LWN.net Weekly Edition for December 4, 2003 [LWN.net]

The brk() vulnerability

It has been disclosed that the compromise of the Debian Project's servers was made possible, in part, by a previously unpatched vulnerability in the kernel's memory management code. For the curious, this article describes how that vulnerability works, and what is required to exploit it. We'll also look at how it could have remained unfixed for months.

Process memory
0x00000000-0x08047FFF Unmapped area
0x08048000-0x08?????? Program text
0x08??????- Named memory and heap
0x40000000-0x4??????? Shared libraries, shared memory segments
0x4???????-0xbfffcfff Unmapped area
0xbfffd000-0xc0000000 Stack

The kernel organizes a process's memory in a way vaguely similar to the diagram at the right. The addresses shown there correspond to the default ia-32 implementation. This picture has been simplified somewhat, but it conveys the basic idea. The real picture on a specific system can be had by running "cat /proc/self/maps".

The bulk of the memory used by a program for its variables and heap storage is found in the section marked "named memory and heap" in the diagram. This memory area is initially made large enough to hold the static variables created by the program, but, as soon as more memory is required (to satisfy malloc() calls, perhaps) that region of memory must be expanded. Since the beginning, Unix-like systems have provided a system call (named brk()) which can be used to change the size of the heap area. The caller simply passes in the virtual address indicating where the new "break point" should be set, and the area is expanded or contracted as need be.

Back in September, Andrew Morton noticed that no sort of bounds checking was being applied to the address passed to brk(). In theory, this omission means that a process could request an arbitrarily large heap area. In practice, most programs would not get that far. The kernel does not allow virtual memory areas to overlap each other, so any expansion of the heap area that caused it to impinge upon the shared library areas starting at 0x40000000 would be rejected with an error. So it would appear that the lack of bounds checking was never that serious of a problem; all it could do is allow a user to set up some huge page tables.

Obviously, the situation is worse than that. The memory layout diagram is missing one important area; on ia-32 systems, the kernel itself is mapped in starting at 0xc0000000 - right above the process stack area. Processes normally do not have any access to that part of memory, of course. But, as it turns out, if you can convince brk() to expand your heap area up into the kernel's address range, you have direct access to the kernel code and data areas. At that point, the integrity of the system is lost.

The key to cracking the system is changing the process memory layout so that the heap area can be expanded into the kernel's space. You cannot easily do that with a normal C program, but, with a bit of assembly trickery things become easier. A proof of concept exploit has already been posted to Bugtraq, so one can see how it is done. It is really a matter of (1) moving the program origin up into the highest part of virtual memory, where the stack usually lives, and (2) shorting out the C library's startup code which sets up the address space in the first part. Once you do that, an unpatched system will happily expand your heap area into kernel space.

So, as the Debian Project learned at great cost, this little omission in the implementation of the brk() system call is fully usable for a complete local root exploit.

There have been a lot of questions about how such a vulnerability could remain unfixed for so long. In fact, it was patched in the 2.6.0-test series almost as soon as it was found. The fix also went to Marcelo Tosatti, the 2.4 maintainer, but it was too late for the 2.4.22 release, which happened on August 25. So the fix was merged into 2.4.23-pre7, which came out on October 9. The current 2.4.23 kernel is not vulnerable - but that was too late to help Debian.

The real problem, of course, is that nobody realized the severity of this bug. Had the kernel developers understood that current kernels were vulnerable to this sort of attack, the alert would have gone out and the various distributors would have sent out the usual set of updates. But this patch was just one of over 2000 patches merged by Linus in September. It would seem that it simply became part of the stream of fixes, and nobody looked at it particularly closely.

Except, of course, somebody did. Chances are, the posting of this fix drew an attacker's attention to the brk() code. With a bit of effort, the exploit got written, and now thousands or millions of systems are at risk.

What the kernel (along with most other projects) needs is more friendly eyes looking for this sort of problem. We do reasonably well, in that most vulnerabilities are found and fixed by the good guys before they can be exploited. There are cases where that doesn't happen, however, and the brk() bug was one of them. Security auditing is hard work, and usually unrewarding. But it would have been nice if somebody had looked hard enough at this problem to raise the alarm.

Comments (34 posted)

Wind River's change of heart

December 3, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

You win some, you lose some. While the free software community has lost an ally (by some peoples' reckoning, anyway) with the defection of SCO, Wind River seems to be coming around, at least to some degree. Until recently, the company had been fairly critical of the GPL and Linux as an embedded solution. The company surprised many in October when the announcement went out that Wind River would be providing tools for Linux development.

