DJB Announces 44 Security Holes In *nix Software 983

generationxyu writes "D. J. Bernstein, better known as DJB, has announced the discovery of 44 security holes that were found by students in his course MCS 494: Unix Security Holes this fall at the University of Illinois at Chicago. Vulnerable programs of note include: CUPS, NASM, mpg123, MPlayer, xine-lib, and numerous others. Copies of the notification emails are here. The homework for the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software. In a class of 25, 44 security holes seems a bit low. Most of the class failed. I was credited with bsb2ppm (actually libbsb) and jpegtoavi. After 300 hours of work and an A average on the exams, I expect to fail the course."
  • by Skyshadow ( 508 ) * on Wednesday December 15, 2004 @07:17PM (#11098112) Homepage
    Now that's a tough assignment. 44 holes found is an average of less than two a person -- it's possible the *entire* class failed, not just most. At best, probably one person completed the assignment.

    As much as I respect profs who are willing to push you to do neat things (finding 44 holes in UNIX and its standard set of programs is nothing to sneeze at), if you really do fail the class I'd take this straight to the administration. They're letting you down by allowing a professor to fail an entire class, especially since the grades are based on something that doesn't really reflect your understanding of the subject.

    I've always had a problem with this sort of behavior in college profs -- it gets away from what I consider to be the basic nature of higher education. As a student, I'm the consumer. I'm paying the professor to teach me what he/she knows and then to rate how well I've absorbed that information at the end of the class. Assignments such as this one or classes which are set up as "cut down classes" just aren't consistent with that.

    It works the same way on the other end; I had a few professors in college who would cancel class on a fairly routine basis. Hey, I enjoy the odd day off as much as anyone else, but I'm paying a lot of money based on the assumption that I'm going to be getting something in return -- if I were to subscribe to a magazine and then only get 2/3rds of the issues, do you think I'd be within my rights to object? Hell, the overly easy classes were bad enough; I actually had a few that graded based mostly on attendance. Yeah, getting the most for my tuition dollar there.

    Anyhow, I know there are folks out there who are going to disagree with my view of a University education, and that's fine, but regardless I would really encourage you not to accept this lying down. I know as a student it often seems like you're powerless, but if 25 of you (and your parents -- I know you're an adult, but schools listen to parents) get together and make yourselves heard, you'll probably end up with a satisfactory outcome.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Wednesday December 15, 2004 @07:23PM (#11098172)
    Comment removed based on user account deletion
  • by fireboy1919 ( 257783 ) <rustyp AT freeshell DOT org> on Wednesday December 15, 2004 @07:29PM (#11098227) Homepage Journal
    He pretty much gave them free rein. ANY OSS at all!

    Have you seen CPAN? Half of that code is something someone hacked up in a day! And what about all those sourceforge projects that have one developer and less than 10000 lines?

    Meanwhile, almost every piece of code that this class is looking at is stuff that's already had a once over - heck, probably even been looked over thousands of times. No wonder they couldn't find any bugs. They were looking in the houses, not the motels.
  • by Ars-Fartsica ( 166957 ) on Wednesday December 15, 2004 @07:33PM (#11098273)
    From time to time you do get a normal human being lecturing you, but often you get an inhuman prick whose real mastery is in manipulating human emotions. I've watched a calculus prof reduce many female students to tears...and I'm thinking, what is it dude, a sexual thing? I mean, come on, show some dignity and respect for the students.

    The problem is that many of the profs have no professional experience outside the academic realm. None. Amazing as it sounds, they go from graduate work to post-doc to the faculty lounge, all the while successfully avoiding any opportunity to deal with people as equals... it's always grovelling to someone or getting someone to grovel to you. It's no coincidence many sleep with their students; it's often the only way they can get laid.

    The dynamics of academic environments are truly absurd, I'm amazed more of them are not murdered.

  • by monopole ( 44023 ) on Wednesday December 15, 2004 @07:36PM (#11098297)
    Enrico Fermi supposedly failed every single person who ever took his Quantum Mechanics course at the University of Chicago. A special footnote had to be added to transcripts as a result.

    The pity is that such a strategy allows for no differentiation between people who are working at their full capacity and goof-offs who sleep through class.
  • Fuzz testing (Score:5, Interesting)

    by ScottMaxwell ( 108831 ) on Wednesday December 15, 2004 @07:44PM (#11098383) Homepage
    If you want a quick and easy way to find potentially exploitable bugs, try fuzz testing. This is as simple as it could be: feed random data (e.g., from /dev/random) into applications until you crash one. That usually means there's a buffer overflow, which you can then exploit. Re-run the test under a debugger to pinpoint the exact cause of the crash, then craft an attack.

    The better approach is to create one or more large files of random data and feed that into the apps; this is better because it gives you a reproducible stream. (Or you can use a Perl script with a known srand() seed.)

    The term "fuzz testing" comes from a seminal 1990 paper [wisc.edu] (and followups in 1995 and 2000) by Barton Miller et al., who, incidentally, found much higher quality in GNU tools than in their proprietary counterparts. Before my tendinitis got too bad, I used to run The Bulletproof Penguin [pacbell.net] a one-man project devoted to stamping out such bugs (my initial goal, easily achieved, was to eliminate all the bugs reported in the original paper). Ben Woodard was doing something very similar [sourceforge.net] for a while, but I don't know whether he still does.

    Incidentally, this makes a certain recent Slashdot story [slashdot.org] more embarrassing: it seems that free Web browsers crash on malformed input, the kind of case that free software normally handles better than its proprietary competition.
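    The fuzz loop this comment describes, as an added example that is not part of the original post or of the Bulletproof Penguin project: a reproducible generator (a seeded xorshift32 standing in for the Perl srand() idea), a forked child per input so that a crash cannot take the harness down, and classification of each run by terminating signal. The target toy_parse, its handler table and the empty slot 4 are constructed for the example; the harness is the part you would point at real code.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target (an assumption for this example, not any real project's code):
 * a record is one type byte followed by a payload, dispatched through a table.
 * Slot 4 is "reserved" and was never populated, so any record whose type byte
 * maps to 4 calls a NULL pointer: the kind of crash random input turns up fast. */
typedef int (*handler_t)(const uint8_t *payload, size_t len);

static int handle_text(const uint8_t *p, size_t n) { (void)p; return (int)n; }
static int handle_blob(const uint8_t *p, size_t n) { (void)p; return (int)n * 2; }
static int handle_ack(const uint8_t *p, size_t n)  { (void)p; (void)n; return 0; }
static int handle_nack(const uint8_t *p, size_t n) { (void)p; (void)n; return 1; }

static handler_t handlers[5] = {
    handle_text, handle_blob, handle_ack, handle_nack,
    NULL /* type 4: reserved, never wired up: the bug */
};

int toy_parse(const uint8_t *in, size_t n) {
    if (n < 2) return -1;                  /* needs a type byte and some payload */
    uint8_t type = in[0] % 5;
    return handlers[type](in + 1, n - 1);  /* no check that the slot is populated */
}

/* xorshift32: a tiny deterministic generator, so one seed reproduces a whole
 * campaign (the comment's point about a known srand() seed) regardless of libc. */
uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

void fill_random(uint8_t *buf, size_t n, uint32_t *state) {
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(xorshift32(state) & 0xff);
}

/* Run the target on one input in a forked child so a crash cannot take the
 * harness down. Returns 0 for a clean exit, the terminating signal otherwise. */
int run_isolated(const uint8_t *in, size_t n) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);  /* a long campaign should not litter core files */
        toy_parse(in, n);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* One campaign: 'iterations' random inputs drawn from 'seed'. Returns how many
 * crashed the target, and reports the first crashing iteration and its signal so
 * that exact input can be regenerated from the seed and replayed under a debugger. */
int fuzz_campaign(uint32_t seed, int iterations, int *first_iter, int *first_sig) {
    uint32_t state = seed ? seed : 1;      /* xorshift must not start from zero */
    uint8_t buf[32];
    int crashes = 0;
    *first_iter = -1;
    *first_sig = 0;
    for (int i = 0; i < iterations; i++) {
        size_t n = 2 + (xorshift32(&state) % (sizeof buf - 2));
        fill_random(buf, n, &state);
        int sig = run_isolated(buf, n);
        if (sig > 0) {
            if (crashes == 0) { *first_iter = i; *first_sig = sig; }
            crashes++;
        }
    }
    return crashes;
}

int main(void) {
    int iter, sig;
    int crashes = fuzz_campaign(7, 200, &iter, &sig);
    printf("%d of 200 inputs crashed the target; first at iteration %d (signal %d)\n",
           crashes, iter, sig);
    return 0;
}
```

    Because every input is derived from the seed alone, the iteration number reported for the first crash is all that is needed to regenerate that input and replay it under a debugger, which is the reproducibility the comment is after. Against a real program the child would execve() the target on a file written by the same generator instead of calling toy_parse directly; the signal classification stays the same.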

  • by Skybyte ( 685829 ) on Wednesday December 15, 2004 @07:49PM (#11098420)
    At my university you can fold over part of the exam so that your name is hidden from markers, which prevents people marking your exam harshly because they don't like you. Maybe the University of Victoria should do the same?
  • Crash.... (Score:3, Interesting)

    by oliverthered ( 187439 ) <oliverthered@nOSPAm.hotmail.com> on Wednesday December 15, 2004 @07:54PM (#11098462) Journal
    I've reported 4 stack/pointer based crashes in Konqueror in the past couple of days and they just came to me without looking.

    If I could have crafted an exploit for the crashes then that would be 4 holes.

    All the students needed to do was look at the current/recent bugs list for a version of software.

    Identify bugs that could possibly be exploited (say maybe 100).
    Run automated buffer/stack exploit checking software against those bugs.

    Hope to get 10 criticals.

    Khtml's probably a good choice for exploiting at the moment, as it's getting a lot of 'features and fixes' which probably caused the crashes I've reported.

  • Assignment was easy. (Score:2, Interesting)

    by DarkAurora ( 324657 ) on Wednesday December 15, 2004 @08:02PM (#11098549)
    Step 1: Read example security exploits.
    Step 2: Develop script to detect. (Simple stuff like evil C functions)
    Step 3: Develop script to download packages from freshmeat and run previous script.
    Step 4: Play videogames for a few hours.
    Step 5: Write reports.
    Step 6: Profit! (Good grade would be considered profit here)
  • by Anonymous Coward on Wednesday December 15, 2004 @08:02PM (#11098550)
    Nah. Try teaching remedial math at a community college. I gave an average of 1.12 my last quarter teaching. Why? Because over 50% of the students did not show for the final. I would have loved to give everyone good grades, but I needed to make sure that these students learned the basics and they did not.

    You can not judge anything by the percentage of the class that fails.
  • by kazrak ( 31860 ) on Wednesday December 15, 2004 @08:07PM (#11098608)
    That's okay, the contents of djb's notification emails are misleading too. I would hardly consider the following a remote exploit:
    1. Somebody emails you a file
    2. You, apparently without ever looking at it, run that file through something like jpeg2avi or nasm
    3. Gasp! You've been 0wned!


    This is no more a remote exploit than somebody mailing you an executable that you run. Clearly the fact that the bash shell will let you run an executable that will do unexpected things means that there's a remote exploit in bash!
  • by UberGeeb ( 574309 ) on Wednesday December 15, 2004 @08:13PM (#11098659)

    Actually, you're both right.

    You're not paying for an education. You're paying for the opportunity to be educated. A part of that is the understanding that assessments of your progress (grades) are done fairly. Another part of that is the necessity that the professor actually show up to teach.

  • by SetupWeasel ( 54062 ) on Wednesday December 15, 2004 @08:18PM (#11098716) Homepage
    That kind of stuff usually doesn't work. In an Astronomy class (toward an Astronomy major, not that gen-ed crap) the professor did not tell us we would have to remember constants, and he asked them as questions. They were short questions, and weren't worth a lot.

    One of them was: What is the orbital period of Saturn? (2 pts/100)

    I started thinking about Bode's law and the possibility I could calculate it from an approximate radius I would get from that law... if I could remember it. But when you expect a 72% to be an A on a test, you have bigger fish to fry.

    Then I got it. It was right, it should work, and no one would have to be nailed to anything.

    I wrote: One Saturn-Year

    I didn't get credit for it. A couple years later a sophomore was telling me about this funny question he had in the same class. He showed it to me. It read:

    What is the orbital period of Saturn? (Do not put one Saturn-Year)

    I was so right that it had to be guarded against. Yet those were 2 points I would never have.
  • by narcc ( 412956 ) on Wednesday December 15, 2004 @08:19PM (#11098721) Journal
    same analogy, but with 'exploit' instead of 'secure'
  • Re:What's the deal? (Score:3, Interesting)

    by retro128 ( 318602 ) on Wednesday December 15, 2004 @08:22PM (#11098745)
    I know. I saw the emails DJB sent out. And yet, the title of the article says "DJB Announces 44 Security Holes In *nix Software". Press releases, if any, I'm sure will fail to mention any of the students, and DJB will be the point man they always quote.

    In this fashion, as is typical with academia, the professors take the credit for their students' grunt work. That is what I was getting at. I should have been more clear.

    All the students will get is something to attach to their resume. Or will they? After all, they failed the class.
  • by Fahrenheit 450 ( 765492 ) on Wednesday December 15, 2004 @08:35PM (#11098856)
    Why are you assuming this is a joke? As the prof in my heuristics class said, "your boss isn't going to give a damn if the problem you need to solve is NP-Complete... you're still going to have to write the code." And of course there's the issue of average case hardness vs. worst case hardness, plus just the size of the problem being worked. A lot of TSP instances don't take that long to solve.

    There are plenty of algorithms out there for solving NP-Complete (and harder) problems. It's just that they won't work too fast for large, hard case problems...
  • by Goonie ( 8651 ) <robert.merkel@be ... g ['ra.' in gap]> on Wednesday December 15, 2004 @08:35PM (#11098860) Homepage
    Some of these exploits are "real" security holes, in that they are exploitable by things users might actually do - playing a media file, or printing something.

    Others are pretty implausible, for instance the jpegtoavi exploit [uic.edu], which requires the user to run the jpegtoavi program on a set of files provided by an attacker.

    On my quick perusal, the nastiest holes seem to be the changepassword [uic.edu] hole, a local root exploit, and the two [uic.edu] holes [uic.edu] in cups, particularly the first one, which straightforwardly gets the attacker access to user "lp" where they can monitor everything that gets printed.

    One thing that is a bit surprising and disappointing is that so many of these bugs are from well-known bad coding practices. Why the hell is *anyone* still using strcat in distributed software, for instance?

  • by bwt ( 68845 ) on Wednesday December 15, 2004 @08:45PM (#11098936)
    I happen to know Dr. Bernstein because I went to grad school with him. It's completely odd to me that people are up in arms over an assignment like this that wasn't achievable. It sounds like these students learned a hell of a lot. Who cares if the initial assignment was unrealistically hard. I think that's actually good -- it makes people try to stretch. In fact, I doubt we would have 44 security vulnerabilities if the goal had been to find 2 each.

    I seriously doubt Dr. Bernstein is going to fail all these students. He should give them the grades he thinks they deserve with one letter grade lower for whiners. People who lose sight of the importance of the subject matter because they are obsessed with grades rather disgust me.

  • Mine was modifying a string constant in Borland's Turbo C by setting a pointer variable to the beginning of where the constant was stored and then changing the proper offset. When I got my test back, it said "-5, +5, I tried it it worked!". I was too much of a stupid kid to realize that you shouldn't write self modifying code in the global constants table.....
  • Re:Good idea? (Score:1, Interesting)

    by Anonymous Coward on Wednesday December 15, 2004 @08:52PM (#11099002)
    "We're not blaming DJB for our failure."

    You should. When 25 out of 25 people who proved to be intelligent and willing to work fail, then it's time to look at the teacher's fault.

    In those situations, it usually ends up being one of those two cases:
    1/ The teacher wasn't able to pass on to you the essence of his course, or the level he himself will be asking for on the tests. Either way it is his fault, either for being unable to teach appropriately, or for being a smartass who teaches the 101 but then asks for the whole degree.
    2/ He asks for more or less trivial things, but then asks for a ton of them so there's no physical time to pass the tests. Where does he really think he is? It's good to press the boys, but it is plain stupid to do so beyond what's doable. There's no intellectual nor social benefit in asking someone to dig a one kilometer tunnel... with a teaspoon... in an hour. Except, of course, for the sadistic pleasure of being known as "the hardest teacher this side of the Pecos River".

    DJB having the fame he has, he has probably managed to be a perfect example... of those two points at the same time.
  • by Anonymous Coward on Wednesday December 15, 2004 @08:53PM (#11099023)
    Using that logic, here's a roomful of 3-year olds. Go teach them advanced calculus in 1 semester. If most of them fail, you failed as their professor.

    Sometimes, most of the class SHOULD fail because they simply don't have the brains or background to learn the material.

    There are a lot of undeserving students that get into tough university courses they are not qualified to handle. College entrance exams and high school grades are not enough to weed out students in very specific subjects like software security.

    The only remaining way to weed them out is to fail them under these circumstances. Sad but what is the alternative? Grade on a curve so that any moron can receive credit for the course as long as he or she sits in a room full of other idiots?

  • by iive ( 721743 ) on Wednesday December 15, 2004 @09:22PM (#11099224)
    Please mod the parent up.

    As one of the mplayer developers, I would like to thank DJB for giving us (hmm) 16 (?) hours before unleashing exploits in the wild.

    Maybe he is not aware that making the right fix, testing it and finally releasing it is not so simple a task. Especially if we have to convince the person that has release (write) permissions that his girlfriend is not as important as the security release :)

    Not to say that I still haven't got the mail in my mailbox, despite that gmane shows it has been received.

    Also mplayer-dev-eng@mplayerhq.hu is the more appropriate maillist to send security issues. (MPlayer documentation will be updated accordingly.)

    The exploit that is found in MPlayer is not alone. There are at least 2 other places with similar exploitable behaviour in the same file. I guess the students keep them for next semester.

    BTW code originates from Xine, probably it is time to update our version ;)

  • Re:In all fairness (Score:2, Interesting)

    by generationxyu ( 630468 ) on Wednesday December 15, 2004 @09:24PM (#11099236) Homepage
    > That's not hard. That would take about a day's work for any proficient C hacker.

    Really? Then you do it. I'm sick and tired of people telling me that I didn't work hard enough or that I obviously don't understand C, or that "there's TOTALLY that many bugs out there." A day's work? Give me ten by a month from today, January 15, and I'll admit that I should have failed.

    I know of 3 (possibly 4) people who are passing this course. One of them, Limin Wang, is DJB's grad student. She didn't take any other courses this semester, and had the entire time to work on this. One is a very knowledgeable and hard working student, Ariel Berkman, and he deserves a better grade than he got.

    The other two are Tom Palarz, the president of the ACM at UIC, and Kris Kubicki, a senior editor for AnandTech. They've slept about an hour a day the past few weeks, most of that in the CS computer labs.

  • by Anonymous Coward on Wednesday December 15, 2004 @09:57PM (#11099523)
    DJB's UIC Faculty Profile [uic.edu] includes a photograph.

    Always interesting to put a face with a name.
  • True, however... (Score:3, Interesting)

    by dpilot ( 134227 ) on Wednesday December 15, 2004 @10:05PM (#11099598) Homepage Journal
    >1. Prof says 'I'll fail you if you don't perform a near-impossible test.'
    >2. Student says 'OK.'

    Nope.

    Student weighs factors, realizes that if he takes the test, he'll probably fail the course. FAILING THE COURSE MEANS NO CREDIT HOURS, AND LOSS OF THAT TIME TO TAKE A DIFFERENT COURSE. Therefore, with regret, he takes his second choice for that slot.

    Yes, Mr. Recruiter. I got an F in a course in my chosen major, but it was in an *impossible* course. Actually, between the presence of that F in the major field, and what it did to his GPA, he probably won't even get to see the recruiters he most wanted to see. He would have been weeded out before then.

    The learning is great, sure. The impossible grade is serving absolutely nobody and nothing except DJB's ego.
  • That's weird. Most of the CS profs I had classes with were cool (most of them were married, but a couple of them were still dating). However, you have to consider that most of them were less than 35 or 40.

    The CS profs were cool enough that I regularly shot pool with 3 of them early Friday night (losing team paid for the beer) before I went uptown to party with my classmates. The looks on the faces of the underclassmen when the chair of our dept walks up to me and asks if I'm shooting pool with them that evening were hilarious.

    They even came to most of the "professional" house parties that we threw. It was really weird the first time I was at one of the house parties. I'm chatting with someone and all of a sudden my prof walks in. I nearly choked on my jello shot. He just came over, said hi, and then went over to get a couple of jello shots himself. It was also really weird the first few times I ran into one of them in the bars and they bought me a drink.

    Just goes to show you that not all profs lack social skills.
  • Re:What? (Score:4, Interesting)

    by thogard ( 43403 ) on Wednesday December 15, 2004 @10:53PM (#11099996) Homepage
    Been there, done that, reported it, fix still not in qmail (as far as I know). You don't get the reward if the bug is an interaction between qmail and the OS. I don't run qmail because of that issue. I could care less if the core code is secure unless its interactions with its environment (whatever that may be) are also locked down.

    And I agree with user 820979.
  • by rawb ( 529039 ) on Wednesday December 15, 2004 @10:55PM (#11100005) Homepage
    Sir Ernest Rutherford, President of the Royal Academy, and recipient of the Nobel Prize in Physics, related the following story.

    Some time ago I received a call from a colleague. He was about to give a student a zero for his answer to a physics question, while the student claimed a perfect score. The instructor and the student agreed to an impartial arbiter, and I was selected.

    I read the examination question: "Show how it is possible to determine the height of a tall building with the aid of a barometer." The student had answered: "Take the barometer to the top of the building, attach a long rope to it, lower it to the street, and then bring it up, measuring the length of the rope. The length of the rope is the height of the building."

    The student really had a strong case for full credit since he had really answered the question completely and correctly! On the other hand, if full credit were given, it could well contribute to a high grade in his physics course and certify competence in physics, but the answer did not confirm this.

    I suggested that the student have another try. I gave the student six minutes to answer the question with the warning that the answer should show some knowledge of physics. At the end of five minutes, he hadn't written anything. I asked if he wished to give up, but he said he had many answers to this problem; he was just thinking of the best one. I excused myself for interrupting him and asked him to please go on.

    In the next minute, he dashed off his answer, which read: "Take the barometer to the top of the building and lean over the edge of the roof. Drop the barometer, timing its fall with a stopwatch. Then, using the formula x=0.5*a*t^2, calculate the height of the building." At this point, I asked my colleague if he would give up. He conceded, and gave the student almost full credit.

    While leaving my colleague's office, I recalled that the student had said that he had other answers to the problem, so I asked him what they were.

    "Well," said the student, "there are many ways of getting the height of a tall building with the aid of a barometer.

    For example, you could take the barometer out on a sunny day and measure the height of the barometer, the length of its shadow, and the length of the shadow of the building, and by the use of simple proportion, determine the height of the building."

    "Fine," I said, "and others?"

    "Yes," said the student, "there is a very basic measurement method you will like. In this method, you take the barometer and begin to walk up the stairs. As you climb the stairs, you mark off the length of the barometer along the wall. You then count the number of marks, and this will give you the height of the building in barometer units." "A very direct method."

    "Of course. If you want a more sophisticated method, you can tie the barometer to the end of a string, swing it as a pendulum, and determine the value of g [gravity] at the street level and at the top of the building. From the difference between the two values of g, the height of the building, in principle, can be calculated."

    "On this same tack, you could take the barometer to the top of the building, attach a long rope to it, lower it to just above the street, and then swing it as a pendulum. You could then calculate the height of the building by the period of the precession."

    "Finally," he concluded, "there are many other ways of solving the problem. Probably the best," he said, "is to take the barometer to the basement and knock on the superintendent's door. When the superintendent answers, you speak to him as follows: 'Mr. Superintendent, here is a fine barometer. If you will tell me the height of the building, I will give you this barometer."

    At this point, I asked the student if he really did not know the conventional answer to this question. He admitted that he did, but said that he was fed up with high school and college instructors trying to teach him how to think.

    The name of the studen
  • by Froggy ( 92010 ) on Wednesday December 15, 2004 @11:12PM (#11100152) Homepage
    We tend to do this where I work. Part of the reason is that we often can't be certain exactly where the cutoff between pass and fail is going to fall -- this is especially true when we are rolling out new subjects or new assessment. If the assessment ends up being marked harder than advertised, the student body will scream and there will be formal complaints (and justifiably so). If we mark easier than advertised, most people will be OK with that. Therefore we tend to overstate the difficulty at the start of semester, if there's any doubt.

    There's also the psychological factor -- most of our students come to our university from schools in which you got plenty of catch-up time and revision. High-school subjects are usually paced slowly enough that most students can get through them. The pace picks up tremendously at university.

    The subjects we teach do not usually ease students gently into the course. Students are expected to hit the ground running. Because they are drawn from the more gifted high school students, they are usually used to goofing off; it's a lot harder to get away with that at Uni. Every year we fail a few students, not because they can't keep up with the course, but because they just don't. If we can save some of these students from dropping out by putting the frighteners on at the start of the year, I'm all for it. It's a heck of a lot cheaper than providing instructor-heavy remedial courses.

  • Frighteningly enough, the profs who most closely met the "lock yourself in the room and have no social contact" at my uni tended to be the ones in the history dept. There were a couple of cool ones, but most of them had little in the way of social skills. (The anthro profs were a *whole* other story. They were great fun with senses of humor almost as weird as mine, but then anthro has interested me since I've been a kid.)

    Most of the engineering and CS profs I knew were cool (there were exceptions). The language profs were an absolute riot (even if the insane German wiped the floor with me in pool. Yes, I have this thing with pool. I spent several years as a kid living over a game room). The philosophy profs tended to be social creatures, as were most of the profs in the other departments that I dealt with (in academic, social, and professional capacities).
  • by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Thursday December 16, 2004 @12:15AM (#11100577) Homepage
    ### One thing that is a bit surprising and disappointing is that so many of these bugs are from well-known bad coding practices. Why the hell is *anyone* still using strcat in distributed software, for instance?

    Because such functions are still in the libc and because C coding books still teach them. To get rid of such things one would simply need to either remove them completely from the library or at least let gcc output a big fat warning on their use, or only allow them when some pragma or gcc flag is set. Having a better standard way to handle strings, such as libowfat's stralloc, would of course also help.

    As long as neither the libraries nor the compiler get it right and remove them, JoeProgrammer will continue to use the functions, be it by error, lack of knowledge or for portability reasons.
  • by entropy_uc ( 146475 ) on Thursday December 16, 2004 @12:51AM (#11100800)
    The best part of that story:

    ...all of the methods attributed to Bohr are more accurate than the method the professor considered to be the 'right' solution.

    (delta P on the barometer will be so small that error in reading the difference will dominate the result)
  • by Fudge.Org ( 7036 ) on Thursday December 16, 2004 @01:23AM (#11100972) Homepage Journal
    Oh for pete's sake... the link to the course includes the course slides. While college was a while ago for me... I recall that the grading and expectations of the prof are clearly stated early in the course so that everyone knows the rules.

    If you look at the first slide deck published:

    http://cr.yp.to/2004-494/0823.pdf

    You can see very clearly on page 7 that grading is very straightforward.

    Simply put, you have 60% of your grade that is not related to formal tests.

    Surely a 400 level course has adults capable of making an adult choice to drop the course if they cannot live with the grading terms outlined early in the course?

    Last day to drop courses:

    October 1, Friday

    source: http://www.uic.edu/ucat/catalog/CA.html

    That's six (6) weeks to realize that "Hey, this might not be an easy way to boost the ole GPA".

    What am I missing?

  • by Anonymous Coward on Thursday December 16, 2004 @02:20AM (#11101347)
    Asked the old question "If you have 3 apples and you take one away, how many apples do you have?" there are possibly 4 answers to this:

    1) 1 (possessive) You 'have' the one you took away.

    2) 2 (mathematical subtraction) which is the 'expected' answer, one was subtracted from 3 leaving 2

    3) 3 (existential) there are still 3 apples, 2 that I originally 'had' and the other which I now 'have' somewhere else.

    4) 4 (additional) No constraint was given that the new apple belonged to the original set of 3.

  • by generationxyu ( 630468 ) on Thursday December 16, 2004 @03:10AM (#11101603) Homepage
    I would have told you the same thing three months ago, but frankly, there are plenty of safe uses of strcpy, strcat, sprintf, etc., all the functions everyone assumes mean "overflow me!". gets is a different story... there's no way to protect gets. But I've looked at enough code with enough strcpy's in it:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define MAX_LEN 256

    void suspicious_function(char *previously_mallocd_buffer) {
        char buffer[MAX_LEN];
        /* the length check guarantees the copy below fits, terminator included */
        if (strlen(previously_mallocd_buffer) >= MAX_LEN) {
            fprintf(stderr, "input too long\n");
            exit(1);
        }
        strcpy(buffer, previously_mallocd_buffer);
    }

    Is there anything wrong with this? Other than the fact that they could have used a simple strncpy, no... it isn't unsafe, just pointless and time consuming. I think it's the fact that s[canf,scanf,printf,trcpy,trcat] are so ingrained in people's minds that that's what they have to use -- they just know it's unsafe so they jump through hoops to make it safe.
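    The three functions below are an added example, not code from the comment above or from any project named in this thread; they show the bounded forms of the calls that this comment, grumbel's reply and Goonie's strcat question are about. copy_bounded is what "a simple strncpy" has to become, because strncpy does not terminate dst when src is too long; append_bounded is the length-check-then-strcat pattern with the check measuring the room actually left in dst; format_mailbox uses snprintf and treats a return value of dstsize or more as truncation. All names and buffer sizes are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity dstsize) with guaranteed NUL termination.
 * strncpy on its own is the trap: when src does not fit it leaves dst
 * unterminated, so the terminator is always written here explicitly.
 * Returns 0 on success, -1 if src had to be truncated to fit. */
int copy_bounded(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return -1;
    size_t len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);              /* includes the terminator */
    return 0;
}

/* Append src to the string already held in dst. This is the "check the length,
 * then strcat" pattern done right: the check measures the room actually left
 * after what dst already contains, not just the length of src.
 * Returns 0 on success, -1 (dst unchanged) if src would not fit. */
int append_bounded(char *dst, size_t dstsize, const char *src) {
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL) return -1;             /* dst is not terminated: refuse to touch it */
    size_t used = (size_t)(end - dst);
    size_t room = dstsize - used - 1;       /* space for src, minus one for the terminator */
    if (strlen(src) > room) return -1;
    strcat(dst, src);                       /* safe only because of the check above */
    return 0;
}

/* Build "user@host" with snprintf and check its return value: snprintf returns the
 * length it wanted to write, so a result of dstsize or more means truncation.
 * Returns the length written, or -1 on truncation or error. */
int format_mailbox(char *dst, size_t dstsize, const char *user, const char *host) {
    int n = snprintf(dst, dstsize, "%s@%s", user, host);
    if (n < 0 || (size_t)n >= dstsize) return -1;
    return n;
}

int main(void) {
    char name[8], path[16] = "/tmp/", mbox[12];  /* constructed sample buffers */
    int rc1 = copy_bounded(name, sizeof name, "0123456789");
    int rc2 = append_bounded(path, sizeof path, "a.txt");
    int rc3 = format_mailbox(mbox, sizeof mbox, "lp", "host");
    printf("copy_bounded   -> %d (%s)\n", rc1, name);
    printf("append_bounded -> %d (%s)\n", rc2, path);
    printf("format_mailbox -> %d (%s)\n", rc3, mbox);
    return 0;
}
```

    Each function reports truncation instead of silently producing a shorter string, which is the part that the unchecked strcpy/strcat/sprintf calls the thread complains about leave out: a caller that ignores the return value still gets a terminated buffer, and one that checks it can refuse the input.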
  • Re:What's the deal? (Score:3, Interesting)

    by piranha(jpl) ( 229201 ) on Thursday December 16, 2004 @03:23AM (#11101656) Homepage
    I see you were too busy writing emotional rhetoric to check your assumptions. (How does this stuff get modded to 5?)

    Here's an excerpt from the first one I viewed [uic.edu], with my emphasis:

    Danny Lungstrom, a student in my Fall 2004 UNIX Security Holes course,
    has discovered that uml_net, when installed setuid root (as is normal),
    allows any local user to type

    ./uml_net 4 slip down eth0

    to take down the computer's Ethernet connection. The connection stays
    down until the system administrator manually brings it back up. I'm
    publishing this notice, but all the discovery credits should be assigned
    to Lungstrom.

    Who's gonna call this guy's other bullshit?

  • by willijar ( 99554 ) on Thursday December 16, 2004 @03:35AM (#11101702)
    "As a student, I'm the consumer. "

    Well I don't have a problem considering themselves students if they are paying for their education as long as they understand what they are paying for. It is not certificates, or exam passes, or knowledge. It is for the educational process. It seems to me this coursework represents some very good educational process. You always learn better by doing than having someone lecture at you - a bargain in those terms!

    On the other hand, this is the first time it was run and so some pragmatism and adjustments in how the coursework is assessed may be needed. Not an unusual situation to be in if you try something new.
  • by edunbar93 ( 141167 ) on Thursday December 16, 2004 @04:19AM (#11101888)
    oh lookit me i wrote qmail and its all uber secure

    That's cute. His code may not have any bugs in it, but damn, does it ever have some huge logical flaws.

    Qmail has the lovely lack of ability to reject e-mail while the SMTP connection is still active. What it does instead is it creates and sends a bounce message itself, instead of leaving that up to the sending server. What happens when you do this is you allow spammers to send e-mail to recipients in the To: line instead of the From: line, just by putting in a bogus To: line and putting the real recipient in the From: line.

    There's a patch for this, but it involves setting up a list of e-mail addresses that are allowed to be accepted. Once you have several thousand e-mail addresses all over the place courtesy of Vpopmail, this becomes an impossible task.

    So no, this man isn't a perfect programmer.
  • by AngelofDeath-02 ( 550129 ) on Thursday December 16, 2004 @05:20AM (#11102100)
    Fantastic! So you've spent over a hundred dollars to learn something, and although you've succeeded, you've just destroyed your GPA unnecessarily.

    No offense, but getting an F on an insanely hard course does not reflect any better than an F on an easier one. Failing your course is utterly unfair if you did in fact walk away with a good solid understanding of what this "teacher" was actually teaching you. In your situation I'd have definitely approached him ... They have various grading methods that would better suit the level of difficulty, such as the Bell curve (as others have pointed out). Why? Also, as others have pointed out, if the teacher was unable to successfully teach his students to perform up to his expectations, he is in fact the one who has failed, and this results in a penalty on you.

    Then again, maybe your failure was to allow someone like "DJB" to control your grades. Still challenging his judgement is a good thing. If you feel you deserve a higher grade then fight for it. If not then ... You've already got your F. Besides, the best exploit is the human kind.
  • Re:Misleading Title (Score:4, Interesting)

    by hazem ( 472289 ) on Thursday December 16, 2004 @05:48AM (#11102189) Journal
    > NT has roots in VMS.

    Someone once told me to increment each letter in VMS to get WNT. Kind of like the IBM --> HAL.
  • by pdp7 ( 772391 ) on Thursday December 16, 2004 @07:17AM (#11102462)
    Credit each student received per bug was 1/n where n was the number of collaborators. So if all 25 or so students got together, we would have had to find far more than 44 bugs to all meet the goal of 10 bugs per person.

    That said, collaboration was really the key even with the partial credit scenario. From talking to other classmates, those that worked together seemed to do quite well. One team of two classmates had a great system where one would audit code while the other crafted PoC exploits. I realize now that lack of collaboration was my greatest mistake in this class.
  • politics. (Score:4, Interesting)

    by leuk_he ( 194174 ) on Thursday December 16, 2004 @07:37AM (#11102528) Homepage Journal
    He told you to find 10 vulnerabilities. Then find them. They don't have to be all true buffer overrun errors. How about finding a security vulnerability in a "wrong setup" environment: avoid best practice and run php under root, and so on. Bet you can list your 8 missing vulns in an hour.

    How about "file system becomes damaged if power is unplugged" (DOS attack when running without UPS).
