Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com)

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit received $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union. Its scoring also looks at the number of external libraries called, the number of branches in a program, and the presence of high-complexity algorithms.

77 comments

  1. Yep by Anonymous Coward · · Score: 0

    I wish I had $600000 on my "basement".

    1. Re:Yep by Anonymous Coward · · Score: 1

      Exactly. $600K, and two people in a basement doing simple software assessments does not equal a non-profit. It amounts to a very lucrative and profitable government contract. I would even go so far as to venture the idea of laundering.

      Former NSA, DARPA funding. "nonprofit" ... Yeah, and the moon is made of cheese.

      I bet their house is a fucking mansion.

    2. Re:Yep by Anonymous Coward · · Score: 3, Insightful

      They've evaluated 12,000 programs, and they have to purchase the ones that don't have fully functional trial versions available. That isn't going to be cheap. I presume they've set up a decent lab, that could be $50K-$100K just in hardware. Then there's developer time, lawyers, the technical review board that looks at their static analysis methods...

      If this effort improves the state of application security (or at least steers users away from products that aren't improved), I'd say $600,000 is a pittance to pay. Preventing just one SCADA compromise could save many times that amount of cash. I'm OK with my tax money going here.

    3. Re:Yep by Anonymous Coward · · Score: 0

      Steering away users...that's iffy at best. I guarantee you Microsoft is drafting a slew of white papers right now about how those Office results are bunk. Proprietary software companies thrive on disinformation campaigns.

    4. Re:Yep by Anonymous Coward · · Score: 0

      I bet their house is a fucking mansion.

      Wouldn't doubt it. Mudge doesn't even cook.

    5. Re:Yep by MadX · · Score: 1

      Yes, I agree that the costs are going to be huge - ESPECIALLY the lawyers. We all know who gets the lion's share.

    6. Re:Yep by arglebargle_xiv · · Score: 2

      I bet their house is a fucking mansion.

      It's beyond that, it's practically a palace, room for over 300 people.

    7. Re:Yep by Anonymous Coward · · Score: 0

      Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security

      He says vendors are going to hate it.

      Measure your code quality with this one weird trick! Vendors hate it.

    8. Re: Yep by Anonymous Coward · · Score: 0

      You clearly have no idea what the legal definition of a non-profit is. All it means to be a non-profit is that you use your surplus money to further your purpose/mission (including salaries of any size) rather than distribute the surplus money to shareholders.

    9. Re: Yep by Anonymous Coward · · Score: 0

      Oh I know exactly what a nonprofit is. What I know is that people take salaries. Huge ones. They call it a cost. It is not. It is profit. Let's see the books, how much have this guy and his wife taken as "salary"?

    10. Re:Yep by Beeftopia · · Score: 1

      I was always puzzled about the outrageous rates at which companies billed out software engineers. But when I got into consulting, I found out the hard way how important lawyers are. And then the larger the company gets, the more specialized people are needed. Contracting officers, accountants, site security, hardware, health insurance, unemployment insurance, taxes. All of those costs have to be covered by the revenue from products, services and billed-to-the-client staff. That made the hourly rates suddenly seem much less dazzling, and let me understand why I got such a small slice of them.

  2. Tor browser by Anonymous Coward · · Score: 0

    Based on Firefox, and has (or will get) super ASLR which reshuffles functions at load time, makes it almost impossible to use ROP.

    1. Re:Tor browser by AlphaBro · · Score: 1

      More expensive? Sure. Almost impossible? No.

  3. ALAN MOORE FOUND! by Anonymous Coward · · Score: 0

    He is alive and well and living in Hamburg with his wife.

  4. Nonprofit In Basement by Anonymous Coward · · Score: 0

    Why in the basement? Seems a bit suspicious to me.

    1. Re:Nonprofit In Basement by Megol · · Score: 1

      Too little space in the attic?

    2. Re:Nonprofit In Basement by arglebargle_xiv · · Score: 1

      Why in the basement? Seems a bit suspicious to me.

      His mom lives upstairs?

  5. Only tested OSX? by Anonymous Coward · · Score: 0

    Who cares about the security of apps on OSX anyway? It's Swiss cheese to begin with. Tell us about security on an OS where people care about security, please and thanks.

    1. Re:Only tested OSX? by Desler · · Score: 1

      Who cares about security on OS X? 10% of all desktop users I would imagine. And where did you get the idea they were only testing OS X applications. You seem to have invented that out of whole cloth.

    2. Re: Only tested OSX? by Anonymous Coward · · Score: 0

      "The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says."

      Or you can read the fucking summary.

    3. Re: Only tested OSX? by Desler · · Score: 1

      But that's hard and stuff.

  6. bla bla .... security .... bla bla by Anonymous Coward · · Score: 0

    omg

  7. The usual reason for old tools by Anonymous Coward · · Score: 0

    The usual reason for old tools is compatibility. Companies just don't rewrite software just because a new compiler meeting recent standards is available.

    Especially when the code base is huge.

    Why do you think Windows still has vulnerabilities that go back 18 years?

    1. Re:The usual reason for old tools by Anonymous Coward · · Score: 0

      Because you suck dicks for a nickel a piece behind Starbucks every other Tuesday night?

    2. Re: The usual reason for old tools by Anonymous Coward · · Score: 1

      Who hasn't?

    3. Re: The usual reason for old tools by Anonymous Coward · · Score: 0

      Your dad. He's too busy taking it up the ass in the stalls.

    4. Re:The usual reason for old tools by Anonymous Coward · · Score: 1

      This a thousand times over.

      I've had to change over to new toolchains quite a few times, and although most code keeps working, there's always the code written by That Guy and that code always breaks in a million different little ways at every perturbation. And a toolchain change tends to be the big perturbation that breaks all fragile code.

      And that wouldn't be so bad, perhaps, if you just got a list of compiler errors so you could tell management that there's a hundred problem sites, so it's going to take nine months. No, when you fix one thing, another problem appears, you have no way to get a bound on it. And when you made it compile it turns out that some things have started to work differently in subtle ways, sometimes making the program crash, sometimes just making it do the wrong thing.

      And as if that wasn't bad enough there's often politics involved. I've been in a situation where we were ordered by higher management to use a new tool, but That Guy wasn't on board and of course That Guy has a lot of clout in the organisation, otherwise he'd have been fired ages ago. So predictably, the new tool found lots of serious errors in code he was responsible for, some of which actually explained mysterious, hard-to-diagnose problems our clients had been having. But he wouldn't allow any fixes to ‘his’ code because of ‘muh code stability’. We talked to management but they, after letting the situation drag on and fester, eventually decided to... abandon the new tool! (And not fix any of the issues we found.)

  8. Google Goofus Security by Anonymous Coward · · Score: 0

    Now that you explained how Google does such a great job with security,
    perhaps you could spend a few words discussing Stagefright.
    And how does this security powerhouse allow the spread of a mobile operating system that offers no security updates for millions of users.
    Google offers the bogus reply that it's not their problem - it's a vendor problem.
    So today there are millions of Android phones that need security updates, and the vendors couldn't care less.
    When these phones are used on WiFi, they pose a threat to everything on the connected network.
    Android is Google's baby, and at very least, Google has a responsibility to monitor and act on the way vendors deploy it.
    Vendors that stop issuing security updates should be cut off.

  9. Re: Interesting by Anonymous Coward · · Score: 0

    It's because you use "z" for "s".

  10. Modern compiler protective measures by khz6955 · · Score: 2, Insightful

    "Microsoft's Office suite for OS X, for example, is missing fundamental security settings .. despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default"...

    Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent. And nobody in his/her right mind would connect industrial control systems directly to the Internet.

    1. Re:Modern compiler protective measures by Desler · · Score: 3, Informative

      Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent

      The hell are you talking about? Intel chips have had MMUs for 30 years now.

    2. Re:Modern compiler protective measures by Anonymous Coward · · Score: 5, Informative

      > And nobody in his/her right mind would connect industrial control systems directly to the Internet.

      I used to work in the oil & gas industry (I'm retired now).

      We used to deal with a lot of eccentric PLCs and other control systems.

      A lot of the earlier equipment would just work. Sure, you had to program it using some ancient software package running under pure DOS mode with an equally antiquated laptop, but once you'd done that all you had to do was feed them power and away they'd go.

      Then they started including protection systems in the PLCs. I could never figure out why, it just made them all a huge pain in the ass to deal with. I guess it had to do with regulations (since some of that equipment could, conceivably, be used for very nefarious purposes if it landed up on the black market), but it always seemed to me like it had more to do with eliminating the second hand market and ensuring vendor lock-in.

      Sometimes it was just a hardware FOB located somewhere on the controller in a proprietary port. Sometimes it was a literal 3.5" floppy drive built straight into the unit itself, sometimes it was a floppy drive that you had to connect temporarily to load up the licensing information off a disk. Sometimes you could "activate" the unit over whatever port you were using to program the thing (sometimes RS-232, sometimes RS-485, sometimes 10BASE-T Ethernet, etc). For the most part, it was all offline, while there were a few systems that required online connectivity you really just had to download a bunch of files to a computer somewhere, then hook that computer up to the PLC and let the software work its magic.

      Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.

      I'll never forget the day I was doing field work up in Northern Alberta at a huge oil production facility, and someone forgot to pre-activate the PLCs we were working with at the time. Of course everyone was on a tight deadline and the hardware had to be operational NOW, not tomorrow or the day after, and the PLCs were already installed and wired up in the control cabinets, so we couldn't just yank them out and take them up to the control office and plug them into the internet. We landed up stringing together god knows how many spare CAT5 cables, couplers, and hubs to form a temporary 200m line that ran all the way across the facility floor, through several doorways, up and down at least three stairwells, and into the office where they actually had internet. And even then, the fucking PLC wouldn't activate because the firewall rules were set up for default-deny-all, and nobody could figure out what the hell the thing wanted before it'd activate, so we found someone fairly high up that was desperate enough to basically say "turn around, you don't wanna see this" and plug the thing straight into the modem for a few minutes.

      Of course, the likelihood of that system getting pwned at that exact moment was pretty much a statistical impossibility, but still. From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet, and if that connection fails then your licenses will invalidate and everything will grind to a halt.

      But... yeah. That's one way critical systems can land up connected to the internet.

    3. Re:Modern compiler protective measures by phantomfive · · Score: 2

      Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.

      They should be publicly shamed and plastered against the wall.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Modern compiler protective measures by Tom · · Score: 2

      And nobody in his/her right mind would connect industrial control systems directly to the Internet.

      aka "someone is sure to do exactly that"

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Modern compiler protective measures by arglebargle_xiv · · Score: 0

      Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent.

      UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT Information is ENCOURAGED.

    6. Re:Modern compiler protective measures by arglebargle_xiv · · Score: 0

      From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet,

      Pet feeders, for example.

    7. Re:Modern compiler protective measures by Anonymous Coward · · Score: 0

      Your Mom swallows Semen disseminated from Sailors.

    8. Re:Modern compiler protective measures by Anonymous Coward · · Score: 0

      > Of course, the likelihood of that system getting pwned at that exact moment was pretty much a statistical likelihood

      Fixed That For You.

      I've seen the "for futz sake, just connect it to the interweb and get it working" approach. Unfortunately, there are a *lot* of script kiddies out there. Most are incompetent, but they buy/beg/borrow/steal copies of pretty effective tools. And they are *always* scanning for vulnerabilities.

    9. Re:Modern compiler protective measures by Antique+Geekmeister · · Score: 1

      > And nobody in his/her right mind would connect industrial control systems directly to the Internet.

      The designer of an industrial system usually has _no_ control over how remote sites configure their local networks. None.

      Many admins, and their supervisors, insist on dynamic monitoring of equipment to report its status. The investment in time, energy, and even network hardware to provide better protected network access to that equipment is a real expense which they often choose not to pay. If they think about it in a conscious way, they think "my need to monitor or control this equipment at need is more important than maintaining a fragile and resource costly secured access to this and the other equipment we have to deal with".

      I must also admit that this is a reason the Internet Of Things is dangerous, and I'm grateful that NAT based access has been used so effectively to extend the lifespan of IPv4. The forced switch to NAT for IPv4 users has enforced a basic defense for most environments against casual network scanning.

    10. Re:Modern compiler protective measures by steveb3210 · · Score: 1

      A firewall would do just as well as NAT without the overhead of NAT

    11. Re:Modern compiler protective measures by khz6955 · · Score: 3, Informative

      @Desler: "The hell are you talking about? Intel chips have had MMUs for 30 years now."

      Yeah, and for 30 years now the Intel MMU has been unable to reliably isolate user processes or at least tell the difference between code and data.

    12. Re:Modern compiler protective measures by Antique+Geekmeister · · Score: 2

      I must say, from long experience, that maintaining a pure firewall does _not_ do as well as NAT. The network overhead of NAT is unnoticeable with even the most modest household modems and routers of the last few decades. Maintaining even a modest firewall is often fragile, vulnerable to profound configuration errors, and likely to cut off expected services at the most inopportune moments. This is compounded by the genuinely awful interfaces and management tools for many firewalls. Simply activating NAT is so vastly simpler and reduces the attack surface so profoundly that it leaves time and money to do more effective internal firewalls, configured as desired, that I find myself alarmed at _any_ environment that insists on putting all its devices on publicly routable IP addresses and relying on correct and consistent configuration of firewalls to protect those systems.

    13. Re:Modern compiler protective measures by Anonymous Coward · · Score: 0

      I did an installation at a Big Three facility, and they required a hard coded connection to their main servers hundreds of miles away just to be able to run. Because corporate required the ability to monitor production. I left a bypass mode in for such idiocy.

    14. Re:Modern compiler protective measures by Jeremi · · Score: 1

      A firewall would do just as well as NAT without the overhead of NAT

      ... but only if it was actually installed, which I believe is the parent poster's point. Because NAT has become largely necessary for IPv4 access, people have a motivation to install and use it. (People should be motivated by security concerns as well, of course, but all too often they are not, because good security isn't necessary to get the system working ASAP, and sometimes gets in the way of getting the system working)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    15. Re:Modern compiler protective measures by steveb3210 · · Score: 1

      People didn't choose NAT - it just came with whatever home router they bought and that's just how the world works for them. If NAT hadn't been needed, I think the world would have evolved perfectly fine with home routers that came with a proper default firewall without the need for NAT.

  11. Code security? by Anonymous Coward · · Score: 0

    It is all secure until you network it. What does code security help if your entire network is a US Government spy trap?

    All over you see them posting stories about how so and so MP in bumfuck wants to ban encryption or allow back doors.

    You people pay attention to the wrong shit.

  12. Mudge - famed hacker by phantomfive · · Score: 1

    Best part of Mudge's Wikipedia page is where it describes L0pht as a "hacker think tank." rotfl way to sell yourself.

    --
    "First they came for the slanderers and i said nothing."
  13. Yay for transparent marketeering offensives by Anonymous Coward · · Score: 0

    And then there's the wife, "former NSA mathematician". As long as Snowden isn't pardoned, in writing, any such "former"-ity is to be taken as a front.

    DARPA funded? Sure. There's times when DARPA funding is okay, but as soon as we're talking "cyber", which we are as soon as "hacker" s'kiddies pop up, we're really talking NSA again. So either this is a convenient pork barrelling exercise, or a front. I'm betting on "both". Two people, see? Hah, no, but it's still both, yeah. It even fits as a mender for the contemporary perception of NSA having taken a bunch of blows by dint of having several of their schemes blow right up in their faces, and this here initiative is "cyber" and "security" and isn't involving the tainted crypto that they diddled until it blew up.

    So this is a lullaby for the masses: "We're not so bad, see? We support grass-roots initiatives!" All in all it's a rather clumsy "hearts and minds" offensive, that likely will work too, because the general populace is indeed gullible like that. Most of the geeks fancying themselves up-to-date and web-two-dot-oh and all that are as gullible, if not more so. In fact, the entire current new new /. editorship is gullible like that. Just look at the frequency with which they insist on posting "hacker" s'kiddie stories and other breathless crap. Case in point, on the front page, right below and right above this very story.

  14. helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 1

    This is all well and good, but it doesn't really solve the problem. The most severe problem is that conventional C/C++ programming is inherently prone to critical memory access vulnerabilities. And while code analysis tools can help, they don't (and cannot) correctly identify all such memory access bugs. But since the advent of C++11, it is actually possible and practical to substitute C++'s unsafe elements (i.e. pointers, references, arrays, ...) with compatible, (memory) safe replacements, thus eliminating any possibility of invalid memory access. One (nascent) implementation of such replacements is the SaferCPlusPlus library (http://duneroadrunner.github.io/SaferCPlusPlus/). (Note, shameless plug.) The performance cost is quite modest and anyway, imo well worth it given the security costs we're paying now.

    1. Re:helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 1

      > The most severe problem is that programming is inherently prone to access vulnerabilities.

      Fixed That For You

      > But since the advent of C++11, it is actually possible and practical to substitute C++'s well known and stable elements (i.e. pointers, references, arrays, ...) with complex, untestable abstractions vulnerable to compiler specific and destabilizing re-interpretation of what the source code actually said..

      Fixed That For You, Too.

    2. Re:helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 0

      The problem with browsers, is having a massive attack surface, and various ways that the APIs can be punched through or reveal too much information.

    3. Re:helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 0

      ] > The most severe problem is that programming is inherently prone to access vulnerabilities.
      ]
      ] Fixed That For You

      Remote code execution (https://en.wikipedia.org/wiki/Arbitrary_code_execution) exploits require the program to have an "invalid memory access" bug. There are, of course, many other types of severe vulnerabilities, but if your program never accesses invalid memory, then it is not vulnerable to "remote code execution" exploits. Right?

      And remote code execution exploits are particularly severe. That's why most of the mitigation techniques these guys are addressing, like ASLR and "no execute" designations, are designed specifically to make exploiting remote code execution vulnerabilities more difficult (or at least tedious).

      ] > But since the advent of C++11, it is actually possible and practical to substitute C++'s well known and stable elements (i.e. pointers, references, arrays, ...) with complex, untestable abstractions vulnerable to compiler specific and destabilizing re-interpretation of what the source code actually said..
      ]
      ] Fixed That For You, Too.

      I agree with you here, and that's what makes this library different (and why it couldn't be implemented before C++11). The library is not about adding abstractions or "reinterpreting" conventional C/C++ code. It is a collection of direct, (largely) compatible drop-in replacements for existing "unsafe" C/C++ elements. Making existing C/C++ code safer using the library should be a glorified "search and replace" exercise.

      For example, the library contains a safe implementation of std::vector, with the exact same interface. Making your std::vectors memory safe literally just requires replacing any instance of "std::vector" with "mse::mstd::vector" and including the "msemstdvector.h" header file.

      By "safe" here, I mean it will throw an exception on any attempt to access invalid memory, either through the "[]" operator or through an iterator. (So at present this library does require exceptions to be enabled.)

      And hopefully you're not still using raw pointers, but if you are, code like

      auto string_pointer = new std::string("some text");

      becomes

      auto string_pointer = mse::registered_new("some text");

      or

      auto string_pointer = mse::rnew("some text");

      for short.

      Again, "string_pointer" will throw an exception on any attempt to access invalid memory. And it works even if "string_pointer" is (or was) pointing to an object declared on the stack.

      Unlike (the claims of) the Rust language, this library does have some run-time cost, but far less than, say, Java or C#. Plus, the library's safety features can be disabled with a compile directive, so it's easy to generate both a "fast and unsafe" executable as well as a "slightly less fast but memory safe" version.

    4. Re:helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 0

      Sorry, it should be

      auto string_pointer = mse::registered_new<std::string>("some text");

      and

      auto string_pointer = mse::rnew<std::string>("some text");

      Apparently slashdot interprets the template parameters as html tags.

    5. Re:helpful perhaps, but doesn't solve the problem by Anonymous Coward · · Score: 0

      Yeah, revealing too much information is bad, and I don't have a general solution for that. But "remote execution" vulnerabilities are generally worse. And I do have a general solution for those, regardless of the size of the attack surface. Namely the library in my original comment.

      Note that the metric referred to in the article seems to focus on "remote execution" mitigation techniques like ASLR and "no execute" flags. Perhaps because they also consider remote execution exploits to be the more pressing (and addressable) issue at the moment.

  15. Firefox ASLR by ameen.ross · · Score: 3, Informative

    Really? Firefox has no ASLR? So when did that regression happen, because it used to have it, even for binary components (addons), see: http://blog.kylehuey.com/post/...

    Or am I misunderstanding somehow?

    --
    $(echo cm0gLXJmIC8= | base64 --decode)
    1. Re:Firefox ASLR by Anonymous Coward · · Score: 2, Informative

      I can confirm that at least on Win7 Firefox uses ASLR. For example, Firefox.exe has an image base of 40 0000h but it's loaded at 10D 0000h. Similar story for some other modules I've checked.

      Maybe it's different on OS X though, because that is apparently the only platform this ‘famed hacker’ tested on. His main claim to fame, by the way, is boldly boasting he could bring down the entire internet in 30 minutes. Turns out that was an erm... slight exaggeration.

  16. Airbags? Anti-lock brakes? by Anonymous Coward · · Score: 0

    "are really the equivalent of airbags or anti-lock brakes [in cars]" No, in no way, function or form are they like that. This is a security expert you say?

    1. Re:Airbags? Anti-lock brakes? by gweihir · · Score: 1

      Does not sound like a security expert to me. More like somebody that wants to con people out of their money.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Test your own code for these features. by Anonymous Coward · · Score: 1

    There's a shell script that'll tell you what is and isn't compiled with these options on your own system.

    http://tk-blog.blogspot.com/2009/12/new-version-of-checksecsh.html

    Despite what the summary says, you actually have to explicitly tell the compiler to enable these security features, otherwise you don't get any of them.

    Compile with these options: -fPIE -D_FORTIFY_SOURCE=2 -fstack-protector-all

    Link with these options: -Wl,-z,relro,-z,now,-z,noexecstack -pie

    When compiling shared libraries, change "PIE" to "PIC" for some reason.
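    The checks a checksec-style script performs can be done directly on the ELF headers without any external tool. The following is an added example, not code from the thread, from the linked checksec.sh, or from Mudge's lab: it reads the ELF64 program headers and dynamic section to report whether a binary was linked as PIE (the -pie / -fPIE flags above, which is what lets ASLR randomise the main executable), whether the stack is non-executable (-z noexecstack), and whether RELRO is partial (-z relro) or full (-z relro plus -z now). A small constructed ELF image (headers only, not a runnable program) is built inline so the checks can be exercised offline; check_elf_file() runs the same checks on a real file path. Stack-protector and FORTIFY detection are deliberately left out: those need the symbol table, not just the headers.

```python
"""Header-only hardening checks for little-endian ELF64 binaries (added example)."""
import struct
import sys

ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3                       # ET_DYN is what a PIE executable is
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_elf(data):
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'}."""
    (ident, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 images are handled here")

    # No PT_GNU_STACK header at all means the loader may grant an executable
    # stack, so NX starts out False and is only set True by an explicit header.
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": "none"}
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = "partial"
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO additionally needs immediate binding (-z now), recorded in the
    # dynamic section as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    if result["relro"] == "partial" and bind_now:
        result["relro"] = "full"
    return result


def check_elf_file(path):
    """Run the checks on a binary on disk."""
    with open(path, "rb") as fh:
        return check_elf(fh.read())


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True):
    """Construct a header-only ELF64 image (a test fixture, not a real program)
    that exhibits the requested properties."""
    dyn_entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in dyn_entries)
    n_phdrs = 2 + (1 if relro else 0)
    dyn_off = EHDR.size + PHDR.size * n_phdrs     # dynamic section follows the phdrs

    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    phdrs.append(PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0,
                           len(dyn_blob), len(dyn_blob), 8))

    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_phdrs, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_blob


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_elf_file(sys.argv[1]))
    else:
        print("hardened fixture:", check_elf(build_sample_elf()))
        print("unhardened fixture:", check_elf(build_sample_elf(False, False, False, False)))
```

Run it with a path (python3 elfcheck.py /path/to/binary) to inspect a real build, or with no arguments to see the constructed hardened and unhardened fixtures side by side. A binary compiled and linked with the flags in the comment above should report pie=True, nx=True and relro='full'; dropping -pie flips pie to False, dropping -z noexecstack can leave the stack executable, and omitting -z now downgrades RELRO to 'partial'.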

  18. Fairly dismal community here by mspohr · · Score: 2

    I submitted this story since it looked like an interesting approach to a thorny problem of measuring and reporting on software security.
    I was hoping that someone would comment on this approach to grading software for potential vulnerabilities.

    At 50 comments now, nobody has posted a comment which addresses the topic of the article.
    Instead, we have a lot of people who are apparently jealous that someone is getting paid for providing a service.
    Other people have taken the opportunity to trash talk various operating systems, languages, hardware and software.
    Most benign (but still irrelevant) are war stories how some courageous, smart iconoclast overcame co-worker and institutional stupidity to save the day.
    And, of course, personal attacks.
    I guess this is a sign of the times. We have no discussion of substance, just flame wars.
    Make Slashdot great again!
    I really must find something (anything) better to do with my time.

    --
    I don't read your sig. Why are you reading mine?

    1. Re:Fairly dismal community here by gweihir · · Score: 1

      The metric is pretty worthless. It can identify extremely bad code, but that is it. It will however con people into thinking it is much better than that and as such do a disservice to software security. Yet another worthless metric that delivers a mostly meaningless number.

      The only way at this time to get a good assessment of code-quality is still having an experienced and capable expert look at it manually. Unless we get strong AI at some time (highly doubtful) that will very likely remain the only way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    2. Re:Fairly dismal community here by mspohr · · Score: 1

      It seems to me that it identifies code which uses unsafe programming practices (such as compilers without security settings set) and code which uses unsafe libraries. The code itself might be OK but the environment might be dangerous.
      For instance, they mentioned that the Windows version of MS Office uses the latest version of the compiler with security settings and is therefore scored highly but the OSX version uses an old "unsafe" compiler and scores poorly.
      I agree that the methodology has its limits but don't think it's "worthless". If you have a program which scores low on their scale, it's probably best to avoid it if possible. If you have a program which scores high then it's probably more secure (but not guaranteed secure). This metric has some value.
      There is no guarantee of bulletproof code but there are good programming practices which can lead to better code.
      I agree that the only current way to really be certain about code is to look at it manually but it seems that they are starting to put together an AI engine which over time could become more capable.

      --
      I don't read your sig. Why are you reading mine?

    3. Re:Fairly dismal community here by gweihir · · Score: 1

      Well, this is a judgment call. I personally find metrics that may give people a false sense of security a very bad thing. The thing here is that this is a decidedly "experts-only" metric because most people cannot interpret it. Metrics are however routinely used by non-experts (a.k.a. "managers") and that makes any kind of expert-only metric dangerous.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    4. Re:Fairly dismal community here by Anonymous Coward · · Score: 0

      So first of all, this is a great development for security in general and I appreciate the post. The current state of things is that it's obvious to almost everyone that security is a major problem that is woefully under-addressed, but as the article points out, for software developers, there are essentially no (near term) consequences for security shortcomings of any degree, and consequently, no incentive to prioritize security. Exploited vulnerabilities aren't usually discovered until well after the developers have gotten paid, and it's not like they have to return the money if an exploit occurs at some point in the future. The most practical solution is to try to evaluate the software quality with respect to security, before the developer gets paid.

      I would note that, from a developer's point of view, this metric, developed by a "hacker", seems to be heavily skewed toward a hacker's perspective. I mean, the impression that the article gives is that it focuses heavily on the presence of the latest (remote execution vulnerability) mitigation techniques (ASLR, "no execute", etc.). The analogy used is seat belts and air bags on a car. But I think for that analogy to be appropriate, the car would have to be a Tesla on autopilot while the driver's reading /. on his phone. I mean, air bags and crumple zones are important, but it would be way better if the autopilot just worked reliably. Similarly, these mitigation techniques are great, but it would be way better if the software just didn't have "invalid memory access" bugs. From a hacker's perspective, pretty much all sufficiently complex software seems to have remote execution vulnerabilities, so they might assume it's just inevitable. But from a developer's point of view, we know it's a choice. Remote execution vulnerabilities are essentially optional. They are the result of a security versus performance trade-off made by developers that almost always prioritize performance. Because performance is immediately measurable, while, up 'til now, security has not been.

      Specifically, essentially all remote execution vulnerabilities are a result of the (mis)use of unsafe C/C++ memory/object access elements. In particular, (unchecked) pointers, references and arrays. At this point we, the development community, could just stop using those unsafe elements (in favor of safe smart pointers and bounds checked arrays). But that would cost a little performance. Now to anyone with a little perspective, that modest performance cost would be well worth the improvement in security. Even a lot of developers might agree in principle. But like I said, up until now, they have had no direct incentive to sacrifice any performance whatsoever in the name of (unmeasurable) security.

      Note that Java and C# (which are (at least in theory) much safer) do exist for situations perceived to be less performance critical. And Rust (and D I guess) are coming along for performance critical situations. So some developers do value memory safety. But they seem to be a small minority in the world of internet infrastructure. As a developer, I think the metric should be adjusted to have a bigger incentive to avoid using C/C++'s unsafe elements, the source of the worst problems, instead of just handing out prizes for using the latest band-aids.

    5. Re: Fairly dismal community here by mspohr · · Score: 1

      I agree that many people will misunderstand the limitations of the metric (managers are a good example).
      However, it may help push good programming practice.

      --
      I don't read your sig. Why are you reading mine?

    6. Re: Fairly dismal community here by gweihir · · Score: 1

      I doubt it. Those that use good programming practices use them because they realize their worth. The others are a lost cause IMO.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. Gentoo by omkhar · · Score: 1

    An actual security reason to keep using Gentoo!

  20. WTF? by gweihir · · Score: 1

    First, I have never heard of this "famed" person and I have been in computer security research for quite a while. Second, what they describe is basically worthless: They can identify really, really, really bad code, but if it is better than that their metric is unusable.

    Sounds like a con to get attention and funding to me, nothing more, and they do harm by promoting yet another useless metric.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    1. Re:WTF? by ebvwfbw · · Score: 1

      What is quite a while? 5 years? That's really nothing, I go back 30 years. Maybe you're in the Windows world? Here, let me google that for you - http://lmgtfy.com/?q=mudge . If you don't know him, don't take it too hard. We can't know everything and everyone after all.

      Check out l0pht, etc. Stuff that was done about 20 years ago. I've met him, he's a really smart guy. Just look at his work with l0pht crack. If he's coming up with it I bet it's good.

  21. Office for Mac by JesseEnjaian · · Score: 1

    The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says

    hahah I went to undergrad with one of the developers. Good to know he hasn't been asked to update it since then. Seriously though, that's kind of the problem with the corporate form and fiduciary duty: companies will nicely box and sell a turd as a wholesome source of fiber if it's the only way they can figure out how to increase profit.

  22. effin by Anonymous Coward · · Score: 0

    rat

  23. High SPY STORY COUNT on Slashdot now. by Anonymous Coward · · Score: 0

    Everything is either NSA, CIA, FBI, hackers, Russia, or Pokemon GO.

    Smells like a skunk lived off fish for life and was attacked by a rottweiler.

  24. Microslop office by Anonymous Coward · · Score: 0

    ...You mean Microsoft Office is a bit rotted, bloated piece of ****?! Whoda thought.