Insecurity blues: What I learned from my buggy code
Summary
Topics
Commentary--It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.
It's very educational however to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.
The kind of security bugs we get now are much more sophisticated than those that were originally present in the first releases of Samba. We also treat them much more seriously than we used to. In the early days, we (or someone else examining the code) would discover a security problem, and almost immediately we made an announcement of a fixed version. Those were also the days where binary releases of Open Source/Free Software were unknown, as everyone knew how to compile from source code. At least everyone who we were interested in working with did. Our response time for security bugs was usually measured in hours (depending on the timezone of the person reporting the bug). I still remember the first attempt by someone to sabotage Samba with a zero-day exploit posted directly to our mailing list without any warning. Andrew Tridgell (the original author of Samba) was so incensed that he immediately raced to ensure the very next message on the list was the patch for the bug. He succeeded. These days we rarely get zero-day exploits posted openly to lists. The bad guys who discover exploits keep them secret for their own illicit use, and the good guys go through the currently agreed-upon best practice of sending notice to the Samba developers directly (at the mailing address security@samba.org) and work with us in coordinating the announcement of the problem and its fix.
Our response time appears to be much slower these days, even though internally we still usually create an initial fix for the problem within a few hours of seeing the report of the bug. Having Samba Team members in almost all timezones helps with this speed of response. What slows us down these days is our own success. In order to responsibly release a security fix version of Samba we must coordinate with a large number of vendors who are reselling and shipping our code. Most of them have their own patch release schedule and internal security teams who validate the suggested patch and agree on a time to announce the vulnerability to everyone.
Who discovers our security bugs? These days, it's about 50-50 between internal audits by the Samba Team and other Open Source security people and external security researchers, who make their money winning contracts by proving how smart they are by discovering vulnerabilities in Open Source/Free Software projects. The way we respond has changed also. What we do now on seeing a security bug is immediately audit the entire code-base to discover if there are any similar problems, or even similar coding practices that might cause future problems, and re-write or remove all such code. It takes longer, but is much safer in the long run. If you examine parts of the Samba code you'll find common functions that are known to be insecure simply won't compile if added to our code. A set of automated macros warns of any use of known bad functions. Still, we can't depend on automation for protection. Our current security vulnerabilities involve exploiting an assumption in one part of the code to cause a vulnerability in what appears to be a completely separate part of the code, which is actually interdependent. Attackers and security researchers are very clever these days.
Is it easier to find and fix security bugs in Open Source/Free Software code rather than proprietary code? My personal feeling on that is "yes". Being able to examine the intent of the author by looking at the code and comments makes it much easier to see where the intent and the code don't match. That's where the security bugs live. Is Open Source/Free Software code safer than proprietary code? I'd say "yes" to that also. Looking at the number of vulnerabilities is misleading. A good 50 percent of our security bugs are found by our own internal code audits, or someone just looking over some code they're working on and saying to themselves "that looks funny..." Whenever we find something like that, we have to report it to the our vendor community and make a security announcement. It is painful doing this but as all our processes are open we don't have the luxury of silently fixing something and hoping no one will ever notice. Proprietary vendors do have that luxury; they would be insane not to take it, and I'm sure they do. Proprietary code vendors need all the help they can get competing with good Open Source/Free Software.
Samba is still written in C. I've examined the possibility of moving to C++, but to be honest that won't really help for the kind of security bugs that we seem to suffer from. In fact by hiding interdependencies in object classes it may make them more difficult to find. Also I'm not the final decision maker on that and many of the Samba Team hate C++ (Luddites that they are :-). Re-writing in a managed code language like Java or C#.NET would definitely help reduce our security problems but would reduce the performance that people find to be one of the compelling reasons to use Samba. It's no accident that none of the competing CIFS servers are written in managed code either. It would cost us six months to a year to re-write everything and get back to the same level of features, probably with reduced performance. We simply don't have the people or time to do that. For the moment we're stuck with C and we have to make the best of it. If someone is creating a competing Open Source/Free Software CIFS server I'd encourage you to do so in a managed code language as an experiment. If it works as well as I'd hope, we may throw our code away and join you :-).
In order to keep Samba relevant and current with modern practice, we've had to keep re-writing and re-designing core parts of the code. Our upcoming release, Samba 3.2, bears little relation to the original 1992 code and uses modern memory management techniques to avoid heap overflow, buffer overruns and memory leaks, much of which was invented by the Samba Team for internal use. The goal is to keep ourselves secure, as the Samba Team uses Samba for file services ourselves. This is all about scratching our own itch, and helping out everyone else as we do so.
