Monocultures and software security

Posted Oct 17, 2002 3:38 UTC (Thu) by smoogen (subscriber, #97) [Link]

I think that we have to just accept that monocultures are a part of the game of code reuse. We extol the re-use of code because it allows us to work on bigger problems without having to re-invent the wheel one more time.

We just have to come up with methods to deal with security problems more effectively. Having us come up with 30 different versions of apache from the ground up is actually the worst thing we could do because it produces a different kind of holy war.

While apache, openssh, and other applications are prevalent major applications, there are also large parts of code that either get re-used verbatim or re-used by design. Look at how many packages had to be replaced because of the problem in the RPC XDR code. This affected several of packages that had grabbed the source, or had implemented identical like functions.

In the end, I think the problem isnt monocultures as much as poor engineering techniques. We dont expect our cars to be safer because their are 40 brands of them. We expect them to be safer because engineers did the hard work of tearing them apart.

Posted Oct 17, 2002 4:44 UTC (Thu) by raph (guest, #326) [Link]

Just about every competitive landscape has something like an 80/20/5 rule, in which the top 3 competitors grab about 95% of the landscape. I don't see any reason for things to be different with free software. For some discussion of why this "law" applies, see "Linked", by Albert-Laszlo Barabasi. It's a power-law distribution.

Of course, what you didn't mention is that the Microsoft world is far more monocultural than the free software world. A great deal of mail and Web runs on MS servers, for whatever that's worth.

I expect security to get better very slowly. An exciting old technology is provably-correct software (an assertion that won't be surprising for those following my recent diary). In the meantime, probably the biggest win is to deploy software and configurations as simple as needed, something far more difficult to do in the feature-laden world of proprietary software.

Posted Oct 17, 2002 5:50 UTC (Thu) by anr (subscriber, #234) [Link]

djbdns is a very good alternative to bind.

Is the license a problem? There could be a whole article discussing this issue.

I certainly find djbware very reliable and secure, and use it a lot. I am glad it's available, and I think LWN should at least mention it as an option.

Posted Oct 17, 2002 6:47 UTC (Thu) by Peter (guest, #1127) [Link]

Who was it, Mark Twain? "Put all your eggs in one basket - and watch that basket." Whoever it was, there is something to be said for the OpenSSH approach. Not only do we have perhaps the world's foremost security auditing experts working on it, but now, with things like privilege separation, I actually think OpenSSH is getting more secure over time - the opposite trend, unfortunately, from most software. Sure, there have been a couple recent holes, but these were a result of active auditing by the maintainers themselves - so I expect such "surprises" to be rare in the future.

As for MTAs, lots of people run Postfix and Exim (and of course qmail and Exchange, in the less-free category), so while Sendmail is the default choice for old-school Unix, I think it will continue to decline over time (market-share-wise, of course).

Bind? Well, the world is at least split between v8 and v9 (with a few stalwarts hanging on to v4.9). Bind 9 was a complete rewrite, so I think this counts as two products, for security vulnerability purposes. Likewise with Apache 1.3 vs 2.0.

All I'm saying is, perhaps our installed base is a little more diverse than it looks. (:

Posted Oct 17, 2002 10:57 UTC (Thu) by evgeny (guest, #774) [Link]

> There are, seemingly, almost as many editors available as users to run them.

1. Because they are "compatible" - you can open the same file in any text editor and can see the same contents. So it takes no time to _try_ a new one, therfore the chances are high each user selects what suits him best. Situation with MTA, HTTP servers etc is much more complicated. Eventhough, say, sendmail, postfix, and qmail share at least 95% of functionality (and these 95% cover 99.9% of existing installations), the configuration of that 95% differs drastically from one to one. Syntax of configuration files, names of parameters,.. - all is different. When it comes to plugins - ABI and even API are different - but why? why can konqueror and mozilla use the same plugins but apache and e.g. aolserver can't?

2. About everyone has tried a dozen editors (and from time to time, gives a try to a new one), but how many sysadmins can you count who actually tried several MTAs in real-life configurations? And it's undesrtandable. A wrong choice of editor in the worst (and extremely rare) case means a corrupted text file. A wrong choice (read - misconfiguration) of MTA means emails disappearing, angry users and managers, etc etc - and all that after many hours of installation/reading manuals/configuration/... Clearly, people use either the MTA they've been working with last years or whatever comes by default with their distribution, and switch to a different one only when there is an ultimate need.

IMHO, monocultures can _improve_ security, but monocultures here are meant in the sense of foundation stuff like mature configuration, string handling etc libraries. A major part of security holes are due to wrong memory (usually text string) handling - which is a simple reflection of the fact that the relevant part of the libc API is light years back and completely inadequate. Same regarding configuration - a lot of code in a lot of projects is just for basic config file parsing, meaning, as a result, many hours of duplicate work and NO compatibility. I dream about a well designed and implemented equivalent of AD/Registry. Well, this is a separate topic...

