DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
Misleading Title (Score:4, Insightful)
Re:Misleading Title (Score:5, Insightful)
Re:Misleading Title (Score:5, Insightful)
I think that most people would agree that if the program can be *easily* removed from the underlying OS, it's not part of the OS itself. Therefore I would not consider notepad.exe part of the OS, however I would consider explorer.exe (even though it is a separate application).
If you don't agree, it's okay, but that's how I think of it.
Re:Misleading Title (Score:3, Funny)
Windows tries pretty hard to keep you from doing so.
Re:Misleading Title (Score:3, Insightful)
Yes, most people would. And that's why the title says *nix Software rather than *nix OS's. I don't know anybody who defines "software" as meaning "something that is part of an OS". The title isn't misleading at all. In fact, it makes it explicit that we are discussing software for *nix rather than the OS itself.
Re:Misleading Title (Score:5, Insightful)
Ahh, this is such stuff that pointless flamewars are made on.
Cheers
Stor
Re:Misleading Title (Score:5, Funny)
No it isn't, you moron!
Re:Misleading Title (Score:3, Insightful)
Re:Misleading Title (Score:4, Insightful)
or better yet, since it sounds as if this is an assignment due at the end of the semester, dive into some code, write up a few paragraphs on what you *think* is a security flaw, and submit it.
heck, i think the instructor should give credit for explaining 10 good code examples of secure routines.
Re:Misleading Title (Score:4, Informative)
Re:Misleading Title (Score:4, Informative)
BSD Sockets (Winsock on Win32). Ever noticed that socket programming on UNIX and Win32 are extremely similar? Not a coincidence.
Re:Misleading Title (Score:4, Informative)
Re:Misleading Title (Score:5, Informative)
Wikipedia has a nice entry [wikipedia.org] that is consistent with everything I learned there as an intern a while back. After I left there were many rumors that NT took BSD's better performing TCP stack, but unless someone who knows ever tells the story, it's still just a rumor. What is true though is that they use some ancient utilities ported from BSD, such as the command-line ftp.
Re:Misleading Title (Score:4, Interesting)
Someone once told me to increment each letter in VMS to get WNT. Kind of like the IBM --> HAL.
Re:Misleading Title (Score:3, Insightful)
Re:Misleading Title (Score:5, Informative)
James Longstreet and Tom Indelli, two students in my Fall 2004 UNIX Security Holes course, have discovered a remotely exploitable security hole in bsb2ppm, a program to convert BSB image files to PPM image files. I'm publishing this notice, but all the discovery credits should be assigned to Longstreet and Indelli.
Re:Misleading "Exploits" (Was Re:Misleading Title) (Score:5, Insightful)
A video player, say, should be completely immune to bad input. It should not be possible to craft an input file that causes my video player to delete files or anything like that.
There is a very limited class of data (scripts, executables) that need to be "dangerous". Viewing a jpeg, even a jpeg hand-crafted by Dr. Evil, should never have the ability to do anything bad [well, OK, seeing the goatse guy is bad, but you know what I mean].
Don't just take this lying down, IMO (Score:5, Interesting)
As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and its standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.
I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.
It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.
Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Agreed, many profs are abusive (Score:3, Interesting)
The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the fac
Re:Agreed, many profs are abusive (Score:3, Funny)
This is false.
We sleep with our students because they're just so damn sexy in their cute little spring wardrobes.
(I'm joking, I'm joking; stop slapping me with that trout already!)
Re:Agreed, many profs are abusive (Score:3, Funny)
The scary thing is, you're a kindergarten teacher!
Re:Good idea? (Score:5, Informative)
We're not blaming DJB for our failure. He told us we would fail if we didn't find 10 unique holes. We didn't find 10 holes, so we failed. It's not hard to understand. DJB is not the guy that goes back on his word. He tells you what he means and sticks with it. That's something to respect. (Same with all the DJB-isms [wikipedia.org]. Nothing wrong with saying what you mean and being confident in those statements.)
We're upset about failing, but that's life. It's the hardest CS course at the University (and this is my first semester in college), so it's expected. I know more about C, computer internals, and security than most professionals now, so I'm not too sad
Re:Good idea? (Score:5, Insightful)
You also know more about IT management, unrealistic goals, undeserved punishment, and PHBs [wikipedia.org] than most professionals now. I don't know whether to rejoice in your hard-won jumpstart on corporate wisdom or mourn the inevitable early onset of cynicism.
Re:Good idea? (Score:4, Funny)
Of course you failed. Obviously, half of you were supposed to rapidly deploy buggy software via sourceforge while the other half "fixed" the problems. Or don't you know more about Dilbert than us professionals? :)
Re:Good idea? (Score:5, Insightful)
Welcome to astronomy 101, 60% of your grade will depend on finding 10 new planets in our solar system
"and security than most professionals now,"
I have my doubts.
pollics. (Score:4, Interesting)
How about "file system becomes damaged if power is unplugged" (DOS attack when running without UPS).
Re:Good idea? (Score:4, Insightful)
Well, then perhaps you do deserve to fail. He's the one doing the grading, and he's the person responsible for giving you an assignment where success is based as much on luck as on technical prowess.
He tells you what he means and sticks with it. That's something to respect.
This is called begging the question. Why, exactly, is this something to respect?
"Hey, I'm going to kill you if you don't give me your money."
"Well, I don't have any money."
"Sorry, gotta kill you."
"That's cool. I totally respect that."
Perhaps if you didn't idolize him as much, you might realize the practical consequences of a failing grade for your GPA, and potential employment future. But at least you got to learn from a kick-ass prof, right? Or rather, an ass-kicking prof.
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Re:Don't just take this lying down, IMO (Score:4, Insightful)
1) Make wildly overstated demands.
2) Watch 1/3 of students abandon class.
3) Hold class
4) Back off on demands and grade fairly.
(Sorry, this is academia. No profit involved.)
Re:I can see it now... (Score:3, Insightful)
Re:Don't just take this lying down, IMO (Score:5, Insightful)
1. This is the first term this class has been taught.
2. Nobody did well with the homework if the entire class of 25 students only found 44 holes.
3. Even those who were among the best students in the class, getting A's on all the exams, only found 2-3 holes.
Therefore the grades should be assigned to fit a bell curve based mainly on test scores and minimizing points earned for the homework.
Re:Don't just take this lying down, IMO (Score:3, Funny)
fwiw this was obviously djb trying to get his students to dig up ammo for him to go on another one of his public penis-waving tantrums, acting all smug and high and mighty again (oh lookit me i wrote qmail and its all uber secure, and wooo lookit all the MISERABLE LAMERS WRITING SHIT CODE!!1!!111!)
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Same rules apply for universities, as the army, private industry, etc.
Re:Don't just take this lying down, IMO (Score:3, Insightful)
"follow the chain of command..."
"the *political* office..."
John Sheridan knew his stuff alright; it sure is one way to start a civil war! (sort of)
Re:Don't just take this lying down, IMO (Score:5, Interesting)
That's cute. His code may not have any bugs in it, but damn, does it ever have some huge logical flaws.
Qmail has the lovely lack of ability to reject e-mail while the SMTP connection is still active. What it does instead is it creates and sends a bounce message itself, instead of leaving that up to the sending server. What happens when you do this is you allow spammers to send e-mail to recipients in the To: line instead of the From: line, just by putting in a bogus To: line and putting the real recipient in the From: line.
There's a patch for this, but it involves setting up a list of e-mail addresses that are allowed to be accepted. Once you have several thousand e-mail addresses all over the place courtesy of Vpopmail, this becomes an impossible task.
So no, this man isn't a perfect programmer.
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Re:Don't just take this lying down, IMO (Score:5, Funny)
Re:Don't just take this lying down, IMO (Score:3, Funny)
For 1 city, you're already done.
For 2 cities, you start in one and go to the other.
For three cities, you find the two cities furthest from each other, travel from one of them to the middle city and then to the far city.
Obviously it's no more complex for (any-value-of-N) cities.
Re:Don't just take this lying down, IMO (Score:4, Funny)
Re:Don't just take this lying down, IMO (Score:4, Insightful)
No, no, and hell no. As a student, you are a student. Leave your stupid consumer victimization routine in suburbia, where it belongs. Don't try to bring that crap to academia.
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Re:Don't just take this lying down, IMO (Score:3, Funny)
Wait, too late.
Re:Don't just take this lying down, IMO (Score:3, Interesting)
Actually, you're both right.
You're not paying for an education. You're paying for the opportunity to be educated. A part of that is the understanding that assessments of your progress (grades) are done fairly. Another part of that is the necessity that the professor actually show up to teach.
Re:Don't just take this lying down, IMO (Score:3, Insightful)
Frankly, I think you're jumping the gun here. Ten is a nice round figure and one that suggests that it mig
Re:Don't just take this lying down, IMO (Score:5, Insightful)
Frankly, I think you're jumping the gun here...
I didn't jump the gun, I provided a qualified statement. You know, "if he does this then you should do this".
Now, let me provide another statement which may or may not apply to this specific case (since we haven't seen grades yet): Any time an entire class fails, it is on the professor's shoulders. Since we assume that the people in the class are both mentally competent and reasonably intelligent based on the fact that they're in college, and excepting odd situations (a 1 or 2 person class, for instance), a near-100% failure rate can only be one of three things:
1. The professor has created a class which cannot be successfully completed given the time constraints and the level of the students.
2. The professor has completely failed to impart his knowledge to the students.
3. The professor has based the grades on items which do not accurately reflect what was taught in the class.
Implying that a professor who fails all or nearly all of a given class has competently done his/her job is nonsense. It's not "part of the learning experience", it's a professional failure on the part of the professor and needs to be treated as such. In any event, when this sort of extraordinary event occurs, the University itself is responsible for allowing that failure to occur.
Re:Don't just take this lying down, IMO (Score:4, Informative)
Are you implying, for example, that all 25 students in a graduate course entitled 'Unix Security Holes' were either incompetent or didn't even make an effort at completing the course? Are you implying that in most cases where an entire class fails---with an F, not a C---that it is because every student either slacked off or was incompetent? I won't rule out that possibility, but I think it's very unlikely that in any given class, there isn't anyone who isn't both intelligent and hard-working enough to at least get a D in the class. Do you have reason to believe otherwise?
Re:Don't just take this lying down, IMO (Score:5, Insightful)
That's different, and it's still bad because that reflects poorly on the professor. If you were a university, would you want to hire a professor of astronomy who couldn't teach people the basics (for whatever reason)?
What most of these posts are saying is that this professor did not grade these students on a reasonable test of their skills. It's kind of like a professor of Art History requiring students to discover a previously undiscovered Picasso. Sure, some may exist in people's basements or garage sales, and sometimes a new piece of art from an expired artist shows up on the auction block from a previously unknown collector of rare things, but would you consider it fair to flunk art students who could not find a new Picasso? How would you rate such a find, grade-wise?
Re:Don't just take this lying down, IMO (Score:4, Insightful)
I actually had a class like that, expected to fail but passed because I actually did a lot of work on the problem and it showed. This may be one of those cases. Remember, research is about trying your best but still failing, actually most of the time.
Crash.... (Score:3, Interesting)
If I could have crafted an exploit for the crashes then that would be 4 holes.
All the students needed to do was look at the current/recent bugs list for a version of software.
Identify bugs that could possibly be exploited. (say maybe 100)
Run automated buffer/stack exploit checking software against those bugs.
hope to get 10 criticals.
Khtml's probably a good choice for exploiting at
Re:It's just an assignment - Did you even go to un (Score:5, Informative)
Re:It's just an assignment - Did you even go to un (Score:5, Insightful)
Makes sense.
The requirements are to exploit 10 holes in unix software. Nowhere does it say that the unix software must come standard with any distros, and it doesn't say that you can't write it yourself.
Write a simple program with 10 holes in it, point them out, and boom you win.
We are talking about finding vulnerabilities and exploiting them aren't we? I'd get extra credit for finding and exploiting holes the class requirements.
Re:It's just an assignment - Did you even go to un (Score:5, Interesting)
One of them was: What is the orbital period of Saturn? (2 pts/100)
I started thinking about Bode's law and the possibility I could calculate it from an approximate radius I would get from that law... if I could remember it. But when you expect a 72% to be an A on a test, you have bigger fish to fry.
Then I got it. It was right, it should work, and no one would have to be nailed to anything.
I wrote: One Saturn-Year
I didn't get credit for it. A couple years later a sophomore was telling me about this funny question he had in the same class. He showed it to me. It read:
What is the orbital period of Saturn? (Do not put one Saturn-Year)
I was so right that it had to be guarded against. Yet those were 2 points I would never have.
Re:It's just an assignment - Did you even go to un (Score:4, Interesting)
Re:It's just an assignment - Did you even go to un (Score:5, Interesting)
Some time ago I received a call from a colleague. He was about to give a student a zero for his answer to a physics question, while the student claimed a perfect score. The instructor and the student agreed to an impartial arbiter, and I was selected.
I read the examination question: "Show how it is possible to determine the height of a tall building with the aid of a barometer." The student had answered: "Take the barometer to the top of the building, attach a long rope to it, lower it to the street, and then bring it up, measuring the length of the rope. The length of the rope is the height of the building."
The student really had a strong case for full credit since he had really answered the question completely and correctly! On the other hand, if full credit were given, it could well contribute to a high grade in his physics course and certify competence in physics, but the answer did not confirm this.
I suggested that the student have another try. I gave the student six minutes to answer the question with the warning that the answer should show some knowledge of physics. At the end of five minutes, he hadn't written anything. I asked if he wished to give up, but he said he had many answers to this problem; he was just thinking of the best one. I excused myself for interrupting him and asked him to please go on.
In the next minute, he dashed off his answer, which read: "Take the barometer to the top of the building and lean over the edge of the roof. Drop the barometer, timing its fall with a stopwatch. Then, using the formula x=0.5*a*t^2, calculate the height of the building." At this point, I asked my colleague if he would give up. He conceded, and gave the student almost full credit.
While leaving my colleague's office, I recalled that the student had said that he had other answers to the problem, so I asked him what they were.
"Well," said the student, "there are many ways of getting the height of a tall building with the aid of a barometer.
For example, you could take the barometer out on a sunny day and measure the height of the barometer, the length of its shadow, and the length of the shadow of the building, and by the use of simple proportion, determine the height of the building."
"Fine," I said, "and others?"
"Yes," said the student, "there is a very basic measurement method you will like. In this method, you take the barometer and begin to walk up the stairs. As you climb the stairs, you mark off the length of the barometer along the wall. You then count the number of marks, and this will give you the height of the building in barometer units." "A very direct method."
"Of course. If you want a more sophisticated method, you can tie the barometer to the end of a string, swing it as a pendulum, and determine the value of g [gravity] at the street level and at the top of the building. From the difference between the two values of g, the height of the building, in principle, can be calculated."
"On this same tack, you could take the barometer to the top of the building, attach a long rope to it, lower it to just above the street, and then swing it as a pendulum. You could then calculate the height of the building by the period of the precession".
"Finally," he concluded, "there are many other ways of solving the problem. Probably the best," he said, "is to take the barometer to the basement and knock on the superintendent's door. When the superintendent answers, you speak to him as follows: 'Mr. Superintendent, here is a fine barometer. If you will tell me the height of the building, I will give you this barometer."
At this point, I asked the student if he really did not know the conventional answer to this question. He admitted that he did, but said that he was fed up with high school and college instructors trying to teach him how to think.
The name of the studen
Re:It's just an assignment - Did you even go to un (Score:4, Interesting)
(delta P on the barometer will be so small that error in reading the difference will dominate the result)
Urban legend (Score:5, Informative)
Re:It's just an assignment - Did you even go to un (Score:5, Informative)
Not quite. From the first slide here's the credit specification (emphasis mine):
Presumably a toy program you write on your own doesn't count as "deployed UNIX software".
Clearing up ALL "it's just an assignment" posts: (Score:4, Informative)
Re:Don't just take this lying down, IMO (Score:5, Insightful)
All you need is one more hole... (Score:5, Funny)
All you need to do is find one more hole, this one in the campus records department, and exploit it for improving your grade. If you have an "A" average otherwise, another "A" will look right in place. It's the "D" average people suddenly getting "A"s and "B"s that draw suspicion.
and the moral is: (Score:3, Funny)
but we've all learned a valuable lesson: don't take a class taught by DJB
Fourth year: bird courses only please (Score:4, Insightful)
It's well known that every college grinds out the poor students in the first two years...if you've made it to fourth year, it's time to ladle up some gravy and bolster your GPA in time for grad school applications, resume bolstering, etc.
So the real moral is that the most intelligent students are the ones avoiding the course altogether. If you want to get an education in unix security holes, go read the OpenBSD mail archives.
Re:Fourth year: bird courses only please (Score:3, Insightful)
Re:Fourth year: bird courses only please (Score:3, Insightful)
There is a time for learning for learning's sake - retirement.
That's one way of looking at it, sure. But I think I'll learn for learning's sake my entire life, thank you very much. That way I wouldn't feel my life was a waste of time if I died at 64.
Better link (Score:3, Informative)
Hmm... (Score:4, Funny)
What? (Score:4, Insightful)
Re:What? (Score:4, Interesting)
And I agree with user 820979.
Where's the gumpf? (Score:5, Funny)
[ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]
[ Unable to print this part. ]
Comment removed (Score:3, Interesting)
ah, buffer overflows... (Score:4, Insightful)
I see the two specific items linked to are buffer overflow exploits. Anyone learning to program in C needs to have good buffer discipline beaten into their heads.
It's like wiping your butt after crapping - mandatory basic hygiene. If you can always remember to wipe your butt, you can always remember to watch your buffer lengths.
Re:ah, buffer overflows... (Score:5, Funny)
Well, there's the problem!
But you have already found 10 bugs!!! (Score:5, Funny)
Why take for granted that the number of bugs to be found was expressed in base-10? Why not base-2?
Re:But you have already found 10 bugs!!! (Score:4, Funny)
Most of the class failed? (Score:3, Insightful)
Define "failed." They failed to find holes? Or they failed the course?
I seriously doubt a prof would fail an A average student for not being able to find a hole for an assignment. Extra credit, maybe, but an F? I mean, WTF?
My thoughts. (Score:5, Insightful)
Evidence to support this belief:
1) Giving homework to "go out and find some exploits" doesn't teach you anything and has a very unpredictable "path to completion"; i.e., it's not like there's a "problem" to solve, per se. It's simply a matter of some students having gotten lucky whereas others failed.
2) "After 300 hours of work and an A average on the exams, I expect to fail the course." Either the student is overly-pessimistic (which is possible), or the prof has done very little to: (a) boost morale, reassure students, or instil confidence; or, (b) grade students appropriately for the effort that they've put in. I think that the truth always lies somewhere between the extremes
3) "In a class of 25, 44 security holes seems a bit low." I highly doubt this, but then again, it entirely depends. If you're trying to find a security hole in "telnet" or "finger", I think you'd be outta luck -- the average joe undergrad would be better off picking random numbers to win the lottery than to find holes in software that has been tried, tested, and true for years.
Alternatively, if you just go to http://freshmeat.net and find some little backward project coded by a grade 9 high school student -- well, yeah, I think that an exploit should be pretty straightforward. Which leads me to ask: What the fuck does this assignment actually prove/teach? (See point (1), above.)
Re:My thoughts. (Score:5, Insightful)
What's the deal? (Score:5, Insightful)
10 for each student? I doubt DJB himself could find 10 on his own inside of a semester.
In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course.
I guess the whispers I've been hearing about DJB being a complete asshole are true. It is always nice to have your academic future dictated by such people to your disadvantage, even though you may be a cut above the teacher himself. And in the meantime he will take credit for your work while simultaneously failing you. Thank you, sir, for reminding me why I dropped out of college.
Re:What's the deal? (Score:3, Interesting)
In this fashion, as is typical with academia, the professors take the credit for their students' grunt work. That is what I was getting at. I should have been more clear.
All the students will get is something to attach to their resume. Or will they? Af
Students didn't exploit the loophole (Score:5, Interesting)
Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?
Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.
If the majority of the class failed... (Score:5, Insightful)
Re:If the majority of the class failed... (Score:3, Funny)
Sounds like Fermi at University of Chicago (Score:4, Interesting)
The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep through class.
Re:Sounds like Fermi at University of Chicago (Score:5, Informative)
Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago.
This story is not likely.
Fermi only gave the quantum mechanics course once in 1954 [physicstoday.org] in the last year of his life. He was known as an outstanding teacher [iop.org], always willing to help students. His notes for the course were published in a book titled Notes on Quantum Mechanics [amazon.com] with additional material supplied by one of the students. None of the reviews I've found mention the story about all the students failing.
One of his colleagues writes [physicstoday.org]:
Mplayer and Xine new security releases (Score:3, Informative)
http://www.mplayerhq.hu/ [mplayerhq.hu]
"New xine-lib released. This version addresses multiple security vulnerabilities in the PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features"
http://xinehq.de/ [xinehq.de]
Re:Mplayer and Xine new security releases (Score:4, Interesting)
As one of the mplayer developers, I would like to thank DJB for giving us (hmm) 16 (?) hours before unleashing exploits in the wild.
Maybe he is not aware that making the right fix, testing it and finally releasing it is not such a simple task. Especially if we have to convince the person that has release (write) permissions that his girlfriend is not as important as the security release :)
Not to mention that I still haven't got the mail in my mailbox, despite the fact that gmane shows it has been received.
Also mplayer-dev-eng@mplayerhq.hu is the more appropriate mailing list to send security issues to. (MPlayer documentation will be updated accordingly.)
The exploit that was found in MPlayer is not alone. There are at least 2 other places with similar exploitable behaviour in the same file. I guess the students are keeping them for next semester.
BTW code originates from Xine, probably it is time to update our version ;)
10 types of people ... (Score:3, Funny)
"There are only 10 types of people in the world: Those who understand binary, and those who don't"
Fuzz testing (Score:5, Interesting)
The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)
The term "fuzz testing" comes from a seminal 1990 paper [wisc.edu] (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin [pacbell.net], a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar [sourceforge.net] for a while, but I don't know whether he still does.
Incidentally, this makes a certain recent Slashdot story [slashdot.org] more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.
Strange definition of 'remote exploit' (Score:3, Insightful)
Example: http://www2.uic.edu/~kkubic1/securesoftware/26.tx
Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in NASM. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.
The only way I'd call this a remote exploit would be if someone has written an apache module that takes some assembly code and returns an executable. I don't think that's a very common setup.
Baz
How can you fail with open source?? (Score:3, Funny)
2) Post forks of programs with extra bugs inserted.
3) Profit!
You see - there's a number 2 step, thanks to open source.
Duh! (Score:3, Funny)
Re:Most people will pass (Score:4, Funny)
Grading used the 'high tide' method. That is, a better score in one area of the course (exam, project, assignments) could override a poor score in another area. All at the instructor's judgement.
One student I knew got a C+ and discovered that he had roughly the same scores in each area as another student who got an A. That is, guy I knew had a poor exam, but awesome project. Someone else had nearly identical exam scores, and nearly the same (A) project.
So guy-I-knew approached Parnas, and asked why.
"Because I don't like you".
And that was the end of it.
Re:Most people will pass (Score:4, Insightful)
"Because I don't like you".
And that was the end of it.
I wonder why? Disliking someone is NOT a valid reason to assign low grades. Thinking their work is crap is a valid reason. That statement pretty much could have enabled the student to have his grade reevaluated by an outside observer. I would have complained to academic affairs. After all, if the professor already dislikes you, that bridge is already burned.
If the story is true, of course.
Re:Most people will pass (Score:3, Informative)
Re:Why? (Score:3, Insightful)
I don't. Your average security hole is exploitable under only very limited circumstances -- say, if a program is being run with privileges that the individual invoking it doesn't have.
Holes of that sort are extremely widespread (and part of the reason why marking programs that haven't been audited setuid is generally understood to be bad practice).
Varying levels of seriousness... (Score:4, Interesting)
Others are pretty implausible, for instance the jpegtoavi exploit [uic.edu], which requires the user to run the jpegtoavi program on a set of files provided by an attacker.
On my quick perusal, the nastiest holes seem to be the changepassword [uic.edu] hole, a local root exploit, and the two [uic.edu] holes [uic.edu] in cups, particularly the first one, which straightforwardly gets the attacker access to user "lp" where they can monitor everything that gets printed.
One thing that is a bit surprising and disappointing is that so many of these bugs are from well-known bad coding practices. Why the hell is *anyone* still using strcat in distributed software, for instance?
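Added example (my own C, not code from this thread or from any of the programs it names): the unbounded strcpy/strcat idiom complained about above, beside a bounded replacement that reports truncation instead of writing past the buffer, driven by the reproducible seeded-input approach from the "Fuzz testing" post earlier in the thread. The 32-byte buffer, the `.ppm` extension and the seed range are constructed for illustration.

```c
/* Unbounded vs. bounded string building, exercised with reproducible
 * seeded inputs (a fixed srand() seed stands in for a file of random data). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* constructed buffer size for the example */

/* The risky idiom: strcpy()/strcat() trust that dst has room for the
 * result. An input-controlled base name longer than the buffer writes
 * past its end. Shown for contrast only; never called on oversize input. */
void build_name_unsafe(char *dst, size_t dstsz, const char *base, const char *ext)
{
    (void)dstsz;                 /* the size is known here but never consulted */
    strcpy(dst, base);
    strcat(dst, ext);
}

/* Bounded version: the total length is checked against the capacity before
 * any byte is written, the result is always NUL-terminated, and an input
 * that does not fit is rejected (-1) rather than silently truncated. */
int build_name_safe(char *dst, size_t dstsz, const char *base, const char *ext)
{
    size_t blen = strlen(base), elen = strlen(ext);
    if (dstsz == 0)
        return -1;
    if (blen + elen + 1 > dstsz) {   /* +1 for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, base, blen);
    memcpy(dst + blen, ext, elen);
    dst[blen + elen] = '\0';
    return 0;
}

/* Reproducible pseudo-random input: the same seed yields the same base
 * name, so any failing case can be replayed from its seed alone. */
void make_input(unsigned seed, char *out, size_t maxlen)
{
    srand(seed);
    size_t len = (size_t)rand() % (maxlen + 1);
    for (size_t i = 0; i < len; i++)
        out[i] = (char)('a' + rand() % 26);
    out[len] = '\0';
}

/* Feeds the bounded builder inputs from seeds 1..rounds. Every accepted
 * result must fit the buffer and end in the extension; returns the number
 * of rejected (oversize) inputs, or -1 if that invariant is ever broken. */
int fuzz_safe_builder(unsigned rounds)
{
    char base[128], name[NAME_MAX_LEN];
    int rejected = 0;
    for (unsigned s = 1; s <= rounds; s++) {
        make_input(s, base, sizeof base - 1);
        if (build_name_safe(name, sizeof name, base, ".ppm") != 0) {
            rejected++;
            continue;
        }
        size_t n = strlen(name);
        if (n >= sizeof name || n < 4 || strcmp(name + n - 4, ".ppm") != 0)
            return -1;
    }
    return rejected;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    build_name_unsafe(name, sizeof name, "scan_chart_01", ".ppm"); /* fits: fine */
    printf("unsafe (well-formed input): %s\n", name);
    int rc = build_name_safe(name, sizeof name, "scan_chart_01", ".ppm");
    printf("safe: rc=%d name=%s\n", rc, name);
    /* 40-byte base + 4-byte extension cannot fit in 32 bytes: rejected, not overflowed */
    rc = build_name_safe(name, sizeof name,
                         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ".ppm");
    printf("safe: rc=%d (oversize input rejected)\n", rc);
    printf("fuzz: %d of 1000 seeded inputs rejected\n", fuzz_safe_builder(1000));
    return 0;
}
```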
Re:Well, that's surprising (Score:3, Insightful)
Let's say I receive a virus attached to an email, which I open with kmail.
First of all, I've got to save it to disk, mark it as executable, and run it. This alone makes it quite improbable.
Second, the virus actually has to start up, and Linux binaries don't necessarily work on other systems, unless statically linked.
Assuming it's statically linked, Linux systems are rather less standard than Windows on
Re:Modern education sunken to a new low (Score:5, Informative)
The exams and the homework were completely different. DJB should post the exams; there's lots of theoretical holes that we had to find for exams. It was very comprehensive, educational, and practical. It was a great course. (I too failed it, but grades and learning are not necessarily related. For the record I only missed points on exams because my exploit code wasn't C99-compliant
Re:Modern education sunken to a new low (Score:4, Insightful)