Stories
Slash Boxes
Comments

SoylentNews is people

posted by takyon on Tuesday December 12 2017, @03:51AM   Printer-friendly
from the fuzzy-illogic dept.

Submitted via IRC for SoyCow8317

Research presented this week at the Black Hat Europe 2017 security conference has revealed that several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks.

The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi. The expert says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

[...] The researcher released XDiFF as an open source project on GitHub. A more detailed presentation of the testing procedure and all the vulnerabilities is available in Arnaboldi's research paper named "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing."

Source: https://www.bleepingcomputer.com/news/security/secure-apps-exposed-to-hacking-via-flaws-in-underlying-programming-languages/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by The Mighty Buzzard on Tuesday December 12 2017, @04:24PM (7 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday December 12 2017, @04:24PM (#608768) Homepage Journal

    I didn't say blindly trust. I'd expect any code additions to anything but a single-coder project to be reviewed before being merged.

    --
    My rights don't end where your fear begins.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by Arik on Tuesday December 12 2017, @04:53PM (6 children)

    by Arik (4543) on Tuesday December 12 2017, @04:53PM (#608786) Journal
    "I didn't say blindly trust."

    Didn't say you did. You said:

    "a lot of these bugs would require you have write access to the source of the script to be run to cause any problems. "

    And that's true enough in a literal sense, of course, but the 'tone' seems a bit dismissive. Oh, it would require write access, that means it's not really a problem, well no, if you want any chance of producing secure programs you need to jettison that thought, it won't do you any good.

    "I'd expect any code additions to anything but a single-coder project to be reviewed before being merged."

    1) Reviews are not magical. The more that needs to be reviewed the less intensive the attention. Not all reviewers are equal and even the best can miss things. And deceivers have plenty of tools in their bag as well.
    2) Even if reviews *were* magical, there are still many possible ways to bypass them.

    Many many highly intelligent humans have been working for many many years on making computers *do stuff.* A far smaller number focus on making them *not do stuff.* Security is about the latter, not the former. Security is swimming against the stream, a half-hearted effort is effectively a total failure.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by The Mighty Buzzard on Tuesday December 12 2017, @06:05PM (5 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday December 12 2017, @06:05PM (#608827) Homepage Journal

      ...a half-hearted effort is effectively a total failure.

      And yet, that's the best you can do if you ever want to ship anything. A full on effort would require a minimum of a formal proof for every last line of code in your code base, the operating system if there is one, the compiler/interpreter you're using, and any third party libraries you use. Even then you're trusting the ability and integrity of the authority certifying the proof.

      At the end of the day, people in the real world try to learn as much as they can, keep up to date on new developments, do the best they know how, and make sure someone with a similar approach is double checking them. "Perfect" isn't just the enemy of "good", it's also the enemy of "ever ready".

      --
      My rights don't end where your fear begins.
      • (Score: 2) by Arik on Tuesday December 12 2017, @07:16PM (4 children)

        by Arik (4543) on Tuesday December 12 2017, @07:16PM (#608870) Journal
        "And yet, that's the best you can do if you ever want to ship anything."

        Yes, exactly, that is the commercial reality which has lead inexorably to our current swampland of widely distributed and fundamentally insecurable systems.

        The question is, how to get from here to anywhere else?

        "A full on effort would require a minimum of a formal proof for every last line of code in your code base, the operating system if there is one, the compiler/interpreter you're using, and any third party libraries you use."

        That should be the goal of any system that aspires to be secure.

        "Even then you're trusting the ability and integrity of the authority certifying the proof."

        Yes, nothing is perfect, but open review is the best review, multiple reviewers help, and these are minimum conditions.

        ""Perfect" isn't just the enemy of "good", it's also the enemy of "ever ready"."

        See, this is one thing we disagree on. Perfection alone does not condemn a project to never ready.

