University students tasked with finding flaws in Unix applications as homework have uncovered 44 bugs. But since the University of Illinois at Chicago students were asked by tutor Daniel Bernstein to find 10 bugs each, most will likely flunk his Unix Security Holes course. The assignment counted for 60 per cent of the marks available to the 25 students taking the course.
re you sure that they are not just throwing out the bus that over lap?
I mean, if all those students found 10 bugs each and there was significant overlap, then they could pass the course but still only have found 44 bugs.
This is retarded. It was on /., and I can’t believe it made it here. If that is something that a teacher is going to actually used to pass/fail his students, then he should be replaced immediately. Unless he had some “control” programs to give them or somehow knew for a fact that there were that many exploits in the wild, then it is an unfair test. Give them a bone – atleast some hints or buggy code to examine. This is just ridiculous to me.
@brett
I disagree. This is a great assignment. Think of it this way: you don’t have staged bugs when you are developing software outside of the classroom. You have bugs which range from the obvious, to the incredibly obscure. By giving them production software and asking them to document real bugs, those students are going to have that much of a lead over their peers at other universities.
Think about it. Most students get through because they know how to jump through the hoops, just because they know what their instructors are looking for. Now they are being told that the instructor doesn’t necessarily know what they are looking for, in fact there may be thousands of professionals who do not know what they are looking for.
When these students succeed, they have accomplished something which others have failed at, and they are all the better for it. Our schools should expect more of this, rather than producing cookie cutter students.
So what are these students being trained for? Beta testers for a Q&A department? I’d say the ability to FIX bugs is more important than to find them – users and testers will find the bugs for you.
The point isn’t that the assignment isn’t great, but how it is graded. They have done great work accomplished something quite impressive and still they’re being failed simply because DJB is a prick.
Actually, I take that back. Since the nature of the bugs they’ve been asked to find are security holes, and found only by looking at the code rather than testing/using the software. (The article blurb wasn’t clear about this.)
So this is indeed a good assignment, and actually would probably been fairly easy to find by looking at the exploits found. Most deal with unsafe functions such as strcpy/sprinf/strcat – so to find such flaws you’d only need to grep for them and then see how they’re used in the code that comes up. And it’s usually quite obvious of they are used safely or not.
You’re wrong, Myrd. Your users should NOT find the bugs. You, as a development team, should. This is especially true if the system developed is a critical system. You wouldn’t like the control software in your local power plant to fail, would you?
I think this is a great assignment!
“its so easy for average American student to find 10 bugs as an exarcise what about
goverment-supported cracker…”
these students specifically looked for easily detectable bugs. most of them were in string handling functions in c. a well known issue. I suspect your overage Linux or Windows software wouldnt have them but its hard to know for sure
> “its so easy for average American student to find 10 bugs as an exarcise
They were supposed to find 10 each, or 250 assuming no overlaps. They found 44. It’s quite possible, but not -that- easy.
> what about
goverment-supported cracker…”
…
> these students specifically looked for easily detectable bugs. most of them were in string handling functions in c. a well known issue. I suspect your overage Linux or Windows software wouldnt have them but its hard to know for sure
Yes, string handling bugs in C are a well-known issue. Unfortunately, your average software has far too many of them, Windows or Linux. People have been making the same idiotic mistakes for decades.
Since when flaws in MPLAYER, mpg123, xine,… , are UNIX flaws …
thats like saying all the US army soldiers have a degree they may all know how to shoot a gun but i HIGHLY DOUBT that they all studied at college level, even with the US armies defence budget of billions.
Everyone…
It’s very interesting that this article inspires a discussion regarding how these students found these bugs and weather or not this was a good or bad assignment from their teacher.
Why? This is a security issue.
As far as the bugs being found… GREAT! This is UNIX and they will be fixed quickly and correctly. Who cares how they were found? The tighter the code the better. So, go out and find more.
Timo…
Stop watching the news for a while and educate yourself.
BTW…
Most of these bugs are regarding FreeBDS 4.10 (Legacy). I would be interested in knowing how 5.3 holds up. And don’t forget OpenBSD? NetBSD? Solaris? HP-UX? etc…?
