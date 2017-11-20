Security Problems Are Primarily Just Bugs, Linus Torvalds Says (iu.edu) 82
Linus Torvalds, in his signature voice: Some security people have scoffed at me when I say that security problems are primarily "just bugs." Those security people are f*cking morons. Because honestly, the kind of security person who doesn't accept that security problems are primarily just bugs, I don't want to work with. Security firm Errata Security has defended Linus's point of view.
They're bugs, unless they're not (Score:5, Insightful)
Security by obscurity, government backdoors, etc. Those are not bugs.
Re: (Score:2)
If your OS is not open-source, forget release/review processes. If the NSA tells you to add this black box of code, you fucking do it.
Re: (Score:2)
that works for open source too, it's just trickier.
Re: (Score:2)
yeah, but it probably isn't. there would be much smarter, more widely-deployed, and more cost-effective ways to do it.
selinux is just easy for people to think of because it was designed by the NSA to scratch their particular bureaucratic itch. but, sure, anything is possible.
Re: (Score:2)
The backdoor in SELinux isn't in the code, it's in the setup documentation.
All data security is through obscurity (Score:2)
Security by obscurity
All data security is essentially security through obscurity. Vault combinations, cryptography, keys, etc are all rely on various forms of information that is not widely known. The security comes through obscure information. Now there are forms of "security" through obscurity which are trivial to figure out and thus effectively worthless but even the most robust cryptography is still security through obscurity at its core.
Re: (Score:3)
When we talk about security by obscurity we mean that the way of how the security is produced is obscured. Not that a certain secret, a key, has to be kept secret to use it.
PGP contains a private key, this is not what obscurity means in this context. What obscurity means is when the basic algorithm used to produce the encrypted result is not open to a public audit.
The key is secret. Not the lock. Big difference.
Re: (Score:2)
Re: (Score:2)
That's not what Linus is talking about either. Stop grinding axe at every opportunity.
Re: (Score:2)
True, but. (Score:3)
Re: (Score:2)
It's true, security problems usually exploit a bug. BUT, in general, there is a systematic problem underneath the bug, which allows a bug in a program to escalate to gain access to root-level systems. So, it's not just a bug, but a bug that is built on a system that does not have security built in.
I am assuming Torvalds considers not building security into a system is a bug. Consider software which does not prevent SQL injection attacks. If there was no attempt to prevent these attacks, technically the code is working as intended. Security simply was not a consideration. But in practice I believe it is still fair to consider that a bug.
Re: (Score:2)
Aren't SQL injection attacks usually queued commands? Isn't the ability to queue multiple SQL commands in one string a flaw in itself? Ex: what possible harm would it do to require a "drop table" command to be called on its own,etc ?
Re: True, but. (Score:2, Insightful)
Theyâ(TM)re usually someone passing unescaped user data to an sql query. So the end user is able to break out of a string and change the functionality of the query. Incredibly basic stuff.
Re: (Score:2)
Aren't SQL injection attacks usually queued commands? Isn't the ability to queue multiple SQL commands in one string a flaw in itself? Ex: what possible harm would it do to require a "drop table" command to be called on its own,etc ?
The real flaw is giving out ddl grants to a service account that's supposed to be doing dml.
Re: (Score:2)
Aren't SQL injection attacks usually queued commands? Isn't the ability to queue multiple SQL commands in one string a flaw in itself? Ex: what possible harm would it do to require a "drop table" command to be called on its own,etc ?
You won't be able to execute non-trivial installation SQL scripts directly through your code. You'll either have to chop the script into individual queries and run each separately, or run the SQL script e.g. from command line.
Also, SQL injection can be useful even without adding extra query. For example, if the login form uses this kind of SQL query: "SELECT * FROM users WHERE username='$username' AND password='$password_hash';", you can log in as arbitrary user without knowing the password just by typing t
Re: (Score:3)
Re: (Score:2)
The same can be said of functional bugs, they are buggy, but you don't know it until discovered. The discovery of the bug does not mean the code changed, it means that bug hadn't been caught yet.
