Monday, October 6. 2014
How to stop Bleeding Hearts and Shocking Shells
The free software community was recently shattered by two security bugs called Heartbleed and Shellshock. While technically these bugs where quite different I think they still share a lot.Heartbleed hit the news in April this year. A bug in OpenSSL that allowed to extract privat keys of encrypted connections. When a bug in Bash called Shellshock hit the news I was first hesistant to call it bigger than Heartbleed. But now I am pretty sure it is. While Heartbleed was big there were some things that alleviated the impact. It took some days till people found out how to practically extract private keys - and it still wasn't fast. And the most likely attack scenario - stealing a private key and pulling off a Man-in-the-Middle-attack - seemed something that'd still pose some difficulties to an attacker. It seemed that people who update their systems quickly (like me) weren't in any real danger.
Shellshock was different. It's astonishingly simple to use and real attacks started hours after it became public. If circumstances had been unfortunate there would've been a very real chance that my own servers could've been hit by it. I usually feel the IT stuff under my responsibility is pretty safe, so things like this scare me.
What OpenSSL and Bash have in common
Shortly after Heartbleed something became very obvious: The OpenSSL project wasn't in good shape. The software that pretty much everyone in the Internet uses to do encryption was run by a small number of underpaid people. People trying to contribute and submit patches were often ignored (I know that, I tried it). The truth about Bash looks even grimmer: It's a project mostly run by a single volunteer. And yet almost every large Internet company out there uses it. Apple installs it on every laptop. OpenSSL and Bash are crucial pieces of software and run on the majority of the servers that run the Internet. Yet they are very small projects backed by few people. Besides they are both quite old, you'll find tons of legacy code in them written more than a decade ago.
People like to rant about the code quality of software like OpenSSL and Bash. However I am not that concerned about these two projects. This is the upside of events like these: OpenSSL is probably much securer than it ever was and after the dust settles Bash will be a better piece of software. If you want to ask yourself where the next Heartbleed/Shellshock-alike bug will happen, ask this: What projects are there that are installed on almost every Linux system out there? And how many of them have a healthy community and received a good security audit lately?
Software installed on almost any Linux system
Let me propose a little experiment: Take your favorite Linux distribution, make a minimal installation without anything and look what's installed. These are the software projects you should worry about. To make things easier I did this for you. I took my own system of choice, Gentoo Linux, but the results wouldn't be very different on other distributions. The results are at at the bottom of this text. (I removed everything Gentoo-specific.) I admit this is oversimplifying things. Some of these provide more attack surface than others, we should probably worry more about the ones that are directly involved in providing network services.
After Heartbleed some people already asked questions like these. How could it happen that a project so essential to IT security is so underfunded? Some large companies acted and the result is the Core Infrastructure Initiative by the Linux Foundation, which already helped improving OpenSSL development. This is a great start and an example for an initiative of which we should have more. We should ask the large IT companies who are not part of that initiative what they are doing to improve overall Internet security.
Just to put this into perspective: A thorough security audit of a project like Bash would probably require a five figure number of dollars. For a small, volunteer driven project this is huge. For a company like Apple - the one that installed Bash on all their laptops - it's nearly nothing.
There's another recent development I find noteworthy. Google started Project Zero where they hired some of the brightest minds in IT security and gave them a single job: Search for security bugs. Not in Google's own software. In every piece of software out there. This is not merely an altruistic project. It makes sense for Google. They want the web to be a safer place - because the web is where they earn their money. I like that approach a lot and I have only one question to ask about it: Why doesn't every large IT company have a Project Zero?
Sparking interest
There's another aspect I want to talk about. After Heartbleed people started having a closer look at OpenSSL and found a number of small and one other quite severe issue. After Bash people instantly found more issues in the function parser and we now have six CVEs for Shellshock and friends. When a piece of software is affected by a severe security bug people start to look for more. I wonder what it'd take to have people looking at the projects that aren't in the spotlight.
I was brainstorming if we could have something like a "free software audit action day". A regular call where an important but neglected project is chosen and the security community is asked to have a look at it. This is just a vague idea for now, if you like it please leave a comment.
That's it. I refrain from having discussions whether bugs like Heartbleed or Shellshock disprove the "many eyes"-principle that free software advocates like to cite, because I think these discussions are a pointless waste of time. I'd like to discuss how to improve things. Let's start.
Here's the promised list of Gentoo packages in the standard installation:
bzip2
gzip
tar
unzip
xz-utils
nano
ca-certificates
mime-types
pax-utils
bash
build-docbook-catalog
docbook-xml-dtd
docbook-xsl-stylesheets
openjade
opensp
po4a
sgml-common
perl
python
elfutils
expat
glib
gmp
libffi
libgcrypt
libgpg-error
libpcre
libpipeline
libxml2
libxslt
mpc
mpfr
openssl
popt
Locale-gettext
SGMLSpm
TermReadKey
Text-CharWidth
Text-WrapI18N
XML-Parser
gperf
gtk-doc-am
intltool
pkgconfig
iputils
netifrc
openssh
rsync
wget
acl
attr
baselayout
busybox
coreutils
debianutils
diffutils
file
findutils
gawk
grep
groff
help2man
hwids
kbd
kmod
less
man-db
man-pages
man-pages-posix
net-tools
sed
shadow
sysvinit
tcp-wrappers
texinfo
util-linux
which
pambase
autoconf
automake
binutils
bison
flex
gcc
gettext
gnuconfig
libtool
m4
make
patch
e2fsprogs
udev
linux-headers
cracklib
db
e2fsprogs-libs
gdbm
glibc
libcap
ncurses
pam
readline
timezone-data
zlib
procps
psmisc
shared-mime-info
Comments
Display comments as
(Linear | Threaded)
The kernel certainly is a target, however it has a very active community and there are security minded people having a look. So I'm not that worried.
