DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and its standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.
I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.
It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.
Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?
Thesis: This professor is retarded.
... which would lead me to believe "a little bit of both".
Evidence to support this belief:
1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.
2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes.
3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.
Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
For the sake of argument, what would you consider Windows software? The kernel, the graphics server, the programs that come with every "distribution" of Windows?
I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS; however, I would consider explorer.exe (even though it is a separate application).
If you don't agree, it's okay, but that's how I think of it.
The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)
The term "fuzz testing" comes from a seminal 1990 paper (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin, a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar for a while, but I don't know whether he still does.
Incidentally, this makes a certain recent Slashdot story more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.
``Life results from the non-random survival of randomly varying replicators.'' -- Richard Dawkins
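The reproducible-stream idea from the post above, as an added example that is not code from the original thread or from The Bulletproof Penguin: a minimal Unix mutation fuzzer in C. It takes a seed file, flips a handful of bytes chosen by a PRNG seeded with the iteration number, writes the result to a scratch path and runs the target on it under fork/exec, reporting any run the kernel terminated with a signal. Because the mutation is a pure function of the seed, a reported crash can be regenerated later from just the seed number. The target program, the scratch path and the flip count are assumptions of the example.

```c
/* mutfuzz.c: deterministic mutation fuzzer (added example, not from the post).
 * Build: cc -o mutfuzz mutfuzz.c
 * Usage: ./mutfuzz <target-program> <seed-file> [iterations]
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_INPUT (1 << 20)      /* assumption: seed files up to 1 MiB */
#define FLIPS_PER_CASE 8         /* assumption: bytes changed per test case */

/* xorshift64: a tiny PRNG so that seed N always yields the same byte stream. */
static uint64_t rng_state;
static void rng_seed(uint64_t s) { rng_state = s ? s : 0x9E3779B97F4A7C15ULL; }
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* Copy `in` to `out` and overwrite `nflips` pseudo-randomly chosen bytes.
 * Same (in, seed, nflips) -> same output, which is what makes a crash replayable.
 * Returns the length written (always len). */
size_t mutate(const uint8_t *in, size_t len, uint64_t seed, unsigned nflips, uint8_t *out) {
    memcpy(out, in, len);
    rng_seed(seed);
    for (unsigned i = 0; i < nflips && len > 0; i++) {
        size_t pos = (size_t)(rng_next() % len);
        out[pos] = (uint8_t)rng_next();
    }
    return len;
}

/* A wait status counts as a crash when the child was killed by a signal
 * (SIGSEGV, SIGBUS, SIGABRT, ...) rather than exiting on its own. */
int crashed(int status) { return WIFSIGNALED(status) ? 1 : 0; }

/* Write the case to `path`, run `target path`, return the raw wait status. */
int run_case(const char *target, const char *path, const uint8_t *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fwrite(buf, 1, len, f);
    fclose(f);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(target, target, path, (char *)NULL);
        _exit(127);              /* exec failed: plain exit, not a crash */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s target seedfile [iters]\n", argv[0]); return 2; }
    unsigned iters = argc > 3 ? (unsigned)atoi(argv[3]) : 1000;
    static uint8_t in[MAX_INPUT], out[MAX_INPUT];
    FILE *f = fopen(argv[2], "rb");
    if (!f) { perror(argv[2]); return 2; }
    size_t len = fread(in, 1, sizeof in, f);
    fclose(f);
    const char *scratch = "/tmp/mutfuzz.case";   /* assumption: writable scratch path */
    for (unsigned seed = 1; seed <= iters; seed++) {
        mutate(in, len, seed, FLIPS_PER_CASE, out);
        int st = run_case(argv[1], scratch, out, len);
        if (crashed(st))
            printf("seed %u: target killed by signal %d (replay with the same seed)\n",
                   seed, WTERMSIG(st));
    }
    return 0;
}
```

The recorded seed number, not the mutated file, is the artifact worth keeping: anyone with the same seed file and this program regenerates the crashing input exactly, which is the advantage over piping raw /dev/urandom into the target.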
If you read the slides from the first lecture, it says the findings of holes amounts to 60% of your grade.
Makes sense.
The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.
Write a simple program with 10 holes in it, point them out, and boom you win.
We are talking about finding vulnerabilities and exploiting them, aren't we? I'd get extra credit for finding and exploiting holes in the class requirements.
RTFA in all the emails he gives full credit to the students.
James Longstreet and Tom Indelli, two students in my Fall 2004 UNIX Security Holes course, have discovered a remotely exploitable security hole in bsb2ppm, a program to convert BSB image files to PPM image files. I'm publishing this notice, but all the discovery credits should be assigned to Longstreet and Indelli.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
That kind of stuff usually doesn't work. In an Astronomy class (toward an Astronomy major, not that gen-ed crap) the professor did not tell us we would have to remember constants, and he asked them as questions. They were short questions, and weren't worth a lot.
One of them was: What is the orbital period of Saturn? (2 pts/100)
I started thinking about Bode's law and the possibility I could calculate it from an approximate radius I would get from that law... if I could remember it. But when you expect a 72% to be an A on a test, you have bigger fish to fry.
Then I got it. It was right, it should work, and no one would have to be nailed to anything.
I wrote: One Saturn-Year
I didn't get credit for it. A couple years later a sophomore was telling me about this funny question he had in the same class. He showed it to me. It read:
What is the orbital period of Saturn? (Do not put one Saturn-Year)
I was so right that it had to be guarded against. Yet those were 2 points I would never have.
No. You're wrong.
A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my video player to delete files or anything like that.
There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is bad, but you know what I mean].
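The kind of bug that turns "just viewing an image" into code execution, as an added illustration that is not code from the thread, from bsb2ppm or from any other program named above: a toy length-prefixed chunk format (constructed for this example) read first the way many converters did, trusting the length in the file, and then with the two checks that keep a hostile file from doing anything worse than being rejected. The hardened reader checks the declared length against both the destination capacity and the bytes actually remaining, using the subtraction form so the comparison itself cannot overflow.

```c
/* chunk.c: trusting vs. checking a length field (added example, not from the post).
 * Toy format, constructed for illustration: [u16 big-endian length][payload].
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIXBUF 256   /* fixed-size destination, as in a decoder with a static row buffer */

/* Vulnerable: copies whatever length the file declares.
 * A length up to 65535 overruns the 256-byte destination, and a length larger
 * than the file also reads past the end of `in`. This is the pattern behind
 * "open a crafted file, get code execution". Never call this on untrusted data. */
size_t read_chunk_unsafe(const uint8_t *in, size_t in_len, uint8_t *out) {
    if (in_len < 2) return 0;
    size_t n = ((size_t)in[0] << 8) | in[1];
    memcpy(out, in + 2, n);
    return n;
}

/* Hardened: 0 on success, negative on malformed input (no bytes copied).
 *  -1 header truncated, -2 payload would overflow `out`, -3 payload exceeds input. */
int read_chunk_safe(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap, size_t *n_out) {
    if (in_len < 2) return -1;
    size_t n = ((size_t)in[0] << 8) | in[1];
    if (n > out_cap) return -2;          /* destination bound */
    if (n > in_len - 2) return -3;       /* source bound; in_len - 2 cannot underflow here */
    memcpy(out, in + 2, n);
    *n_out = n;
    return 0;
}

int main(void) {
    uint8_t out[PIXBUF];
    size_t n = 0;
    /* Constructed inputs: a benign 3-byte chunk and two hostile headers. */
    const uint8_t good[]      = {0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t oversized[] = {0xFF, 0xFF, 'x'};   /* claims 65535 bytes */
    const uint8_t truncated[] = {0x00, 0x10, 'x'};   /* claims 16, supplies 1 */

    printf("good:      rc=%d n=%zu\n", read_chunk_safe(good, sizeof good, out, sizeof out, &n), n);
    printf("oversized: rc=%d\n", read_chunk_safe(oversized, sizeof oversized, out, sizeof out, &n));
    printf("truncated: rc=%d\n", read_chunk_safe(truncated, sizeof truncated, out, sizeof out, &n));
    /* read_chunk_unsafe(oversized, ...) is deliberately not run: it would smash `out`. */
    return 0;
}
```

Both checks are needed: the capacity check alone still lets a short file drive a read past its own end, and the remaining-length check alone still lets a long file overflow the fixed buffer.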
Sir Ernest Rutherford, President of the Royal Academy, and recipient of the Nobel Prize in Physics, related the following story.
Some time ago I received a call from a colleague. He was about to give a student a zero for his answer to a physics question, while the student claimed a perfect score. The instructor and the student agreed to an impartial arbiter, and I was selected.
I read the examination question: "Show how it is possible to determine the height of a tall building with the aid of a barometer." The student had answered: "Take the barometer to the top of the building, attach a long rope to it, lower it to the street, and then bring it up, measuring the length of the rope. The length of the rope is the height of the building."
The student really had a strong case for full credit since he had really answered the question completely and correctly! On the other hand, if full credit were given, it could well contribute to a high grade in his physics course and certify competence in physics, but the answer did not confirm this.
I suggested that the student have another try. I gave the student six minutes to answer the question with the warning that the answer should show some knowledge of physics. At the end of five minutes, he hadn't written anything. I asked if he wished to give up, but he said he had many answers to this problem; he was just thinking of the best one. I excused myself for interrupting him and asked him to please go on.
In the next minute, he dashed off his answer, which read: "Take the barometer to the top of the building and lean over the edge of the roof. Drop the barometer, timing its fall with a stopwatch. Then, using the formula x=0.5*a*t^2, calculate the height of the building." At this point, I asked my colleague if he would give up. He conceded, and gave the student almost full credit.
While leaving my colleague's office, I recalled that the student had said that he had other answers to the problem, so I asked him what they were.
"Well," said the student, "there are many ways of getting the height of a tall building with the aid of a barometer.
For example, you could take the barometer out on a sunny day and measure the height of the barometer, the length of its shadow, and the length of the shadow of the building, and by the use of simple proportion, determine the height of the building."
"Fine," I said, "and others?"
"Yes," said the student, "there is a very basic measurement method you will like. In this method, you take the barometer and begin to walk up the stairs. As you climb the stairs, you mark off the length of the barometer along the wall. You then count the number of marks, and this will give you the height of the building in barometer units." "A very direct method."
"Of course. If you want a more sophisticated method, you can tie the barometer to the end of a string, swing it as a pendulum, and determine the value of g [gravity] at the street level and at the top of the building. From the difference between the two values of g, the height of the building, in principle, can be calculated."
"On this same tack, you could take the barometer to the top of the building, attach a long rope to it, lower it to just above the street, and then swing it as a pendulum. You could then calculate the height of the building by the period of the precession."
"Finally," he concluded, "there are many other ways of solving the problem. Probably the best," he said, "is to take the barometer to the basement and knock on the superintendent's door. When the superintendent answers, you speak to him as follows: 'Mr. Superintendent, here is a fine barometer. If you will tell me the height of the building, I will give you this barometer.'"
At this point, I asked the student if he really did not know the conventional answer to this question. He admitted that he did, but said that he was fed up with high school and college instructors trying to teach him how to think.
The name of the studen
When an anecdote is a little too perfect (and this one is way over the top), then you need to google for it at site:snopes.com. http://www.snopes.com/college/exam/barometer.asp
(Reality reasserts itself sooner or later.)