The upcoming security fight
Strangely enough, neither of those efforts will make Windows more secure in any way. But they will raise the stakes with regard to security issues. We should expect that, in the future, Linux-related security problems will receive much more attention than they have in the past. If Microsoft is out to prove itself more secure than Linux, it certainly will not waste any PR opportunities resulting from Linux vulnerabilities.
There are many implications to note from an increased emphasis on the perceived security of software products. Both developers and users of free software will want to redouble their efforts to tighten up security. The free software community may be better at the creation and deployment of secure software than just about anybody else, but our record is still far from good enough.
There is nothing new in the statement above. But consider for a moment the recent attempt to insert a backdoor into the Linux kernel. There is no way of knowing who was responsible for that attack, but it is worth thinking about who might have benefitted from it. The attempted back door - which did not enable remote attacks - would have been more useful for publicity than for actual exploits. Somebody wanted to be able to say that a vulnerability had been successfully planted in the Linux kernel. Any company with an interest in attacking the security record of free software - and there is more than one such company - would have gotten great mileage out of this kind of demonstration. It is safe to assume that there will be other attempts to insert malicious code into free software releases; a high level of vigilance will be required to detect and defeat those attempts.
The public perception of the relative security of operating systems has
become an issue that means real money to the companies involved. When free
software starts to eat too far into its competitors' bottom line, those
competitors can be expected to fight back. Not all of them will choose to
fight fairly; a quick look at the SCO case will verify that fact. Without
giving in to absolute paranoia, we should expect the debate around security
issues to take on a harsher edge. Things could get interesting, but this
is a fight we should win decisively by doing what we always do: developing
the best software we can with our users' needs in mind.
Posted Nov 13, 2003 2:30 UTC (Thu)
by oloryn (guest, #7408)
[Link] (1 responses)
I'm not sure it's strange at all. Just another indication that Microsoft is more serious about security PR than it is about security itself. And I don't think it's peculiar to Microsoft either. "Prioritizing PR above actual effectiveness" is a common failing in both business and politics nowadays.
Posted Nov 13, 2003 12:11 UTC (Thu)
by rknop (guest, #66)
[Link]
I'm not sure it's strange at all. Just another indication that Microsoft is more serious about security PR than it is about security itself. ...and Microsoft is far from alone. Indeed, I think in our society today, PR is far more important than anything real. Consider airport security. The most important thing about all of that is to make everybody think that we're more secure, so that we'll all keep flying and flowing money into the airlines. Is it really more secure? Well, probalby a little, but that's not the main point. Consumer Confidence is more important than Corporate Honesty or even Corporate Efficiency. And, if you have a convenient target that's communistic or easily equated with stealing music, put them down in order to make yourself appear better by comparison; that just makes your PR easier. All very sad, really. -Rob
Posted Nov 13, 2003 3:51 UTC (Thu)
by dkite (guest, #4577)
[Link]
Posted Nov 13, 2003 6:16 UTC (Thu)
by jreiser (subscriber, #11027)
[Link]
Posted Nov 13, 2003 7:21 UTC (Thu)
by ken (subscriber, #625)
[Link] (11 responses)
Time for a "how to write secure c/c++ with open source tools" article series.
Posted Nov 13, 2003 7:59 UTC (Thu)
by eru (subscriber, #2753)
[Link] (3 responses)
Flawfinder:
http://www.dwheeler.com/flawfinder/
RATS:
http://www.securesoftware.com/download_form_rats.htm
These are both somewhat conceptually similar code scanners, about equal
in power, but one may catch things the other misses. Paranoid people
might want to run both. These are very easy to use.
Splint: http://splint.org/
Splint is quite a bit more complex tool, and for maximum benefit you need to add some annotations to your code to describe expectations about what functions do. Handles C only (Flawfinder and RATS do both C and C++.)
Jlint: http://artho.com/jlint/
This one is for Java.
Posted Nov 13, 2003 8:36 UTC (Thu)
by proski (subscriber, #104)
[Link] (2 responses)
Posted Nov 13, 2003 14:31 UTC (Thu)
by stijn (subscriber, #570)
[Link] (1 responses)
Posted Nov 13, 2003 15:55 UTC (Thu)
by eru (subscriber, #2753)
[Link]
I would recommend that both kinds of tools be used.
Posted Nov 13, 2003 9:39 UTC (Thu)
by brouhaha (subscriber, #1698)
[Link] (5 responses)
Some languages I recommend for this are Ada, Eiffel, Java, Modula 3,
Python, Sather, Scheme, or Smalltalk. Ada, Eiffel, Modula 3, and Sather
generally have little or no performance penalty compared to C or C++.
That's true of Java as well, if it's compiled to native code.
C and C++ are like table saws missing their finger guards. If you're careful you can get away with it for a while, but it's eventually going to cause you a problem.