“Most of these bugs are regarding FreeBDS 4.10 (Legacy). I would be interested in knowing how 5.3 holds up. And don’t forget OpenBSD? NetBSD? Solaris? HP-UX? etc…?”
No, just because DJB was using FreeBSD 4.10 to install the software does not mean they were FreeBSD 4.10 specific. These exploits would work using any flavor of *NIX, unless the software they were using was patched previously.
All this tells us is that either DJB or his students prefer to use FreeBSD 4.10 for now.
Have you ever heard about day zero attacks? Most of people who find bugs are in “good side” nowadays, but what happens if increasing number of them start to be in “dark side”?
I don’t deny that USA is great and powerful power with big number of smart business men and computer guys but still I would be more afraid of Russian crackers than them.
I think this is a cool assignment, though, the 60% of the marks bit seems a bit harsh.
By the sounds of that article most will fail? Reminds me of that old saying “theres no such thing as a bad student…”.
Anywho, I’m happy I’m not in that class
He didn’t require students to find security flaws in security critical software, he required them to find it in any software that is in production. That is, he didn’t say: find security flaws in anything that runs as root on a linux box, he said: find security flaws in any of the software that runs on a linux box. This is MUCH MUCH EASIER, because all the care and attention that goes into making something that runs as root or as a network service secure doesn’t go into making everything else secure. That is, it’s a hell of a lot easier to find security flaws in nano than it is in wu-ftpd. The fact that these students couldn’t find 10 bits of blatantly insecure code each just demonstrates how much they suck. How hard is it to grep for strcpy?
Actually, this is one of the main strengths of OSS – anyone can audit the code, so holes like these are found. Better the devil you know, more or less.
CSPAN is your friend.
Perhaps they should be tasked to find 1000 Windows bugs / security holes (hmmmm.. maybe that’s wayyyy tooooo easy).
here is a link to a story from the washington post
http://www.danielpipes.org/article/1032
http://tigger.uic.edu/~jlongs2/holes/
hit the up a directory button… looks like some script kiddie got the best of the fine site..
….the students may just google for the security wholes, and show their instructor bugs from yesterday?
Guess not…just my 2 cents
Those of you worrying about how the poor students fared can stop worrying:
http://news.com.com/Students+uncover+dozens+of+Unix+software+flaws/…
“At the end of the course, I decided to throw that scale away and think about how much the students had learned”
I am sure that DJB is a reasonable person who does not delight in failing all his students. Besides, no professor would fail the majority of the students in a graduate level class.
Cool course!
If the assignment was to find bugs in M$ Windoze, then they’d found whole tons of them.
I think it’s your turn to stfu.
Some of you guys are really funny.
Some students at college are told to find bugs in an operating system, and some guys mention terrorists, bad russian hackers, and windows security.
…there is this book about a spanish guy who is fighting windmills…
But i guess many people here simply watch too much Tv.
Infact i think this is a good practise thing, but the outcome of this task is too less controllable for a serious test. Luck is a too big factor in this test, in terms of looking at the right piece of code at the right time.
So, are we’re talking about finding flaws in Unix APPLICATIONS or are we’re talking about flaws in a Unix KERNEL?
And if a unix kernel, what kernel excactly? (*BSD, Solaris, what?)
Oh great, I just read:
“Notices about the security flaws uncovered – which range in severity and affect applications including CUPS and MPlayer”
Yeah, that’s unix flaws allright. ;-(
Always the same, a flaw in KDE results in a “linux security hole” and this time is comes from a person who should know better…
Afaik there are one or two of these apps that have also been compiled for windows , like abc2midi. If these flaws exist in one compilation, it’s not unreasonable to suppose they may cause problems on Windows machines as well as unix-type systems.
As for the exercise itself, I think it’s an excellent idea, that has immediately delivered something useful to the rest of the Unix world. Judgements as to whether it’s a fair/achievable assignment is up to the faculty to decide, not outside observers, and calling Daniel Berstein ‘retarded’ or a ‘prick’ is totally uncalled for, in fact downright offensive.
