Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com)
Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept:
"Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...
The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."
The nonprofit was funded with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union, and also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.
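The compile-time "airbags" the quotes refer to (ASLR via a position-independent main image, a non-executable stack, RELRO) are readable straight out of a binary's ELF headers. As an added example, not the lab's tooling and not code from the article, here is a stand-alone checker that extracts those facts from ELF64 program headers and tallies them; it runs on two constructed in-memory images rather than real binaries.

```python
"""Read compile/link-time hardening facts out of an ELF64 image (stdlib only).
Constructed sample images are built inline so the script runs offline."""
import struct

PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3


def parse_elf64(data: bytes) -> dict:
    """Return the hardening-relevant facts from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]          # (p_type, p_flags) pairs
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    return {
        # An ET_DYN main executable is PIE: the loader can randomize its base (ASLR).
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK entry historically meant an executable stack on Linux,
        # so only an explicit entry without PF_X counts as NX.
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
        # PT_GNU_RELRO marks pages (GOT etc.) made read-only after relocation.
        "relro": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
    }


def score(facts: dict) -> int:
    """Count how many of the three protections are present (0..3)."""
    return sum(facts.values())


def make_sample(e_type: int, phdrs: list) -> bytes:
    """Build a minimal ELF64 image: header plus program headers only (constructed)."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a hardened PIE build and a legacy build with an executable stack.
HARDENED = make_sample(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W),
                                (PT_GNU_RELRO, PF_R)])
LEGACY = make_sample(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        facts = parse_elf64(image)
        print(f"{name}: {facts} -> {score(facts)}/3")
```

Point `parse_elf64` at `open(path, "rb").read()` to inspect a real binary; readelf -l shows the same GNU_STACK and GNU_RELRO entries for cross-checking.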
Security is only as good as the underlying Operating System and Memory Management Unit, which is to say, in the case of Microsoft Windows running on Intel hardware, non-existent.
The hell are you talking about? Intel chips have had MMUs for 30 years now.
> And nobody in his/her right mind would connect industrial control systems directly to the Internet.
I used to work in the oil & gas industry (I'm retired now).
We used to deal with a lot of eccentric PLCs and other control systems.
A lot of the earlier equipment would just work. Sure, you had to program it using some ancient software package running under pure DOS mode with an equally antiquated laptop, but once you'd done that all you had to do was feed them power and away they'd go.
Then they started including protection systems in the PLCs. I could never figure out why, it just made them all a huge pain in the ass to deal with. I guess it had to do with regulations (since some of that equipment could, conceivably, be used for very nefarious purposes if it landed up on the black market), but it always seemed to me like it had more to do with eliminating the second hand market and ensuring vendor lock-in.
Sometimes it was just a hardware fob located somewhere on the controller in a proprietary port. Sometimes it was a literal 3.5" floppy drive built straight into the unit itself, sometimes it was a floppy drive that you had to connect temporarily to load up the licensing information off a disk. Sometimes you could "activate" the unit over whatever port you were using to program the thing (sometimes RS-232, sometimes RS-485, sometimes 10BASE-T Ethernet, etc.). For the most part, it was all offline; while there were a few systems that required online connectivity, you really just had to download a bunch of files to a computer somewhere, then hook that computer up to the PLC and let the software work its magic.
Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.
I'll never forget the day I was doing field work up in Northern Alberta at a huge oil production facility, and someone forgot to pre-activate the PLCs we were working with at the time. Of course everyone was on a tight deadline and the hardware had to be operational NOW, not tomorrow or the day after, and the PLCs were already installed and wired up in the control cabinets, so we couldn't just yank them out and take them up to the control office and plug them into the internet. We landed up stringing together god knows how many spare CAT5 cables, couplers, and hubs to form a temporary 200m line that ran all the way across the facility floor, through several doorways, up and down at least three stairwells, and into the office where they actually had internet. And even then, the fucking PLC wouldn't activate because the firewall rules were set up for default-deny-all, and nobody could figure out what the hell the thing wanted before it'd activate, so we found someone fairly high up that was desperate enough to basically say "turn around, you don't wanna see this" and plug the thing straight into the modem for a few minutes.
Of course, the likelihood of that system getting pwned at that exact moment was pretty much a statistical impossibility, but still. From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet, and if that connection fails then your licenses will invalidate and everything will grind to a halt.
But... yeah. That's one way critical systems can land up connected to the internet.
Really? Firefox has no ASLR? So when did that regression happen, because it used to have it, even for binary components (addons), see: http://blog.kylehuey.com/post/...
Or am I misunderstanding somehow?
@Desler: "The hell are you talking about? Intel chips have had MMUs for 30 years now."
Yeah, and for 30 years now the Intel MMU has been unable to reliably isolate user processes or at least tell the difference between code and data.