With security the focus of this year's Australian Unix Users Group (AUUG) conference, OpenBSD founder and project lead Theo de Raadt was invited to speak on exploit mitigation techniques. In an exclusive interview with Computerworld's Rodney Gedda, the man behind an operating system that lays claim to only one remote exploit in the default install in seven years, reveals where we are headed - and how far we have to go - in the search for more secure software
What are some of the things that the software industry today is neglecting or ignoring in terms of security and why do we have some many security problems?
Almost all the security problems that happen in software, like probably 95 percent of them, are low-level programmer errors. What happens is people are misusing program functions; they think they know how to use them but they're making very, very dumb errors and very small errors. These are things that we've been getting away with forever. The things that people learn from these things are copied by people reading code. These erroneous paradigms are being copied into newer pieces of code over, and over, and over. So now with the open source community and the close source community, we are faced with, let's say billions of lines of source code, all written by people who have made the same paradigm errors and passed them on to the next program. That's why we have security holes. An attacker is using the unintended side-effect of a bug, and since he understands them, he takes the unintended side-effects and twists them to give him privilege. He gets himself privilege because the machine behaves so regularly.
The attacker is always going to know how to do this. The only way we can solve this is by making the environment harsh or by fixing the bugs. And we know that fixing the bugs is never going to happen when we're talking billions of lines of code. We've been trying for a while to do that. That's why we are having all the security problems.
Why will we continue to have these security problems? There are a bunch of vendors out there that are not paying attention to security technologies, which is helping.
They are not doing the security audits that are required, they're not doing the education, and they are not integrating very simple technologies which effectively stump the attackers' attempts. The attacker still finds a bug and still knows what the side-effects are, but the side-effects are in such a strange environment that the attacker can't gain ground and gain the privileges he wants.
Are the vendors paying attention? No, they're not. That's all the Linuxes, all the commercial Unixes, and Microsoft. Now, there are exceptions. There are vendors who are starting to learn a bit. There are a few Linux variants that have some copycat - that's the wrong word for me to use but I'm going to be honest. We've built so many technologies now that when we see one or two small subsets of it show up we're pretty clear about it - having been doing it for five or six years now - that people have seen what we've done and they do something similar.
In the game of security cat and mouse, is OpenBSD trying to think one or two steps ahead?
We've seen in the wild, people who are not running OpenBSD boxes but are making them look like OpenBSD boxes because it will immediately make an attacker say: 'it's a waste of my time'.
But we are moving into a new world where attackers aren't looking at what they're attacking. Attackers basically troll the entire Internet with a known attack and they come back a week later and see what they've collected. People are trying to break into machines and turn them into zombies and there's an entire industry providing them for spammers, etc. So we're in a different field.
The way I look at security is that my security depends on your security because every single insecure machine on the Internet becomes a machine that can send me spam. These machines can be broken into to do a denial-of-service against me and take down my T1. And in a model like that we have to secure the entire Internet; that's the main target. Perhaps that's a little too visionary.
For example, 65 percent of Cisco's products ships with OpenSSH included. Cisco has its own SSH implementation for some of its IOS routers but as the CPU power of their routers increases it removed its own SSH and put ours on it. And I can't think of a free or commercial Unix that doesn't have it. This is a software monopoly but at least it was written by people who care about security, so it's not like Microsoft's monopoly. The benefit is that over three years we essentially killed Telnet and that's a good thing. It even gets weird, there are now 12 mobile phones available with OpenSSH.
Do you think Microsoft is learning from the open source community?
Unfortunately Microsoft security problems have nothing to do with Unix security problems. Microsoft's security problems have to do with its Web client which probably has 300 to 500 vulnerabilities in it which a firewall will never block as they are all in http, all inside a TCP session and a packet filter does not help you. And when you get to some of the more obscure things like the way it does ActiveX and the way it does cookie handling and the way it does zones. These things are a continual trap for the company and all the security knowledge that is protecting us in the Unix world is useless for it. It is still going to be providing everyone with crap code, so if you're going to keep on providing crap, then the protection technology is going to be their only saving grace, the only thing that is going to help. That's what I think it has to do but I don't think it is really paying attention. For example, its entire NX effort, the reliance on AMD64 PAE NX, is a mockery of what is possible because it is only protecting some parts of the address space so buffer overflows are still possible.
A lot of people compare open source versus closed models of security. What's your opinion on this?
People ask this thing often and they mention source but they don't say which source. Inside the Unix space there are two parts of the operating system, there's the operating system and then there's the stuff you run on it. Well, there isn't really a question anymore of open source versus closed source for the application. Everyone who runs an application is stuck with an open source application or a closed source application.
For the operating system, a proprietary Unix or open Unix, it comes down to craftsmanship and realities on the floor. And I don't think anybody is doing anything better than anybody else. Some of the projects are good in some ways and terrible in other ways. The source code doesn't make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source there is just limited open source.