There were a couple of people who obviously got their 10 bugs, but most of the rest of class didn’t get any. Ariel Berkman is all over.
When there’s a security flaw in Outlook people go “Whoa, Windows sure sucks! It comes with crappy software! Indeed so!”
When software that comes with just about any linux distribution out there contains security flaws people go “Hey! Don’t say that Linux/*nix contains flaws! It’s this/that program/library! It’s not the KERNEL! There’s a HUGE DIFFERENCE YOUKNOW!”. Even though the files containing the holes might just as well be installed in 90% of the Linux desktop machines out there and could be considered “standard”.
Even so, when KDE/Gnome releases new major versions people go “Whoa, LINUX sure will dominate the desktops in a year or so, just wait and see!”. Isn’t it interesting how Kernel vs Software are divided when the article is negative and joined together when it’s positive?
For me, “Linux” is a system running Linux. The kernel to me is the “Linux Kernel”. And yes, i know this is wrong but i guess there’s more people out there thinking like me.
you gave me a link to the washington post LOL
that will be biased as hell LOL, thats like ask china about communism LOL
i rest my case about your mentality.
I’d say the ability to FIX bugs is more important than to find them
Ahem. Are you dealt with hunting for occasional bugs? Bugs, which pop up once a month for one user of hundreds? Bugs, what are caused just by application complexity and interaction with other (often unknown) system components? Usually these bugs can be fixed in 5 minutes, or workaround created in 2 hours – but finding them takes days, if not weeks.
—–
To people, talking about 1000 windows bugs:
Just find some new bugs and show them. If you want, download leaked Win source and search in code – I’ll bet you don’t find anything:) I don’t say that there’re none, of course they exist (1 bug per 1000 lines of code or so) – but claiming “it’s easy to find 1000 bugs” is just plain nonsense.
“Even so, when KDE/Gnome releases new major versions people go “Whoa, LINUX sure will dominate the desktops in a year or so, just wait and see!”. Isn’t it interesting how Kernel vs Software are divided when the article is negative and joined together when it’s positive?”
This is beacause KDE/Gnome is easily obtained through a Linux distribution. So when KDE/Gnome starts to spread, it usually means that Linux is spreading.
When there are found a exploit in things which is _not_ in the kernel, it applys to *BSD, Mac and Solaris. So here it is very important to distinguish.
So the logic flaw you are looking for, doesn’t exist.
dirty and ragged appearance does not imply a lack of education.
but i guess it is easier for some people to think they are just stupid because they dont have suits on.
When there are found a exploit in things which is _not_ in the kernel, it applys to *BSD, Mac and Solaris. So here it is very important to distinguish.
I agree up to some extent. Based on your explanation, I would say that such bug (in widespread application) is even more important (at least for normal desktop users) than just kernel exploit – and it is really different.
This, of course, doesn’t mean that it’s not linux related bug – for majority of desktop users linux means distro (kernel+apps) and fooling them with “this is not linux bug” is simply wrong.
What would you say when I tell you that most of windows exploits are no way related to kernel and are actually not windows bugs? Right answer is: windows is not only kernel, it is entire OS. Same for desktop linux in common – it is distro (entire OS, consisting of kernel and apps). Ability to run kernel without GUI apps (which is possible in windows too, just not so usable) doesn’t make it any different.
Well, let’s see, shall we? Here’s all the programs with exploits listed:
2fax – not in my default install. Not on my system. never used it.
abc2midi – ditto. What the heck is abc, anyway?
abcm2ps – ditto. Looks like this is a closely related app to the above and the same hole, in fact.
abcpp – ditto again.
abctab2ps – and again.
asp2php – another like the above.
bsb2ppm – and again.
changepassword.cgi – again, not on my system. Could be a bad flaw in a multi-user system functioning as a squid server, though, I guess.
chbg – wow, at last, one that might possibly be used by Joe User. It’s definitely packaged for Mandrake, don’t know if it’s in the default install.
