    --
    Cut that out, or I will ship you to Norilsk in a box.
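The two positions in the post above (bounded use of a fixed-size buffer vs. strings that are sized dynamically) side by side, as an added example constructed for this page and not code from the thread or from the poster. The function names bounded_concat, dyn_concat and check_bounded are my own.

```c
/* Added example: the two ways the comment above contrasts for string
 * concatenation in C. Constructed for this page; not from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size buffer, with the allocation known to the caller (cap bytes).
 * Returns 0 and writes a+b into dst if it fits; returns -1 and leaves dst
 * as an empty string (when cap > 0) if it would not. Unlike strcat, it
 * cannot write past cap, so untrusted input cannot overrun the buffer. */
int bounded_concat(char *dst, size_t cap, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (cap == 0)
        return -1;
    /* Need la + lb + 1 <= cap; checked by subtraction so the sum cannot wrap. */
    if (la >= cap || lb >= cap - la) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);   /* lb + 1 copies the terminating NUL */
    return 0;
}

/* Dynamic allocation: the result is sized to its content, which is what the
 * comment credits VHLLs with doing automatically. Caller frees the result.
 * Returns NULL if allocation fails. */
char *dyn_concat(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    char *out = malloc(la + lb + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, a, la);
    memcpy(out + la, b, lb + 1);
    return out;
}

/* Test helper: run bounded_concat into a scratch buffer of the given
 * capacity (at most 16 bytes) and report whether both the return code and
 * the resulting string match what the caller expects. Returns 1 on match. */
int check_bounded(size_t cap, const char *a, const char *b,
                  int expect_rc, const char *expect_str)
{
    char buf[16] = "";
    if (cap > sizeof buf)
        return 0;
    int rc = bounded_concat(buf, cap, a, b);
    return rc == expect_rc && strcmp(buf, expect_str) == 0;
}

int main(void)
{
    char small[8];
    /* "hello" + "!" is 6 characters plus NUL: fits in 8 bytes. */
    printf("%d %s\n", bounded_concat(small, sizeof small, "hello", "!"), small);
    /* "hello" + "world" needs 11 bytes; strcat would overrun small here,
     * the bounded version refuses instead. */
    printf("%d\n", bounded_concat(small, sizeof small, "hello", "world"));
    char *d = dyn_concat("hello", "world");
    if (d != NULL) {
        printf("%s\n", d);
        free(d);
    }
    return 0;
}
```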
  26. Re:Good idea? by Civil_Disobedient · · Score: 3, Insightful

    We're not blaming DJB for our failure.

    Well, then perhaps you do deserve to fail. He's the one doing the grading, and he's the person responsible for giving you an assignment where success is based as much on luck as on technical prowess.

    He tells you what he means and sticks with it. That's something to respect.

    This is called begging the question. Why, exactly, is this something to respect?

    "Hey, I'm going to kill you if you don't give me your money."

    "Well, I don't have any money."

    "Sorry, gotta kill you."

    "That's cool. I totally respect that."

    Perhaps if you didn't idolize him as much, you might realize the practical consequences of a failing grade for your GPA, and potential employment future. But at least you got to learn from a kick-ass prof, right? Or rather, an ass-kicking prof.