Saturday, September 27, 2014

A slightly different view on the Shellshocked BASH bug

Before I joined Sun, I was a BASH user (think mid-90s). Moving to the commercial environment, I found myself on systems without BASH, so it was just easier to train my mind to use ksh.

Now in my book, if a bug can lie undiscovered for 25 years (we could look at the mercurial log, I guess, to see the change history to this bug, but it's been there a long time), then that is a good advert for the quality of the code in question. It's a super edge case. Clearly, if it gets 10 out of 10 on the scale of vulnerabilities it's an important one, but that's more down to the ubiquity of BASH as a medium to spawn processes, in CGI and DHCP servers for example, than to the seriousness of the bug itself.

What is reported of what Mr Dyhouse said is disappointing:

That such key parts of everyday technology are maintained in this way is a cause for concern, said Tony Dyhouse from the UK's Trustworthy Software Initiative.
"To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up," he said.
"This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.
"Ultimately, this is a lifecycle problem. It's here because people are making mistakes whilst writing code and making further mistakes when patching the original problems."

If we all did what Mr Dyhouse suggests, the process of rewriting seriously complex systems (and BASH is one) from scratch would introduce orders of magnitude more security, functionality and reliability issues, for code that would never ship. Time for a look at the bigger picture.

Maybe this was misreported, or maybe Mr Dyhouse has not worked on large complex software systems; either could be true. When did you write some code that someone else relies on, Tony?

There are 2 important aspects to this:

  1. Finding bugs and then fixing them is part of the engineering lifecycle of software systems; it is symptomatic of software being hard and complex.
  2. If a bug in shell pattern matching has such widespread consequences, then there is an architectural problem.

There is also no doubt a promotion aspect to this, with lots of people stepping up to present themselves as today's informed pundit.

The real question, and the only one that matters unless we are going to stop using computers until a major rearchitecture effort is completed, is ...

where is the next security bug, and the next, and the next ........
