Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com)
Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept:
"Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...
The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."
The nonprofit was funded with $600,000 from DARPA, the Ford Foundation, and Consumers Union. Besides the build-time protections, its evaluation also looks at the number of external libraries called, the number of branches in a program, and the presence of high-complexity algorithms.
Too little space in the attic?
Exactly. $600K, and two people in a basement doing simple software assessments does not equal a non-profit. It amounts to a very lucrative and profitable government contract. I would even go so far as to venture the idea of laundering.
Former NSA, DARPA funding. "nonprofit" ... Yeah, and the moon is made of cheese.
I bet their house is a fucking mansion.
They've evaluated 12,000 programs, and they have to purchase the ones that don't have fully functional trial versions available. That isn't going to be cheap. I presume they've set up a decent lab, that could be $50K-$100K just in hardware. Then there's developer time, lawyers, the technical review board that looks at their static analysis methods...
If this effort improves the state of application security (or at least steers users away from products that aren't improved), I'd say $600,000 is a pittance to pay. Preventing just one SCADA compromise could save many times that amount of cash. I'm OK with my tax money going here.
Who cares about security on OS X? 10% of all desktop users I would imagine. And where did you get the idea they were only testing OS X applications? You seem to have invented that out of whole cloth.
Who hasn't?
"Microsoft's Office suite for OS X, for example, is missing fundamental security settings .. despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default"...
Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent. And nobody in his/her right mind would connect industrial control systems directly to the Internet.
But that's hard and stuff.
This a thousand times over.
I've had to change over to new toolchains quite a few times, and although most code keeps working, there's always the code written by That Guy and that code always breaks in a million different little ways at every perturbation. And a toolchain change tends to be the big perturbation that breaks all fragile code.
And that wouldn't be so bad, perhaps, if you just got a list of compiler errors so you could tell management that there's a hundred problem sites, so it's going to take nine months. No, when you fix one thing, another problem appears, you have no way to get a bound on it. And when you made it compile it turns out that some things have started to work differently in subtle ways, sometimes making the program crash, sometimes just making it do the wrong thing.
And as if that wasn't bad enough there's often politics involved. I've been in a situation where we were ordered by higher management to use a new tool, but That Guy wasn't on board and of course That Guy has a lot of clout in the organisation, otherwise he'd have been fired ages ago. So predictably, the new tool found lots of serious errors in code he was responsible for, some of which actually explained mysterious, hard-to-diagnose problems our clients had been having. But he wouldn't allow any fixes to ‘his’ code because of ‘muh code stability’. We talked to management but they, after letting the situation drag on and fester, eventually decided to... abandon the new tool! (And not fix any of the issues we found.)
Best part of Mudge's wikipedia page is where it describes L0pht as a "hacker think tank." rotfl way to sell yourself.
"First they came for the slanderers and I said nothing."
Yes, I agree that the costs are going to be huge - ESPECIALLY the lawyers. We all know who gets the lion's share.
I bet their house is a fucking mansion.
It's beyond that, it's practically a palace, room for over 300 people.
Why in the basement? Seems a bit suspicious to me.
His mom lives upstairs?
This is all well and good, but it doesn't really solve the problem. The most severe problem is that conventional C/C++ programming is inherently prone to critical memory access vulnerabilities. And while code analysis tools can help, they don't (and cannot) correctly identify all such memory access bugs. But since the advent of C++11, it is actually possible and practical to substitute C++'s unsafe elements (i.e. pointers, references, arrays, ...) with compatible, (memory) safe replacements, thus eliminating any possibility of invalid memory access. One (nascent) implementation of such replacements is the SaferCPlusPlus library (http://duneroadrunner.github.io/SaferCPlusPlus/). (Note, shameless plug.) The performance cost is quite modest and anyway, imo well worth it given the security costs we're paying now.
Really? Firefox has no ASLR? So when did that regression happen, because it used to have it, even for binary components (addons), see: http://blog.kylehuey.com/post/...
Or am I misunderstanding somehow?
$(echo cm0gLXJmIC8= | base64 --decode)
There's a shell script that'll tell you what is and isn't compiled with these options on your own system.
http://tk-blog.blogspot.com/2009/12/new-version-of-checksecsh.html
Despite what the summary says, you actually have to explicitly tell the compiler to enable these security features; otherwise you don't get any of them.
Compile with these options: -fPIE -D_FORTIFY_SOURCE=2 -fstack-protector-all
Link with these options: -Wl,-z,relro,-z,now,-z,noexecstack -pie
When compiling shared libraries, change "PIE" to "PIC" for some reason.
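The summary's point, and the checksec.sh comment above, is that ASLR (via PIE), the non-executable stack, RELRO, stack canaries and FORTIFY are properties of the build that are visible in the output binary. As an added example, not code from the article, from the Zatkos' lab, from checksec.sh or from any commenter, here is a small Python checker that reads those properties straight out of an ELF64 image's program headers and dynamic section, the same places readelf gets them from, together with a builder for constructed, header-only test images (no code, not runnable programs) so the checker can be exercised offline. Real files can be passed on the command line and go through check_file().

```python
"""Read compile-time hardening properties straight out of an ELF64 image.
Added example: a checksec.sh-style check using only the standard library."""
import struct
import sys

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")              # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                     # Elf64_Dyn  (16 bytes)

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _vaddr_to_off(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_off, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_off + (vaddr - p_vaddr)
    raise ValueError("address %#x is not file-backed" % vaddr)


def check_elf(blob):
    """Return the hardening properties of a little-endian ELF64 image as a dict."""
    ident, e_type, _, _, _, e_phoff, _, _, _, phentsize, phnum, *_ = ELF_HDR.unpack_from(blob, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    loads, dynamic, stack_flags, has_relro = [], None, None, False
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = PHDR.unpack_from(blob, e_phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
    tags, strtab = {}, b""
    if dynamic:
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], DYN.size):
            tag, val = DYN.unpack_from(blob, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
        if DT_STRTAB in tags and DT_STRSZ in tags:
            start = _vaddr_to_off(loads, tags[DT_STRTAB])
            strtab = blob[start:start + tags[DT_STRSZ]]
    names = strtab.split(b"\0")
    bind_now = bool(DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,   # only an ET_DYN image gets its base randomised by ASLR
        # No PT_GNU_STACK header at all means the kernel falls back to an executable stack.
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "canary": b"__stack_chk_fail" in names,   # same string-table heuristic checksec.sh uses
        "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names),
    }


def check_file(path):
    with open(path, "rb") as f:
        return check_elf(f.read())


def build_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True, fortify=True):
    """Constructed test fixture: a header-only ELF64 image (no code, not runnable) with the chosen properties."""
    imports = [b"printf"] + ([b"__stack_chk_fail"] if canary else []) + ([b"__memcpy_chk"] if fortify else [])
    strtab = b"\0" + b"".join(n + b"\0" for n in imports)
    phdrs = [PT_LOAD, PT_DYNAMIC, PT_GNU_STACK] + ([PT_GNU_RELRO] if relro else [])
    dyn = [(DT_STRTAB, 0), (DT_STRSZ, len(strtab))] + ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_off = ELF_HDR.size + PHDR.size * len(phdrs)
    dyn_size = DYN.size * len(dyn)
    str_off = dyn_off + dyn_size
    dyn[0] = (DT_STRTAB, str_off)   # a single PT_LOAD at vaddr 0, so vaddr == file offset
    total = str_off + len(strtab)
    out = bytearray(ELF_HDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC, 62, 1,
                                 0, ELF_HDR.size, 0, 0, ELF_HDR.size, PHDR.size, len(phdrs), 64, 0, 0))
    for t in phdrs:
        if t == PT_LOAD:
            out += PHDR.pack(t, PF_R | PF_W, 0, 0, 0, total, total, 0x1000)
        elif t == PT_DYNAMIC:
            out += PHDR.pack(t, PF_R | PF_W, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 8)
        elif t == PT_GNU_STACK:
            out += PHDR.pack(t, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)
        else:   # PT_GNU_RELRO covering the dynamic section
            out += PHDR.pack(t, PF_R, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 1)
    for tag, val in dyn:
        out += DYN.pack(tag, val)
    return bytes(out + strtab)


if __name__ == "__main__":
    for path in sys.argv[1:] or [None]:
        report = check_file(path) if path else check_elf(build_elf(pie=False, relro=False))
        print(path or "<constructed weak image>", report)
```

Two caveats a practitioner should keep in mind when grading real binaries with this. First, the canary and FORTIFY checks are the same string-table heuristics checksec.sh relies on: importing __stack_chk_fail proves the build had -fstack-protector enabled for at least one function, not that every function got a canary, and a statically linked binary has no dynamic string table at all, so it reads as unprotected here. Second, ET_DYN is also the type of every shared library, so "pie" means "relocatable image"; when you need to distinguish a PIE executable from a .so on a modern toolchain, look for DF_1_PIE in DT_FLAGS_1 or for a non-zero entry point.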
I submitted this story since it looked like an interesting approach to a thorny problem of measuring and reporting on software security.
I was hoping that someone would comment on this approach to grading software for potential vulnerabilities.
At 50 comments now, nobody has posted a comment which addresses the topic of the article.
Instead, we have a lot of people who are apparently jealous that someone is getting paid for providing a service.
Other people have taken the opportunity to trash talk various operating systems, languages, hardware and software.
Most benign (but still irrelevant) are war stories about how some courageous, smart iconoclast overcame co-worker and institutional stupidity to save the day.
And, of course, personal attacks.
I guess this is a sign of the times. We have no discussion of substance, just flame wars.
Make Slashdot great again!
I really must find something (anything) better to do with my time.
I don't read your sig. Why are you reading mine?
An actual security reason to keep using Gentoo!
First, I have never heard of this "famed" person and I have been in computer security research for quite a while. Second, what they describe is basically worthless: They can identify really, really, really bad code, but if it is better than that their metric is unusable.
Sounds like a con to get attention and funding to me, nothing more, and they do harm by promoting yet another useless metric.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Does not sound like a security expert to me. More like somebody that wants to con people out of their money.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says
hahah I went to undergrad with one of the developers. Good to know he hasn't been asked to update it since then. Seriously though, that's kind of the problem with the corporate form and fiduciary duty: companies will nicely box and sell a turd as a wholesome source of fiber if it's the only way they can figure out how to increase profit.
More expensive? Sure. Almost impossible? No.
I was always puzzled about the outrageous rates at which companies billed out software engineers. But when I got into consulting, I found out the hard way how important lawyers are. And then the larger the company gets, the more specialized people are needed. Contracting officers, accountants, site security, hardware, health insurance, unemployment insurance, taxes. All of those costs have to be covered by the revenue from products, services and billed-to-the-client staff. That made the hourly rates suddenly seem much less dazzling, and let me understand why I got such a small slice of them.