seth15-qc.log

tarzeau and debian? and the hurd? rene and microsoft? :) tarzeau hah :) tarzeau no i meant the hurd has it different tarzeau nothing i could explain with a few sentences on irc here and now, but check #hurd on opn/fn rene fair enough Stingray sarnold: AFAIK microsoft have 50M lines of code, most of it was written in early 90s and never read in past 5 years :) yes they need a whole army of auditors! sarnold Stingray :) fernand0 there is another problem: auditing code is not easy jose_n fernand0: sometimes it is enough to simply question a code snippet :) rene embrace and extend also doesn't help... not sticking to proven protocols and continually inventing your own additions (see IE, for example) also means you introduce *a lot* of bugs fernand0 question ? jose_n fernand0: yeah, like saying "hey, this doesn't look right". forces the programmer to look at it again and justify it fernand0 ah tarzeau ... my boss doesn't see the difference between freeware and free software.. fernand0 but it'll become af the history of the shepherd and the wolf fernand0 ;) fernand0 some companies act if it were like this even with actual problems rene sarnold: to open-sourec specifically I believe there is also another problem. sometimes when I find a bug, I end up not reporting it, bacause I was fixing it myself (I have the source after all ...) then get to far into that, reqrite loads, get stuck halfway, and drop it rene rewrite docelic There should a lot of effort be put into advising existing/new programmers how to write new code with at least basic security aspects in mind (in addition to just working on fixing bugs someone made who-knows-when in the past). tarzeau rene: to that problem debian has a solution, the bug tracking system tarzeau rene: but that's to debian users/developers only.. rene sarnold: good plan, I'll keep that in mind :-) jose_n does sardonix also score vendors? ie "-1: not responsive" or "+5: rapid response, worked closely with community to develop a fix." jose_n docelic: there are various guides, the sardonix.org site has a few listed. docelic ok riel sarnold: one problem I am seeing is that people copy code with security bugs from books and online examples. Do you know of any effort to audit educational material for security bugs ? rene the "copying bugs" problem gets even worse with todays (visual-style) click-em-together programs. people just glue existing stuff together, rather than writing it themselves fork wasn't that Stevens paying for pointing out for errors in his books? fork yes, he was it, sorry fork nevertheless, quiet a grateful move docelic concerning the bugs in online examples and/or books... maybe some people would gather around sardonix to volunteer to audit the code intended for publishing.. so if the original author focuses on functionality, we could add a grain of correctness into it, and prevent mistakes from happening both at the author's and the readers side tarzeau i'd love to read some old mid eighties unix books... docelic hehe definitely ;) sarnold, prepare a list tarzeau sometimes secure programming isn't that important... tarzeau or it's not easy to have the border between secure and buggy tarzeau like games.. i mean tarzeau of course it's important to make sure input data is valid tarzeau and won't cause problems tarzeau but that i'd call defenesive/careful programming docelic well that's exactly the point.. I wouldnt want programmers to become so paranoid they never finish their application because they think about security too much.. but just eliminating bad software practices surely helps along the way docelic hehe sarnold ;-)) tarzeau sarnold: very nice saying :) riel sarnold: don't forget about games on multiuser machines, that have a shared highscore file tarzeau i have one too (found on dp.o, debianplanet.org that is) (it's about secure operating systems) tarzeau "secure by default is only good for good press - that way clueless users get<br>'secure' install. It's the admin that makes system secure, not having closed everything<br>in base system - when you install debian and get only kernel+ash, it won't help anyone." Borja I disagree, sarnold ;-) fork i think an example of games is not actually that good. Popular network-capable games (i.e. quake) were leaking in past, and that was really bad and abused Borja Even games must be made secure, if they are intended to be exposed to the Internet. fork oh... tarzeau that bad input is with webservers and cgi a thing i guess... tarzeau well anything that's networked Borja In fact, gaming machines could become an excellent army of zombies for a DoS being easy targets. docelic good point (#linux) tarzeau i find it not critical if software isn't secure which would cause death/harm to human or other lifeforms tarzeau like software in hospitals/devices and airplanes blackkoal define security in application as you understood blackkoal ok thanks tarzeau wasn't debian used in some nasa project, space shuttle projects? well tarzeau i don't know how critical that systems were... sarnold tarzeau: almost certainly only experimental systems :) tarzeau open source *is* used at some places where you wouldn't expect it tarzeau so sardonix.org is kinda like slashdot.org, advogato.org, freshmeat.net ? where to make an account? what can i do? blackkoal https://sardonix.org/Become_an_Auditor.html Borja Anyway, I don't think auditing is the main point. Borja Software should be stronger by design. rene sarnold: sorry for being clueless, but what is this "karma whore" stuff? blackkoal people who only do anything if the became respect (i think) docelic rene: gaining public recognition ;) Borja Design errors are much more