Posted Nov 13, 2003 10:18 UTC (Thu)
by jonth (guest, #4008)
[Link] (1 responses)
I write low level software for very small embedded systems (mobile phones, to be precise); for the time being there is no alternative to C as an efficient, highly portable high level language for these devices. It is the lingua franca of the low level computing world: it's the first compilable language made available for almost every new processor. For anything that gets reasonably close to hardware, there just isn't any choice to C. (Even C++ is a stretch too far in this case.) Java for a device driver? Don't make me laugh. The Linux kernel is itself written in C, and it's pretty secure. It's not perfect (nothing is), but for something that complicated, it's damn good. It got that way not because of the language in which it's written, but the process by which it's written. Trusting a language to be "inherently secure" is damn dangerous. Ask any Java developer. cheers, Jonth
Posted Nov 14, 2003 2:29 UTC (Fri)
by brouhaha (subscriber, #1698)
[Link]
I also develop for Microchip PIC processors, and for those, I use assembly language, because even C isn't a good fit for them, though the newer PIC18 architecture is somewhat better suited to C.
Trusting a language to be "inherently secure" is damn dangerous.
I never said that you should trust a language to be inherently secure. Just because a table saw has a finger guard, you don't trust it to be perfectly safe. You still use it cautiously. That doesn't mean that a finger guard is useless.
Posted Nov 13, 2003 13:22 UTC (Thu)
by rmstar (guest, #3672)
[Link] (1 responses)
How many large security holes could have been avoided, for instance, if strings and arrays were propperly bound-checked? Certainly thousands. How many if assignment were not allowed in conditional clauses? etc. C/C++ are error prone, and thus insecure, in every respect. From memory management all the way to their insane and barroque syntax. Regards,
Posted Nov 13, 2003 18:00 UTC (Thu)
by JoeBuck (subscriber, #2330)
[Link]
You confuse C and C++. C++ has a standard string class that is properly bounds checked, and a standard vector class that can grow to unlimited size.
However, too many C++ programmers are really C programmers and use the C mechanisms that they are more familiar with, instead of the safer classes that take care of memory management properly.
Posted Nov 13, 2003 17:10 UTC (Thu)
by zooko (guest, #2589)
[Link]
Posted Nov 13, 2003 17:45 UTC (Thu)
by dwheeler (guest, #1216)
[Link]
The most important tool is the one between your ears.
If you develop software,
run, don't walk, to a book that will help you understand how to write
secure programs.
This stuff certainly isn't taught in schools.
I give away a free book (both senses)
that specifically discusses how to write
secure programs:
Secure Programming
for Linux and Unix HOWTO at http://www.dwheeler.com/secure-programs.
There are various computer tools too, including my own
flawfinder.
My book lists many other tools tool (including RATS, splint, etc.).
I agree with the other posters that using a collection of tools
is far more effective than using just one tool.
Each tool has its weaknesses, so using a combination of those tools
will be far more effective.
Posted Nov 13, 2003 9:20 UTC (Thu)
by pointwood (guest, #2814)
[Link]
I don't think MS's security push is all PR and I believe those saying that, is basically spreading FUD. No, I'm not a MS fanboy, far from it, but I'm not a Linux zealot either. Just the other day, I witnessed the CTO (or whatever he was) from MS Denmark, give a short speech about what MS is doing (hey, they gave me free ticket to the movie theater). I was actually expecting the "usual" MS sales speech with nothing interesting being said, but it wasn't. It was a pretty good overview of the problems they and others are facing in regards to security. He also showed how Windows 2003 was different from their previous OS'es in that regard. Windows doesn't automatically start all kinds of services and ports by default anymore, the user/administrator now have to do it themselves. That makes the systems much more secure by default and makes they much harder targets for crackers. Of course, it'll take many years before people upgrade their OS - lots of people are still running Win98 and so on. Microsoft *is* able to turnaround, just look at what they did when they "discovered" the internet. One of the big problems is getting people to apply the security patches. The world would look much better if people actually updated their systems, but many don't. The sad part of course, is that there is no easy solution.
Posted Nov 13, 2003 15:26 UTC (Thu)
by kfox (guest, #4767)
[Link] (1 responses)
The structure of free software works both for us and against us. On the one hand, it forces us to create modular, independent services. On the other hand, it encourages uncontrolled copying and the false belief that services really are independent. Injecting a bug through a low visibility project is a good way to attack us. Microsoft is smart to draw us into a fight on their terms. Microsoft is also smart to fan the paranoia of SCO and anti-Linux conspiracy. I think the window of opportunity to kill off Linux has closed. The right strategy now is to keep building community ownership of distributions (like Debian and Fedora) and stay focused on the thing we love: free software.
Posted Nov 13, 2003 15:46 UTC (Thu)
by zone (guest, #3633)
[Link]
Posted Nov 26, 2003 2:37 UTC (Wed)
by MarkSwanson (guest, #9328)
[Link] (2 responses)
Posted Nov 26, 2003 8:14 UTC (Wed)
by dvdeug (guest, #10998)
[Link] (1 responses)
Posted Nov 26, 2003 20:56 UTC (Wed)
by MarkSwanson (guest, #9328)
[Link]
The upcoming security fight
Strangely enough, neither of those efforts will make Windows more secure in any way.