Posted Oct 17, 2002 12:42 UTC (Thu) by brugolsky (✭ supporter ✭, #28) [Link]

I have to agree with many of the folks here -- the benefits of code reuse weigh heavily in favor of monocultures. We simply need to write better code in languages that have safer primitives (since most exploits these days rely on buffer overflows or arithmetic overflows). Also, security *policy* can differ from system to system, even if the code is the same. E.g., deploying SELinux provides layered defense, but it complicates things considerably. Security is difficult, and when it comes to core infrastructure, there is no alternative to relying on professionals to configure and manage complex systems correctly.

Also, with a layered defense, if there is a security breach, there is usually some layer at which the breach can be halted quickly (e.g., iptables), while a longer-term solution is found (fix the bug in the application).

Posted Oct 17, 2002 17:22 UTC (Thu) by strombrg (guest, #2178) [Link]

It's not like lsh is unusable, right? And I believe it's GPL'd.

Posted Oct 17, 2002 19:58 UTC (Thu) by cdmiller (subscriber, #2813) [Link]

Stability comes first. The most stable, mature products will always garner the most use. Given that, as long as there is choice, monoculture in free or open source software will never take a firm or lasting grip. Even Linux itself, (the kernel), is up for grabs for full replacement or endless customization.

Some examples:

As mentioned Sendmail, Postfix, Qmail, Exim... I have replaced Sendmail with Qmail everywhere I worked. I assume others are doing the same with their favorites, even tweaking and upgrading Sendmail itself counts as some difference where monoculture vulnerabilities are concerned.

Openssh, Lsh, SSL, SEP, Kerberose capable telnet and ftp clients are all in use. Openssh is often run in differing configurations.

Apache competes with tons of other web servers. Apache is run in different custom configurations, not just default pre packaged Linux distro flavors. One persons Apache config may be vulnerable while anothers is not.

Djbdns is actively in use, other name servers will appear eventually. Lots of folks who actually run Bind do so in fairly safe ways, (chrooted etc.)

Some Linux distros even recompile their entire code base with tools like Stackguard.

Free software monoculture? I think not, and that's by design.

Posted Oct 24, 2002 6:40 UTC (Thu) by rickmoen (subscriber, #6943) [Link]

Excellent question. Free/open-source alternatives to OpenSSH (that implement the SSH protocols):

• http://www.net.lut.ac.uk/psst/: LSH
• ftp://ftp.pdc.kth.se/pub/krypto/ossh/: ossh
• http://www.fressh.org/: FreSSH

Taken from my comprehensive list of SSH software at http://linuxmafia.com/pub/linux/security/ssh-clients.

Free/open-source alternatives to BIND:

• http://www.dents.org/: DENTS
• http://www.maradns.org/ MaraDNS
• http://mydns.bboy.net/: MyDNS
• http://home.t-online.de/home/Moestl/: pdnsd
• http://dnrd.nevalabs.org/: Domain Name Relay Daemon
• http://posadis.sourceforge.net/: Posadis
• http://pliant.cx/pliant/protocol/dns/: Pliant
• http://www.linuks.mine.nu/helpers/yaku-ns/: Yaku-NS (official site at www.kyuzz.org/antirez/ens.html seems to be down)
• http://customdns.sourceforge.net/: CustomDNS
• http://www.thekelleys.org.uk/dnsmasq/: Dnsmasq
• http://gnudip2.sourceforge.net/gnudip-www/: GnuDIP
• http://www.stanford.edu/~riepel/lbnamed/: lbnamed
• http://eddie.sourceforge.net/lbdns.html: lbdns

Taken from my list of such software in http://linuxmafia.com/~rick/faq/#djb, which also includes all known open-source Web and ftp daemons for *ix. (Some of the DNS daemons listed are for specialised applications, but many are not.)

Rick Moen
rick@linuxmafia.com

Posted Oct 24, 2002 6:46 UTC (Thu) by rickmoen (subscriber, #6943) [Link]

Since the story also mentioned Sendmail: Here's a brief attempt to outline the points of comparison among MTAs commonly used on Linux, both open-source (Postfix, Exim, Sendmail, and Courier) and proprietary (Qmail): http://linuxmafia.com/~rick/linux-info/mtas

Rick Moen
rick@linuxmafia.com

Posted Oct 24, 2002 10:00 UTC (Thu) by anonymous (guest, #6955) [Link]

I have question: if it is the same source code,
but binaries differ, because of some randomizing
option in gcc, will the "community" be still
vulnerable? I mean, if buffer overflow does
something different on every single machine.

Posted Oct 26, 2002 9:03 UTC (Sat) by job (subscriber, #670) [Link]

The GNU version of SSH, lsh, hasn't had any of these security holes. However, far too few people use it, so please install and try. It interoperates with SSH.com and OpenSSH, but you'll have to relearn some command line switches (much like going from PGP.com to GnuPG). I have been running lsh 1.4.2 as my SSH daemon on several servers for over a year, and so far it has been rock stable.