serious, and much more difficult to detect in an audit. rene mmm Borja Yes, it's a great book. Unfortunately few people nowadays has read it :-( Borja And it was written at a time when security was not an important concern tarzeau the goats.cx guy is a karma whore? Borja Yes, that is what I meant. Audits are not effective against "intrinsic" bugs (I prefer to call them design flaws) Borja That's the point! Education. Borja And not thinking of software development as an assembly line, a fashionable concept in software engineering sToneheAd tarzeau, lol rene strlcpy? tarzeau and strfry! sarnold hehe :) Beregorn my favorite one ;) rene sarnold: mmm, not a manpage not glib manual entry for it, so I guess we don't have it on linux? :) rene nor rene glibc sarnold rene: indeed, ulrich (glibc maintainer) isn't interested in having Yet Another String Function. Bummer. But it is small enough that it could be autoconfigured or similar. fernand0 there is a nice paper explaining it, iirc rene I see, thanks... blackkoal another question: is there anywhere a website how to write clean code (i mean with clean and good comments, ...? especially how to write comments) fernand0 http://www.openbsd.org/papers/strlcpy-paper.ps rene fernand0: thanks tarzeau blackkoal: c language? fernand0 it's not long ... MJesus please answerd in #linux tarzeau blackkoal: k&r's is nice and k's practice of programming tarzeau blackkoal: see linuxbrit.co.uk 's recommended books blackkoal c, php blackkoal ok tarzeau omg... don't write c and php on one line blackkoal why? tarzeau www.gnu.org/fun/jokes/declarations.html viZard that was deep blackkoal lol sh0nX hehe sh0nX you can use aliases too to replace functions ;-) sh0nX er to majeu how can one avoid the problems with the LD_PRELOAD, besides compiling statically mcp majeu: using grsecurity features :) majeu i don't use linux mcp ah mcp what then? mcp bsd? mcp sunos? tarzeau hurd? tarzeau openstep? tarzeau dos? majeu I use several bsds sarnold then hopefully whoever provided your system libraries has put effort into cleaning the environment when setuid/setgid applications get executed :) mcp hehe dos ;) docelic tarzeau: all viable options ;-)))) tarzeau amigaos i forgot! majeu eros majeu :) sarnold majeu :) mcp majeu: there is a project for openbsd which should avoid this kind of things mcp I wish I remember the name sarnold "stephanie" ? majeu stefanie? sh0nX NEVER compile QT and install it when in KDE;-) majeu I recall that name from somewhere sh0nX heh mcp hmm, no, it was not stefahnie :) mcp mom mcp sarnold: wooohoo sh0nX hmm sh0nX questions sh0nX how much of standard open source utils (like core GNU tools) and such get audited? tarzeau does someone audit nethack too? sh0nX thats pretty bad crispin Steven Christey's list is a richer form of the pathology list that sardonix already has. crispin but there's a defect in the sardonix organization: that list is burried in the audit submission form, and you can't see it until you go to submit an audit. sh0nX I'd like to see an open source auditing group/consortium sh0nX but it takes time/money sh0nX I see. sh0nX how about automated tools that look for things sh0nX like buffer overflows sh0nX intelligent tools that can help us find exploits? fork ok, given we have to live with that whole lot of insecure software, and even that whole lot of years was not enough to fix the tar, there is no hope we get for example xchat straight sh0nX nice! fork or any other new and complex application pflanze It would probably be a good idea to use "sandboxing" for applications like browsers, icq or irc clients. pflanze i.e. running under another user, plus maybe in a chroot. fork how about make that sandboxing simple enough to encourage the usage of them? tarzeau does someone know linux se, err selinux? tarzeau fork: or fast enough fork yes sh0nX with the introduction of LSM to Linux, we can take advantage of Privilage separation. Which can help lower/eliminate exploits even if they are present in code? fork sh0nX: it will not eliminate them. They just will be ineffective in a particalr configuration sh0nX hmm sh0nX it's a start though :-) pflanze Re 'proving code does not have security flaws is an unsolvable problem': It's only unproveable as long as you don't depart from the view that features are more important than correctness. :) pflanze i.e. when you are careful from the beginning (like DJB), it should be possible to write 100% secure software. ijuz what is about scanning the source for calls and create corresponding rules for the sandboxing environment? fork ijuz: isn't the count of possible combinations too impossible to cover? ijuz fork: not for relative small applications, the little daemon has not to unlink files, what was just a silly thought pflanze ijuz: there are scripts that use strace for this (I've begun writing one myself once), but for big apps: when do you know the app has done all actions it will ever do? pflanze (Maybe after some point, an interactive "allow this" and "disallow that" would be possible, à la firewalls known from Mswindows) ijuz pflanze: therefor scanning the source pflanze ah, misread your statement docelic sarnold: secure from start? how about that DARPA-funded openssh audit, did you hear about it ? From what I've seen, the resulting patch was as usual, testing size of some variable on few places... fernand0 Thank you to all for comming, and to Seth Arnold for this interesting talk sarnold docelic: ah, openssl audit, and yeah, it was pretty usual. :) sarnold docelic: it found several errors, which wasn't surprising; i'm surprised it didn't find more. :) Generated by irclog2html.pl 2.1 by Jeff Waugh - find it at freshmeat.net!