I still feel bad about the mistakes I've made, but I try and redeem myself by using them as examples of how not to write code when I do interviews here at Google. If someone doesn't see the bug it always makes me feel better, but acts as a black mark against them in the interview score. After all, everyone we hire should be able to write code better than me :-). The code is out there to be studied; so learn from my mistakes and don't end up having to coordinate a security announcement. That's one learning experience it's better not to have.
Jeremy Allison is one of the lead developers on the Samba Team, a group of programmers developing an open source Windows compatible file and print server product for UNIX systems. Developed over the Internet in a distributed manner similar to the Linux system, Samba is used by all Linux distributions as well as many thousands of corporations worldwide. Jeremy handles the co-ordination of Samba development efforts and acts as a corporate liaison to companies using the Samba code commercially. He works for Google, Inc. who fund him to work full-time on improving Samba and solving the problems of Windows and Linux interoperability.
Just In
For example, on a parameter pass and within a function call, was strcpy() being called vs strncpy() with len n check that produced the side effect? Or was it void * parameter that was cast incorrectly?
Thanks Jeremy!
Essentially the problem was reading into a fixed-size buffer which was correctly length checked and sanitized so no possibility of overrun. This buffer was then (via a very covoluted code path) being passed to a function that was outputing a network packet with a shorter fixed buffer size. The incoming data was assumed to be safe - of course it wasn't (we need a C "taint" flag really).
We don't allow strcpy in Samba, it's a banned function.
Jeremy.
strncpy - does not always terminate the string.
sprintf - just like strcpy, no length check.
realloc - about any arguments you can throw at it are valid for something.
Well, would like to have the list of banned functions.
Do you all the "?" operator?
realloc is ok, but we use a wrapper for it that is careful about not losing the original pointer on malloc failure.
What really helps us is using talloc() for everything. This is a home-grown (tridge created actually) malloc wrapper library that gives C++-list destructors to C code.
Jeremy.
There are even some strange ones that give cross platform problems such as strptime().
And, let us not forget the non thread safe functions like localtime(), which should be replaced by localtime_r().
I am still puzzling over why you have banned strncasecmp(). I will be trying to figure out why you banned it.
I will definitely check out talloc()!
And, finally, sorry I did not reply sooner. I forgot to check back, until I was talking about banned functions.
So open source code is safer because half of all errors are found by Samba team members, with the other half from people attempting to increase business for their security companies.
Makes the argument uncompelling, no?!
Relevant quotes:
"These days we rarely get zero-day exploits posted openly to lists. The bad guys who discover exploits keep them secret for their own illicit use, and the good guys go through the currently agreed-upon best practice of sending notice to the Samba developers directly (at the mailing address security@samba.org) and work with us in coordinating the announcement of the problem and its fix."
and:
"Looking at the number of vulnerabilities is misleading. A good 50 percent of our security bugs are found by our own internal code audits, or someone just looking over some code they're working on and saying to themselves 'that looks funny...'"
While I agree that internally half the bugs are found, and I suspect the same is true of Microsoft and their review process.
In general this is one of the things that puts me off on anything open source. The claims of better security simply is not born out by the facts. Open source code has had as many reported "bugs" as anything else and when guys like Jerremy refuse to accept that fact it tells me they are full of themselves and not being honest.
Jeremy.
You could do worse. Wait until you get Loverock Davidson commenting on your articles. Arguing with him is like arguing with a cerebral black hole - if you do it long enough it sucks intelligence out of you. Or better - you know you've made it when Mike Cox, ZDNet's satirist, replies to your articles.
BTW - the flip side is that Samba is widely used and appreciated - warts and all - in investment banks that I've worked in. And I don't rightly remember all that many warts. In fact, I often wish the rest of the software tools I use were as reliable and secure!
Regards
Banjo
Ahh, I can already feel my IQ slowly slipping away as I read his response.
Please make it stop....
funny though? It was mildly entertaining i suppose. Go to youtube and watch Frank Caliendo for "nose shooting" humor.
of Microsoft and their review process."
Perhaps true but this was not Jeremy's point, that judging security simply by
looking at the number of publicly disclosed vulnerabilities is misleading. His point
is with proprietary code who's to say how many of the discovered security problems
are disclosed publicly?
"The claims of better security simply is not born out by the facts."
What facts? Jeremy "personal feeling" is "find and fix[ing] security bugs" in open
source is easier. Having the source makes it easier for ME to find and fix bugs.
Code audits of large open source projects compare favourably with other projects
(e.g. Coverity's & Reasoning kernel code quality studies).
http://lwn.net/Articles/115530/
http://www.news.com/2100-1001-985221.html
For once can you backup your claimed Facts which, well, facts.
You know what puts me off more than open source? People who put words into other peoples mouths.
He wasn't supposed to blow security on the plan.
They will be assimilated -- resistance is futile.
You are naive to think that a proprietary software company discloses each and every problem discovered or reported.
http://www.news.com/2100-1001-985221.html
-Mike
Back to your cube senile old man.
You may find it interesting to know that SAMBA does CIFS/SMB better than Microsoft does!
So while you're chastising Jeremy, we're all cheering him! Go SAMBA!
-Mike
It mimics Unix behavior and author(s) may have had access to minix or unix code, the world will never know.
Samba's SOLE purpose at launch was to reverse engineer Windows CIFS implementation and build their own.
So what is your point? That samba literally stole Microsoft IP and code and then focuses on that one piece? Woo hoo Mikey.
Glad you put it in perspective. You should cheer when open source is able to steal and make usable a Microsoft technology that's been in place years beforehand.
http://en.wikipedia.org/wiki/Server_Message_Block
FYI: We had Barry Feigenbaum, the original (IBM) author of SMB at the CIFS conference a few years ago. He's a really nice chap
.Jeremy.
flies. He probably thinks it's OSS that came
to get him.
Pay no never mind to what he says.
I don't believe it was a "Silly" comment. Again, it's not about who invented anything. There is very little "virgin" innovation happening in technology w/o somekind of basis on past or existing technologies.
But Microsoft had heavily modifed SMB and their CIFS implementation, as I said, and it was THAT which was the aim of SAMBA.
From the same article you posted above:
Because of the importance of the SMB protocol in interacting with the widespread Microsoft Windows platform, coupled with the heavily modified nature of the SMB implementation present in that platform, the Samba project originated with the aim of reverse engineer and providing a free implementation of a compatible SMB-client and server for use with non-Microsoft operating systems.
So please explain what was so "silly" about what I posted.
you. A Match Made In Heaven!
Question is, why are you so worried about
Open Source? Take a Valium, man, chill out!
Why are you so worried about Microsoft? Posting lengthy bits about them constantly.
Take a whole bottle of valium. Chill.
have to make up lies, stretch the truth, and
defend them for extortion.
How does it feel to defend the very people
whose every motive is to rip you off? Awwww,
poor guy! You don't even know what they're
up to, do you?
As for paying for my OS, I don't mind anymore than paying for cable or toys for my Son for Christmas or giving to charities that help people like you.
You know, when did capitalism die in your mind? The US economy is not all that healthy as it is right now and you want to make it worse. God bless you.
Capitalism is alive and well. It's the greedy capitalist pigs who throw a monkeywrench in the process. Not because they're capitalists, but because they're greedy pigs. If you want to support them, you're welcome to it, but it takes a twisted sense of value like yours to call it charity. I feel sorry for any poor deluded soul who depends on you for charity.
By greedy pigs, do you mean every company you deal with weekly to buy everything from groceries to toothpaste? Because you don't follow the corporate dealings of Nabisco, doesn't mean they aren't just as greedy as any other company, such as Apple (best example I can think of besides Google).
May God bless you this Christmas season and help you calm down and be happy. May he allow you to roam the internet in search of gifts for your loved ones w/o swearing like a trucker at the prices and how they are all evil greedy bas***ds.
amen.
Straw man!
First of all, he didn't congratulate himself for how many bugs the security audits found... he was noting that while a closed source company could hide those bugs and not report them, an open source project can't do that, which means that right off the bat they're having to report twice as many of the bugs found in their code as the closed source shops need to.
Second, the other half of *the reported bugs* are those found by people outside the samba team. Because they're found by third parties with source, they're easier to find, and so are found by more people. I know that I've often gone to report a bug in source code in some open-source project and discovered that someone else had already done it. And I'm not someone "attempting to drum up business for a security company", I'm an end user taking advantage of the fact that I have source code.
Second, whether or not some bad guy finds these bug (or, for that matter, the bugs found internally), the fact that there are so many eyes looking at the code means that they're also found and fixed at a greater rate than in closed source software. In addition, design flaws in the code (including in the API) tend to get fixed and the fixes get propagated upstream, because anyone can make them or (in the worst case) fork the project.
So what he's saying is that bugs are fixed faster, because there's more good guys looking at the code, and they don't get fixed silently, because there's good guys reading the change logs. Which is nothing to do with the words you're trying to put in his mouth.
But I love how you managed to paint a good guy/bad guy picture of open source v. Micros...er, i mean proprietary software.
Nice work, seriously.
I agree with you about what he was saying -- but I think it's worth challenging some of his assumptions a bit.
I don't think we should make blanket statements about whether open-source or proprietary software is more secure.
I think it depends on a number of factors:
1) The resources available. For popular open-source, vs budget-strapped proprietary, open-source may have the advantage. For open-source with a small developer community, vs proprietary with full-time programmers, proprietary may have the advantage.
2) The availability of the source lends advantage to attacker if there's not enough good guys looking at the source.
3) The quality of the development team (both as individuals and as a team).
It really annoys me when people claim "of course Open Source is more secure". And it annoys me when people go "Look at how many security holes are reported against Open Source!" Or "Look at how many patches Microsoft releases".
None of these are accurate reflection on the degree of insecurity, even at a blanket-statement level -- and even if they were, they'd be useless as a guide. Blanket statements don't apply to any particular software decision.
But I guess we like the security blanket of blanket security statements, rather than having to think hard about complex problems. So often we go after the simple answers, no matter how wrong!
There is no such thing as non-trivial error-free programming and never has been. We all do the best we can, but in the end, there will always be bugs. The goal is then to make the best quality software we can, knowing that it will never be perfect.
Boom! ... I had not anticipated NO input! I think this proves that even a TRIVIAL piece of code can have bugs. OK, I'm not a professional programmer, but I do have a PhD in Biology, so I'm not dumb. I can understand how problems get into code ... we are human.
I don't mean to say you are insincere here and not brown nosing for some reason, but I can tell you I've always taken claim to my code, good or bad.
I'm waiting for you to tell me what a real man I am........
..............
..........waiting still.........
Microsoft programmer?
Can we quote you on that?
Yep, you are a real man, in the same
category as Bill Gates when he made these
statements:
"There are no significant bugs in our
released software that any significant
number of users want fixed".
Focus Magazine No. 43 (23 October 1995)
"Microsoft programs are generally bug-free.
If you visit the Microsoft
hotline, you'll literally have to wait weeks
if not months until someone
calls in with a bug in one of our programs.
99.99% of calls turn out to
be user mistakes".
"I know not a single less irrelevant reason
for an update than bugfixes.
The reasons for updates are to present more
new features".
"No, the best way to prepare is to write
programs, and to study
great programs that other people have
written. In my case, I went to the
garbage cans at the Computer Science Center
and I fished out listings of
their operating system".
"We're responsible for the creation of the
PC industry. The whole idea of compatible
machines and lots of software.. that's
something we brought to computing. And so
it's a responsibility for us to make sure
that things like security don't get in the
way of that dream".
"There won't be anything we won't say to
people to try and convince
them that our way is the way to go".
"If you can't make it good, at least make it
look good"
"What we're really after is simply that
people acquire a legal license for Windows
for each computer they own before they move
on to Linux or Sun Solaris or BSD or OS/2 or
whatever".
In response to Java: "Anybody who thinks a
little 9,000-line program that's distributed
free and can be cloned by anyone is going to
affect anything we do at Microsoft has his
head screwed on wrong".
Here's one the Mac users will really
appreciate: "To create a new standard, it
takes something that's not just a little bit
different; it takes something that's really
new and really captures people's imagination
— and the Macintosh, of all the machines
I've ever seen, is the only one that meets
that standard".
So hold your head high, Zuny, you're in the
company of a real great man.
I just must throw in this last quote by
Ronald Reagan: "The Goliath of
totalitarianism will be brought down by the
David of the microchip".
My message was simple. If all it takes for a man to be so honorable and worthy of public praise is to admit to have been the author of code with flaws, then I wanted to let him know I alos must be a very honorable and great man.
relaxed.
Only took a coupla minutes to round up a few
asinine quotes by your Idol.
Don't get your skivvies in a knot about it.
You don't have to read it. I didn't post it
for your benefit anyway, but for others who
might enjoy reading it.
Loosen up. Pop a Valium. Take a toke. Have a
Coke. Snort it too, if you want.
please take a long vacation away from the internet. For your sake, I'm asking you. You need the rest and a chance to get your mind back into reality. If that's even possible at this point. I worry about you Ole Man and giving you good advice.
you may have ever possessed, and you have
never possessed the humility to recognize
your own failure. Your anger toward anybody
who tries to help you only amplifies your
complete lack of conscience and your moral
ineptitude.
You're on your own. Sink or swim. Don't beg
me.
Give it up. Take some of the drugs you're trying to peddle. Dig out your stash and take a few tokes. Nobody is going to hurt you. As soon as Microsoft gets all your money, they won't give a flip about you. They'll drop you like a hot potato.
Bill Gates loves his children and has a nice and giving Christian home. Too bad you are a dyed in the wool, hillary and Obama Liberal.
Now you are pushing drug use. How nice. I used to think you were a decent God fearing man at one time. I guess I was wrong.
I'm still amazed that people are foolish enough to connect their business network to the Internet thinking some off the shelf firewall will protect them.
Connecting your business computer to your home network shared by your children's (infested) computers is even worse.
It's been my experience that most people do not get serious about backups or network security until AFTER it has bit them in the backside.
Join the conversation!
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
Vendor Showcase
Facebook Activity