This week, Wind River upped the ante with the announcements that it would be joining two open source industry groups, the Eclipse Consortium and the Open Source Development Labs (OSDL). Wind River is joining OSDL to participate in OSDL's Carrier Grade Linux (CGL) Working Group, and focusing on embedded tools that are compatible with the Eclipse framework.

We spoke with Michel Genard, general manager of Wind River's Hardware Assisted and Stand-alone Tools product division about the company's change of heart. Why has Wind River changed its tune with regards to Linux? Genard first explained that Wind River's previous stance towards Linux and the GPL was based in part on fear.

We were not very sure about exactly what to do, and definitely some fear [of Linux], that it would cannibalize some of our business. We had an internal [Linux] project, gave up based on GPL fear and issues. In 2001 we announced acquisition of BSD assets. We thought that what customers wanted was attributes of Linux, delivered with BSD. This year, you know, through a lot of thinking and changes... we realized we were wrong.

Dave Fraser, Wind River's group vice president of products acknowledged in an interview with eWeek that Wind River had backed the wrong horse in trying to supplant Linux with a BSD-derived solution:

The primary market focus is on Linux and not [Unix]. We took a risky bet that BSD was going to be the business-friendly alternative to Linux, but that turned out not to be the case. [Unix] became Betamaxed to Linux's VHS.

Being the Betamax of embedded OSes can be painful. According to the company's SEC filings, its revenue peaked in its 2001 fiscal year at almost $438 million, dropping to $351 million in 2002 and $249 million in 2003. (Wind River's fiscal year begins in April of the previous year.) Wind River seems to be headed for a disappointing 2004 fiscal year as well, with revenue for the six months ending July 31, 2003 falling off by almost $31 million compared to the previous year. Wind River also notes in recent SEC filings that open source may be more popular "where our customer's budget constraints may make such software more appealing than Wind River products for their initial project development."

Recent changes in management also help to ease Wind River's transition to a Linux-friendly company. Kenneth Klein has taken the CEO job after Tom St. Dennis resigned in late June. St. Dennis had been critical of Linux and the GPL, while Klein seems open to working with Linux and the free software community.

As Wind River tries to overcome its past missteps, it will likely face some skepticism. The company's past statements regarding the GPL aren't likely to be forgotten easily, nor the firing of Slackware's development team shortly after the BSDi acquisition.

More recently, Darl McBride has cited Wind River as one of the companies "on this side of the table as SCO is on." Though McBride seemed to be merely citing Wind River since the company had previously criticized the GPL, we asked Genard where Wind River stood on SCO's claims. Genard said Wind River has no position on SCO's claims that the GPL is invalid, but said that the suit was "a wake-up call for the customer."

When you manage and design software, you have to use best practices to understand how you don't contaminate your own code with other IP, whether it's coming from a third-party or open source...but I think we should let the people involved [determine] if the GPL is really enforceable or an issue or not.

There is also some concern that embedded companies are disregarding the GPL, so we asked Genard if Wind River would be working to educate their customers about their obligations when using GPL-licensed code in embedded devices. Genard said that, at the moment, they are only offering tools to develop Linux-based solutions and that the company isn't planning to "do any recommendation to the customer what to do with Linux."

One need not look too deeply to understand why Wind River has changed its attitude towards Linux. Its past strategy of dismissing embedded Linux simply wasn't working, and an ever-shrinking market share was probably not very appealing to Wind River's customers. Wind River is being squeezed on two sides in the embedded space. On one side is Linux, a robust solution that is royalty-free and extremely flexible. On the other side is Microsoft, which outguns Wind River by several orders of magnitude when it comes to dollars spent on marketing and R&D.

Whatever the reasons, it's good to see that a company can change its tune for the better. We hope that Wind River continues this process and becomes an active contributor to the free software community.

Comments (3 posted)

Jon Johansen returns to court

Things have been quiet enough on the DeCSS front that one might be forgiven for thinking that the issue had run its course. The software remains freely available on the net, and there are no high-profile DeCSS cases left in the U.S. We are now being treated to a reminder that the U.S. is far from alone when it comes to repressive legislation, however.

Jon Johansen is one of the original authors of the DeCSS code, which may be employed to play a DVD on a Linux system. The Motion Picture Association of America (MPAA), not content with its efforts to suppress any mention of the code in the U.S., went to the Norwegian economic crime authorities and asked that charges be pressed against Mr. Johansen in Norway. The agency (Økokrim) obliged, and Jon went to trial in 2002 for violations of Norway's anti-circumvention law. The court, however, decided that, if you buy a DVD with a film on it, you have bought the right to access that film. Jon Johansen was acquitted on all counts.