`tarzeau`	`and debian? and the hurd?`
`rene`	`and microsoft? :)`
`tarzeau`	`hah :)`
`tarzeau`	`no i meant the hurd has it different`
`tarzeau`	`nothing i could explain with a few sentences on irc here and now, but check #hurd on opn/fn`
`rene`	`fair enough`
`Stingray`	`sarnold: AFAIK microsoft have 50M lines of code, most of it was written in early 90s and never read in past 5 years :) yes they need a whole army of auditors!`
`sarnold`	`Stingray :)`
`fernand0`	`there is another problem: auditing code is not easy`
`jose_n`	`fernand0: sometimes it is enough to simply question a code snippet :)`
`rene`	`embrace and extend also doesn't help... not sticking to proven protocols and continually inventing your own additions (see IE, for example) also means you introduce a lot of bugs`
`fernand0`	`question ?`
`jose_n`	`fernand0: yeah, like saying "hey, this doesn't look right". forces the programmer to look at it again and justify it`
`fernand0`	`ah`
`tarzeau`	`... my boss doesn't see the difference between freeware and free software..`
`fernand0`	`but it'll become af the history of the shepherd and the wolf`
`fernand0`	`;)`
`fernand0`	`some companies act if it were like this even with actual problems`
`rene`	`sarnold: to open-sourec specifically I believe there is also another problem. sometimes when I find a bug, I end up not reporting it, bacause I was fixing it myself (I have the source after all ...) then get to far into that, reqrite loads, get stuck halfway, and drop it`
`rene`	`rewrite`
`docelic`	`There should a lot of effort be put into advising existing/new programmers how to write new code with at least basic security aspects in mind (in addition to just working on fixing bugs someone made who-knows-when in the past).`
`tarzeau`	`rene: to that problem debian has a solution, the bug tracking system`
`tarzeau`	`rene: but that's to debian users/developers only..`
`rene`	`sarnold: good plan, I'll keep that in mind :-)`
`jose_n`	`does sardonix also score vendors? ie "-1: not responsive" or "+5: rapid response, worked closely with community to develop a fix."`
`jose_n`	`docelic: there are various guides, the sardonix.org site has a few listed.`
`docelic`	`ok`
`riel`	`sarnold: one problem I am seeing is that people copy code with security bugs from books and online examples. Do you know of any effort to audit educational material for security bugs ?`
`rene`	`the "copying bugs" problem gets even worse with todays (visual-style) click-em-together programs. people just glue existing stuff together, rather than writing it themselves`
`fork`	`wasn't that Stevens paying for pointing out for errors in his books?`
`fork`	`yes, he was it, sorry`
`fork`	`nevertheless, quiet a grateful move`
`docelic`	`concerning the bugs in online examples and/or books... maybe some people would gather around sardonix to volunteer to audit the code intended for publishing.. so if the original author focuses on functionality, we could add a grain of correctness into it, and prevent mistakes from happening both at the author's and the readers side`
`tarzeau`	`i'd love to read some old mid eighties unix books...`
`docelic`	`hehe definitely ;) sarnold, prepare a list`
`tarzeau`	`sometimes secure programming isn't that important...`
`tarzeau`	`or it's not easy to have the border between secure and buggy`
`tarzeau`	`like games.. i mean`
`tarzeau`	`of course it's important to make sure input data is valid`
`tarzeau`	`and won't cause problems`
`tarzeau`	`but that i'd call defenesive/careful programming`
`docelic`	`well that's exactly the point.. I wouldnt want programmers to become so paranoid they never finish their application because they think about security too much.. but just eliminating bad software practices surely helps along the way`
`docelic`	`hehe sarnold ;-))`
`tarzeau`	`sarnold: very nice saying :)`
`riel`	`sarnold: don't forget about games on multiuser machines, that have a shared highscore file`
`tarzeau`	`i have one too (found on dp.o, debianplanet.org that is) (it's about secure operating systems)`
