Earlier this week, I went back to my alma mater to give a talk about buffer overflows. Michigan Tech is a unique school located in an abandoned mining town called Houghton in the otherwise untouched wilderness of Michigan's upper peninsula. The nearest city is Minneapolis -- an unreasonable 7 hour 41 minute drive away. The rest is nothing but small towns, abandoned mines, and snow... lots of snow... With 300 - 400 inches of snow a year, some days it felt like planet Hoth. At the Minneapolis airport, I recalled the isolation of the region while boarding a 30-seat propeller plane -- the only way to fly into the tiny airport near Houghton.

I was picked up from the airport by a senior who also knew firsthand about the region's harsh climate. "Why the hell did you come back here?", he joked with me. While the solitude of the back country does have its certain charm, I distinctly remembered just wanting to get the hell out of there by the time I was a senior. Why the hell did I come back here?
Well, there is some history that makes this too funny to pass up. Eight years ago, when I was a sophomore, I used to play around with the world-writable utmps and mess with people using flawed Xauth implementations. Soon one of the lab admins challenged me to get root on the main CS file server. It was easy to find a publicly known buffer overflow vulnerability in one of the many suidroot binaries on that system. After figuring out the proper offsets, I showed the exploit to the lab admin. "Holy shit!", he exclaimed at the sight of the root shell prompt. "That's a big problem", he continued, "Someone should fix it." I agreed with him, so I e-mailed the necessary patches to the system admin along with an explanation of how I got root -- only to get my account shut down the next day for violating the school's computer use policy. The lab admin who challenged me was only a student, and the policy is the policy. I was threatened with expulsion and put on probation. The administration made it clear that if anything else happened, I would be out of there. I focused on my course work, did what they told me, and got my degree in the end. There were some good teachers there and I did feel a strange connection with this odd college in the middle of nowhere. But yeah... a big reason was just the irony of giving a talk about buffer overflows at the same school where I was reprimanded for the exact same issue.
Wait a second... eight years ago and it's the exact same issue? Eight years ago my computer ran at 133 MHz, so why is an eight-year-old computer vulnerability still relevant today? It's still relevant because it's been a problem for much longer than that -- over 40 years, since the 1960s. In 1988, the Morris worm spread using a buffer overflow vulnerability. Decades later, Internet worms such as Code Red and Slammer still propagate using buffer overflow vulnerabilities. We've known about buffer overflow vulnerabilities for nearly half a century, but they still comprise over a fifth of the vulnerabilities reported last year. Holy crap... has it really been that long?
How is it that the same mistakes keep getting made over and over? If you don't know about it, it can be an easy mistake to make. But so many programmers don't know about it simply because they don't need to. Security is often an afterthought in business, so managers are blind to security as a metric of performance. A developer who writes 5 insecure functions is obviously better than the one who writes 2 secure ones. And these are the guys who are hiring our new college graduates.
So why should the colleges care? Over dinner with MTU's CS department, I sympathized with their dilemma of increasing enrollment despite the school's physical isolation. Job placement numbers -- turning out graduates those guys want to hire -- are what the curriculum is based on. I thought about recommending some computer security major, but at the cost of other material, security knowledge probably wouldn't help job placement enough. Computer security is a whole different market. If you want them to get hired, steer them towards the big open markets. The markets where no one cares if you know what a buffer overflow is.
Okay, that's fine -- if they can't tell them about exploits, I guess I will. I gave my talk about buffer overflows, explaining how this mistake can be made. I explained what I said in last February's Linux Magazine, but with live interactive demonstrations illustrating how an overflow into a return address can take control of a program. As I explained things in this way, I could see things clicking in the students' heads. After showing them how shellcode can be used to inject functionality into a hijacked program, I could see two distinct reactions on their faces. As the root shell prompt appeared, a group of astonished faces seemed to be saying "Holy shit!" and another group nodded responsibly -- as if they were thinking to themselves, "This is a big problem... someone should fix it." Yup. That's what I've been trying to say for years.
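The mistake the talk is about, shown from the fixing side as an added example (this is not code from the talk or from the Linux Magazine article): an unbounded strcpy() into a fixed-size stack buffer, next to a version that checks the length against the buffer before copying. NAME_LEN, greet_unsafe, greet_safe and overflow_bytes are assumed names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for the example */

/* The mistake: strcpy() stops at the NUL of the source, not at the end of
 * the destination. Anything longer than NAME_LEN - 1 characters runs past
 * `name` into whatever sits above it in the stack frame, which on a classic
 * layout includes the saved frame pointer and the return address. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);              /* no bound on the copy */
    printf("Hello, %s\n", name);
}

/* The fix: treat the destination size as the limit and reject input that
 * does not fit, rather than silently truncating it. Returns 0 on success
 * and -1 if the input was rejected. */
int greet_safe(const char *input) {
    char name[NAME_LEN];
    /* look for the terminator only within the first NAME_LEN bytes */
    const char *end = memchr(input, '\0', NAME_LEN);
    if (end == NULL)                   /* no terminator: it cannot fit */
        return -1;
    memcpy(name, input, (size_t)(end - input) + 1);  /* copies the NUL too */
    printf("Hello, %s\n", name);
    return 0;
}

/* How many bytes strcpy() would have written past the end of a NAME_LEN
 * buffer for this input (0 when it fits). */
long overflow_bytes(const char *input) {
    long excess = (long)strlen(input) + 1 - NAME_LEN;
    return excess > 0 ? excess : 0;
}

int main(void) {
    /* constructed sample inputs */
    const char *ok = "mtu";
    const char *too_long = "this-name-is-far-too-long-for-the-buffer";
    greet_safe(ok);
    if (greet_safe(too_long) != 0)
        printf("rejected input that would have spilled %ld bytes past the buffer\n",
               overflow_bytes(too_long));
    return 0;
}
```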

Comments (1)
Dude... that pic looks like Canada ;) I feel your snowy, wintery pain. Thank god spring has hit up here!
Posted by bsonne | April 11, 2005 2:15 PM