The Norwegian government appealed the ruling, and the new trial started on December 2. It is expected to last for eight days. Jon and his lawyers have expressed confidence that the appeal will come to the same conclusion as the original trial, but there is never any certainty when an issue goes to court. One can only hope that the appeals court will see reason and realize that it makes no sense to convict somebody for breaking into their own property.

Regardless of the outcome, however, the MPAA will have achieved an important goal. It has been made clear that, if you write the wrong sort of code, you can be arrested and threatened with jail. Even if the ultimate outcome is a complete acquittal, few people will want to avail themselves of the opportunity to learn how the justice system works in such a close way. The prosecution of hackers like Jon Johansen can only have a chilling effect on other developers, whether or not that prosecution is successful.

(See also: this IP Justice press release).

Comments (5 posted)

The GPL Is a License, not a Contract

December 3, 2003

By Pamela Jones, Editor of Groklaw

[Editor's note: last week's article on GPL attacks drew some questions on just why the GPL cannot be enforced like a contract. We're pleased to announce that we have convinced Pamela Jones to expand on that issue for us.]

There has been considerable FUD of late asserting that, if a company inadvertently incorporates GPL code into its proprietary code, it can be forced to release its proprietary code under the GPL. This isn't new FUD. It's old FUD, but it is coming from some new sources. Even some attorneys have been saying this in the media and at various conferences. While it's not a crime to misunderstand the GPL, and it certainly isn't rare, it does arouse unnecessary fears about whether the GPL is safe to use or work with. Is it true? Can you lose your code this way? No, and the reason why hinges on the GPL being a license and not a contract.

A lot of the confusion about the GPL stems from this central issue: Is the GPL a license or a contract? The reason this issue matters is that contracts are enforced under contract law, which is done state by state, and there are certain necessary elements to qualify as a valid contract. Licenses, instead, are enforced under copyright law at the federal level. The penalties available are not the same.

Let's analyze and see how this all relates to the recent FUD. First of all, what is a license? A license is just a permission to do something you otherwise wouldn't be allowed to do. When I want to go fishing, for example, I have to get a fishing license from the local municipality. That's a license, as its name implies. But why? Why isn't it a contract? Because there are no further agreed-upon promises, no reciprocal obligations. It would be a contract if I said to the owner of a pond: if you give me a license to fish in this pond, I'll give you half of all the fish I catch. In that scenario, each of us has voluntarily entered into a kind of promise. We each give the other something of value, so if I get the license and then I don't give over half of all my catch of the day, the pond owner can sue me for not living up to the terms of the contract.

Eben Moglen, the Free Software Foundation's attorney, who is primarily responsible for enforcing the GPL, explains the difference between contracts and licenses like this:

The word 'license' has, and has had for hundreds of years, a specific technical meaning in the law of property. A license is a unilateral permission to use someone else's property. The traditional example given in the first-year law school Property course is an invitation to come to dinner at my house. If, when you cross my threshold, I sue you for trespass, you plead my 'license,' that is, my unilateral permission to enter on and use my property.

A contract, on the other hand, is an exchange of obligations, either of promises for promises or of promises of future performance for present performance or payment. The idea that 'licenses' to use patents or copyrights must be contracts is an artifact of twentieth-century practice, in which licensors offered an exchange of promises with users: 'We will give you a copy of our copyrighted work,' in essence, 'if you pay us and promise to enter into certain obligations concerning the work.' With respect to software, those obligations by users include promises not to decompile or reverse-engineer the software, and not to transfer the software.

Very clear, but what about the GPL? First, the name tells you what the authors intended: General Public License. It doesn't say "General Public Contract" or even "General Public License Contract". So they intended it to be a license, not a contract. Does it fit the definition? Professor Moglen:

The GPL, however, is a true copyright license: a unilateral permission, in which no obligations are reciprocally required by the licensor. Copyright holders of computer programs are given, by the Copyright Act, exclusive right to copy, modify and redistribute their programs. The GPL, reduced to its essence, says: 'You may copy, modify and redistribute this software, whether modified or unmodified, freely. But if you redistribute it, in modified or unmodified form, your permission extends only to distribution under the terms of this license. If you violate the terms of this license, all permission is withdrawn.'

Suppose a company really did mingle GPL code into a program with its own proprietary code and then distributed the merged product under a proprietary license or without living up to the terms of the GPL? Now what happens? What will the judge do now? Order the code released under the GPL over the wishes of the owner?

Stop and think. What happens if you violate the terms of a fishing license? For example, the license may restrict how much fish you can catch on a particular day or what kinds of fish you can keep, what sizes, etc. Suppose you violate the terms of the license. What happens? You lose your license to fish. There may be a fine to pay. That's essentially the same thing that happens under the GPL, except it's nicer, because the company gets to choose what it wishes to do under the terms of the GPL. If it still isn't resolved, and it goes to a judge, however, it's enforced as a violation of copyright law, not contract law. Here is Professor Moglen's explanation of what happens:

Because the GPL does not require any promises in return from licensees, it does not need contract enforcement in order to work. A GPL licensor doesn't say in the event of trouble "But, judge, the licensee promised me he wouldn't do what he's doing now." The licensor plaintiff says 'Judge, the defendant is redistributing my copyrighted work without permission.' The defendant can then either agree that he has no permission, in which case he loses, or assert that his permission is the GPL, in which case he must show that he is obeying its terms. A defendant cannot simultaneously assert that the GPL is valid permission for his distribution and also assert that it is not a valid copyright license, which is why defendants do not 'challenge' the GPL.

The claim that a GPL violation could lead to the forcing open of proprietary code that has wrongfully included GPL'd components is simply wrong. There is no provision in the Copyright Act to require distribution of infringing work on altered terms. What copyright plaintiffs are entitled to, under the Act, are damages, injunctions to prevent infringing distribution, and--where appropriate--attorneys' fees. A defendant found to have wrongfully included GPL'd code in its own proprietary work can be mulcted in damages for the distribution that has already occurred, and prevented from distributing its product further. That's a sufficient disincentive to make wrongful use of GPL'd program code. And it is all that the Copyright Act permits.

So when you read claims that the GPL is perhaps not enforceable because you don't sign it or click on a form, or because of a lack of privity, or because there is a lack of consideration, or some such, you'll know that the person misunderstood the GPL and thought in terms of contract law. It's a common error. They don't shoot you at dawn for not fully understanding the GPL. But at the same time, it's good to know that the problems people think they see in the GPL generally are the result of not understanding it, not from any weakness in the GPL itself.

Similarly, when you hear that the GPL is viral and can force proprietary code to become GPL, which a couple of lawyers have been saying, you'll know that isn't true. If you steal GPL code, you can expect an enforcement action. But this action can only be enforcement of a license, not a contract, and a forced release under the GPL can't be imposed on you under copyright law. It's not one of the choices, as Professor Moglen has explained. You do have a choice under the GPL: you can stop using the stolen code and write your own, or you can decide you'd rather release under the GPL. But the choice is yours. If you say "I choose neither," the court can impose an injunction to stop you from further distribution, but it won't order your code released under the GPL. Your code remains yours, as you can see, even in a worst case scenario.

Of course, you could avoid all such troubles in the first place by not stealing GPL code to begin with. But if something happens inadvertently and some rogue employee sneaks some GPL code into your proprietary product, the sky isn't falling. It's a manageable risk and a solvable problem. No one wants to steal your code in retaliation or force it to be something you don't want it to be. The GPL is unequivocally a license, and that's the truth.

Comments (87 posted)

Page editor: Jonathan Corbet

Security

Brief items

Peer to Peer Freedom of Speech

December 3, 2003

This article was contributed by Jake Edge.

One necessary precondition for true freedom of speech is a way to communicate that does not identify the speaker or the listener. Several projects are working to provide that ability through peer-to-peer networking protocols that use cryptography to enable this kind of communication: Freenet, Entropy, and GNUnet. The goals of these projects are quite similar, to provide for the free exchange of ideas while thwarting any attempts to censor the information or punish the participants.

The basic framework for each of these networks is a decentralized, peer-to-peer communications model where a node in the network talks to some number of other nodes, sending requests to these peer nodes and handling requests that come from them. The messages sent between nodes are encrypted using a session key that has been negotiated between the nodes using public key encryption. This encryption should be sufficient to deny a 'man in the middle' from determining anything useful about the traffic (other than its existence).

When a node sends a request to one of its peers, there is no reason to assume that the request actually originated on that node as nodes will forward requests that they receive, but cannot satisfy. Any response that is generated to a node is likewise not necessarily ultimately bound for that node and could be the response to a request that was forwarded by the node. With a sufficient number of nodes and amount of traffic, no analysis of the traffic to or from nodes will reveal the true source and destinations of the requests. This stands in stark contrast to the more common peer-to-peer networks where, once the content is found, a direct connection is made from the destination to the source to retrieve the content.