`tarzeau`	`"secure by default is only good for good press - that way clueless users get<br>'secure' install. It's the admin that makes system secure, not having closed everything<br>in base system - when you install debian and get only kernel+ash, it won't help anyone."`
`Borja`	`I disagree, sarnold ;-)`
`fork`	`i think an example of games is not actually that good. Popular network-capable games (i.e. quake) were leaking in past, and that was really bad and abused`
`Borja`	`Even games must be made secure, if they are intended to be exposed to the Internet.`
`fork`	`oh...`
`tarzeau`	`that bad input is with webservers and cgi a thing i guess...`
`tarzeau`	`well anything that's networked`
`Borja`	`In fact, gaming machines could become an excellent army of zombies for a DoS being easy targets.`
`docelic`	`good point (#linux)`
`tarzeau`	`i find it not critical if software isn't secure which would cause death/harm to human or other lifeforms`
`tarzeau`	`like software in hospitals/devices and airplanes`
`blackkoal`	`define security in application as you understood`
`blackkoal`	`ok thanks`
`tarzeau`	`wasn't debian used in some nasa project, space shuttle projects? well`
`tarzeau`	`i don't know how critical that systems were...`
`sarnold`	`tarzeau: almost certainly only experimental systems :)`
`tarzeau`	`open source is used at some places where you wouldn't expect it`
`tarzeau`	`so sardonix.org is kinda like slashdot.org, advogato.org, freshmeat.net ? where to make an account? what can i do?`
`blackkoal`	`https://sardonix.org/Become_an_Auditor.html`
`Borja`	`Anyway, I don't think auditing is the main point.`
`Borja`	`Software should be stronger by design.`
`rene`	`sarnold: sorry for being clueless, but what is this "karma whore" stuff?`
`blackkoal`	`people who only do anything if the became respect (i think)`
`docelic`	`rene: gaining public recognition ;)`
`Borja`	`Design errors are much more serious, and much more difficult to detect in an audit.`
`rene`	`mmm`
`Borja`	`Yes, it's a great book. Unfortunately few people nowadays has read it :-(`
`Borja`	`And it was written at a time when security was not an important concern`
`tarzeau`	`the goats.cx guy is a karma whore?`
`Borja`	`Yes, that is what I meant. Audits are not effective against "intrinsic" bugs (I prefer to call them design flaws)`
`Borja`	`That's the point! Education.`
`Borja`	`And not thinking of software development as an assembly line, a fashionable concept in software engineering`
`sToneheAd`	`tarzeau, lol`
`rene`	`strlcpy?`
`tarzeau`	`and strfry!`
`sarnold`	`hehe :)`
`Beregorn`	`my favorite one ;)`
`rene`	`sarnold: mmm, not a manpage not glib manual entry for it, so I guess we don't have it on linux? :)`
`rene`	`nor`
`rene`	`glibc`
`sarnold`	`rene: indeed, ulrich (glibc maintainer) isn't interested in having Yet Another String Function. Bummer. But it is small enough that it could be autoconfigured or similar.`
`fernand0`	`there is a nice paper explaining it, iirc`
`rene`	`I see, thanks...`
`blackkoal`	`another question: is there anywhere a website how to write clean code (i mean with clean and good comments, ...? especially how to write comments)`
`fernand0`	`http://www.openbsd.org/papers/strlcpy-paper.ps`
`rene`	`fernand0: thanks`
`tarzeau`	`blackkoal: c language?`
`fernand0`	`it's not long ...`
`MJesus`	`please answerd in #linux`
`tarzeau`	`blackkoal: k&r's is nice and k's practice of programming`
`tarzeau`	`blackkoal: see linuxbrit.co.uk 's recommended books`
`blackkoal`	`c, php`
`blackkoal`	`ok`
`tarzeau`	`omg... don't write c and php on one line`
`blackkoal`	`why?`
`tarzeau`	`www.gnu.org/fun/jokes/declarations.html`
`viZard`	`that was deep`
`blackkoal`	`lol`
`sh0nX`	`hehe`
`sh0nX`	`you can use aliases too to replace functions ;-)`
`sh0nX`	`er to`
`majeu`	`how can one avoid the problems with the LD_PRELOAD, besides compiling statically`
`mcp`	`majeu: using grsecurity features :)`
`majeu`	`i don't use linux`
`mcp`	`ah`