(note that all the attacks so far rely on some degree of user interaction – basically, you have to download and use a remote file of some sort.)
convex3d – nope, not in my install or the default.
csv2xml – another obscure conversion tool. Don’t know if this one is around by default, don’t think so, though.
a couple in CUPS – that’s an important component, yup, but these flaws aren’t as serious as the others.
dxfscope – another one not in anyone’s default install so far as I’m aware.
elm/bolthole filter program – don’t even know what this is.
greed – again, nothing very standard. an obscure FTP/HTTP downloader, apparently. any standaard *nix system would just have wget, maybe d4x for graphical use.
html2hdml: more obscure conversion tools, noticing any trends yet?
iglooftp – well, i’ve at least heard of this one, but don’t think it’s standard for any distro and it’s certainly not the most popular ftp client around.
jcabc2ps – yes, more obscure conversion.
jpeg2avi – this is a more likely conversion, but I doubt a lot of people would download a bunch of jpegs from a remote server and use this tool to convert them to a .avi. Call me crazy, but it’s not something i’d expect to happen every day. don’t think it’s installed by standard by anyone, either.
junkie – obscure ftp client, anyone ever heard of this before?
linpopup – this one is packaged for Mandrake, not installed by default. ironically, it’s an implementation of a retarded Microsoft idea (that stupid thing that let you pop up a message on any Windows system, much abused on networks which didn’t shut it off yet)…bad exploit, though.
meshviewer: what’s this? what’s a mesh file when it’s at home? anyone customarily download and view them from random websites?
mpg123 – bad one.
mplayer – another bad one.
napshare – not a default piece of software, but this is quite a bad exploit. would need a gnutella server admin gone bad or a man-in-the-middle attack to exploit, though.
nasm – well…as the description notes, if you build a bit of software you’re likely to be about to run it, and if you’re going to do that then _of course_ it could do anything to your system. I don’t think Joe User is likely to be in the scenario the text suggests, either (they build software in an unsafe context then run it in a safe one). so though this is commonly used software it’s not a terrible problem. it’s not actually installed by default, either, at least on mandrake.
o3read – more obscure conversion tools.
pcal – random calendar tool. Don’t think it’s a default or particularly widely-used piece of software.
pgn2web – converts chess games to web pages. Oooh, yeah, there’s a vital and default system component.
qwik-smtpd – hardly the most common mail server around. if this were sendmail or postfix i’d be just a tad more worried. bloody stupid bit of coding, though.
ringtonetools – you guessed it, not a default piece of software anywhere.
rtf2latex2e – yawn, more conversion kits.
tnftp – another obscure ftp program.
uml-utilities – not sure what this is, something to do with user mode linux? don’t think it’s default, anyways. bad bug in a server environment though.
unrtf – another non-standard conversion tool. Most people would just open an rtf in a text editor or OO.o or whereever.
vb2c – yet another.
vilistextum – yet another. it’s not even the most common html to text converter (heck, less does it for you).
xine-lib – another bad one.
xlreader – another obscure file-reader. Joe User opens these in OpenOffice, and doesn’t have this installed.
yamt – j. random mp3 organiser. not a default bit of kit.
yanf – a UseNet downloader. not a standard bit of kit.
—
OK, so we see that this is basically a big list of obscure conversion utilities with braindead buffer overflows written into them. There are four bad vulns likely to actually exist on the average user’s computer – mplayer, cups (two of) and xine-lib. These all require you to actively do something with a compromised file, and do not involve privilege escalation. They’re still bad compromises, but still. To compare to a Windows environment, this is like finding a security flaw in the printing subsystem, one in Windows Media Player, and then forty others in completely random bits of obscure third-party software like two-bit FTP clients and format converters. I’d be really, really, really amazed if there weren’t just as many, or more, badly-written bits of third-party Windows software with buffer overflows in them.
Mandrake requires chbg for gnome-panel which is semi-essential for running gnome so it is not obscure
ah, thanks for that, I wasn’t sitting at a Linux machine when I wrote the list so I couldn’t check for sure. Though it’s a dependency of gnome-panel it wouldn’t actually be used unless you specifically turned on a certain panel app.