So yes, a system that is vulnerable to an as-yet unknown attack is buggy.
Re: (Score:1)
They've always been buggy, but now we have a test case that triggers the bug.
Re: (Score:2)
I disagree that you can view lack of security as a bug. Using your example, lets say a novel way to attack databases developed in 2018. Lets call it relationship mutations. Today we have no idea how it works and how to defend against it, because it isn't invented yet. Are all databases released today buggy as a result? Do they become buggy, without any code change whatsoever, at the time this new exploit is invented?
I am not sure why you don't consider that a bug. If a new way of attacking any SQL command was discovered tomorrow, that would simply mean that 100% of existing SQL commands have a bug in them. It was a previously undiscovered bug, but a bug which needs to be fixed none the less. Perhaps the bug is in the SQL syntax or ODBC interface, but it is still a bug in need of fixing.
Re: (Score:2)
I am assuming Torvalds considers not building security into a system is a bug.
By that measure, the code with the most bugs is the program that hasn't been written yet.
Re: (Score:2)
I am assuming Torvalds considers not building security into a system is a bug.
By that measure, the code with the most bugs is the program that hasn't been written yet.
If the program hasn't been written yet, it cannot behave in any unintended way. So no, it doesn't have any bugs. A piece of software that when run allows a user to do something they aren't supposed to do is behaving in an unintended way, so that is a bug regardless of whether they put any thought into security when building it.
Re: True, but. (Score:2)
Re: (Score:2)
I am 'security guy' but I would agree with Linus most, maybe not all, but certainly most are just bugs.
SQLi is a perfect example. The code does NOT work as intended. If SQLi is possible than code that was supposed to allow the input of a string somewhere does not handle certain strings properly, or does not correctly control the input domain if certain values are not supposed to be allowed! Take your pick.
The first time that name filed for example encounters a name with an apostrophe in it, D'Arc
Re: (Score:1)
A bug is never just a mistake. It represents something bigger. An error of thinking that makes you who you are.
-- Mr. Robot
Security problems are NOT just bugs (Score:2)
Re:Security problems are NOT just bugs (Score:5, Informative)
Linus's context is entirely in terms of the kernel. If you ignore that, you write comments that are complete non-sequiturs.
Re:Security problems are NOT just bugs (Score:4, Interesting)
A few years ago I spent some time studying ontology technologies. In a nutshell ontology is a branch of philosophy having to do with "being" and existence, but in an information technology context it refers to models of reality that are built around taxonomic models (e.g. statements like "security problems" are a kind of "software bug"). This has most obvious applications in object oriented class hierarchies, but taxonomic models are also a big part of database design and also implicitly arise in the design of data interchange formats.
Here's what I took away from my dive into the intersection of metaphysics and software engineering: taxonomic models are only valid within a specific domain of application. Even if you intend to model objective reality, you end up modeling just the parts you work with.
This is a perfect example. Torvalds is effectively saying while some security problems may not be bugs, but for practical purposes nearly all of them are. Clearly this is true for him, so true that he literally doesn't know how to work with people concerned with non-bug security problems. What he is saying has really more to do with what he does on a day to day basis, rather than about the overall field of security. In that field you also have to deal with issues like trust delegation, agency, physical security and and social engineering. Clearly Torvalds must know these things exist, but for him they might as well not.
People are very seldom concerned with some kind of universal model of capital T Truth; they're almost always concerned with creating models that help them get their job done. This is inevitable, and it creates problems when you try to glue data from different sources together. The unnecessary problems that arise come from people who don't accept that their useful domain-specific models don't describe all of objective reality.