The upcoming security fight
I wouldn't worry too much. As soon as there is a lull in the security problems, the subject will be The upcoming security fight
changed.
Remember, security is a non sell. It is a pain in the a**, expensive to create and maintain, and
impossible to sell. The best programming talent is taken away from more important (from a
marketing perspective) pursuits to do something that is invisible. It is all negative. Any sales
person will say that negatives cost sales, even when it makes you look good.
Another way to look at this is to consider it a blessing. Sortof a darwinian process. Any who
fall for a Microsoft "Security" sales pitch, well, deserve what they get. That leaves the rest as
good smart customers.
Oops. That wasn't very respectful, was it.
Derek
Microsoft's reward is for information resulting in arrest and conviction of those who "illegally release" or who are "responsible for launching" damaging software; see
http://www.microsoft.com/presspass/press/2003/nov03/11-05AntiVirusRewardsPR.asp.
It will be interesting to see how or if a distinction will be made between writing and/or publishing such software (source code), versus actually deploying it (unleashing an executable instance.)
Virus authors are not a target
What tools dose exist to detect security bugs in the software?The upcoming security fight
Some free code analysis tools I have seen and evaluated:
Some tools for code security checking
Valgrind can also be used to find security holes. Many errors in memory usage are exploitable. Valgrind 2.0.0 was released two days ago.
Some tools for code security checking
I use valgrind and like it a lot. It is incredibly easy to use and quite powerful. Anyone know how valgrind, RATS, and flawfinder compare to each other?
Some tools for code security checking
Comparing Valgrind to Flawfinder and RATS is a bit of an apples-and-oranges comparison, because Valgrind tries to spot errors at run-time, but the others try to analyze the source code. Both approaches have advantages and disadvantages. A run-time checker like Valgrind can see a problem only if your test case performs a sequence that involves it. A statical checker can potentially spot errors in places your test cases forget to visit. On the other hand, a statical checker may not be able to detect more complicated data-dependent errors. This is especially true of Flawfinder and RATS that do rather simple analysis. Splint is more powerful.Some tools for code security checking
One of the best ways to "write secure c/c++ with open source tools" is
to ditch C/C++ entirely and use a language that actually tries to promote
reliable software. It's certainly possible to write secure code in C
or C++, but it's way too much work, so it almost never is done in practice.
The upcoming security fight
And while we're at it, let's all speak Esperanto - English is inherently irregular, open to misunderstanding and difficult to learn. Look how easily lawyers can twist English to their own ends: it must be bad ;-)The upcoming security fight
I respectfully disagree. I have written code in Ada and Modula 3 for small embedded systems, and it worked just fine. I didn't find any area in which they were deficient as compared to C. But the compiler was able to catch errors that would only have been found at runtime if I'd used C instead.
The upcoming security fight
You are completely right.The upcoming security fight
rmstar
The upcoming security fight
The E language has been carefully engineered through and through to maximize security. It also features the unification of object-oriented programming and capability-security programming, which is a really neat idea.
secure programming languages
Actually, your request has been answered on several fronts.
Secure Programming HOWTO available, and use multiple tools
Generally, I would consider more focus on security to be a good thing. That MS is focusing more on security is a good thing! Bad security in MS products doesn't just affect MS users.The upcoming security fight
I find it disingenuous to blame this backdoor attempt on someone hoping to discredit Linux. The backdoor was clever and useful -- especially if it had been widely deployed by, for example, web hosting companies. The most obvious conclusion to draw is that someone wanted a silent backdoor to uid 0.Linux backdoor not just a marketing stunt
> Somebody wanted to be able to say that a vulnerability had been successfully planted in the Linux kernel.
Linux backdoor not just a marketing stunt
That statement is as bad as those in the FUD we love so much. For all we know, the person who tried to get the exploit in wasn't planning on telling anyone, and was happy to stay silent and exploit the vulnerability. I would have expected LWN to take a more balanced approach to writing that paragraph-- state that planted exploits for PR reasons are a possibility, but that there is no evidence in this case.
Please correct me if I'm wrong, but is there anything even remotely as secure as Unsigned Java Web Start seems the most secure
unsigned Java Web Start (JWS) applications?
Unsigned JWS applications have a few limitations (and there were some security holes
in versions released a year ago) but you can do pretty much anything you need to in
this environment except for access serial/parallel ports or native code. It seems to be
the most powerful/secure environment but seems to get the least mention. I wonder
why that is...
There are many forms of sandboxing that are just as secure as JWS, but without the speedhit of interpreted code. There are many that are more secure; if a program has internet access, it can be a jumping point for an attack on another system.
Unsigned Java Web Start seems the most secure
You say there are others, but why don't you name any? Unsigned Java Web Start seems the most secure
Inquiring minds would like to know:
1. Name one that is as secure.
2. Name one that is more secure.
Perhaps I left things too open-ended. F.E. I don't consider the chroot
environment (or the capabilities settings Linux provides) as usable for
the masses as they require too much work to set up.