DJB Announces 44 Security Holes In *nix Software
generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
Fail the course? (Score:1, Informative)
Better link (Score:3, Informative)
Re:It's just an assignment - Did you even go to un (Score:5, Informative)
Re:Were any of them *not* buffer overflows? (Score:2, Informative)
Clearing up ALL "it's just an assignment" posts: (Score:4, Informative)
Mplayer and Xine new security releases (Score:3, Informative)
http://www.mplayerhq.hu/ [mplayerhq.hu]
"New xine-lib released. This version addresses multiple security vulnerabilities in the PNM and Real RTSP clients. All users are advised to upgrade to 1-rc8. The release also includes several bug fixes and new features."
http://xinehq.de/ [xinehq.de]
Re:Misleading Title (Score:4, Informative)
Re:Misleading Title (Score:5, Informative)
James Longstreet and Tom Indelli, two students in my Fall 2004 UNIX Security Holes course, have discovered a remotely exploitable security hole in bsb2ppm, a program to convert BSB image files to PPM image files. I'm publishing this notice, but all the discovery credits should be assigned to Longstreet and Indelli.
Re:Misleading Title (Score:4, Informative)
BSD Sockets (Winsock on Win32). Ever noticed that socket programming on UNIX and Win32 are extremely similar? Not a coincidence.
Re:Modern education sunken to a new low (Score:5, Informative)
The exams and the homework were completely different. DJB should post the exams; there's lots of theoretical holes that we had to find for exams. It was very comprehensive, educational, and practical. It was a great course. (I too failed it, but grades and learning are not necessarily related. For the record I only missed points on exams because my exploit code wasn't C99-compliant
Re:Misleading Title (Score:5, Informative)
Wikipedia has a nice entry [wikipedia.org] that is consistent with everything I learned there as an intern a while back. After I left there were many rumors that NT took BSD's better performing TCP stack, but unless someone who knows ever tells the story, it's still just a rumor. What is true, though, is that they use some ancient utilities ported from BSD, such as the command-line ftp.
Re:Good idea? (Score:5, Informative)
We're not blaming DJB for our failure. He told us we would fail if we didn't find 10 unique holes. We didn't find 10 holes, so we failed. It's not hard to understand. DJB is not the guy that goes back on his word. He tells you what he means and sticks with it. That's something to respect. (Same with all the DJB-isms [wikipedia.org]. Nothing wrong with saying what you mean and being confident in those statements.)
We're upset about failing, but that's life. It's the hardest CS course at the University (and this is my first semester in college), so it's expected. I know more about C, computer internals, and security than most professionals now, so I'm not too sad
Re:Most people will pass (Score:3, Informative)
Rules were changed partially because of this incident (there were a number of students who complained, I just happened to know this one). The result was that profs had to come up with more subtle ways of weighting exams. One I knew used to ask a couple of essay type questions, and mark them last. If the class was doing poorly, he would grade those questions very generously.
And yes, there was reason for Parnas to not like the student. He was a pain in the ass. Regardless, one would think that two students with the same raw scores should get the same grade.
Re:It's just an assignment - Did you even go to un (Score:5, Informative)
Not quite. From the first slide here's the credit specification (emphasis mine):
Presumably a toy program you write on your own doesn't count as "deployed UNIX software".
Re:Misleading Title (Score:3, Informative)
Gremlins (was Re:Fuzz testing) (Score:2, Informative)
It randomly taps all over the screen, fast. It pays special attention to buttons, menus, etc., but also taps on blank spaces. It types random characters into text fields, or sometimes for no reason. Sometimes it'll write fragments of Shakespeare... If your application survives a few million events, you can say with a good degree of certainty that it's reliable. If it doesn't, you get all the Palm debugging tools.
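The same "throw random events at it until it breaks, and call it reliable if it survives" reasoning applies to any input handler, not just a GUI. The following is an added example, not part of this thread or of any program mentioned in it: a constructed toy record parser (one length byte followed by payload, a format invented here) in a deliberately unchecked form and a bounds-checked form, plus a small seeded fuzzer that reports the first input that makes the parser raise something other than its own input-rejection error.

```python
import random
from typing import Callable, Optional, Tuple

# Toy record format, constructed for this example only: a one-byte length
# field followed by that many payload bytes. It is not any real program's format.


def parse_record_buggy(data: bytes) -> int:
    """Sum the payload bytes. Deliberate defect for the demonstration:
    the declared length is trusted, so a short buffer raises IndexError."""
    if not data:
        raise ValueError("empty input")
    declared = data[0]
    total = 0
    for i in range(1, declared + 1):
        total += data[i]  # reads past the end when declared > len(data) - 1
    return total


def parse_record_fixed(data: bytes) -> int:
    """Same parser with the bounds check the hardened version needs."""
    if not data:
        raise ValueError("empty input")
    declared = data[0]
    if declared > len(data) - 1:
        raise ValueError("declared length exceeds buffer")
    return sum(data[1:1 + declared])


def fuzz(parser: Callable[[bytes], int], iterations: int,
         seed: int = 0, max_len: int = 8) -> Optional[Tuple[int, bytes, str]]:
    """Feed random byte strings to `parser`.

    ValueError is the parser's own rejection of malformed input and is
    expected; any other exception counts as a crash. Returns
    (iteration, input, exception name) for the first crash, or None if the
    parser survived every event."""
    rng = random.Random(seed)  # fixed seed so any crash can be reproduced
    for i in range(iterations):
        length = rng.randint(0, max_len)
        data = bytes(rng.randrange(256) for _ in range(length))
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:  # any unexpected exception is a finding
            return i, data, type(exc).__name__
    return None


if __name__ == "__main__":
    print("buggy:", fuzz(parse_record_buggy, 100_000))
    print("fixed:", fuzz(parse_record_fixed, 100_000))
```

The seeded generator matters in practice: a crash that cannot be replayed is hard to triage, so the fuzzer returns the exact input along with the iteration at which it was found. Treating the parser's own rejection error as expected keeps the harness from flagging correct input validation as a failure.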
Re:What's the deal? (Score:2, Informative)
djb doesn't come across as the nicest of gentlemen, but he's no thief.
Re:Sounds like Fermi at University of Chicago (Score:5, Informative)
Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago.
This story is not likely.
Fermi only gave the quantum mechanics course once, in 1954 [physicstoday.org], in the last year of his life. He was known as an outstanding teacher [iop.org], always willing to help students. His notes for the course were published in a book titled Notes on Quantum Mechanics [amazon.com] with additional material supplied by one of the students. None of the reviews I've found mention the story about all the students failing.
One of his colleagues writes [physicstoday.org]:
Re:Misleading Title (Score:4, Informative)
Re:It's just an assignment - Did you even go to un (Score:3, Informative)
I'd expect the error on making a measurement of gravity by the period of a pendulum swing and comparing the change over altitude to be _much_ less accurate, myself.
Urban legend (Score:5, Informative)
Re:Modern education sunken to a new low (Score:1, Informative)
Re:Don't just take this lying down, IMO (Score:4, Informative)
Are you implying, for example, that all 25 students in a graduate course entitled 'Unix Security Holes' were either incompetent or didn't even make an effort at completing the course? Are you implying that in most cases where an entire class fails---with an F, not a C---that it is because every student either slacked off or was incompetent? I won't rule out that possibility, but I think it's very unlikely that in any given class, there isn't anyone who isn't both intelligent and hard-working enough to at least get a D in the class. Do you have reason to believe otherwise?
Re:Misleading Title (Score:3, Informative)