Amit Singh's Challenge: Find a Decade-Old Bug

dreicodan writes "Well this has too many juicy Mac OS X nuggets in one bag! All details are on this page, but I'll summarise. Apparently Amit Singh discovered a 10+ year old serious bug in OS X. The bug started in Nextstep and is still in Panther (and apparently Tiger, too). Then Amit wrote a program to demo the bug, but also made the program capable of hiding what it does using some complicated Mach kernel voodoo! He then threw a challenge open to OS X experts to figure out the bug. It turns out that a week and some 1000 downloads later, three brilliant hackers (Alexy Proskuryakov, Andrew Wellington, Graham Dennis) were able to solve the puzzle. Also looks like other than these guys, nobody got anywhere with the problem. Be ready for extremely gory details of how the program was written and how it was decoded. It's a thrilling read, and OS X hacking doesn't get any more hardcore than this! Hopefully Apple fixes this bug now at last."

  1. What's impressive by fm6 · · Score: 3, Insightful

    It is impressive that these uber-hackers could figure out why the kernel was panicking. It is not impressive that NextStep and Apple have known about this panic bug for 10 years but haven't been able to fix it!

    1. Re:What's impressive by b-baggins · · Score: 3, Insightful

      More likely it wasn't serious enough to warrant the time to fix it.

      --
      You can tell a great deal about the character of a man by observing those who hate him.
    2. Re:What's impressive by falcon5768 · · Score: 2, Insightful

      Yeah, from the look of it he found the bug, then traced it back OS by OS till he figured out NeXT had the bug as well. It doesn't seem that Apple or even NeXT knew about the bug ever.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    3. Re:What's impressive by SteeldrivingJon · · Score: 3, Insightful

      "How is a kernel panic not serious? "

      If you never, ever encounter it, it's not serious.

      You could probably cause a kernel panic by driving an iron spike through the boot drive during some critical OS-level operation.

      But it'd be daft to write iron-spike-handling code, to prevent a kernel panic in that rare situation.

      --
      September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
    4. Re:What's impressive by SteeldrivingJon · · Score: 2, Insightful
      If it was perfectly ordinary, it would have been discovered long ago.

      If it's gone 10 years without being discovered, if Bank of America's NeXTSTEP trading systems never broke because of it in all the years they've been in use, then it's not a significant bug.

      --
      September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
  2. A reason why there weren't 1000 submissions by Anonymous Coward · · Score: 5, Insightful

    I think one of the reasons why only a few people submitted their analysis was because of how the contest was structured.

    Singh said he was going to give the prize to the first person with a correct submission. Not the best submission, nor the most complete submission, or the most creative submission.

    So I think people just gave up after the first couple of submissions were posted. He shouldn't have displayed the number of submissions that had been received.

    Also, this challenge didn't hit Slashdot until after it was finished. I know I didn't hear about it until after the first two submissions were submitted.

    It was fun to track down though.

  3. Re:10 years? by Anonymous Coward · · Score: 2, Insightful

    Would you care to submit an example of a similar or worse M$ (note clever use of $) bug that they couldn't find or fix for 10 years?

    Why is it that M$ (dollar sign, LOL!) gets brought up every time Linux or Apple fucks up big time, when it's not related and usually worse than any similar issues that M$ (clever!) has ever had, let alone left unfixed?

  4. Re:To be honest by xenocide2 · · Score: 3, Insightful

    It's not like there is any software immune to ancient bugs. Debian had an outstanding bug in apt-get that was recently fixed. Apparently, for seven years there was a lurking 'ignore random files while removing a package' bug in their linked list program. Of course, it wasn't random at all, it simply skipped every other node in the linked list under certain conditions (such as having a list with more than one item).

    I don't think the person behind the challenge meant to imply that Macs are toys. Only that very few people outside of Apple know much about the inner workings of their beast named OS X. As far as exploits go, a kernel panic is one of the safest out there. No way of intentionally damaging specific files, no remote execution of code. Of course, as one of the many people who doesn't know much about OSX internals, I suppose it's possible that the vulnerability could lead to such things. I just don't know, and given that your name wasn't on the list, I surmise you don't either.

    --
    I Browse at +4 Flamebait

    Open Source Sysadmin

  5. Re:10 years? by KingBahamut · · Score: 3, Insightful

    I believe that, and a few others might qualify. Win32 API Shatter Attack, have they fixed that yet? Will they?

    I think I remember hearing that unless M$ restructures the Sec model, there really isn't a way for them to stop it from happening.

