(19 Jan 2004 at 18:56)
|Thank goodness, the amazing Georgi Guninski has found a security hole in qmail. For years Dan Bernstein has terrorized the safe languages proponents by publishing his C software that, unlike almost all other C software in the world, is actually quite secure. (example terrorism by djb fanboy) This always worried me because there is little in his code that actually makes it different from typical C code (except for his string library and the fact that he understands security and is an excellent hacker), and infuriated me because nobody ever actually found any exploitable holes. Read the Qmail security guarantee for a flavor of his methodology and bravado. (For the record, I believe djb's practices and ideals are still much better than most C programmers, and his software is, too.)|
The bug is an integer overflow, a sort of bug that is unfortunately very easy to make in C, even for superhackers, because C programmers often use integers to compute array indices and iterate through data. It does apparently require sending 2 gigabytes of data, so don't expect any worms based on this technique. ;) Of course, SML would be doubly immune: first because integers don't overflow, and second because array accesses are bounds-checked.
So, "secure C" programmers: even your prophet is not invincible!
|ahem, Georgi Guninski did not find a security hole. He has found a way to make the qmail-smtpd program crash but nothing as spectacular as a security hole that allows you to exploit the machine under attack.
Please use a more appropriate term instead of your 'security hole' and continue to be infuriated by the fact that NOBODY ever actually found any exploitable holes. No one is going to ever root another machine via qmail-smtpd. Live with it.
|Ahaha. Exploitable or not, this was exactly the kind of bug that leads to real "security holes." My point is that given this discovery, there are likely to be more unknown problems, some which may be serious.
Also, thank you for providing me with a great example of the kind of blind patriotism I'm talking about!
|Not impressed. :-P Yes, it's an overflow of a kind very much akin to those which lead to security holes. Nevertheless, you promised me a security hole, and I think Anonymous is correct in saying you have failed to deliver.
Point well-taken about the fact that it was largely luck that this particular integer overflow didn't result in arbitrary code execution. (Might not be entirely luck, since I assume Georgi Guninski subsequently went through the rest of Qmail with a fine-toothed comb looking for exploitable integer overflows, and failed to find any...)
|Ah, I do note on DJB's security guarantee page that Guninski did find a real exploitable hole in 64-bit qmail, which djb denied (perhaps rightly; perhaps not) on the grounds that if you're running his approved configuration with proper ulimits, the hole is not exploitable. I think I will grant you that one.|
|I think what I promised was a "vulnerability", but maybe not. Is this not a DOS? Anyway it doesn't matter: The idea that we can make correct software just by flexing our muscles (and particularly the implicit or explicit rejection of systematic methods that make writing secure code easier) is what I'm arguing against. This was clearly a bug, which is only by luck and not foresight caught by the VMM, and obviously of the same character that has frequently lead to exploitable holes. Suffering in and of itself does not beget results.|