Re: (Score:2)
Well, I certainly wouldn't want to endorse Torvalds' attitude here. But you encounter it, minus the armor of overwhelming fame, all the time when you work with multiple groups of stakeholders. As a system designer a lot of what you do when you develop system requirements is make localized concerns globally visible. But there are always people who don't see the needs of other users as important, and depending on how they're situated they can create a lot of grief.
People actually confuse "objective" and "
Re: (Score:2)
Linus's context is entirely in terms of the kernel. If you ignore that, you write comments that are complete non-sequiturs.
More importantly, Linus's context is the particular discussion. If you lift the comment to the context of the kernel as a whole, it's wrong.
In the full context, I think he has a point; he was arguing against panicking the kernel when an out-of-spec situation is found. The security guy's (Kees) patch presumed that out-of-spec indicated an attack, when it most likely just indicates a bug. Being a security guy myself, I sympathize with Kees, we tend to think about things in terms of how to mitigate possible
Re: (Score:2)
he said they were "primarily" bugs. By "problem", I would guess he is talking about issues in properly set up software.
You are right about there being other issues in practice but you might argue better without using a strawman.
Re: (Score:1)
He is demonstrably wrong. True, some security problems are bugs, but there are also security problems that are bad design choices, that are misconfigurations, that are counting use of old technology (e.g. RSA 1024), that are poor use cases (nobody follows policy, because it is too complex and/or convoluted). You can't secure systems with just code reviews and patching. No way, no how.
Considering that he is a kernel maintainer and that his was responding to a guy trying to push code into the kernel, it is pretty clear that he was talking about kernel code. So he is demonstrably right, if you understand that he is talking about the kernel code.
Re: (Score:3)
He is demonstrably wrong. True, some security problems are bugs, but there are also security problems that are bad design choices, that are misconfigurations, that are counting use of old technology (e.g. RSA 1024), that are poor use cases (nobody follows policy, because it is too complex and/or convoluted). You can't secure systems with just code reviews and patching. No way, no how.
A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. [wikipedia.org] You may disagree with this definition of a software bug from Wikipedia, but I think it lines up with what I consider a bug. The bad design choices you mention are merely another potential cause of a bug.
The context of Linus's statements must also be considered. He is talking about product level security (Linux kernal in this case),
Re: (Score:1)
Bad design choices
Like choosing to use insecure-by-design languages.
The vast majority of security bugs would disappear if languages like Ada, PL/1, FORTRAN and COBOL were used instead.
Re: (Score:2)
He is demonstrably wrong. True, some security problems are bugs, but there are also security problems that are bad design choices, that are misconfigurations, that are counting use of old technology (e.g. RSA 1024), that are poor use cases (nobody follows policy, because it is too complex and/or convoluted). You can't secure systems with just code reviews and patching. No way, no how.
You are completely missing Linus' point. He is saying in the context of kernel development that security issues don't get privileged treatment. There is one set of rules for all issues, be they outright bugs, bad design choices in any aspect, misconfiguration in any aspect, etc.
Re: (Score:1)
Vocab [Re:Security problems are NOT just bugs] (Score:2)
Is there any objective and consistent working definition and/or test of "bug" versus "bad design"? I suspect there is a lot of gray area such that Laynes Law [rationalwiki.org] will reign over such discussions.
Re: (Score:1)
Re: (Score:1)
True, but I can think of many developers who build in security problems due to ineptitude. Ignorance is not an excuse.
Ineptitude is a bug. The resolution just involves a hammer to the face instead of an IDE.
Bug or feature? (Score:2)
The alternative would be "features"
Re: (Score:2)
The question was *how* equifax was hacked. Was it through a measure that this would have prevented? Probably not, it was probably much more mundane.
The patch may be a nice improvement and ultimately a good idea, but it's a hardening improvement, not a fix for a specific vulnearabilty, so caution must be taken. You can't just invoke the 'security' card as a 'nothing else matters' when dealing with adding security features.