    And why do I use M$? Well, because Bill Gates exemplified Greed to me. The Largest software developer in the world, Oracle not far behind, M$ exudes Greed, Avarice, and Exclusionism (w?). And that, dear friends, comes from a 30 developer, not a 13yo, like so many critics of Slashdot seem to think.

    --
    "God of Rock, thank you for this chance to kick ass. "
  6. exploits for dummies by epine · · Score: 4, Insightful

    The flaw used by panpipes has existed unnoticed for over a decade. If attackers were indeed actively looking for flaws all along, did they miss this one? If nobody was ever looking for any flaws, could there be more exploitable flaws lurking?

    The rest of the article is good fun, but this passage is a brain fart. There are millions of lines of source code in any modern operating system. Exploits don't sprout overnight like manna from heaven. The most useful skill for divining exploits is to notice the existence of edge cases in how various subsystems interact with one another. There is also the important case where "chance favors the prepared mind". This is where something funny happens as a result of an honest mistake, then the "prepared mind" notices (and pursues) the chance event's darker implications.

    Serious bugs that lurk for decades are hardly unknown. The ASN.1 bug springs to mind. It's hard to imagine a bug more widely deployed that escaped detection for such a long time. The question here is why, for such a long time, this simple flaw evaded interactions with dark energy. It's for precisely the same reason that experts rarely make the best testers. There are certain kinds of elementary programming mistakes that the "prepared mind" will habitually avoid. This distribution has a slim tail. If the minions of evil fail to stumble into any telltale clues after five years, chances are good it will remain hidden for a long time yet.

    This is in fact the same mistake that Kurzweil makes in predicting the imminent singularity: that intellectual power is a fully ordered function, based on the premise that a really smart person can achieve any interesting result that any person much less smart can achieve. To put this in perspective, consider the recently discovered AKS primality test. This is what AKS achieved by some clever tricks using concepts of undergraduate algebra and a 15-year-old theorem.

    http://www.flonnet.com/fl1917/19171290.htm

    Undergraduate concepts in algebra exploited to achieve mathematical immortality. That ought to frame a tiny, unnoticed flaw in OS/X.

  7. Re:To be honest by guet · · Score: 3, Insightful

    This adds up to the toy image _some_ claim the Macs have. Why would someone play around with a serious security bug there for 10 years? Well, a mitigating fact is that it was there for 10 years, but still it's bad to delay a fix because of a game.

    Well, apart from the attempt to disclaim responsibility for a statement whilst still presenting it as credible (the '_some_ claim' statement), there's the gratuitous insult aimed at provoking others - 'toy'.

    Why bother claiming Macs are toys in a story about an obscure bug? What does a toy mean to you? Ironically one of the most persistent criticisms of Macs is that current games don't play well on them, so they are in fact not very good toys.

  8. If there's one person Apple should hire by theolein · · Score: 4, Insightful

    Apple should hire, even if they never hire another person for their OSX team, Amit Singh. It is truly rare that someone as gifted as this appears on the scene and then even has a passion for the intricacies of a kernel that does not garner much attention in the OSS scene.

    Given that the immense amount of detail that Amit has given on OSX, as shown on kernelthread and in his upcoming book, has been done in his spare time, could you imagine what he could achieve if this was his job? Granted, I'm no HR person, but I would think that Apple should be chafing at the bit to get him on board. I know that if it was up to me, I would offer him an almost blank cheque to write his own salary on.

    He is the person who could get OSX into the enterprise.

    Of course, if he did work for Apple, then his website would surely suffer, what with NDAs and such. Perhaps it's better that he doesn't work at Apple.

    1. Re:If there's one person Apple should hire by loudgazelle · · Score: 3, Insightful

      I've been thinking the same exact thing since I started reading his articles.
      Not only is he a brilliant computer scientist who knows his shit in-and-out, but he's a very gifted writer with an uncanny ability to write articles targeted at many different levels of ability. He also does a great job of staying out of the OS flame war by always looking at OS's from an objective point of view.
      As far as I can tell by looking at the dates on his resume, he's only in his late twenties or early thirties, which makes his level of expertise even more impressive.

      I'm almost willing to bet that Apple has contacted him but he turned down the offer; he has a research position with IBM, and you can tell from his writing that research is where his passion is. If I were him, there wouldn't be a whole lot that could drag me away from that job.

    2. Re:If there's one person Apple should hire by suitepotato · · Score: 2, Insightful

      Seconded. His website was a dizzying assault on my sense of being in IT and like standing under a clear moonless starry night, it made me feel real small for a moment. I am in awe. Bookmarked.

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)