Security-related innovation in Unix
Jason Miller, 2005-09-28

Story continued from Page 1


Although having applications crash immediately might not sound like a good thing, it is certainly for the greater good. It will help OpenBSD users find bugs in software more easily, which will result in better applications for everyone. Diagnosing the cause of a crash will also be much easier; as some of you may already know, heap-related bugs can be extremely difficult to track down.

What's so great about the new OpenBSD heap?

Although I haven't looked at the code for OpenBSD's new heap implementation yet, the e-mail message from Theo de Raadt included in the kerneltrap.org article includes enough information to understand how it works. If you're interested in the dirty details, be sure to check it out. Continuing along with what I've just mentioned, I'd like to elaborate on a few things that I really like about the new OpenBSD heap.

1. It's going to be included and (mostly) enabled by default in OpenBSD.

Technologies like this are fantastic, but they really start to lose their value when only a small subset of people use them. OpenBSD has done a stellar job of putting innovative security features like this in their operating system, and enabling them by default. The more hurdles that one has to jump through for good security, the less likely people will go through the trouble. OpenBSD allows even the most inexperienced users to take advantage of these technologies without any effort.

2. It's going to help find and pinpoint heap-related bugs.

I still haven't come to a personal conclusion about the number of vulnerabilities in software being finite, but I think we can all agree that when we eliminate a vulnerability in an application, we're making the application stronger. With this new heap in wide-scale use, we're going to start finding a lot of bugs in various applications, and those bugs will start to be fixed. For those of you that will be using this new heap, please file bug reports for any applications that crash, as this will help make software better for everyone.

3. The guard pages will help to hinder many "heap-data" exploit vectors.

As I mentioned earlier, misuse of the heap can result in an attacker playing tricks with the heap algorithms, causing the offending program to give up control of itself to the attacker. Even when using a heap designed to protect against this type of trickery, it may still be possible for an attacker to overwrite other application-specific data on the heap, which can also give the attacker some leverage. Without getting into too many technical details, the new OpenBSD heap's guard pages will help protect against this type of attack in many (but not all) cases.
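To make the "crash immediately" behaviour and the guard-page idea concrete, here is an added example in C that is not code from the article or from OpenBSD's allocator: a minimal guard-page allocator in the same spirit (each object sits at the end of its own mapping, followed by an inaccessible page), plus a probe that shows an off-by-one write being caught as a fault rather than silently corrupting neighbouring data. It assumes a POSIX system with mmap, mprotect and sigaction; the function names are my own.

```c
#define _GNU_SOURCE        /* for MAP_ANONYMOUS, sigaction, sigsetjmp */
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Each allocation gets its own mapping: data page(s) rounded up from n, then
 * one PROT_NONE guard page. The object is placed at the END of the data
 * pages, so the first byte written past it lands in the guard and faults. */
static void *guard_alloc(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (n + page - 1) / page * page;
    char *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* Arm the guard page: any access to it raises SIGSEGV. */
    if (mprotect(base + data, page, PROT_NONE) != 0) { munmap(base, data + page); return NULL; }
    return base + data - n;
}

/* Release a guard_alloc'd object; bounds are recomputed from n (no metadata). */
static void guard_free(void *p, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (n + page - 1) / page * page;
    munmap((char *)p - (data - n), data + page);
}

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Fill n bytes in bounds, then write one byte past the end. Returns 1 if the
 * off-by-one was caught by the guard page (SIGSEGV), 0 if it went unnoticed. */
static int overflow_is_caught(size_t n) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    char *buf = guard_alloc(n);
    if (!buf) { sigaction(SIGSEGV, &old, NULL); return -1; }
    int caught = 0;
    memset(buf, 'A', n);                       /* in bounds: must not fault */
    if (sigsetjmp(fault_env, 1) == 0)
        ((volatile char *)buf)[n] = 'B';       /* the overflowing write */
    else
        caught = 1;
    sigaction(SIGSEGV, &old, NULL);
    guard_free(buf, n);
    return caught;
}

int main(void) { return overflow_is_caught(100) == 1 ? 0 : 1; }
```

A production allocator like OpenBSD's adds randomisation, metadata checks and freed-memory poisoning on top of this; the point here is only that the guard page turns a silent one-byte overflow into an immediate, diagnosable crash.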

Innovate, and propagate

Personally, I'm a huge fan of technologies like this. We already have some similar projects that, although not specifically related to the heap, aim to hinder exploitation at the machine code level. If you use Linux, and haven't heard of PaX, then get out from under your rock and start using it.

Now, from a technical standpoint, PaX is very different from a secure heap implementation, but they do share the end goal of pro-actively defending against the exploitation of software vulnerabilities. The only problem with PaX is that not enough people use it. The more popular Linux distributions need to include technologies like this in the default installation. Innovation is useless without exposure - you can build some very powerful protection technologies, but if nobody uses them, they have very little value.

As for PaX-like functionality in the BSD operating systems, OpenBSD has W^X, which is very similar to PaX in many regards, and is included and enabled by default. Even NetBSD has support for non-executable pages, at varying levels of granularity, on many of its supported platforms.

Ultimately, we need more pro-active technologies like these, and more importantly, better integration of these innovations to the masses. Security shouldn't be anything but a top priority.

Summary

Pro-active solutions to security issues are fantastic. The security industry needs to take a more pro-active approach to securing their systems, because the reactionary techniques that have plagued our history have done nothing but fuel the never ending arms race. It's time for us to stop playing catch-up, and start gaining some ground. And if we have to sacrifice a little usability on the way there, then so be it.


Jason Miller manages the Focus IDS area for SecurityFocus.