Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 77
Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept:
"Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...
The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."
The nonprofit was funded with $600,000 from DARPA, the Ford Foundation, and Consumers Union; its scoring also looks at the number of external libraries called, the number of branches in a program, and the presence of high-complexity algorithms.
Re: (Score:1)
Exactly. $600K, and two people in a basement doing simple software assessments does not equal a non-profit. It amounts to a very lucrative and profitable government contract. I would even go so far as to venture the idea of laundering.
Former NSA, DARPA funding. "nonprofit" ... Yeah, and the moon is made of cheese.
I bet their house is a fucking mansion.
Re: (Score:3, Insightful)
They've evaluated 12,000 programs, and they have to purchase the ones that don't have fully functional trial versions available. That isn't going to be cheap. I presume they've set up a decent lab, that could be $50K-$100K just in hardware. Then there's developer time, lawyers, the technical review board that looks at their static analysis methods...
If this effort improves the state of application security (or at least steers users away from products that aren't improved), I'd say $600,000 is a pittance to
Re: (Score:2)
Yes, I agree that the costs are going to be huge - ESPECIALLY the lawyers. We all know who gets the lion's share
Re: (Score:3)
I bet their house is a fucking mansion.
It's beyond that, it's practically a palace [cmu.edu], room for over 300 people.
Re: (Score:2)
I was always puzzled about the outrageous rates at which companies billed out software engineers. But when I got into consulting, I found out the hard way how important lawyers are. And then the larger the company gets, the more specialized people are needed. Contracting officers, accountants, site security, hardware, health insurance, unemployment insurance, taxes. All of those costs have to be covered by the revenue from products, services and billed-to-the-client staff. That made the hourly rates sudd
Re: (Score:2)
Re: (Score:2)
Too little space in the attic?
Re: (Score:2)
Why in the basement? Seems a bit suspicious to me.
His mom lives upstairs?
Re: (Score:1)
Who cares about security on OS X? 10% of all desktop users I would imagine. And where did you get the idea they were only testing OS X applications. You seem to have invented that out of whole cloth.
Re: (Score:1)
But that's hard and stuff.
Re: The usual reason for old tools (Score:1)
Who hasn't?
Re: (Score:1)
This a thousand times over.
I've had to change over to new toolchains quite a few times, and although most code keeps working, there's always the code written by That Guy and that code always breaks in a million different little ways at every perturbation. And a toolchain change tends to be the big perturbation that breaks all fragile code.
And that wouldn't be so bad, perhaps, if you just got a list of compiler errors so you could tell management that there's a hundred problem sites, so it's going to take ni
Modern compiler protective measures (Score:2, Insightful)
Security is only as good as the underlying Operating Sys
Re: (Score:3, Informative)
Security is only as good as the underlying Operating System and Memory Management Unit , which is to say in the case of Microsoft Windows running on Intel hardware is non-existent
The hell are you talking about? Intel chips have had MMUs for 30 years now.
Re: (Score:3, Informative)
Yea, and for 30 years now the Intel MMU has been unable to reliably isolate user processes or at least tell the difference between code and data.
Re:Modern compiler protective measures (Score:5, Informative)
> And nobody in his/her right mind would connect industrial control systems directly to the Internet.
I used to work in the oil & gas industry (I'm retired now).
We used to deal with a lot of eccentric PLCs and other control systems.
A lot of the earlier equipment would just work. Sure, you had to program it using some ancient software package running under pure DOS mode with an equally antiquated laptop, but once you'd done that all you had to do was feed them power and away they'd go.
Then they started including protection systems in the PLCs. I could never figure out why, it just made them all a huge pain in the ass to deal with. I guess it had to do with regulations (since some of that equipment could, conceivably, be used for very nefarious purposes if it landed up on the black market), but it always seemed to me like it had more to do with eliminating the second hand market and ensuring vendor lock-in.
Sometimes it was just a hardware FOB located somewhere on the controller in a proprietary port. Sometimes it was a literal 3.5" floppy drive built straight into the unit itself, sometimes it was a floppy drive that you had to connect temporarily to load up the licensing information off a disk. Sometimes you could "activate" the unit over whatever port you were using to program the thing (sometimes RS-232, sometimes RS-485, sometimes 10BASE-T Ethernet, etc). For the most part, it was all offline; while there were a few systems that required online connectivity, you really just had to download a bunch of files to a computer somewhere, then hook that computer up to the PLC and let the software work its magic.
Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.
I'll never forget the day I was doing field work up in Northern Alberta at a huge oil production facility, and someone forgot to pre-activate the PLCs we were working with at the time. Of course everyone was on a tight deadline and the hardware had to be operational NOW, not tomorrow or the day after, and the PLCs were already installed and wired up in the control cabinets, so we couldn't just yank them out and take them up to the control office and plug them into the internet. We landed up stringing together god knows how many spare CAT5 cables, couplers, and hubs to form a temporary 200m line that ran all the way across the facility floor, through several doorways, up and down at least three stairwells, and into the office where they actually had internet. And even then, the fucking PLC wouldn't activate because the firewall rules were set up for default-deny-all, and nobody could figure out what the hell the thing wanted before it'd activate, so we found someone fairly high up that was desperate enough to basically say "turn around, you don't wanna see this" and plug the thing straight into the modem for a few minutes.
Of course, the likelihood of that system getting pwned at that exact moment was pretty much a statistical impossibility, but still. From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet, and if that connection fails then your licenses will invalidate and everything will grind to a halt.
But... yeah. That's one way critical systems can land up connected to the internet.
Re: (Score:3)
Then, someone (I'm looking at you, Allen Bradley) decided it'd be a great idea to make the PLCs require a live fucking internet connection to activate with some remote server.
They should be publicly shamed and plastered against the wall.
Re: (Score:1)
From what I've heard, there's a lot of control systems out there that now need persistent connections to the internet,
Pet feeders, for example.
Re: (Score:3)
And nobody in his/her right mind would connect industrial control systems directly to the Internet.
aka "someone is sure to do exactly that"
Re: (Score:1)
Security is only as good as the underlying Operating System and Memory Management Unit, which is to say in the case of Microsoft Windows running on Intel hardware is non-existent.
UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT Information is ENCOURAGED.
Re: (Score:2)
> And nobody in his/her right mind would connect industrial control systems directly to the Internet.
The designer of an industrial system usually has _no_ control over how remote sites configure their local networks. None.
Many admins, and their supervisors, insist on dynamic monitoring of equipment to report its status. The investment in time, energy, and even network hardware to provide better protected network access to that equipment is a real expense which they often choose not to pay. If they think
Re: (Score:2)
A firewall would do just as well as NAT without the overhead of NAT
Re: (Score:3)
I must say, from long experience, that maintaining a pure firewall does _not_ do as well as NAT. The network overhead of NAT is unnoticeable with even the most modest household modems and routers of the last few decades. Maintaining even a modest firewall is often fragile, vulnerable to profound configuration errors, and likely to cut off expected services at the most inopportune moments. This is compounded by the genuinely awful interfaces and management tools for many firewalls. Simply activating NAT is so
Re: (Score:2)
A firewall would do just as well as NAT without the overhead of NAT
... but only if it was actually installed, which I believe is the parent poster's point. Because NAT has become largely necessary for IPv4 access, people have a motivation to install and use it. (People should be motivated by security concerns as well, of course, but all too often they are not, because good security isn't necessary to get the system working ASAP, and sometimes gets in the way of getting the system working)
Re: (Score:2)
People didn't choose NAT - it just came with whatever home router they bought and that's just how the world works for them. If NAT hadn't been needed, I think the world would have evolved perfectly fine with home routers that came with a proper default firewall without the need for NAT.
Mudge - famed hacker (Score:2)
helpful perhaps, but doesn't solve the problem (Score:1)
This is all well and good, but it doesn't really solve the problem. The most severe problem is that conventional C/C++ programming is inherently prone to critical memory access vulnerabilities. And while code analysis tools can help, they don't (and cannot) correctly identify all such memory access bugs. But since the advent of C++11, it is actually possible and practical to substitute C++'s unsafe elements (i.e. pointers, references, arrays, ...) with compatible, (memory) safe replacements, thus eliminatin
Re: (Score:1)
> The most severe problem is that programming is inherently prone to access vulnerabilities.
Fixed That For You
> But since the advent of C++11, it is actually possible and practical to substitute C++'s well known and stable elements (i.e. pointers, references, arrays, ...) with complex, untestable abstractions vulnerable to compiler specific and destabilizing re-interpretation of what the source code actually said..
Fixed That For You, Too.
Firefox ASLR (Score:4, Informative)
Really? Firefox has no ASLR? So when did that regression happen, because it used to have it, even for binary components (addons), see: http://blog.kylehuey.com/post/... [kylehuey.com]
Or am I misunderstanding somehow?
Re: (Score:2, Informative)
I can confirm that at least on Win7 Firefox uses ASLR. For example, Firefox.exe has an image base of 40 0000h but it's loaded at 10D 0000h. Similar story for some other modules I've checked.
Maybe it's different on OS X though, because that is apparently the only platform this ‘famed hacker’ tested on. His main claim to fame, by the way, is boldly boasting he could bring down the entire internet in 30 minutes. Turns out that was an erm... slight exaggeration.
Re: (Score:2)
Does not sound like a security expert to me. More like somebody that wants to con people out of their money.
Test your own code for these features. (Score:1)
There's a shell script that'll tell you what is and isn't compiled with these options on your own system.
http://tk-blog.blogspot.com/2009/12/new-version-of-checksecsh.html
Despite what the summary says, you actually have to explicitly tell the compiler to enable these security features, otherwise you don't get any of them.
Compile with these options: -fPIE -D_FORTIFY_SOURCE=2 -fstack-protector-all
Link with these options: -Wl,-z,relro,-z,now,-z,noexecstack -pie
When compiling shared libraries, change "PIE" to
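The mitigations the summary attributes to the build environment (ASLR via PIE, a non-executable stack, RELRO, stack canaries, FORTIFY_SOURCE) can be read out of an ELF binary's headers, which is what the checksec script linked above does by wrapping readelf. The following is an added example, not code from the page, from checksec or from the lab described in the article: a small Python checker that parses the program headers and dynamic section itself, tested against a constructed minimal ELF64 image (a fixture with only the headers the checker reads, not a runnable program) and usable on any real ELF64 binary passed as an argument. The canary and FORTIFY checks are string-table heuristics, as they are in checksec.

```python
import re
import struct
import sys

# ELF constants from the ELF64 specification and glibc's elf.h
ET_DYN, ET_EXEC, PT_DYNAMIC = 3, 2, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """Report the build-time mitigations present in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    report = {
        "pie": e_type == ET_DYN,    # -fPIE -pie: the main image can be relocated by ASLR
        "nx_stack": False,          # no PT_GNU_STACK header at all means an executable stack
        "relro": "none",            # -z relro alone gives partial, adding -z now gives full
        "canary": b"__stack_chk_fail\0" in data,  # heuristic: stack protector imports this symbol
        "fortify": re.search(rb"__[A-Za-z0-9_]+_chk\x00", data) is not None,  # __memcpy_chk etc.
    }
    bind_now, has_relro = False, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic section for a BIND_NOW marker
            for d in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<QQ", data, d)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    if has_relro:
        report["relro"] = "full" if bind_now else "partial"
    return report

def build_sample_elf(pie=True, nx=True, bind_now=True) -> bytes:
    """Constructed fixture: a minimal ELF64 image with only the headers the checker reads."""
    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 8)
    dyn_off = 64 + 3 * 56  # dynamic section follows the ELF header and three program headers
    dynamic = struct.pack("<QQQQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    phdrs = (phdr(PT_GNU_STACK, 6 if nx else 7) + phdr(PT_GNU_RELRO, 4)
             + phdr(PT_DYNAMIC, 6, dyn_off, len(dynamic)))
    return ehdr + phdrs + dynamic + b"__stack_chk_fail\0__printf_chk\0"

if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /path/to/binary (no argument: check the constructed fixture)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(check_hardening(image))
```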
CyberInsecurity: The Cost of Monopoly (Score:2)
Fairly dismal community here (Score:3)
I submitted this story since it looked like an interesting approach to a thorny problem of measuring and reporting on software security.
I was hoping that someone would comment on this approach to grading software for potential vulnerabilities.
At 50 comments now, nobody has posted a comment which addresses the topic of the article.
Instead, we have a lot of people who are apparently jealous that someone is getting paid for providing a service.
Other people have taken the opportunity to trash talk various operating systems, languages, hardware and software.
Most benign (but still irrelevant) are war stories how some courageous, smart iconoclast overcame co-worker and institutional stupidity to save the day.
And, of course, personal attacks.
I guess this is a sign of the times. We have no discussion of substance, just flame wars.
Make Slashdot great again!
I really must find something (anything) better to do with my time.
Re: (Score:2)
The metric is pretty worthless. It can identify extremely bad code, but that is it. It will however con people into thinking it is much better than that and as such do a disservice to software security. Yet another worthless metric that delivers a mostly meaningless number.
The only way at this time to get a good assessment of code-quality is still having an experienced and capable expert look at it manually. Unless we get strong AI at some time (highly doubtful) that will very likely remain the only way.
Re: (Score:2)
It seems to me that it identifies code which uses unsafe programming practices (such as compilers without security settings set) and code which uses unsafe libraries. The code itself might be OK but the environment might be dangerous.
For instance, they mentioned that the Windows version of MS Office uses the latest version of the compiler with security settings and is therefore scored highly but the OSX version uses an old "unsafe" compiler and scores poorly.
I agree that the methodology has its limits but d
Re: (Score:2)
Well, this is a judgment call. I personally find metrics that may give people a false sense of security a very bad thing. The thing here is that this is a decidedly "experts-only" metric because most people cannot interpret it. Metrics are however routinely used by non-experts (a.k.a. "managers") and that makes any kind of expert-only metric dangerous.
Re: Fairly dismal community here (Score:2)
I agree that many people will misunderstand the limitations of the metric (managers are a good example).
However, it may help push good programming practice.
Re: (Score:2)
I doubt it. Those that use good programming practices use them because they realize their worth. The others are a lost cause IMO.
Gentoo (Score:1)
An actual security reason to keep using Gentoo!
WTF? (Score:2)
First, I have never heard of this "famed" person and I have been in computer security research for quite a while. Second, what they describe is basically worthless: They can identify really, really, really bad code, but if it is better than that their metric is unusable.
Sounds like a con to get attention and funding to me, nothing more, and they do harm by promoting yet another useless metric.
Re: (Score:1)
What is quite a while? 5 years? That's really nothing, I go back 30 years. Maybe you're in the windows world? Here, let me google that for you - http://lmgtfy.com/?q=mudge [lmgtfy.com] . If you don't know him, don't take it too hard. We can't know everything and everyone after all.
Check out l0pht, etc. Stuff that was done about 20 years ago. I've met him, he's a really smart guy. Just look at his work with l0pht crack. If he's coming up with it I bet it's good.
Office for Mac (Score:1)
The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says
hahah I went to undergrad with one of the developers. Good to know he hasn't been asked to update it since then. Seriously though, that's kind of the problem with the corporate form and fiduciary duty: companies will nicely box and sell a turd as a wholesome source of fiber if it's the only way they can figure out how to increase profit.