Amit Singh's Challenge: Find a Decade-Old Bug
dreicodan writes "Well this has too many juicy Mac OS X nuggets in one bag! All details are on this page, but I'll summarise. Apparently Amit Singh discovered a 10+ year old serious bug in OS X. The bug started in Nextstep and is still in Panther (and apparently Tiger, too). Then Amit wrote a program to demo the bug, but also made the program capable of hiding what it does using some complicated Mach kernel voodoo! He then threw a challenge open to OS X experts to figure out the bug. It turns out that a week and some 1000 downloads later, three brilliant hackers (Alexy Proskuryakov, Andrew Wellington, Graham Dennis) were able to solve the puzzle. Also looks like other than these guys, nobody got anywhere with the problem. Be ready for extremely gory details of how the program was written and how it was decoded. It's a thrilling read, and OS X hacking doesn't get any more hardcore than this! Hopefully Apple fixes this bug now at last."
Funny responses (Score:5, Funny)
http://www.kernelthread.com/mac/challenge/result/ [kernelthread.com]
Re:Funny responses (Score:3, Interesting)
That's the response I got when macupdate.com had automatically picked up one of my sf.net [sf.net] projects. I made an OSX installer package for my binaries and received many complaints about it in the "discuss this software" forum of macupdate...
bastards.
Re:Funny responses (Score:2)
Its number 1 thing made me switch to OS X. I hated the attitude of opensource coders. I hated Win32 as well. Linux wasn't serving my needs. Call me a lamer too. Whatever.
I currently use Adium X, Growl, Quicksilver as opensource apps but their coders are totally aware of the community they serve by their own decision.
I have no money problem and paid a lot to crap in my firs
Re:Funny responses (Score:3)
I worked on a GUI a little, but was having trouble keeping it up to date with the command-line version, and it also required a complete rewrite to get certain func
Re:Funny responses (Score:1)
If you are patient with trolls, I mean if they don't go beyond like "he stole my cc", it's a good feedback tool. Oh, you can immediately have those accounts closed as you have a developer account. Of course, with a valid reason
mac.com gives it free I guess, so many mac people use it.
I missed the point where you say "they picked auto". So, likely an editor from staff added it or a fan of your prog
Re:Funny responses (Score:1)
> too much future in OS X or Win32
The other poster was perhaps not clear enough. I will try to explain this clearly so that you can understand it: some programs can never be useful to people who don't want to open up a terminal, just because of the inherently very technical nature of what the programs do. panpipes is exactly the sort of program that such a person would never be interested in using. All it does is make the co
Re:Funny responses (Score:3, Informative)
You don't talk to many Windows users, do you? It's pretty much the same thing.
I've also heard pretty similar things from people who say they use Linux, though admittedly not nearly as often.
Re:Funny responses (Score:2)
Re:Funny responses (Score:1)
Re:Funny responses (Score:2)
10 years? (Score:4, Funny)
Re:10 years? (Score:2, Insightful)
Why is it that M$ (dollar sign, LOL!) gets brought up every time Linux or Apple fucks up big time, when it's not related and usually worse than any similar issues that M$ (clever!) has ever had, let alone left unfixed?
Re:10 years? (Score:3, Interesting)
Does c:\con\con count?
Re:10 years? (Score:3, Insightful)
I think I remember hearing that unless M$ restructures the Sec model, there really isn't a way for them to stop it from happening.
and why do I use M$, well, because Bill Gates exemplified Greed to me. The Largest software developer in the world, Oracle not far behind, M$ exudes Greed, Avarice, and Exclusionism (w?). And that dear friends comes from a 30 developer, not a 13yo, like so many critics
Re:10 years? (Score:2)
I imagine Microsoft (justifiably, IMHO) consider that to be a software developer's problem. Programs are only vulnerable if the developer writes them to be.
Re:10 years? (Score:3, Informative)
This one was in the NT based OSes for a long time:
That Voodoo is evil (Score:1)
Re:That Voodoo is evil (Score:1)
What's impressive (Score:4, Insightful)
Re:What's impressive (Score:3, Insightful)
Re:What's impressive (Score:5, Interesting)
I agree. Either they didn't know it was there, or they didn't think it was important enough to fix right away.
But that's different from them not knowing how to fix something, which I'm sure they do.
Re:What's impressive (Score:4, Interesting)
There was an old terminal machine from the 70s that had a weird bug of permanently hiding processes far beneath "ps" so no admin could ever see it. When the machine was decommissioned in the 90s, the shutdown revealed some student's print-paper-lpr process that got lost for 20 years.
Re:What's impressive (Score:1)
I don't actually remember what I did to make it work, but I had a render running in the background after logging out that no one noticed for three weeks. Some people noticed that the system was running a little slowly, but I could never find any indication that the process was running at all. (Except for the fact that every hour or so a new file would appear in the frames directory.)
Re:What's impressive (Score:2)
Re:What's impressive (Score:4, Insightful)
If you never, ever encounter it, it's not serious.
You could probably cause a kernel panic by driving an iron spike through the boot drive during some critical OS-level operation.
But it'd be daft to write iron-spike-handling code, to prevent a kernel panic in that rare situation.
Re:What's impressive (Score:2)
Re:What's impressive (Score:3, Insightful)
If it was perfectly ordinary, it would have been discovered long ago.
If it's gone 10 years without being discovered, if Bank of America's NeXTSTEP trading systems never broke because of it in all the years they've been in use, then it's not a significant bug.
Re:What's impressive (Score:2)
This is the software equivalent of the F00F bug - an incredibly simple and perfectly reliable way to make a system crash - hard - that doesn't require any special privileges or anything, just the ability to execute software, which every user has.
Re:What's impressive (Score:5, Informative)
Re:What's impressive (Score:2)
he just mentions that the bug has been present with no explanation as to how this was determined.
If you look closely, he wrote code for the bug on NeXTStep 3.3 and presumably ran it on an old box he had.
Re:What's impressive (Score:3, Informative)
Is it clear from his write up that NextStep/Apple has known about this bug? It sounds to me like he uncovered a long standing bug but I didn't see anywhere that he says Apple knows about it. He simply says this bug has 'existed for 10 years' not that he told Steve Jobs about it 10 years ago.
=tkk
Re: (Score:3, Insightful)
Re:What's impressive (Score:5, Interesting)
NEXTSTEP/OS X has an incredibly layered architecture, and those layers are quite well-stratified. That stratification is a great design asset - it makes it a lot easier to keep the whole mess organized, and reduces the number of boundary conditions where bugs (such as this kernel bug
-BUT-, the bug is still there. While I normally hate old bugs as much as anyone, especially ones that cause kernel panics, in this case I am sincerely and profoundly impressed at the amount of discipline that must have been present in the development culture at NeXT. (We'll see about Apple - on the inside, Classic MacOS became quite possibly the most tangled kludge of an operating system ever produced in its last few incarnations, and I do get the impression that Apple is starting to take OS X down that path, too.)
Re:What's impressive (Score:1)
on the inside, Classic MacOS became quite possibly the most tangled kludge of an operating system ever produced in its last few incarnations, and I do get the impression that Apple is starting to take OS X down that path, too.
What makes you say that? Mac OS 9 seemed kludgy even for the user, but what suggests that Apple would develop OS X in a less disciplined manner than NeXT did?
Re:What's impressive (Score:1)
Re:What's impressive (Score:2)
My hypothesis is that you probably wouldn't actually get a kernel panic on the NeXT...only a crashed BSD layer (which would have pretty much the same effect, except the machine might still respond to ping).
Re:To be honest (Score:4, Insightful)
I don't think the person behind the challenge meant to imply that Macs are toys. Only that very few people outside of Apple know much about the inner workings of their beast named OS X. As far as exploits go, a kernel panic is one of the safest out there. No way of intentionally damaging specific files, no remote execution of code. Of course, as one of the many people who doesn't know much about OSX internals, I suppose it's possible that the vulnerability could lead to such things. I just don't know, and given that your name wasn't on the list, I surmise you don't either.
Re:To be honest (Score:2)
Re:To be honest (Score:4, Insightful)
Well, apart from the attempt to disclaim responsibility for a statement whilst still presenting it as credible (the '_some_ claim' statement), there's the gratuitous insult aimed at provoking others - 'toy'.
Why bother claiming Macs are toys in a story about an obscure bug? What does a toy mean to you? Ironically one of the most persistent criticisms of Macs is that current games don't play well on them, so they are in fact not very good toys.
Re:To be honest (Score:2)
Well, apart from the attempt to disclaim responsibility for a statement whilst still presenting it as credible (the '_some_ claim' statement), there's the gratuitous insult aimed at provoking others - 'toy'.
Obviously I inserted the '_some_ claim' because I'm not one of them. I was talking about an image, which can be roughly translated as a perception of the mass. I know far more than the mass
A reason why there weren't 1000 submissions (Score:5, Insightful)
Singh said he was going to give the prize to the first person with a correct submission. Not the best submission, nor the most complete submission, or the most creative submission.
So I think people just gave up after the first couple of submissions were posted. He shouldn't have displayed the number of submissions that had been received.
Also, this challenge didn't hit Slashdot until after it was finished. I know I didn't hear about it until after the first two submissions were submitted.
It was fun to track down though.
Re:A reason why there weren't 1000 submissions (Score:5, Informative)
aftk2's recent submissions:
The Mac OS X Expert Challenge
Thu Apr 07, '05 01:22 PM
Rejected
Not for lack of trying, unfortunately.
Re:A reason why there weren't 1000 submissions (Score:2, Interesting)
Re:A reason why there weren't 1000 submissions (Score:2)
Seriously though, it says a lot about the OS that people like Amit are abusing it and that people on
Re:A reason why there weren't 1000 submissions (Score:2)
How zen (Score:5, Funny)
Re:How zen (Score:3, Funny)
A lot of cursing, that is.
Re:How zen (Score:2, Funny)
NeXTSTEP had lots of bugs (Score:5, Interesting)
Let's all hope (Score:5, Funny)
Man, what with blowing away their 2Q'05 earnings projections, I hope the first thing Apple does is address this bug that no one has paid any attention to in 10 years. That will make me as an Apple user and shareholder happier than if they continue this "innovation" fad.
Re:Let's all hope (Score:2)
Nice Tie-In (Score:4, Interesting)
Re:Nice Tie-In (Score:1, Interesting)
exploits for dummies (Score:5, Insightful)
The rest of the article is good fun, but this passage is a brain fart. There are millions of lines of source code in any modern operating system. Exploits don't sprout overnight like manna from heaven. The most useful skill for divining exploits is to notice the existence of edge cases in how various subsystems interact with one another. There is also the important case where "chance favors the prepared mind". This is where something funny happens as a result of an honest mistake, then the "prepared mind" notices (and pursues) the chance event's darker implications.
Serious bugs that lurk for decades are hardly unknown. The ASN.1 bug springs to mind. It's hard to imagine a bug more widely deployed that escaped detection for such a long time. The question here is why, for such a long time, this simple flaw evaded interactions with dark energy. It's for precisely the same reason that experts rarely make the best testers. There are certain kinds of elementary programming mistakes that the "prepared mind" will habitually avoid. This distribution has a slim tail. If the minions of evil fail to stumble into any telltale clues after five years, chances are good it will remain hidden for a long time yet.
This is in fact the same mistake that Kurzweil makes in predicting the imminent singularity: that intellectual power is a fully ordered function, based on the premise that a really smart person can achieve any interesting result that any person much less smart can achieve. To put this in perspective, consider the recently discovered AKS primality test. This is what AKS achieved by some clever tricks using concepts of undergraduate algebra and a 15-year old theorem.
http://www.flonnet.com/fl1917/19171290.htm [flonnet.com]
Undergraduate concepts in algebra exploited to achieve mathematical immortality. That ought to frame a tiny, unnoticed flaw in OS/X.
Re:exploits for dummies (Score:5, Interesting)
Indeed. I think the problem is not that nobody was looking for flaws, but that they were looking in the parts they're familiar with. They'd be looking in the BSD-oriented parts, or the upper levels of the OS.
They probably wouldn't be looking in the Mach parts of the OS, where this bug appears. I doubt many people have spent the time to learn enough about Mach to think of potential exploits.
Re:exploits for dummies (Score:1)
Dr. Norton, are you paying attention? (Score:4, Interesting)
People in Capital One, Compound Therapeutics, Fossil, Goldman Sachs, IKEA, and SAAB were interested enough to download this, but no one from the Symantecs/Sophos/Secunias of this world found it worth their while to check it out??!!
I would certainly hope that they are paying attention to the use of dynamic code modification, code obfuscation, and red herrings. While these techniques are not new, none of the (Windows) malware seen so far were designed to be even half as proficient in these matters as panpipes. Further, Amit has stated that he could have made panpipes even more difficult to debug (but didn't).
Kudos to Amit for this highly educational exercise! He certainly seems to know his way about the innards of OS X (not to mention all the other OSes he runs [kernelthread.com] on his 17"PB via VPC.)
(I bet he has some interesting insights about the evolution and workings of OSes from MS (he is running ALL the flavors of DOS [kernelthread.com] and Windows [kernelthread.com] that I know of.)
Re:Dr. Norton, are you paying attention? (Score:2)
If there's one person Apple should hire (Score:5, Insightful)
Given that all the immense amount of detail Amit has given on OSX, as shown on kernelthread and in his upcoming book, has been produced in his spare time, could you imagine what he could achieve if this was his job. Granted, I'm no HR person, but I would think that Apple should be chafing at the bit to get him on board. I know that if it was up to me, I would offer him an almost blank cheque to write his own salary on.
He is the person who could get OSX into the enterprise.
Of course, if he did work for Apple, then his website would surely suffer, what with NDAs and such. Perhaps it's better that he doesn't work at Apple.
Re:If there's one person Apple should hire (Score:3, Insightful)
Not only is he a brilliant computer scientist who knows his shit in-and-out, but he's a very gifted writer with an uncanny ability to write articles targeted at many different levels of ability. He also does a great job of staying out of the OS flame war by always looking at OSes from an objective point of view.
As far as I can tell by looking at the dates on his resume, he's only in his late-twenties or early-thirties, which
Re:If there's one person Apple should hire (Score:1, Flamebait)
Re:If there's one person Apple should hire (Score:3, Insightful)
A system call not checking input values ?? (Score:3, Interesting)
If that's the only example like that which can cause a kernel panic, I'd be impressed. Especially in kernel-level I/O areas where performance is key, it's even possible that such a check is left out on purpose, and data integrity is meant to be the job of some higher-level or intermediary calling function which is (nearly) always used.
Of course, I avoid programming on such a low level if possible, so I could be wrong. But it is likely there's a reason why fixing this isn't terribly important, and why my OS X machine *never* reboots unless I've done some system software update.
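The comment above speculates that the bug is a system call that does not check its input values. The thread never says what the actual OS X bug is, so the following is a constructed, generic example (not code from Amit Singh, the challenge, or any Apple source) of what checking at a syscall boundary looks like, modelled in user space: a dispatcher that validates the syscall number before indexing its handler table, and a handler that validates a caller-supplied descriptor, length and user-space pointer range (including pointer-arithmetic wraparound) before acting on them. The handler names, the table, `USER_MAX_ADDR` and `MAX_IO_LEN` are all assumptions made for the illustration.

```c
/*
 * Constructed example: argument validation at a syscall boundary.
 * Simulates in user space the checks a kernel entry point must make
 * before trusting numbers, lengths and pointers handed in by a process.
 * This is NOT the OS X bug from the challenge; names and limits are invented.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed top of the user address range (0x00007fffffffffff on LP64). */
#define USER_MAX_ADDR ((uintptr_t)(UINTPTR_MAX >> 17))
/* Assumed cap on a single I/O request. */
#define MAX_IO_LEN    ((uintptr_t)1 << 20)
#define NFDS          3   /* size of the pretend per-process descriptor table */

typedef int (*sys_handler)(uintptr_t a0, uintptr_t a1, uintptr_t a2);

/* Does [uaddr, uaddr+len) lie entirely in user space, with no wraparound? */
int user_range_ok(uintptr_t uaddr, uintptr_t len)
{
    uintptr_t end;
    if (len == 0)
        return 1;                    /* empty range: nothing to touch */
    if (uaddr > USER_MAX_ADDR)
        return 0;                    /* starts in kernel space */
    end = uaddr + (len - 1);         /* last byte of the range */
    if (end < uaddr)
        return 0;                    /* arithmetic wrapped past the top */
    return end <= USER_MAX_ADDR;     /* last byte must also be user-space */
}

static int sys_nop(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    (void)a0; (void)a1; (void)a2;
    return 0;
}

/* write(2)-like handler: every caller-controlled argument is checked before use. */
static int sys_write_like(uintptr_t fd, uintptr_t ubuf, uintptr_t len)
{
    if (fd >= NFDS)
        return -EBADF;               /* index into the fd table must be in range */
    if (len > MAX_IO_LEN)
        return -EINVAL;              /* reject absurd sizes before any arithmetic */
    if (!user_range_ok(ubuf, len))
        return -EFAULT;              /* never read kernel memory on a user's behalf */
    return (int)len;                 /* pretend the bytes were copied in */
}

static const sys_handler syscall_table[] = { sys_nop, sys_write_like };
#define NSYSCALLS (sizeof syscall_table / sizeof syscall_table[0])

/*
 * The missing-check shape the comment speculates about: a number at or past
 * NSYSCALLS reads a function pointer beyond the table and jumps to it, which
 * in a kernel is a panic at best. Kept only as the "before" picture; it is
 * never called with an unchecked number here.
 */
int syscall_dispatch_unchecked(unsigned num, uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    return syscall_table[num](a0, a1, a2);
}

/* The "after" picture: validate the number, then dispatch. */
int syscall_dispatch(unsigned num, uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
    if (num >= NSYSCALLS)
        return -ENOSYS;
    return syscall_table[num](a0, a1, a2);
}

int main(void)
{
    printf("write(0, 0x1000, 16)       -> %d\n", syscall_dispatch(1, 0, 0x1000, 16));
    printf("write(7, 0x1000, 16)       -> %d (expect -EBADF=%d)\n",
           syscall_dispatch(1, 7, 0x1000, 16), -EBADF);
    printf("write(0, USER_MAX-10, 100) -> %d (expect -EFAULT=%d)\n",
           syscall_dispatch(1, 0, USER_MAX_ADDR - 10, 100), -EFAULT);
    printf("syscall #99                -> %d (expect -ENOSYS=%d)\n",
           syscall_dispatch(99, 0, 0, 0), -ENOSYS);
    return 0;
}
```

The order of the checks matters: the length cap and the start-address check run before `uaddr + (len - 1)` is computed, so the wraparound test only has to catch the remaining corner where the range would run off the top of the address space.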