Great Circle Associates Firewalls
(February 1995)

Subject: Re: Windows NT
From: "Marcus J. Ranum" <mjr @ tis . com>
Organization: Trusted Information Systems, Inc. Glenwood, MD
Date: Mon, 27 Feb 1995 23:03:53 -0500 (EST)
To: mmorse @ nsf . gov (Michael H. Morse)
Cc: ian @ jerboa . com, marks @ ozemail . com . au, Firewalls @ greatcircle . com, wildfire @ ftoomsh . socs . uts . EDU . AU
Coredump: Infocalypse Now!!!
In-reply-to: <199502272252 . RAA29331 @ z . nsf . gov> from "Michael H. Morse" at Feb 27, 95 05:52:50 pm
Phone: 301-854-6889

>> Your guess is as good as mine.  At least with BSDI, Linux or NetBSD the
>> sources are available for people to scrutinize (even if it would take a long
>> time) and fix; and at least many holes have been plugged because of this.
>
>I'll probably get flamed for this, but it seems to me that most
>the common ways to crack Internet systems rely on source code being
>available.

	Let's be more accurate: Most of the common ways to crack
Internet systems rely on cruddy, bogus software on the Internet
systems, a fair amount of which is available in source form on
the 'net.
	In fact, relatively few "exploits" rely on source code.
Having source code is handy if you're attacking a system because
you can *verify* that it has a Stupid Bug by looking at the
source, but often enough you can check using other means. It's
a simple matter of skill. The tricks can get automated; I
suppose I could write a tool to parse out places where buffers
were mismanaged in network daemons. It'd be a pretty amusing
project, actually.

> Why is it that only Unix systems are hacked these days?
>The reason is that they're the only systems in which hackers have
>source code for the programs that others run.

	I used to get incredibly frustrated when people asked
questions like the above, because it's usually followed with:
"...if everyone just ran {VMS|MVS|WNT} this wouldn't happen"
or some such drivel. :)
	In this case, though, you're possibly right, but I
feel it's more the case that UNIX machines are more widely
accessible for the hackers to work on and learn about. A
large number of the college systems have UNIX nodes for the
general student computing. Also, many of the research outfits
or educational computer centers that have lame security are
running lots of UNIX machines. So hackers have a lot of
good opportunities to learn to love UNIX. :)
	I suspect it's more a matter of:

	1) demographics
	2) cruddy software
	3) lousy defaults

	1) demographics: there are a LOT of UNIX boxes out
there. While, in the Real World, there are more PeeCees running
Windows than anything else, UNIX' TCP/IP integration and
Internet tools make it the O/S of choice for Internet servers.
After all, with many other O/S that shall remain nameless,
TCP/IP is an expensive or badly braindamaged add-on package.
Since it's the O/S of choice, it's also the target of opportunity.
Who's going to attack someone's desktop PeeCee when they can
go after someone's WWW server?  Which brings me to...

	2) cruddy software: UNIX' software sets a new standard
in bad, generally. That's because it was accreted, not designed,
and, as usual, security was the last thing in the designer's
minds. Usually it was an afterthought. Often the designers of
Important Internet Applications were bashing stuff together
as a research toy and -- ooops -- it got popular so now it's
a product how can we secure it? Add to that the fact that UNIX'
wonderful network integration has not encouraged vendors to
try to make anything be other than crud.

	3) lousy defaults: Many major applications or parts
of the O/S ship with security turned OFF as the default,
when there is any to speak of in the first place. And, not to
name names, one vendor STILL ships UNIX with a "+" in the
/etc/hosts.equiv file because their customers would complain
if they stopped. Others would complain if they continue, but
people seem willing to plonk down big $$ for it in its
current state.

>Look at many of the
>recent attacks, such as the httpd and sendmail problems:  they are
>obviously the result of someone with too much idle time poring over
>source code looking for opportunities for stack overflow.

	No. They are obviously the result of badly implemented,
mis-designed, cruddy software.

	I probably shouldn't post this in a public forum, but
the ultimate hackers' tool is: the mind. In fact, if you want
to, you can formalize hacking. It's actually been done, but
fortunately the hackers haven't learned from it. :)  But, let's
assume the following procedure:

	1) Identify a likely weak point
	2) Postulate an implementation flaw
	3) Develop a test to probe the flaw
	4) Gather results
	5) If the results indicate a flaw, exploit it

	This DOESN'T require source code. Step #1 is easy. You
start with sendmail because sendmail has a history of being
amazingly mis-designed cruddy software. Knowing where to start
is 9/10 of the battle won already, and you can literally do it
by simple statistics:

	Look for all setuid root executables
	Plot setuid-ness with number of times it appears in a CERT
		warning
	Sort the output
	Attack the top 3 programs [which, I will bet you are, in
		order: sendmail, exrecover, and ftpd]

	For implementation flaws, classify the types of errors
commonly found, and count each type. Sort the output and postulate
that there are probably a few bugs of the top 2 categories left
to find in each of { sendmail, exrecover, and ftpd }. This list
is likely:

	Executing the wrong thing
	Overrunning buffers
	Forgetting to give up permissions it never would have
		had in the first place were it not amazingly
		mis-designed cruddy software

	Then write a simple harness to pass in large globs of
stuff (BUFSIZ * 2) where it reads from you, and see if you
get a core dump. If you do, you're golden.

	Alternative #2: Identify a target machine. Connect to
it and determine its O/S type and rev level. Get the release
notes for the NEXT version and see what is identified as
changed in that release. Sort the list against setuid executables
and you'll find all the holes CERT hasn't announced yet, but
which the vendors have fixed.

>It's true that experts can scrutinize the source code, but my reading
>of history is that hackers do it a lot more.

	The real people who *SHOULD* scrutinize the source code
are the people who are mis-designing the next generation of cruddy
software we'll all have to run. :)

	A lot of this is definitional, though. The biggest problem
in computer security today is based on an environment where the
source code is NOT known at all, and is, in fact, a closely held
secret. That's DOS. And the problem is viruses. Wherever there
is a target interesting or challenging enough to hackers, they
will look for weaknesses.

	I'll let you in on a secret: The UNIX tools that are
on the Internet were designed as dummy programs to distract the
hackers, by being mis-designed, cruddy, and full of security
holes. The idea was that the hackers would just romp all over
the UNIX machines and never go after the important or interesting
stuff, which all runs on VMS, MVS, MULTICS, and Plan 9.
Unfortunately, the plan has backfired, and UNIX seems to have
survived better than was expected. Since it's become a commercial
product, the April 1 announcement of the joke was delayed and
the whole plot covered up.

mjr.
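The two "lousy defaults" the post names, a "+" in /etc/hosts.equiv and a large population of setuid-root executables (the place the ranking step above starts), are also the first things a sysadmin can audit for. Here is an added example, not from the original post or the list, written as POSIX sh; the file path, search root and owner are parameters so it can be run against a constructed test tree as well as the live system:

```shell
#!/bin/sh
# Added example: audit for the two defaults the post criticises.
#  1. a bare "+" host entry in a hosts.equiv-style file (trusts every host)
#  2. setuid executables owned by a given user (root by default)

# Return 0 if the file has a "+" in the host field of any non-comment line.
# A line like "+ +" (any host, any user) is caught as well.
hosts_equiv_has_wildcard() {
    file="${1:-/etc/hosts.equiv}"
    [ -r "$file" ] || return 1
    sed 's/#.*//' "$file" | awk 'NF && $1 == "+" { found = 1 } END { exit !found }'
}

# Print every regular file under $1 (default /) with the setuid bit set and
# owned by $2 (default root), one per line and sorted so two runs can be diffed.
# -xdev keeps the walk on one filesystem; unreadable directories are skipped.
list_setuid_files() {
    root="${1:-/}"
    owner="${2:-root}"
    find "$root" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null | sort
}

# Human-readable summary of both checks.
audit_defaults() {
    root="${1:-/}"
    owner="${2:-root}"
    equiv="${3:-/etc/hosts.equiv}"
    count=$(list_setuid_files "$root" "$owner" | awk 'END { print NR }')
    echo "setuid-$owner executables under $root: $count"
    if hosts_equiv_has_wildcard "$equiv"; then
        echo "WARNING: $equiv trusts every host (\"+\" entry)"
    else
        echo "$equiv: no wildcard trust entry"
    fi
}

# Set AUDIT_RUN=1 to audit the live system when this file is executed directly.
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_defaults "$@"
fi
```

Diff the sorted setuid list against a known-good copy after each vendor upgrade: a binary that newly appears in it is worth an explanation.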