        Perfection *plus* a constantly expanding feature-list? Well yes, that will never, ever be ready. Modular design is key. Bootloader, kernel, dæmones, shell, userspace; subdivided again and again. Not divided to make things more complicated! Divided to make things more simple. Once this is done and out of the way then you can concentrate on the specific problems your program needs to solve and ignore the rest. Until this is done you cannot - we cannot - take any of it for granted.

        We create logical walls to make sure that unexpected things do not happen, and thereby ensure the expected, and desired, operation of each individual system as well as the system as a whole. And also so that it doesn't all have to be done at once, of course, or even ever. IF you had an actual mathematically proven system up to the point of the VM THEN you would actually be living in a reality where it might be sane to trust the VM enough to run arbitrary code in it a la ecma, java, flash, etc. When you go to build a three story house you don't start with a bunch of mud and driftwood for the first level and figure you'll make up for it by using steel and concrete up top.

        But anyway this is not impossible in any physical or mathematical sense it just takes more time and care. As a species we've been programming electronic computers for nearly a hundred years now we've had plenty of time to build a secure base system from the ground up and have it reviewed and tested thoroughly, if *anyone* had seen an interest in putting a moderate amount of funding into it. Instead the closest thing we have is OBSD, built mostly by volunteers in their free time, and with virtually no traction because of being systematically excluded from hardware. And speaking of hardware, ALL of this presumes old-school hardware. "Management Engine" and insecure microcode implementations are fundamental problems.

        Clearly there are other forces at work against perfection than merely it's own intrinsic difficulty. Again, take note, it's not that many people are aiming for it and fail. It is that an entire generation has been conditioned to believe it's impossible! Hence virtually no one even tries or notices. ¿Qui buono?

        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by The Mighty Buzzard on Tuesday December 12 2017, @11:41PM (3 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday December 12 2017, @11:41PM (#609014) Homepage Journal

          Clearly there are other forces at work against perfection than merely it's own intrinsic difficultypractical impossibility.

          FTFY. Looking for perfection will have you producing nothing. Getting "hello world" out the door in assembly without an OS wouldn't even be viable because you can't trust the silicon it runs on unless you created the chip using the same perfect security standard.

          Looking for "better without becoming a massive time sink" is what you want to be doing as a base. If your particular situation calls for more than that, do more than that.

          --
          My rights don't end where your fear begins.
          • (Score: 2) by Arik on Wednesday December 13 2017, @12:24AM (2 children)

            by Arik (4543) on Wednesday December 13 2017, @12:24AM (#609023) Journal
            That's a view that makes perfect sense - if you have a very narrow field of vision.

            But if you zoom back out to the macro scope, it's a disaster in progress.
            --
            If laughter is the best medicine, who are the best doctors?
            • (Score: 2) by The Mighty Buzzard on Wednesday December 13 2017, @02:54AM (1 child)

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday December 13 2017, @02:54AM (#609061) Homepage Journal

              I'm not by any stretch saying not to keep on top of things as best you're able and write secure code to the best of your ability. That's one of the programming givens for me. Spending months or years making double-super-certain that under no circumstances can your program ever fail in an unfortunate way is not helpful to anyone though unless you work in a national security capacity.

              --
              My rights don't end where your fear begins.
              • (Score: 2) by Arik on Wednesday December 13 2017, @03:55AM

                by Arik (4543) on Wednesday December 13 2017, @03:55AM (#609076) Journal
                "I'm not by any stretch saying not to keep on top of things as best you're able and write secure code to the best of your ability. That's one of the programming givens for me."

                That's great and I think you are misunderstanding me a little.

                I'm not criticizing your personal practices, which I am sure are better than industry standard and nothing to be ashamed about.

                I'm talking about the broader eco-system. You're working inside a system where you have no choice but to rely on the foundations that others built. And it's not your fault that those foundations were not built to be reliable.

                But it still might concern you.
                --
                If laughter is the best medicine, who are the best doctors?