A Linux security story

There's no such thing as perfect security. There are no programs that give you absolute software security. After all, security is a process, not a product. Linux's security process, though, is outstanding, which is one reason why it has great security. Here's an example.

On July 16th, a security programmer named Brad Spengler, who designs an open-source network and server security program called grsecurity revealed on the full disclosures security mailing list that there was a security hole in the 2.6.30 Linux kernel.

The short version of this vulnerability, according to the SANS Internet Storm Center goes like this: "The vulnerable code is located in the net/tun implementation. Basically, what happens here is that the developer initialized a variable to a certain value that can be NULL. The developer correctly checked the value of this new variable couple of lines later and, if it is 0 (NULL), he just returns back an error. "

But, and from a technical standpoint this is where it gets interesting. The programmer's code that does this looks innocent. It only after the gcc "compiler takes this into its hands, while optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland - and this finally pwns the box."

Scary isn't it? You see, because it's working at such a low level, this vulnerability can be used to dodge around SELinux (Security Enhanced Linux), AppArmor and other Linux security programs. Well, actually, it's not very scary at all.

First, to crack a computer with this, you already need to have a high level of access to a Linux computer to be able to use the developer tools. Next, you need to deliberately compile a program from source code with the exploit already written in it.

This is not like Windows where the only mistake you need to make is to click on the wrong URL or open an e-mail attachment and your computer is instantly infected with malware or enrolled in a botnet. You really almost need to try to break into your Linux computer to hack it with this method.

But, it's probably not going to work anyway. You see, a similar exploit, and potentially far more dangerous one, using PulseAudio, a popular Linux and Windows audio server, was already explored and, this is the important part, fixed, in June.

So, if you're using the latest version of the Linux kernel, Linux 2.6.31-rc3, you should be fine and dandy.

The point of all this, however, isn't in the technical details. It's that in open source, problems are publicly discovered and publicly fixed. Firefox 3.5, for example, had a major security hole revealed on Monday, and Firefox 3.5.1 fixed it on Friday.

Microsoft also had a major security hole in Internet Explorer revealed on Monday, and there's no patch in sight. But, that's nothing. Windows and other Microsoft programs have security holes that are months, years old, and there's still not a fix in sight for some of them. At least, late last year, Microsoft fixed one hole that had been around for--I kid you not--seven years. And, let's not forget that MyDoom, malware which first showed up in 2004, was being used on Windows PCs to launch DDoS (Distributed Denial of Service) attacks last week.

The simple truth is that all open-source software, is much more secure than its proprietary brothers, because it's very nature makes finding and quickly fixing security holes so much faster. If Microsoft was really serious about securing its software, it wouldn't have Patch Tuesdays, it would open up its code so the junk could be weeded out. That, however, will never happen. So, for now, and forever, FOSS (free and open-source software) will remain the security champion.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies