
ITP Techblog

Brought to you by IT Professionals NZ

Proper Branding for 'Weird Machines'

Graeme Neilson, Aura Security. 13 October 2014, 11:54 am

It seems that 2014 is turning out to be a violent year for security, at least going by the names of the Heartbleed and Shellshock vulnerabilities.

I remember a gentler time of viral attacks quaintly dubbed Melissa, ILOVEYOU, Stoned, Kama Sutra and Michelangelo. It was a time when only malware merited christening, while vulnerabilities had to go by their drier CVE designations.

It's a different world today. Malware producers don't care about fame—they want money. Today, vulnerabilities have names, which is useful for the researchers who want to sound the alarm. If you want to clue in the world to a vulnerability, it's helpful to give it a cool name.

So I have a request to all the security researchers out there. If you have the chance to name a vulnerability, why not take the opportunity to use it to the best effect possible? Rather than invoking pain and violence, maybe pick a name that makes people think about how and why these vulnerabilities occur. Shellshock is a bug in the way bash parses function definitions handed to it through environment variables: an attacker who can get a crafted value into the environment of a new bash process (for example through an HTTP header that a CGI web server copies into the environment before invoking a script) can append commands after the function body, and an unpatched bash executes them as it starts. Maybe Shellshock should have had an environmentally friendly name. The broader environment must always be included when considering the security of any system. Shellshock is a reminder that security vulnerabilities and attackers do not respect application boundaries, test scopes or other arbitrary divisions in logical systems. It is at the interfaces, the boundaries and in particular parsers that the vulnerabilities lie.

These vulnerabilities expose what Sergey Bratus would call "weird machines": latent computation in your program that lies dormant until some specifically crafted input enters the system and causes your code to execute in a completely unexpected and undesirable manner. Sergey also points out that once your input language, and hence the parser (program) that accepts it, reaches a certain expressive power, questions about what that parser will do on arbitrary input become undecidable, in the same way the Halting Problem is. Simplified, this means it is mathematically provable that you cannot fully test the parser: there is no general procedure to confirm that it accepts exactly the inputs you intended and nothing else. Therefore, there will be unknown bugs in your parser. Some of these bugs will be related to security. Someone will find these bugs. This is why there are so many security vulnerabilities and why we will keep finding security vulnerabilities. So, we should not have been shocked by "Shellshock". It was inevitable.

Sergey is trying to promote a solution to this endemic problem through LANGSEC, a language-theoretic approach to trustworthy protocols and systems: write down the inputs you are prepared to accept as a formal grammar of the least expressive class that will do the job (regular or deterministic context-free where possible), and fully recognise input against that grammar before any other processing touches it. As systems increase in complexity and interconnectedness, the scope for untrusted input from the wider environment being used in an unsafe manner will become all the greater. Consider the "Internet of Things" (wearables, smart cars, smartphones, home automation, smart medical implants) and the numerous interfaces and data sharing that will be enabled. Already researchers have discovered many critical vulnerabilities in devices that will soon live in the IoT. Once computing is ubiquitous, everything is a site of computation and 'everyware' is networked, what will the impact of a vulnerability like Shellshock be? When we pass unfiltered input from an interface into the IoT, what will happen? If we don't listen to Sergey, once the Internet of Things is a reality someone will find the GaiaShock vulnerability. I just hope my future car and pacemaker are not vulnerable.
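As an added example (not the author's code, and not from Aura Security or the LANGSEC project), the script below puts the two halves of the argument side by side: the environment-variable boundary that Shellshock crossed, and a LANGSEC-style recogniser standing in front of that boundary. The first function is the public probe from the 2014 disclosure, which makes an unpatched bash execute a command appended after an exported function body. The remaining functions model a CGI gateway that copies a request header into the environment; the header name `HTTP_X_ORDER_ID` and its grammar (two capital letters, a dash, four to eight digits) are assumptions chosen for illustration. Inputs are constructed inline.

```shell
#!/bin/sh
# Added example for this post (not the author's code).

# Bash imports functions from the environment: a variable whose value begins
# with "() {" is parsed as a function body. Unpatched bash (CVE-2014-6271)
# kept parsing past the closing "}" and executed whatever followed. This is
# the public probe from the 2014 disclosure. Returns 0 if the trailing
# command ran (vulnerable), 1 if only the intended command ran, 2 if there is
# no bash to test.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;   # trailing code was executed
        *)            return 1 ;;   # parser stopped at the function body
    esac
}

# LANGSEC step one: write down the language you intend to accept. The
# (hypothetical) order-id header is two capital letters, a dash and four to
# eight digits, and nothing else. That is a regular language, so an anchored
# regular expression is a complete recogniser for it.
ORDER_ID_GRAMMAR='^[A-Z]{2}-[0-9]{4,8}$'

# Returns 0 only if the whole value is a word of the grammar.
is_valid_order_id() {
    # grep works line by line, so a value with an embedded newline could
    # pass on its first line and smuggle a payload on the second. Reject
    # anything containing a newline before the grammar check.
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -Eq "$ORDER_ID_GRAMMAR"
}

# What a CGI gateway does at the boundary: copy a request header into the
# environment and start a shell handler. With recognition first, a
# Shellshock payload never reaches the shell's parser at all. Returns 0 if
# the request was handled, 1 if the header was rejected.
serve_request() {
    is_valid_order_id "$1" || return 1
    HTTP_X_ORDER_ID=$1 sh -c 'printf "handling order %s\n" "$HTTP_X_ORDER_ID"' >/dev/null
}

# Demonstration on constructed inputs when run directly.
if shellshock_probe; then
    echo "bash: vulnerable to CVE-2014-6271"
else
    echo "bash: not vulnerable (or not installed)"
fi
two_line=$(printf 'NZ-1234\n() { :;}; echo pwned')
for hdr in 'NZ-12345' '() { :;}; echo pwned' "$two_line"; do
    if serve_request "$hdr"; then
        echo "accepted: $hdr"
    else
        echo "rejected: $hdr"
    fi
done
```

The recogniser is deliberately the dullest possible piece of code: a whole-string match against a declared grammar, with the one edge case (embedded newlines) that a line-oriented tool would otherwise let through. That is the LANGSEC point. The parser you can reason about is the one that accepts exactly the language you wrote down; the parser you cannot test exhaustively is the shell that Shellshock found on the other side of the boundary.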