Security vulnerablities are urgent, security mitigation features are important, but
Linus is mostly right (Score:2)
At least when you take into account that people should design security in today. So from the coding angle, pretty much "just bugs". From the testing angle often vastly different, as in functionality testing you check for the presence of functionality, but in security testing you check for the absence of functionality. Individual tests are still pretty similar, but getting test-coverage is very different and a lot more difficult.
Of course, the "just bugs" view also requires that the developers actually under
Re: (Score:2)
We will NEVER, EVER have 100% of all developers understand security at the level required to make 100% secure programs.
What we need is OS and languages that have security built-in, the same way programmers don't know assembly and UEFI and yet can still code and make programs.
Re: (Score:1)
Re: (Score:2)
There is also a 3rd class of coders, which one of my Application Security students pointed out last year: Those that do not really understand security, but know it is difficult and that get help from an expert when they need it. While this may be a bit underwhelming as result of my teaching efforts, I have to say he really got it.
Re: (Score:2)
So? Why would "100% secure programs" be desirable? This is the thinking of a complete amateur in the security-space. Security is risk management. You never do risk mitigation to "100%" in reality. It is stupid.
And "OS and languages that have security built-in"? Have you completely ignored all attempts and all research on that for the, oh, last 40 years or so? It cannot be done and asking for it is, again, stupid.
Re: (Score:1)
Re: (Score:2)
It is. You do not have to cut through the BS as with so many other people. Without that, Linux would never have grown to the quality-level it currently is at. While not perfect, it is pretty good, provided competent system administration and good competent coding.
Re: Finnish translation (Score:2)
Re: (Score:3)
The patch submitter agreed with him, don't know why everyone is jumping to white knight for him.
Torvalds point is that it can wait, and that it can be phased in. The proposal is a hardening scheme and there's a long history of hardening schemes breaking valid usage inadvertently. Torvalds perspective is that it can be done carefully, it's a nice to have, but it's not going to save the world and it's not so terrible for it to wait a little while to make sure it is right. The patch submitter said that he d
Assuming he has a clear requirement for security (Score:2)
Doesn't matter (Score:2)
You can word it the way you want. If it's not secure, it's not secure.
Here's a more complete discussion of the issue. (Score:5, Informative)
https://www.theregister.co.uk/... [theregister.co.uk]
Didn't Linus approve this? (Score:2)
I thought that Linus personally approves all the changes to the kernel. So didn't he approve the changes he is complaining about?
The context of his statement is refusing to approv (Score:2)
The context of the statement is that somebody submitted changes to the kernel and he denied the request.
Somebody wanted to add "security" code that would kill of a process, or even the whole kernel, if it detected something that might be a security concern. So with the proposed change, programs would crash without warning if this new code detected a possible security problem. Most of what it detects aren't attacks, though, they are just bugs in the software that need to be tweaked to explicitly follow sec
I agree... with certain assumed contexts (Score:2)
I couldn't agree more with Linus. It's not like we know each other or have Thanksgiving together; he's right in his own non-PC way. As long as we're talking about a bug not being: 1) maliciously intended code or put there 'on purpose', 2) functionality or operability that falls into as not-as-advertised, or blatantly didn't follow an RFP or standard or 3) hell, stuff that was just overlooked, seemingly over/under-engineered or ego-over-good-code.
...I'm sure there's a few more mental dice-up catalogs to
In his world, he is right (Score:2)
His world being the world of the Linux Kernel. When you use this context then of course any security breach is due to a bug, simply because, well, what else should it be?
Outside of that context... no.
In other news (Score:2)
For some value of âoebugâ (Score:2)
Thereâ(TM)s âoeyou forgot to check array bounds hereâ bugs, and then thereâ(TM)s âoeyour entire design is fundamentally fucked and insecureâ bugsâ¦
Re: For some value of "bug" (Score:2)
And then there's "it's 2017 and we've never heard of UTF-8" bugs.
AKA... (Score:1)
Features....to certain 3 letter agencies