Each node that fully participates in the network provides some local storage for information in the network and can immediately satisfy requests for any data that it has stored locally. In order to provide deniability for the operators of these nodes, this data is encrypted and the operators are unable to determine what content actually resides on their node at any given time. Cryptographic hash functions on the file contents are typically used to identify particular files that have been inserted into the network. These identifiers are not particularly user friendly - for instance a copy of Kevin Mitnick's book The Art of Deception can be found in the Entropy network using the identifier:

    SSK@zpxOK~ounTzoDwJKguoUHib8G7sBCMA/ArtOfDeception//

To make the system easier to use, various network users have put together directories of content to help navigation.

The popularity of a file governs how long it stays in the network and how often it is replicated. Each of the networks has limits on the amount of storage available to it (based on the number of active nodes and the amount of storage allocated to the nodes by each operator) and must sometimes prune content when new content is added. GNUnet tries to overcome the problem of 'freeloaders' (nodes that request content but do not serve any) by adding an 'economic' layer to its network. Each node keeps track of its 'opinion' of the other nodes that it has talked to; nodes that satisfy requests have a better reputation and will be treated preferentially under higher network loads.

Both Freenet and Entropy provide an HTTP proxy that allows the use of standard web browsers as clients to view some of the content on the network. Entropy also adopted the Freenet Client Protocol so that all of the client applications originally written for Freenet will work with Entropy as well. Frost is one of the most widely used clients and provides file sharing and message board functionality. GNUnet appears to mainly use command line tools, though gnunet-gtk provides a graphical front-end.

Security is clearly taking precedence over performance, as it should, but this causes the user experience browsing Freenet or Entropy (at least) to be fairly frustrating. Sites can take tens of minutes to load or fail to load altogether, presumably because the information has either dropped out of the network or any sites that contain the information are currently offline or too far away (in network, not geographic, terms).

Critics of these projects complain that they could be used by criminals for nefarious purposes and, obviously, that is true. There is no way to provide for anonymous communication that cannot be abused and these projects have decided that freedom of communication is more important than stopping illegal uses. In the end, these networks are tools like computers or phones and they can be used for good or for ill. It would be impossible and a serious affront to liberty to outlaw all tools that could be used to commit a crime.

Comments (10 posted)

Security reports

Savanna.gnu.org compromised too

If you go to Savannah, the GNU project's development server, you'll find a note stating that it, too, has been broken into. "The compromise seems to be of the same nature as the recent attacks on Debian project servers; the attacker seemed to operate identically." Savannah will be down until (at least) December 5. (Thanks to "sdoyon", who posted the news in an LWN comment).

Comments (22 posted)

New vulnerabilities

bind: cache poisoning

Package(s):

bind

CVE #(s):

CAN-2003-0914

Created:

November 26, 2003

Updated:

February 19, 2004

Description:

A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.

Alerts:

SCO Group	CSSA-2004-003.0	2004-02-19
Debian	DSA-409-1	2004-01-05
SuSE	SuSE-SA:2003:047	2003-11-28
Trustix	2003-0044	2003-11-27
Immunix	IMNX-2003-7+-024-01	2003-10-27
EnGarde	ESA-20031126-031	2003-11-26

LWN.net Weekly Edition for December 4, 2003

bind: cache poisoning

GnuPG: ElGamal signing keys compromised

kernel: local root exploit in 2.4.22

Net-SNMP: security bugs in versions before 5.0.9

screen: privilege escalation

stunnel: file descriptor leak

2.4 kernel - several vulnerabilities

apache: buffer overflows in mod_alias, mod_rewrite

apache2: Denial of Service vulnerability

CUPS: denial of service

ethereal: multiple remote and local vulnerabilities

Filename disclosure vulnerability in fam

fetchmail may crash on specially crafted message

fileutils/wu-ftpd: denial of service

glibc: DNS stub resolvers contain buffer overflow vulnerability

gtkhtml: malformed messages cause crash

iproute: local denial of service

KDE: Two issues in KDM

kernel-utils: setuid vulnerability

libnids: remotely exploitable buffer overflow

libpng, libpng3: buffer overflow

mikmod: buffer overflow

mpg123: heap overflow

mplayer: remotely exploitable buffer overflow vulnerability

Nessus NASL scripting engine security issues

nfs-utils xlog() off-by-one bug

openssh: timing attack leads to information disclosure

Pan: denial of service

postfix: denial of service vulnerabilities

proftpd: remote root shell

Multiple-use vulnerability in Safe.pm

sane-backends: several vulnerabilities

File overwrite vulnerability in tar and unzip

Multiple vendor telnetd vulnerability

vim - modeline vulnerability

wget: buffer overflow

zebra: denial of service vulnerability