Given its complexity it's surprising that we haven't seen any damning thing there like a remotely exploitable issue in the network code. Small issues are found all the time, e. g. you'll find a bunch of driver-related security issues in the list of vulnerabilities squashed by Project Zero.
Given its complexity it's surprising that we haven't seen any damning thing there like a remotely exploitable issue in the network code. Small issues are found all the time, e. g. you'll find a bunch of driver-related security issues in the list of vulnerabilities squashed by Project Zero.
First up, bzip2.
Single maintainer. Massive use.
No release since 2010?
Has anyone actually looked at this code from an auditing/style point of view?
Can't see any kind of official github or hosted source from the main page.
Single maintainer. Massive use.
No release since 2010?
Has anyone actually looked at this code from an auditing/style point of view?
Can't see any kind of official github or hosted source from the main page.
Nice entry. I was at first shocked to read that bash has only one major volunteer, but then I thought of our position here in Gentoo. As I write this there are so many things I need to fix or do. I'm cronically behind. And every time I hear of some major Gentoo project in need, I try to give it help, only to find I'm fighting an uphill battle.
I'd like to extend the "many eyes" metaphor: sure there are many eyes in open source, but the area they must survey is vast. Many things go unseen.
I'd like to extend the "many eyes" metaphor: sure there are many eyes in open source, but the area they must survey is vast. Many things go unseen.
I imagine that now there have been a few security holes found now within Open Source software that hackers are going to target linux systems even more and try and expose more weaknesses, especially when projects are run by only a few volunteers. Perhaps we need an all encompassing security suite to try and stop intruders in the first place (ala f-secure) but some systems have this already (not sure how good though). Would this approach work? It may be incredibly difficult to look through 1000s of packages checking for a weakness, let alone a program with source code of 10,000 lines.
It feels like there are too many projects with not enough people. Perhaps we should have less projects with more persons per projects.
I expect a few more problems within the next year or so. Linux is no longer safe as a lot love to think it is.
John
It feels like there are too many projects with not enough people. Perhaps we should have less projects with more persons per projects.
I expect a few more problems within the next year or so. Linux is no longer safe as a lot love to think it is.
John
Hmm. There are probably more Android systems out there than all other kinds of (MMU) Linux systems together.
Now, which shell does Android use, again? ;-)
(Google did give us a security review. I also do this occasionally. Still, more contributions welcome.)
Now, which shell does Android use, again? ;-)
(Google did give us a security review. I also do this occasionally. Still, more contributions welcome.)
The whole area of other shells is certainly an interesting target. Debian was mostly safe from Shellshock because they use dash, many embedded devices use busybox.
Regarding mksh/android it'd be interesting to look what it actually does there and how much it is interacting with possibly dangerous input.
Regarding mksh/android it'd be interesting to look what it actually does there and how much it is interacting with possibly dangerous input.
Yeah, I looked at it. All these shellshock bugs don’t affect it, but there was an mksh-specific issue I found myself during careful code review: “env 'x+=y' sh …” was interpreted as appending to $x, on import. Fixed, of course.
> I was brainstorming if we could have something like a "free software audit action day". A regular call where an important but neglected project is chosen and the security community is asked to have a look at it. This is just a vague idea for now, if you like it please leave a comment.
Security is a process. Audit day will not help you. Audit week will not help. You need to do this over and over again, frome time to time. And that's why you need to change 'just hack it' attitude, because if your program has a shitty design, shitty code and shitty coding style it will definitely have security issues. Second -- stop using dead and useless software like tcp-wrappers. Dead for years, sorry. Also you should consider switching to some distro where maintainers actualy do something, not whining around about respect and tolerance. How about that?
Security is a process. Audit day will not help you. Audit week will not help. You need to do this over and over again, frome time to time. And that's why you need to change 'just hack it' attitude, because if your program has a shitty design, shitty code and shitty coding style it will definitely have security issues. Second -- stop using dead and useless software like tcp-wrappers. Dead for years, sorry. Also you should consider switching to some distro where maintainers actualy do something, not whining around about respect and tolerance. How about that?
Great comment, I agree in full!
Luckily, mksh was mostly good design when I took it over, so I, having
learned from the best (OpenBSD) – and still learning! – merely did
what it took, constantly, to finish that and improve even more.
Luckily, mksh was mostly good design when I took it over, so I, having
learned from the best (OpenBSD) – and still learning! – merely did
what it took, constantly, to finish that and improve even more.
On Tuesday details about the security vulnerability GHOST in Glibc were published by the company Qualys. When severe security vulnerabilities hit the news I always like to take this as a chance to learn what can be improved and how to avoid similar incide
Tracked: Jan 30, 00:52