Slashdot Mirror


Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com)

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit received $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union. Beyond the compiler and linker settings, its scoring also looks at the number of external libraries called, the number of branches in a program, and the presence of high-complexity algorithms.
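The mitigations the summary names (ASLR, a non-executable stack) are recorded in a binary's headers, so whether a vendor "turned them on" can be read without the source code. The script below is an added example of that check and is not the lab's own tooling; it reads the ELF64 program headers (PIE via ET_DYN, NX stack via PT_GNU_STACK, RELRO via PT_GNU_RELRO) and the PE optional header's DllCharacteristics bits (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, HIGH_ENTROPY_VA, GUARD_CF). The `build_elf` and `build_pe` helpers emit constructed header-only images so the checks can be exercised offline; they are not valid programs, and real binaries can be passed on the command line instead.

```python
"""Static check of compile/link-time mitigations in ELF64 and PE binaries.

Added example, not the lab's tooling. The builders produce constructed
header-only images for offline testing; they are not runnable programs.
"""
import struct
import sys

# ELF64 layout (System V ABI) plus the GNU program-header extensions
ELF64_HDR = "<16sHHIQQQIHHHHHH"   # 64 bytes
ELF64_PHDR = "<IIQQQQQQ"          # 56 bytes
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

# PE optional-header DllCharacteristics bits (PE/COFF specification)
DLL_HIGH_ENTROPY_VA, DLL_DYNAMIC_BASE, DLL_NX_COMPAT, DLL_GUARD_CF = 0x20, 0x40, 0x100, 0x4000


def check_elf(data: bytes) -> dict:
    """Report PIE / NX-stack / RELRO from the ELF64 header and program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(ELF64_HDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # ET_DYN covers PIE executables and shared objects alike; ET_EXEC never gets ASLR
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack on x86
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        "relro": relro,
    }


def check_pe(data: bytes) -> dict:
    """Report ASLR / DEP / CFG opt-in bits and the preferred image base of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                                        # 4-byte signature + 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                                       # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:                                                    # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars, = struct.unpack_from("<H", data, opt + 70)    # same offset in PE32 and PE32+
    return {
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & DLL_HIGH_ENTROPY_VA),
        "nx": bool(dll_chars & DLL_NX_COMPAT),
        "cfg": bool(dll_chars & DLL_GUARD_CF),
        "image_base": image_base,
    }


def check_binary(data: bytes) -> dict:
    """Dispatch on the magic bytes."""
    if data[:4] == b"\x7fELF":
        return check_elf(data)
    if data[:2] == b"MZ":
        return check_pe(data)
    raise ValueError("unsupported format")


# --- constructed sample images (headers only; assumption: enough for the checks above) ---
def build_elf(pie: bool, stack_flags, relro: bool) -> bytes:
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:                              # None = omit PT_GNU_STACK entirely
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9             # ELF64, little-endian, version 1
    hdr = struct.pack(ELF64_HDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                      0x1000, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack(ELF64_PHDR, *p) for p in phdrs)


def build_pe(dll_chars: int, image_base: int = 0x400000) -> bytes:
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, no sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "elf-modern-toolchain": build_elf(True, PF_R | PF_W, True),
        "elf-old-toolchain": build_elf(False, PF_R | PF_W | PF_X, False),
        "pe-aslr-dep": build_pe(DLL_DYNAMIC_BASE | DLL_NX_COMPAT | DLL_HIGH_ENTROPY_VA),
        "pe-no-aslr": build_pe(0),
    }
    for path in sys.argv[1:]:                                # real binaries, if any were given
        with open(path, "rb") as f:
            samples[path] = f.read()
    for name, blob in samples.items():
        print(f"{name}: {check_binary(blob)}")
```

The ELF PIE test is deliberately coarse: ET_DYN is also what a shared library reports, so a scorer that wants to distinguish a PIE executable from a .so would additionally read DT_FLAGS_1 in the dynamic section. On the PE side, a set DYNAMIC_BASE bit is the static counterpart of seeing an executable loaded somewhere other than its preferred image base; a clear bit with a 0x400000 image base is what a non-ASLR build looks like.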


  1. Re:Yep by Anonymous Coward · · Score: 3, Insightful

    They've evaluated 12,000 programs, and they have to purchase the ones that don't have fully functional trial versions available. That isn't going to be cheap. I presume they've set up a decent lab, that could be $50K-$100K just in hardware. Then there's developer time, lawyers, the technical review board that looks at their static analysis methods...

    If this effort improves the state of application security (or at least steers users away from products that aren't improved), I'd say $600,000 is a pittance to pay. Preventing just one SCADA compromise could save many times that amount of cash. I'm OK with my tax money going here.

  2. Modern compiler protective measures by khz6955 · · Score: 2, Insightful

    "Microsoft's Office suite for OS X, for example, is missing fundamental security settings .. despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default"...

    Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent. And nobody in his/her right mind would connect industrial control systems directly to the Internet.

    1. Re:Modern compiler protective measures by Desler · · Score: 3, Informative

      Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent

      The hell are you talking about? Intel chips have had MMUs for 30 years now.

    2. Re:Modern compiler protective measures by Anonymous Coward · · Score: 5, Informative

      > And nobody in his/her right mind would connect industrial control systems directly to the Internet.

      I used to work in the oil & gas industry (I'm retired now).

      We used to deal with a lot of eccentric PLCs and other control systems.

      A lot of the earlier equipment would just work. Sure, you had to program it using some ancient software package running under pure DOS mode with an equally antiquated laptop, but once you'd done that all you had to do was feed them power and away they'd go.

      Then they started including protection systems in the PLCs. I could never figure out why, it just made them all a huge pain in the ass to deal with. I guess it had to do with regulations (since some of that equipment could, conceivably, be used for very nefarious purposes if it landed up on the black market), but it always seemed to me like it had more to do with eliminating the second hand market and ensuring vendor lock-in.

      Sometimes it was just a hardware FOB located somewhere on the controller in a proprietary port. Sometimes it was a literal 3.5" floppy drive built straight into the unit itself, sometimes it was a floppy drive that you had to connect temporarily to load up the licensing information off a disk. Sometimes you could "activate" the unit over whatever port you were using to program the thing (sometimes RS-232, sometimes RS-485, sometimes 10BASE-T Ethernet, etc.). For the most part, it was all offline; while there were a few systems that required online connectivity, you really just had to download a bunch of files to a computer somewhere, then hook that computer up to the PLC and let the software work its magic.

      Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.

      I'll never forget the day I was doing field work up in Northern Alberta at a huge oil production facility, and someone forgot to pre-activate the PLCs we were working with at the time. Of course everyone was on a tight deadline and the hardware had to be operational NOW, not tomorrow or the day after, and the PLCs were already installed and wired up in the control cabinets, so we couldn't just yank them out and take them up to the control office and plug them into the internet. We landed up stringing together god knows how many spare CAT5 cables, couplers, and hubs to form a temporary 200m line that ran all the way across the facility floor, through several doorways, up and down at least three stairwells, and into the office where they actually had internet. And even then, the fucking PLC wouldn't activate because the firewall rules were set up for default-deny-all, and nobody could figure out what the hell the thing wanted before it'd activate, so we found someone fairly high up that was desperate enough to basically say "turn around, you don't wanna see this" and plug the thing straight into the modem for a few minutes.

      Of course, the likelihood of that system getting pwned at that exact moment was pretty much a statistical impossibility, but still. From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet, and if that connection fails then your licenses will invalidate and everything will grind to a halt.

      But... yeah. That's one way critical systems can land up connected to the internet.

    3. Re:Modern compiler protective measures by phantomfive · · Score: 2

      Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.

      They should be publicly shamed and plastered against the wall.

      --
      "First they came for the slanderers and I said nothing."
    4. Re:Modern compiler protective measures by Tom · · Score: 2

      And nobody in his/her right mind would connect industrial control systems directly to the Internet.

      aka "someone is sure to do exactly that"

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re:Modern compiler protective measures by khz6955 · · Score: 3, Informative

      @Desler: "The hell are you talking about? Intel chips have had MMUs for 30 years now."

      Yea, and for 30 years now the Intel MMU has been unable to reliably isolate user processes or at least tell the difference between code and data.

    6. Re:Modern compiler protective measures by Antique+Geekmeister · · Score: 2

      I must say, from long experience, that maintaining a pure firewall does _not_ do as well as NAT. The network overhead of NAT is unnoticeable with even the most modest household modems and routers of the last few decades. Maintaining even a modest firewall is often fragile, vulnerable to profound configuration errors, and likely to cut off expected services at the most inopportune moments. This is compounded by the genuinely awful interfaces and management tools for many firewalls. Simply activating NAT is so vastly simpler, and reduces the attack surface so profoundly, that it leaves time and money to do more effective internal firewalls, configured as desired. I find myself alarmed at _any_ environment that insists on putting all its devices on publicly routable IP addresses and relying on correct and consistent configuration of firewalls to protect those systems.

  3. Re:Yep by arglebargle_xiv · · Score: 2

    I bet their house is a fucking mansion.

    It's beyond that, it's practically a palace, room for over 300 people.

  4. Firefox ASLR by ameen.ross · · Score: 3, Informative

    Really? Firefox has no ASLR? So when did that regression happen, because it used to have it, even for binary components (addons), see: http://blog.kylehuey.com/post/...

    Or am I misunderstanding somehow?

    --
    $(echo cm0gLXJmIC8= | base64 --decode)
    1. Re:Firefox ASLR by Anonymous Coward · · Score: 2, Informative

      I can confirm that at least on Win7 Firefox uses ASLR. For example, Firefox.exe has an image base of 40 0000h but it's loaded at 10D 0000h. Similar story for some other modules I've checked.

      Maybe it's different on OS X though, because that is apparently the only platform this ‘famed hacker’ tested on. His main claim to fame, by the way, is boldly boasting he could bring down the entire internet in 30 minutes. Turns out that was an erm... slight exaggeration.

  5. Fairly dismal community here by mspohr · · Score: 2

    I submitted this story since it looked like an interesting approach to a thorny problem of measuring and reporting on software security.
    I was hoping that someone would comment on this approach to grading software for potential vulnerabilities.

    At 50 comments now, nobody has posted a comment which addresses the topic of the article.
    Instead, we have a lot of people who are apparently jealous that someone is getting paid for providing a service.
    Other people have taken the opportunity to trash talk various operating systems, languages, hardware and software.
    Most benign (but still irrelevant) are war stories how some courageous, smart iconoclast overcame co-worker and institutional stupidity to save the day.
    And, of course, personal attacks.
    I guess this is a sign of the times. We have no discussion of substance, just flame wars.
    Make Slashdot great again!
    I really must find something (anything) better to do with my time.

    --
    I don't read your sig. Why are you reading mine?