Technology Review - Published By MIT

Tuesday, May 20, 2008

Alarming Open-Source Security Holes

How a programming error introduced profound security vulnerabilities in millions of computer systems.

By Simson Garfinkel


Back in May 2006, a few programmers working on an open-source security project made a whopper of a mistake. Last week, the full impact of that mistake was just beginning to dawn on security professionals around the world.

In technical terms, a programming error reduced the amount of entropy used to create cryptographic keys in Debian's build of a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, IPsec Virtual Private Network (VPN) software, secure e-mail programs, some software used for anonymously accessing the Internet, and so on.

In plainer language: after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet. And even though the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch doesn't repair the damage already done: every key generated while the bug was present stays weak until it is replaced. What's even more alarming is that some computers may be compromised even though they aren't running the suspect code.

The reason that the patch doesn't fix the problem has to do with the specifics of the programmers' error. Modern cryptographic systems draw on large random numbers to generate the keys that are used to encrypt and decrypt information sent over a network. Authorized users know the right key, so they don't have to guess it. Malevolent hackers don't know the right key, and normally it would simply take too long to guess it by trying all possible keys--like, hundreds of billions of years too long.

But the security of the system turns upside down if the computer can only ever produce a small number of different keys--say, a million. To the authorized user, the key looks fine: the data gets encrypted. But the attacker's software can quickly generate, and then try, every key that a specific kind of computer could possibly have produced. The error introduced two years ago makes cryptographic keys easy to guess in exactly this way.

The error doesn't give every computer the same cryptographic key--that would have been caught before now. Instead, it reduces the number of different keys that an affected Debian-based system can generate to at most 32,767 for any given combination of processor architecture, key size, and key type. The reason is that the only input which still varied from one key generation to the next was the process ID of the program doing the generating, and on a default Linux configuration process IDs run from 1 to 32,767.

Less than a day after the vulnerability was announced, computer hacker HD Moore of the Metasploit project released a set of "toys" for cracking the keys of these poor Debian and Ubuntu computer systems. As of Sunday, Moore's website had downloadable files of precomputed keys, just to make it easier to identify vulnerable computer systems.

Unlike the common buffer-overflow bug, which is fixed by loading new software, keys created with the buggy software don't get better when the computer is patched: new keys have to be generated and installed, and the old ones revoked everywhere they were trusted. Complicating the process is the fact that keys also need to be certified and distributed: the process is time consuming, complex, and error prone.

Nobody knows just how many systems are affected by this problem, because cryptographic keys are portable: a vulnerable key could have been generated on a Debian system in one office and then installed on a server running Windows in another, or copied into the list of authorized SSH keys on a machine that never ran the buggy code at all. Debian is a favored Linux distribution of many security professionals, and Ubuntu is one of the most popular Linux distributions for general use, so the reach of the problem could be quite widespread.
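A practical check for the two paragraphs above, added here as an example; it is not code from the article, from Debian, or from OpenSSL. It parses an SSH authorized_keys file, computes each key's MD5 fingerprint (the colon-separated form that ssh-keygen -l printed at the time) over the base64-decoded key blob, and looks the fingerprint up in a set of known-weak fingerprints. The sample file, the two RSA moduli and the weak-fingerprint set are constructed inline so the script runs offline; in real use WEAK_FINGERPRINTS would be loaded from the fingerprints of the precomputed keys (Debian's openssl-blacklist and ssh-vulnkey data, or the Metasploit downloads), in whatever form you obtain them.

```python
import base64
import hashlib
import struct

# Key types the check understands; other lines are skipped.
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer: a leading 0x00 byte is added
    when the top bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: the bytes that appear base64-encoded
    in authorized_keys and that the fingerprint is computed over."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, as ssh-keygen -l printed it in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) for each usable line.

    A line may start with an options field (command="...", from="..."), so the
    key type is located by scanning for the first known key-type token. Lines
    whose base64 is malformed, or whose blob does not announce the same key
    type as the text, are skipped rather than trusted.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                break
            if blob.startswith(ssh_string(tok.encode())):
                yield tok, blob, " ".join(tokens[i + 2:])
            break


def audit_authorized_keys(text: str, weak_fingerprints: set):
    """Return [(comment, fingerprint, is_weak)] for every parsable key."""
    results = []
    for _key_type, blob, comment in parse_authorized_keys(text):
        fp = md5_fingerprint(blob)
        results.append((comment, fp, fp in weak_fingerprints))
    return results


# --- constructed sample data (not real keys; real moduli are 1024+ bits) ---
WEAK_N = int.from_bytes(b"FAKE-WEAK-MODULUS-" * 7, "big") | 1
GOOD_N = int.from_bytes(b"FAKE-GOOD-MODULUS-" * 7, "big") | 1


def sample_authorized_keys() -> str:
    weak = base64.b64encode(rsa_public_blob(65537, WEAK_N)).decode()
    good = base64.b64encode(rsa_public_blob(65537, GOOD_N)).decode()
    return "\n".join([
        "# constructed sample authorized_keys, not a real file",
        f"ssh-rsa {weak} deploy@buildbox (generated on a Debian box)",
        f'command="/usr/bin/rsync --server" ssh-rsa {good} backup@nas',
        "ssh-rsa not+valid+base64!!! broken@host",
    ])


# Stand-in for the downloaded list of known-weak fingerprints; built from the
# constructed weak key so that the example is self-contained.
WEAK_FINGERPRINTS = {md5_fingerprint(rsa_public_blob(65537, WEAK_N))}


if __name__ == "__main__":
    for comment, fp, is_weak in audit_authorized_keys(sample_authorized_keys(), WEAK_FINGERPRINTS):
        print("WEAK " if is_weak else "ok   ", fp, comment)
```

Because keys travel, the same lookup has to be run over every authorized_keys file, host key, TLS certificate and VPN key that a Debian or Ubuntu machine may have generated, not only on the hosts that ran the buggy package; a flagged key is replaced and revoked, never merely re-signed.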

So how did the programmers make the mistake in the first place? Ironically, they were using an automated tool designed to catch the kinds of programming bugs that lead to security vulnerabilities. The tool, called Valgrind, reported that the OpenSSL library was using a block of memory without first initializing it to a known state--for example, setting the block's contents to all zeros. Normally, it is a mistake to read memory without setting it to a known value. But in this case the unknown contents were being intentionally fed into OpenSSL's random-number generator as one more source of unpredictability. Worse, an identical line elsewhere in the same file was the one that fed deliberately gathered seed material (such as bytes read from the operating system's random device) into the generator, and that line was removed as well, which is why the generator was left with almost nothing to work with.
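To make the mechanism in the paragraphs above concrete (the removed mixing line, and the key space collapsing to the process ID), here is an added Python model; it is not OpenSSL's code and not Debian's patch. The pool, its SHA-256 mixing, the 32-byte "private key" and the one-way "public fingerprint" are simplified stand-ins chosen for this example; PID_MAX is the default Linux limit of the period; the seeds and PIDs are made up. The attacker side shows what the precomputed-key downloads described above amount to: one candidate key per process ID.

```python
import hashlib
import os

PID_MAX = 32767  # default Linux pid_max of the period: process IDs run 1..32767


class EntropyPool:
    """Toy model of a hash-fed pool: state = H(state || input).

    seed_mixing_removed=True models the Debian change: the line that fed
    caller-supplied seed bytes into the pool is gone, so add() does nothing.
    (Assumption: SHA-256 stands in for OpenSSL's own mixing function.)
    """

    def __init__(self, seed_mixing_removed: bool):
        self.state = b"\x00" * 32
        self.seed_mixing_removed = seed_mixing_removed

    def add(self, data: bytes) -> None:
        # Upstream behaviour: seed bytes (e.g. read from /dev/urandom) change the state.
        if self.seed_mixing_removed:
            return
        self.state = hashlib.sha256(self.state + data).digest()

    def mix_pid(self, pid: int) -> None:
        # The PID was mixed in by a line the change did not touch, which is why
        # the output was not identical on every machine, only nearly so.
        self.state = hashlib.sha256(self.state + pid.to_bytes(4, "little")).digest()

    def output(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:nbytes]


def generate_private_key(pid: int, seed: bytes, seed_mixing_removed: bool) -> bytes:
    """Stand-in for key generation: 32 secret bytes drawn from a freshly seeded pool."""
    pool = EntropyPool(seed_mixing_removed)
    pool.add(seed)
    pool.mix_pid(pid)
    return pool.output(32)


def public_fingerprint(private_key: bytes) -> str:
    """Stand-in for the public half of the key: one-way, so an attacker who sees
    it can only recover the private key by trying candidates."""
    return hashlib.sha256(b"pub|" + private_key).hexdigest()[:20]


def distinct_keys(seed_mixing_removed: bool, pid: int, trials: int) -> int:
    """How many different keys does one PID yield across `trials` fresh seeds?"""
    return len({generate_private_key(pid, os.urandom(32), seed_mixing_removed)
                for _ in range(trials)})


def build_weak_key_table() -> dict:
    """Attacker precomputation, one candidate per PID: the 'precomputed keys'
    the article describes, for this toy key type."""
    table = {}
    for pid in range(1, PID_MAX + 1):
        key = generate_private_key(pid, b"", seed_mixing_removed=True)  # seed is irrelevant
        table[public_fingerprint(key)] = key
    return table


def recover_private_key(fingerprint: str, table: dict):
    """Given only a public fingerprint, return the private key if it is weak, else None."""
    return table.get(fingerprint)


if __name__ == "__main__":
    table = build_weak_key_table()
    weak = generate_private_key(4242, os.urandom(32), seed_mixing_removed=True)
    print("same PID, 50 fresh seeds, broken build -> distinct keys:",
          distinct_keys(True, 4242, 50))
    print("same PID, 50 fresh seeds, upstream build -> distinct keys:",
          distinct_keys(False, 4242, 50))
    print("private key recovered from public fingerprint:",
          recover_private_key(public_fingerprint(weak), table) == weak)
```

The table takes a few seconds to build once and then answers each lookup instantly, which is the whole point: once the only varying input is a 15-bit process ID, the attacker's cost is a one-off enumeration per architecture and key type, and the victim's key strength is irrelevant.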


Comments

  • Intentional "Back doors"
    shishir0610 on 05/20/2008 at 1:31 AM
    In the post you said Russia or China might want to create an intentional back door in open source projects, and that would be really bad. This could be the case for any country wanting to steal information, right? Also, I have read in Simon Singh's "The Code Book" that the software sold outside the US by US corporations is much less secure than the software sold in the US.

    I will take Ben Laurie's advice:" Never fix a bug you don’t understand"
  • id10t
    Sjobeck on 05/20/2008 at 1:32 AM
    Embarrassing.

    Who's ever heard of fixing someone else's software yourself when you didn't understand it in the first place? Wouldn't you have the creator(s)/author(s) fix it first?

    Total id10t's.
    • Re: id10t
      gnomic on 05/20/2008 at 9:19 PM
      Whoever heard of it? Anyone and everyone who has worked in the real world, that's who. I see stuff like this every day in dozens of companies that you know. Anyone and everyone can be a programmer and tester. It doesn't take any real training. Ask any company. You can even send the work offshore and get it done cheaper.

      I've been doing this for 32 years now. I've met exactly 6 real developers that understood this profession. And no one wanted to pay them what they were worth.
      • Must be a lie
        deanjg on 05/21/2008 at 5:47 PM
        This article is such a lie. There are no bugs in open source code. To even think that there are gives credence to all those Microsofties out there. After all, it is the open source movement, with thousands of programmers who work for free, that produces bug free software ... unlike the under-trained programmers who get paid for programming at Microsoft. You get what you pay for, as they say, so if a Microsoft programmer gets paid $10 per hour and thusly writes shoddy code, it is to be expected that the code is full of bugs. In contrast, open source programmers don't get paid so there is no pressure when writing code. Open source coders do it for purely altruistic reasons. So whoever started this rumor should wake up!
  • should have been suppressed
    zig158 on 05/20/2008 at 7:32 AM
    This error should have been suppressed. That was bad form on someone's part for not suppressing and commenting it. If it was commented, someone needs to learn to read.
  • This _was_ reported to the OpenSSL dev mailing list
    jeremiah on 05/20/2008 at 7:50 AM
    Before the OpenSSL code was changed, the issue was brought up with the OpenSSL developers by debian developers. The OpenSSL devs certainly did not fall on the floor laughing, in fact, they thought it was a good idea.

    This does not mean they could have inferred all the changes wrought on the software by debian nor that the true context of the changes was made evident, but OpenSSL really wants to blame debian and not take a share of the blame for not being a better upstream source of code.

    Free Software means we have to change the way we collaborate, and debian is in fact reinventing that paradigm for all to use. Mistakes like this happen, that is the price of a truly free, community operating system.
  • FUD
    avi4now on 05/20/2008 at 10:03 AM
    Your headline is misleading - I hope it's an innocent mistake, as opposed to an intentional attempt to spread FUD about Open Source software. The crucial nuance that's missing, both from the headline and the article, is that bugs such as this are just as likely to occur in closed-source software as in open-source -- but with open-source software, they're far more likely to be discovered, sooner, precisely because the code is available for anyone to peruse!

    I expect more from Technology Review. Please consider adding a note or correction to this effect.
    • Re: FUD
      jpontin on 05/20/2008 at 10:41 AM
      Technology Review TR Staff, Editor in Chief and Publisher
      Very respectfully, I reject your premise. The headline is plain and factual. There are security holes in OpenSSL; OpenSSL, as its name implies, is open source software; those holes are alarming.

      The headline does not suggest, nor was intended to suggest, that open-source code is more prone to these kinds of programmers' errors than closed software.

      Still, whether open-source software has fewer or less adequate processes for debugging or other quality controls is a fair subject for debate amongst computer scientists and programmers. Simson Garfinkel's story is fairly balanced on this matter: the antepenultimate paragraph reads, in part: "Perhaps more disconcerting, though, is what this story tells us about the security of open-source software--and perhaps about the security of software in general."
      • Re: FUD
        avi4now on 05/20/2008 at 1:12 PM
        Jason, your argument is superficially correct, but flawed. Yes, there are security holes in OpenSSL; yes, OpenSSL is open source software; yes, those holes are alarming. But your headline doesn't read "Alarming OpenSSL Security Holes", or "Alarming Security Software Holes" - rather, it reads "Alarming Open-Source Security Holes". By using the words "Open Source", the headline implies that the holes are either in Open Source software in general, or are directly due to the software being Open Source.

        As I said in my first comment, I hope it's an innocent mistake. But it is a mistake. If we lived in a more perfect world, where commercial software interests weren't aggressively seeking to defame Open Source software, it might even be a harmless mistake. But we don't live in that world; in our world, there's an ongoing debate about the general quality and fitness of Open Source versus Closed Source software, and headline writers need to take care not to take sides in that debate.

        I completely agree that "processes for debugging or other quality controls" in Open versus Closed source software is a fair subject for debate - more than that, it's an important subject! But sides shouldn't be taken in headlines. And if an article is going to be about that debate, it should evenly present both sides.
        • Re: FUD
          jpontin on 05/20/2008 at 2:06 PM
          Technology Review TR Staff, Editor in Chief and Publisher
          I think the headline means only what it says, neither more nor less. Here, "alarming" and "open-source" are adjectives modifying "security holes." The headline tells the reader that the accompanying story will be about some security holes that are somehow associated with open-source software and which are somehow also alarming. To find out more, please read below.

          I am not sure how I would write a headline that said all open-source software was fatally flawed by a security hole (if such a thing were possible). Perhaps, "All Open-Source Software Has Security Hole." But I think your reading places a value on the headline few other readers would make - and which, as I wrote, we certainly did not intend.
          • Re: FUD
            commonsguy on 05/20/2008 at 5:56 PM
            To quote Mr. McEnroe, "You cannot be serious!"

            First of all, you use the plural "security holes", yet the article only discusses one at length. Hence, the correct form is to use the singular "security hole".

            Second, while "open source" is certainly serving as an adjective, modifying "security holes", it's too broad for the context of the article. Had the article reviewed several cases of security holes in open source, then "open source" would be a valid qualifier on "security holes". As it stands, "Debian" or "OpenSSL" would be more appropriate, but less sexy.

            Your headline is equivalent to "Alarming Brain Tumors in US Federal Government", with an article only discussing Sen. Ted Kennedy. Yes, the article would discuss a brain tumor. Yes, Sen. Kennedy is part of the government, but the implication from the headline would be that there are many brain tumors affecting multiple government employees. Unless the article backed that up, and perhaps provided some smattering of evidence that there is an above-average rate of brain tumors among government employees, the headline would be inappropriate.

            Now, you're free to use sensational headlines, courtesy of the First Amendment and all. Heaven knows plenty of other media outlets do it. But it seems beneath your publication, and pretending it's not sensationalized is disingenuous at best.
            • Re: FUD
              pthom13 on 05/24/2008 at 7:20 AM
              I have re-read the article and I think the article, the title, and the author are completely correct as it all stands.

              I'm pro-Debian, I run it on my own servers. I do software development of all kinds and at times I write crypto and security software. I also maintain software source code of all kinds.

              I also have the standard love-hate relationship with Microsoft that most other longtime software developers have, and I know Microsoft-inspired FUD when I smell it.

              This is not FUD or anti open source or whatever.

              The reason the title and the article are not anti-open source is this: the basis for complaints here seems to be the use of the words "open source" and "security holes" plural in the title.

              Well... let me respectfully submit that the error was inserted into a goddamned library that is used to build a whole shitload of other software. (Pardon the technical terms). If it was one program affected, then yes, the singular "security hole" would be the correct form. This, however, is a whole passel of security programs that are affected.

              Let me re-enumerate from the article, lest I be accused of exaggerating:
              - Apache
              - ssh
              - IPsec
              - VPN
              - email
              - anon access
              Is there any other kind of security program left?
              My God, that's practically the whole kit and kaboodle!

              And I count that as "HOLES", plural, big enough to drive a truck through, any one of which is capable of destroying a system.

              Which is why this error was so very critical and stupid. It affected a library of re-usable components, which then cascaded through whole subsystems of security layers.

              I love open source software. I love the open source movement. I love Debian. But I'll call a pig a pig when I see one. To do otherwise is to tolerate insecure systems and crappy software. And that would be stupid.

              It seems to me this article is great - it points out the strengths of open source as well as some weaknesses. You think mistakes like this won't happen again if we pussyfoot about them? Y'all just wanna shoot the messenger. I think he did us all a service.

              I run Debian servers. I don't think I'm affected by this particular problem, but I intend to check them anyway. And I thank the author for bringing this problem to our attention. But this is not the first and it certainly won't be the last. That's why we need to encourage openness about these issues.

              A few years ago, one of my servers WAS penetrated. And my network was compromised. Nastily. I won't name names, but at the time Red Hat was shipping certain programs with known security risks as the default install packages. That's in large part why I'm now on Debian.

              (Getting a 1am phone call from one of the largest backbone ISP's on the east coast asking why you're attacking their routers is a big wake up call I don't want to repeat any time soon)

              And do I blame open source for these problems? No way. Yes, having too many brown moties involved in stirring the stew will always result in problems. Software is hard. Complexity is hard. And yes, it's really crappy this problem went unnoticed for 2 years. That sucks. Really really sucks.

              But the problem was caught. Because it is open source! And the author, who should be listened to instead of vilified, has pointed out 2 very important messages here:

              (1) simple patching is not going to fix this problem! WAKE UP! we may have to patch the systems affected and then regenerate every key those systems ever touched! and that could be a nightmare but it has to be done

              (2) the author is right, there may be other places in the total body of open source code where similar dumb, simple, incredibly-dumb errors were introduced -- who is out looking for those? who will catch them? you? me? the Russians? the Chinese?

              I understand the desire to defend open source, both the body of work and the process, but one of the ways we'll make it better is to examine its known festering wounds -- and fix it.
              • Re: FUD
                dannysauer on 06/09/2008 at 12:32 PM
                Yes, you're exaggerating.

                IPSec and VPN aren't separate, IPSec is one implementation of a VPN.

                Listing email as being impacted is questionable at best. Yes, you might check your email over an SSL-encrypted connection, but what's been compromised here is the integrity of the keys, not the encryption used within a connection. Almost no one authenticates to email via SSL certificates; they establish a connection to a server, and then use a password to auth.

                This is the same concern as with Apache. All this vulnerability does is make man-in-the-middle attacks more feasible, because the server can successfully be impersonated. But when's the last time anyone validated the source of a certificate anyway? If you're not validating the certs that servers are presenting you, then you were already at the exact same level of risk before this bug existed. And man-in-the-middle is relatively hard; the ssl cert part is just one minor piece of that puzzle.

                This is a big impact to ssh, because a client machine can impersonate another client by authenticating with a known key. This is a huge impact to VPN implementations because clients can impersonate other clients. Those are genuinely big deals. But let's try not to exaggerate the impact by blindly including every SSL-enabled protocol as if they're equally impacted...
    • "Open-Source" NOT the issue
      nekote on 05/21/2008 at 1:15 PM
      FWIW
      "Open-Source" shouldn't be in the headline.

      The issue is the incredible security hole.

      In today's world, where "spin", "sound bites" and "staying on message" can all too often become the message perceived, "Open-Source" should not be in the headline.

      Grammatically and logically, yeah, it's correct.

      It isn't the "headliner" news.
      Rather, an interesting aspect of the story.
      • Re: "Open-Source" is not the issue
        pthom13 on 05/24/2008 at 7:57 AM
        I disagree.

        "Open-Source" is definitely one of the issues.

        Many of us rely on open source for our network security. It seems to me something in the process broke down.

        And you can't claim this is exclusively a Debian problem.

        Could this same exact problem happen with any other open source operating system? Oh yes. And it's not just limited to Linux and its siblings. I can delineate any number of ways this could happen.

        This is one of the problems with open source. This security catastrophe occurred because of the nature of open source.

        And I'm not claiming closed source is better, on the contrary. With closed source it may be better... or not. The process for maintaining a closed source code base and system builds may be better... or not. You can never know. That's why open source is superior. Because we can know. Problems are discoverable. And fixable.

        Software is hard. Complexity is hard. Life is short and the art is long. Humans are limited and chaos is relentless.

        That's why we have to constantly work at it. Denying that something you love has a problem isn't going to fix it.
        • FWIW: Other headline writers: "Linux" security issue
          nekote on 05/26/2008 at 1:30 PM
          FWIW

          Other headline writers / editors have selected "Linux" as the security issue.
          Rather than "Open-Source".

          Yes I agree that the the platform / paradigm has something to do with it.

          But, IMHO, more so, it's the nature of we fallible humans that is more the root, than a particular venue.
          • Re: FWIW: Other headline writers: "Linux" security issue
            jpontin on 05/27/2008 at 8:28 AM
            Technology Review TR Staff, Editor in Chief and Publisher
            Linux would not have been accurate. The OpenSSL security hole affected a wide range of open source systems.
            • Re: FWIW: Other headline writers: "Linux" security issue
              dannysauer on 06/09/2008 at 11:50 AM
              Linux would've been fairly accurate, "Debian-derived Linux distributions" would've been even more accurate.  This is not technically an OpenSSL bug; the bug does not exist in the pristine OpenSSL code.  The bug exists exclusively in a local patch to OpenSSL which was included only in Debian's local copy of OpenSSL.  Anyone using a copy of OpenSSL which does not include the Debian modifications is unaffected.  That unaffected list includes all the software using OpenSSL on other platforms, as well as all the Linux distributions which aren't derived from Debian.

              On a related note, Debian systems now (since a couple of weeks ago) use a blacklist which prevents OpenSSH, OpenVPN, and web app connections from machines using the impacted keys.  So, they're technically *more* secure now than other systems which might still trust the impacted keys.  Whoops. :)
          • Re: Other headline writers: "Linux" security issue
            pthom13 on 05/27/2008 at 1:26 PM
            I would have to agree with the editor here on this one.

            "Other headline writers / editors have selected 'Linux' as the security issue. Rather than 'Open-Source'."

            Well, they're wrong. Those other headline writers / editors are wrong if they focussed on Linux rather than Open Source.

            Open SSL is a software package available to any operating system or application that wants to use it or adapt it. That's the whole nature of open source. That's why Open SSL has the word "Open" in its name.

            And it wasn't Linux that failed in this case, or Debian, or even Open SSL... what failed was the Open Source model. Anybody can get in there and screw with the code. In this case someone completely authorized to do so got in there and screwed with the code in a very very bad way. And then put that "fix" into a library that was used by we-don't-know-how-many unsuspecting programs. Which were then installed on an unknowable number of systems.

            And to blame "we fallible humans" just begs the issue...

            Open Source IS us people who make it, and the systems in place to maintain it. If either of those fail, then you, me, we are all screwed... especially if it's a software package upon which all Internet commerce is based.

            We just had a big "oops" in open-source-land. Not Linux. Not Debian. Not a little security hole to patch. Not a drunken programmer who drove a program off a bridge. Open Source. Had a failure. Had an error.

            Now. This is very important. I'm not saying Open Source is bad. I'm not even saying there's a flaw in the open source model. I'm just saying that making excuses for what happened won't fix the problem, and won't keep it from happening again.

            And that's what's most important now. Fixing the problem. Taking the steps to understand the big picture, the big failure, and then taking steps to fix whatever it is that needs fixing. Whatever it takes. More better testing? More better documentation of critical sections of code? More better accounting of code modifications and differences between systems? I can only conjecture.

            As for this particular problem being limited to one specific platform... I can easily see the exact same scenario occurring on any number of other platforms, including BSD, including Apple, including commercial closed source vendors like Microsoft or Unisys (who are both known to 'borrow' code from open source), including any number of experimental OS's and platforms (who also borrow code from open source)... for all we know, this particular error could have propagated out from the Debian screw up... after all, the programmers fixed the code for the best of reasons, an automated tool told them it needed fixing... and if they then posted that patch and others decided to use it, to apply it to their platform... kablooey!

            sorry to rant on here about this issue... but did i mention that this is a software package upon which all Internet commerce is based?
  • Many Have Warned Of This
    MakeSense on 05/20/2008 at 10:03 AM
    This is a chilling event. But we shouldn't think that it was not foreseeable. People have been warning of this vulnerability for years, even Hollywood has. We are as dependent on computers as we are on water, food or the army. Someone needs to take ultimate control of open source code.
    • Re: Many Have Warned Of This
      Monsterboy on 05/20/2008 at 11:03 AM
      Then again, nobody's taken "ultimate control" of food or water. And as far as the army goes, snafus happen there all the time -- in fact, I believe that's where the word "snafu" came from. (Nisi enim fallor.)
  • Accountability Issues
    gabrielg01 on 05/20/2008 at 2:29 PM
    The biggest problem is accountability. If Mac or Windows machines suffer from security flaws, the public knows who is ultimately responsible for them. Apple and Microsoft have been scampering panic stricken to fix their systems. But who will fix these open systems? And who is accountable if someone relied on the failed security of these systems?

    And the sad part is, just like the article mentions, that nondemocratic governments can meddle with the open systems to build back doors into them, so they can violate the rights of their citizens.
  • Oh c'mon
    paul_one on 05/20/2008 at 8:12 PM
    That's just Debian for you.

    You can't even say it's an "openSSL" problem, as it's purely the debian packages which have the 'mistake'.

    I don't like stereotyping, but to me Debian developers/users always seem to be this way, wanting things 'their own way' instead of co-operating easily.. No wonder development keeps falling over.

    As for one person saying that openSSL were informed and thought it was a good idea - of course they did.. That's why it's included in the sourc... oh wait, no.. That's why it's included in other pack.. oh wait, no.
    • Re: Oh c'mon
      jeremiah on 05/21/2008 at 8:48 AM
      "I don't like stereotyping, but to me Debian developers/users always seem to be this way, wanting things 'their own way' instead of co-operating easily.. No wonder development keeps falling over."

      Umm, the most popular and largest linux distribution completely built by the community, entirely free (as in cost) and in license is falling over? You are mistaken.

      "As for one person saying that openSSL were informed and thought it was a good idea - of course they did.. That's why it's included in the sourc... oh wait, no.. That's why it's included in other pack.. oh wait, no."

      The OpenSSL developers looked directly at the source code.

      Simson Garfinkel's article was very misleading, as was the title. But Garfinkel is not a journalist and should not be expected to write like one. Overall a rather shoddy piece of work that tries to denigrate debian as opposed to discuss how operating system vendors respond to common vulnerabilities. I think a quick look at the record would find debian in general more secure, and quicker to fix known problems transparently, than other vendors like Apple and Microsoft.

      The fact is that the record is there, as is all the source code - simple due diligence would have shown that this article is poorly researched FUD.
  • For those who want more information than the article provides
    jeremiah on 05/21/2008 at 9:03 AM
    Here is a good discussion of the problem: http://etbe.coker.com.au/2008/05/21/security-flaws-in-free-software/

    I think the following quote is apt; it begins with a debian maintainer's message to OpenSSL on their development list:

    "Kurt's first message starts with 'When debbuging applications' and ends with 'What do you people think about removing those 2 lines of code?' The reply he received from Ulf (a core OpenSSL developer) is 'If it helps with debugging, I'm in favor of removing them.' It seems to me that there might have been a miscommunication there, Ulf may have believed that the discussion only concerned a debugging build and not a build that would eventually end up on millions of machines."

    So the OpenSSL guys looked right at the code and most certainly did not fall on the floor laughing. Of course OpenSSL has reason to misrepresent the incident because they do not want to be painted with the same brush as debian, which is reasonable enough in this case, but they needn't lie about it. And Garfinkel should do more than just parrot gossip heard on the web.
  • almost certainly an innocent mistake
    MikeRilee on 05/21/2008 at 6:02 PM
    Please help me understand this:  how is this an innocent mistake?

    Wouldn't a lawyer be disbarred for such an error interpreting code that they are applying?


    • Re: almost certainly an innocent mistake
      jeremiah on 05/23/2008 at 3:34 AM
      I think the notion of "innocent" here is that the code that was removed from OpenSSL was not _intentionally_ designed to provide a back door, rather it created a "security hole" that potentially allows for attacks.

      As to whether a lawyer would be fired for a similar mistake - that question is too hypot