Insecurity blues: What I learned from my buggy code

Filed under
Software

It hasn't been a good month for my code. Samba, the project I'm responsible for, has had to announce several security flaws. Unfortunately some of them were in code I wrote. I always do a large amount of soul-searching whenever that happens. There's nothing worse than finding out something you were responsible for is the cause of many thousands of people having to waste their time rolling out patches. It always makes me wonder if the time has come to give up this programming lark and end my days peacefully in management, messing up other people's code instead of creating my own.

It's very educational, however, to look at the causes of the flaws, and try and learn what we can from the bugs and also our reactions to them. Samba is an old program. The initial code was originally written 15 years ago. At that time, modern security problems such as integer wrap (where adding two numbers together can end up with a number smaller than both of them, due to the fixed sizes of integers that processors deal with), or heap overflow vulnerabilities (where overwriting unallocated memory on the program heap can allow a clever attacker to seize control of a program) were unheard of. We knew about buffer overruns (where reading more data into a buffer than was originally allocated for it can cause a security breach) and denial of service attacks, but 1992 was a simpler, less hostile time for network software development. Most initial deployments of Samba were on networks isolated from the main Internet, by technically advanced administrators who knew how to download the source code from the Internet.

More here
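The integer-wrap pattern the excerpt describes, as an added example that is not Samba's code and not from the quoted article: a hypothetical length-prefixed record parser (4-byte little-endian length, then payload, copied into a fixed 256-byte buffer; all of that is an assumption made for the example) with the wrapping length check beside a corrected one. The sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption for this example, not Samba's):
 * a 4-byte little-endian payload length followed by the payload.  The parser
 * copies header + payload into a fixed 256-byte scratch buffer. */
#define HDR_LEN 4u
#define SCRATCH 256u

typedef struct {
    int      accepted;       /* 1 if the length check passed */
    uint32_t bytes_to_copy;  /* payload bytes a later copy would be told to write */
} parse_result;

static uint8_t scratch[SCRATCH];

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: len + HDR_LEN is computed in a fixed-width uint32_t.  For
 * len = 0xFFFFFFFE the sum wraps to 2, "total <= SCRATCH" passes, and a
 * later copy of len bytes would run far past the 256-byte buffer. */
parse_result parse_vulnerable(const uint8_t *msg, size_t msg_len)
{
    parse_result r = { 0, 0 };
    if (msg_len < HDR_LEN)
        return r;
    uint32_t len   = read_le32(msg);
    uint32_t total = len + HDR_LEN;      /* unsigned addition: wraps silently */
    if (total <= SCRATCH) {
        r.accepted      = 1;
        r.bytes_to_copy = len;           /* the copy uses the un-wrapped value */
    }
    return r;
}

/* Hardened: check that the addition is representable before doing it,
 * then check the result against the buffer, then check that the declared
 * length is backed by bytes actually received. */
parse_result parse_hardened(const uint8_t *msg, size_t msg_len)
{
    parse_result r = { 0, 0 };
    if (msg_len < HDR_LEN)
        return r;
    uint32_t len = read_le32(msg);
    if (len > UINT32_MAX - HDR_LEN)      /* len + HDR_LEN would wrap */
        return r;
    if (len + HDR_LEN > SCRATCH)         /* does not fit in the buffer */
        return r;
    if (len > msg_len - HDR_LEN)         /* claims more than was received */
        return r;
    r.accepted      = 1;
    r.bytes_to_copy = len;
    return r;
}

/* The data path behind the hardened check: copy header + payload into the
 * scratch buffer and return the number of bytes written (0 on rejection). */
size_t copy_hardened(const uint8_t *msg, size_t msg_len)
{
    parse_result r = parse_hardened(msg, msg_len);
    if (!r.accepted)
        return 0;
    memcpy(scratch, msg, HDR_LEN + r.bytes_to_copy);
    return HDR_LEN + r.bytes_to_copy;
}

/* Constructed sample messages: a benign 5-byte payload, and a hostile header
 * that claims 0xFFFFFFFE payload bytes so that len + 4 wraps to 2. */
static const uint8_t sample_good[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_evil[] = { 0xFE, 0xFF, 0xFF, 0xFF };

int main(void)
{
    parse_result v = parse_vulnerable(sample_evil, sizeof sample_evil);
    parse_result h = parse_hardened(sample_evil, sizeof sample_evil);
    printf("vulnerable: accepted=%d bytes_to_copy=%u\n", v.accepted, v.bytes_to_copy);
    printf("hardened:   accepted=%d\n", h.accepted);
    printf("good message copied: %zu bytes\n",
           copy_hardened(sample_good, sizeof sample_good));
    return 0;
}
```

The hardened version never lets the sum be formed until it is known to fit in the type; on GCC and Clang the same test can be written as `__builtin_add_overflow(len, HDR_LEN, &total)`. The third check matters separately: a length that fits the buffer but exceeds the bytes actually received turns the copy into an over-read of whatever follows the message in memory.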

More in Tux Machines

Open source SDR SBC runs Snappy Ubuntu on Cyclone V

The open source, $299 “LimeSDR” board runs Snappy Ubuntu Core on a Cyclone V, and supports user-defined radios ranging from ZigBee to LTE. UK-based Lime Microsystems, which develops field programmable RF (FPRF) transceivers for wireless broadband systems, has launched an open source software defined radio (SDR) board on CrowdSupply. Like other Linux-based SDR systems we’ve seen, the LimeSDR uses an FPGA to help orchestrate wireless communications that can be tuned, manipulated, and reconfigured to different wireless standards via software. Read more

Critical Infrastructure Goes Open Source

The electrical grid, water, roads and bridges—the infrastructure we take for granted—is seldom noticed until it's unavailable. The burgeoning open source software movement is taking steps to help rebuild crumbling U.S. civil infrastructure while capitalizing on expansion in emerging markets by providing software building blocks to help develop interoperable and secure transportation, electric power, oil and gas as well as the healthcare infrastructure. Under a program launched in April called the Civil Infrastructure Platform, the Linux Foundation said the initiative would provide "an open source base layer of industrial grade software to enable the use and implementation of software building blocks for civil infrastructure." Read more

Where have all the MacBooks gone at Linux conferences?

In past years, the vast ocean of Apple logos really undercut any statement of “Linux is great.” People would, inevitably, retort with, “Then why are all the 'Linux People' using Macs?” Admittedly, that was a great point and has been a source of shame for many of us for a very long time. But now things are different. The Apple logos are (mostly) gone from Linux conferences. This may be an unscientific observation from one person attending a few conferences in North America. Regardless, it's a great feeling. Read more

Leftovers: Ubuntu

  • Ubuntu 16.04 to-do list
    Ubuntu 16.04, or Xenial Xerus, the latest upgrade of the popular Linux distribution, became available as a free download last month, and early reviews have been favorable. Instead of upgrading my existing Ubuntu 15.10 system, this time I opted for a fresh install. I also decided to give the improved Unity 7 desktop a go, instead of installing my preferred alternative XFCE. The installation process was trouble-free, but because I started from scratch, I had quite a bit to add and tweak after the OS itself was installed.
  • Ubuntu Founder Pledges No Back Doors in Linux
    VIDEO: Mark Shuttleworth, founder of Canonical and Ubuntu, discusses what might be coming in Ubuntu 16.10 later this year and why security is something he will never compromise. Ubuntu developers are gathering this week for the Ubuntu Online Summit (UOS), which runs from May 3-5, to discuss development plans for the upcoming Ubuntu 16.10 Linux distribution release, code-named "Yakkety Yak."
  • Ubuntu & Other Ubuntu Spins Look At Making Room To Grow
    With Ubuntu's install images continuing to be oversized, pushing 1.4GB on recent releases, Ubuntu developer Steve Langasek has raised the limit for Ubuntu desktop images to 2GB. Other Ubuntu flavors are also following this move. The new 2GB limit accommodates the current oversized images while still leaving room to grow.
  • Ubuntu’s Snap packages aren’t yet as secure as Canonical’s marketing claims
    Canonical has been talking up Snaps, a new type of package format featured in Ubuntu 16.04 LTS. “Users can install a snap without having to worry whether it will have an impact on their other apps or their system,” reads Canonical’s announcement. But this isn’t true, as prominent free software developer Matthew Garrett recently pointed out.