`mcp`	`what then?`
`mcp`	`bsd?`
`mcp`	`sunos?`
`tarzeau`	`hurd?`
`tarzeau`	`openstep?`
`tarzeau`	`dos?`
`majeu`	`I use several bsds`
`sarnold`	`then hopefully whoever provided your system libraries has put effort into cleaning the environment when setuid/setgid applications get executed :)`
`mcp`	`hehe dos ;)`
`docelic`	`tarzeau: all viable options ;-))))`
`tarzeau`	`amigaos i forgot!`
`majeu`	`eros`
`majeu`	`:)`
`sarnold`	`majeu :)`
`mcp`	`majeu: there is a project for openbsd which should avoid this kind of things`
`mcp`	`I wish I remember the name`
`sarnold`	`"stephanie" ?`
`majeu`	`stefanie?`
`sh0nX`	`NEVER compile QT and install it when in KDE;-)`
`majeu`	`I recall that name from somewhere`
`sh0nX`	`heh`
`mcp`	`hmm, no, it was not stefahnie :)`
`mcp`	`mom`
`mcp`	`sarnold: wooohoo`
`sh0nX`	`hmm`
`sh0nX`	`questions`
`sh0nX`	`how much of standard open source utils (like core GNU tools) and such get audited?`
`tarzeau`	`does someone audit nethack too?`
`sh0nX`	`thats pretty bad`
`crispin`	`Steven Christey's list is a richer form of the pathology list that sardonix already has.`
`crispin`	`but there's a defect in the sardonix organization: that list is burried in the audit submission form, and you can't see it until you go to submit an audit.`
`sh0nX`	`I'd like to see an open source auditing group/consortium`
`sh0nX`	`but it takes time/money`
`sh0nX`	`I see.`
`sh0nX`	`how about automated tools that look for things`
`sh0nX`	`like buffer overflows`
`sh0nX`	`intelligent tools that can help us find exploits?`
`fork`	`ok, given we have to live with that whole lot of insecure software, and even that whole lot of years was not enough to fix the tar, there is no hope we get for example xchat straight`
`sh0nX`	`nice!`
`fork`	`or any other new and complex application`
`pflanze`	`It would probably be a good idea to use "sandboxing" for applications like browsers, icq or irc clients.`
`pflanze`	`i.e. running under another user, plus maybe in a chroot.`
`fork`	`how about make that sandboxing simple enough to encourage the usage of them?`
`tarzeau`	`does someone know linux se, err selinux?`
`tarzeau`	`fork: or fast enough`
`fork`	`yes`
`sh0nX`	`with the introduction of LSM to Linux, we can take advantage of Privilage separation. Which can help lower/eliminate exploits even if they are present in code?`
`fork`	`sh0nX: it will not eliminate them. They just will be ineffective in a particalr configuration`
`sh0nX`	`hmm`
`sh0nX`	`it's a start though :-)`
`pflanze`	`Re 'proving code does not have security flaws is an unsolvable problem': It's only unproveable as long as you don't depart from the view that features are more important than correctness. :)`
`pflanze`	`i.e. when you are careful from the beginning (like DJB), it should be possible to write 100% secure software.`
`ijuz`	`what is about scanning the source for calls and create corresponding rules for the sandboxing environment?`
`fork`	`ijuz: isn't the count of possible combinations too impossible to cover?`
`ijuz`	`fork: not for relative small applications, the little daemon has not to unlink files, what was just a silly thought`
`pflanze`	`ijuz: there are scripts that use strace for this (I've begun writing one myself once), but for big apps: when do you know the app has done all actions it will ever do?`
`pflanze`	`(Maybe after some point, an interactive "allow this" and "disallow that" would be possible, à la firewalls known from Mswindows)`
`ijuz`	`pflanze: therefor scanning the source`
`pflanze`	`ah, misread your statement`
`docelic`	`sarnold: secure from start? how about that DARPA-funded openssh audit, did you hear about it ? From what I've seen, the resulting patch was as usual, testing size of some variable on few places...`
`fernand0`	`Thank you to all for comming, and to Seth Arnold for this interesting talk`
`sarnold`	`docelic: ah, openssl audit, and yeah, it was pretty usual. :)`
`sarnold`	`docelic: it found several errors, which wasn't surprising; i'm surprised it didn't find more. :)`