Slashdot Mirror


DJB Announces 44 Security Holes In *nix Software

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."

7 of 983 comments

  1. Re:Don't just take this lying down, IMO by jdray · Score: 5, Insightful

    I wouldn't get too worked up about it until it happens. I had several college profs who started out the terms saying how they were strict about assignments getting turned in, and how you could fail if you didn't do this or that; I rarely found their bite to be as bad as their bark. Mostly they want to put the fear of them as a deity figure in you, then be gracious later. If they get overwhelmed, they've set a good baseline to fall back on.

    --
    The Spoon
    Updated 6/28/2011

  2. My thoughts. by Anonymous Coward · Score: 5, Insightful

    Thesis: This professor is retarded.

    Evidence to support this belief:

    1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.

    2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes ... which would lead me to believe "a little bit of both".

    3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.

    Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)

  3. Re:Misleading Title by __aaitqo8496 · Score: 5, Insightful

    For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?

    I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).

    If you don't agree, it's okay, but that's how I think of it.

  4. Re:Don't just take this lying down, IMO by KillerDeathRobot · Score: 5, Insightful

    As soon as universities start being free, I'll agree with you.

    --
    Thinkin' Lincoln - a web comic of presidential proportions

  5. Re:Don't just take this lying down, IMO by Punk+Walrus · Score: 5, Insightful

    Why you think that a professor failing his entire class constitutes a failure on the part of the university is a mystery to me: would you be so opposed if a professor failed an astronomy class that failed to put the planets in the correct order or an economics class that couldn't describe how supply and demand affect prices?

    That's different, and it's still bad because that reflects poorly on the professor. If you were a university, would you want to hire a professor of astronomy who couldn't teach people the basics (for whatever reason)?

    What most of these posts are saying is that this professor did not grade these students on a reasonable test of their skills. It's kind of like a professor of Art History requiring students to discover a previously undiscovered Picasso. Sure, some may exist in people's basements or garage sales, and sometimes a new piece of art from an expired artist shows up on the auction block from a previously unknown collector of rare things, but would you consider it fair to flunk art students who could not find a new Picasso? How would you rate such a find, grade-wise?

  6. Re:It's just an assignment - Did you even go to un by prockcore · Score: 5, Insightful

    If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.

    Makes sense.

    The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.

    Write a simple program with 10 holes in it, point them out, and boom you win.

    We are talking about finding vulnerabilities and exploiting them, aren't we? I'd get extra credit for finding and exploiting holes in the class requirements.

  7. Re:Misleading "Exploits" (Was Re:Misleading Title) by Anonymous Coward · Score: 5, Insightful

    No. You're wrong.

    A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my video player to delete files or anything like that.

    There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is bad, but you know what I mean].
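The point of the comment above is that a decoder for a data format must survive any byte sequence it is handed. The parser below is an added example, not code from the page or from any of the projects the story names (CUPS, mpg123, libbsb and so on). It parses a toy image container, "TIMG", invented for this example: a magic string, a 16-bit width and height, a 32-bit declared data length, then the pixel bytes. The header fields are exactly the kind of attacker-controlled values that media-file bugs come from, so the parser validates every one of them against the real buffer size, caps the allocation size it will accept, and never uses the file's own length field as the truth. The sample buffers are constructed inputs, not real files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* "TIMG" is a toy container invented for this example, not a real format:
 *   bytes 0-3   magic "TIMG"
 *   bytes 4-5   width  (big-endian u16)
 *   bytes 6-7   height (big-endian u16)
 *   bytes 8-11  declared pixel-data length (big-endian u32)
 *   bytes 12..  width*height bytes of 8-bit pixels
 */
#define TIMG_HDR_LEN 12u
#define TIMG_MAX_PIXELS (64u * 1024u * 1024u) /* cap so a header cannot demand a huge allocation */

enum timg_status {
    TIMG_OK = 0,
    TIMG_ERR_SHORT,      /* buffer shorter than the header or the pixel data it requires */
    TIMG_ERR_MAGIC,      /* wrong magic */
    TIMG_ERR_DIMENSION,  /* zero or oversized width/height */
    TIMG_ERR_LENGTH      /* declared length disagrees with width*height */
};

struct timg {
    uint16_t width, height;
    const uint8_t *pixels; /* view into the caller's buffer, never copied */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Every field read from the file is checked against the real buffer size before it is
 * used for sizing or indexing; the file's own length field is never trusted on its own. */
enum timg_status timg_parse(const uint8_t *buf, size_t len, struct timg *out)
{
    if (buf == NULL || out == NULL || len < TIMG_HDR_LEN) return TIMG_ERR_SHORT;
    if (memcmp(buf, "TIMG", 4) != 0) return TIMG_ERR_MAGIC;

    uint16_t w = rd16(buf + 4), h = rd16(buf + 6);
    uint32_t declared = rd32(buf + 8);
    if (w == 0 || h == 0) return TIMG_ERR_DIMENSION;

    uint64_t pixels = (uint64_t)w * (uint64_t)h; /* 64-bit product: cannot wrap for u16 factors */
    if (pixels > TIMG_MAX_PIXELS) return TIMG_ERR_DIMENSION;
    if (declared != pixels) return TIMG_ERR_LENGTH;
    /* Compare the bytes actually remaining, not buf+offset pointers, so nothing can overflow. */
    if ((uint64_t)(len - TIMG_HDR_LEN) < pixels) return TIMG_ERR_SHORT;

    out->width = w;
    out->height = h;
    out->pixels = buf + TIMG_HDR_LEN;
    return TIMG_OK;
}

/* Wrappers so a caller can validate a buffer without managing the struct. */
enum timg_status timg_check(const uint8_t *buf, size_t len)
{
    struct timg img;
    return timg_parse(buf, len, &img);
}

int timg_parsed_width(const uint8_t *buf, size_t len)
{
    struct timg img;
    return timg_parse(buf, len, &img) == TIMG_OK ? (int)img.width : -1;
}

/* Constructed sample inputs (not real files). */
const uint8_t TIMG_SAMPLE_OK[]      = { 'T','I','M','G', 0,2, 0,2, 0,0,0,4, 9,8,7,6 };
/* 2x2 image whose header claims 0xFFFFFFFF bytes of pixel data. */
const uint8_t TIMG_SAMPLE_BAD_LEN[] = { 'T','I','M','G', 0,2, 0,2, 0xFF,0xFF,0xFF,0xFF, 9,8,7,6 };
/* Consistent 256x256 header, but the pixel data has been truncated away. */
const uint8_t TIMG_SAMPLE_TRUNC[]   = { 'T','I','M','G', 1,0, 1,0, 0,1,0,0 };
/* 65535x65535: the product would be ~4 GiB, far over the allocation cap. */
const uint8_t TIMG_SAMPLE_HUGE[]    = { 'T','I','M','G', 0xFF,0xFF, 0xFF,0xFF, 0xFF,0xFE,0,1 };
/* Wrong magic. */
const uint8_t TIMG_SAMPLE_MAGIC[]   = { 'X','X','X','X', 0,2, 0,2, 0,0,0,4, 9,8,7,6 };

int main(void)
{
    static const char *names[] = { "OK", "SHORT", "MAGIC", "DIMENSION", "LENGTH" };
    printf("ok:      %s\n", names[timg_check(TIMG_SAMPLE_OK, sizeof TIMG_SAMPLE_OK)]);
    printf("bad_len: %s\n", names[timg_check(TIMG_SAMPLE_BAD_LEN, sizeof TIMG_SAMPLE_BAD_LEN)]);
    printf("trunc:   %s\n", names[timg_check(TIMG_SAMPLE_TRUNC, sizeof TIMG_SAMPLE_TRUNC)]);
    printf("huge:    %s\n", names[timg_check(TIMG_SAMPLE_HUGE, sizeof TIMG_SAMPLE_HUGE)]);
    printf("magic:   %s\n", names[timg_check(TIMG_SAMPLE_MAGIC, sizeof TIMG_SAMPLE_MAGIC)]);
    return 0;
}
```

The design choice worth noticing is that the parser is checked against what it actually received (`len`) at every step, and the declared length is only ever compared, never used to size a copy. A decoder written this way can still be fed garbage by Dr. Evil, but the worst outcome is a refused file rather than a crash or a write outside the buffer.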