Recently Blog Entries
- Why Your Kanban Workflow Should Be More Than “In Progress”
- Two Questions to Help You Understand if You’re Doing Kanban
- Spike Abuse
- My Latest Article on Agile and Security
- Essentials of the Scaled Agile Framework
- A Possible Solution to the Issue of Test Data
- Project Sauron: A Long-lived, Stealthy and Likely State-sponsored Malware
- CCTV cameras used in massive botnet
- Sprint Planning: The Case for Finishing What You Start
- Scrum Retrospectives: Start, Stop… Continue? One of these things is not like the others…
Subscribe
RSS
Categories
Polls
Loading ...
Archives
- May 2017
- April 2017
- September 2016
- August 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- October 2015
- September 2015
- July 2014
- January 2014
- March 2013
- February 2013
- January 2013
- December 2012
- July 2012
- May 2012
- April 2012
- January 2012
- November 2011
- October 2011
- September 2011
- August 2011
- April 2011
- October 2010
- August 2010
- July 2010
- June 2010
- May 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- December 2008
- November 2008
- September 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
Admin
Search
Feb
12
Slashdot is running this article on a flaw found in OpenBSD’s implementation of their pseudorandom number generator (PNRG). This number generator is used by the implementation of a number of network services on OpenBSD, and from there its found its way into a number of other *NIX implementations, including Darwin/MacOS X, FreeBSD, and NetBSD. Most of the implementations other than OpenBSD have committed to fix this bug, although Apple isn’t committing to when. Knowing what “random” number is going to come up next permits some exotic exploits that allow an attacker to compromise security. The question at hand isn’t whether this fault exists, it’s how important is it.
OpenBSD’s maintainers have decided that the bug is academic, and doesn’t represent a real enough threat to fix. This puts the debate squarely into interesting territory for me. I’m a pragmatist, and I think that the development activities you perform (and this includes fixing a bug) have to be related to their real value. I classify a bug in the category of “risk”, which means I use a two-part formula to determine how important it is to address.
Although many professionals don’t realize it, risks (and this includes bugs) have two dimensions, severity and probability. Probability is frequently given short shrift, and the focus is all on it’s more glamorous relative, severity. Priority is however a factor of these two dimensions.
For example of this principle in action, we need look no further than the example at hand: the PNRG generator in OpenBSD. The argument made by the maintainers is that the probability is low enough that regardless of how severe the consequences of the exploit, the chances that it will or can be exploited are low enough that the overall priority is low. This is a questionable assumption with an open source project such as OpenBSD, and with the amount of attention that this particular bug can get.
Developers, and their subspecies crackers, are a somewhat arrogant lot (and I include myself in that bucket, before anyone gets upset). If you tell us that we can’t do something, that usually is just blood in the water. Knowing that this exploit exists, even if we have to work really hard to get to it, well, we’ll try to figure out a way anyway. This adds to the probability, simply because there are so many of us out there. Additionally, the knowledge of this weakness is easily obtained, which also lowers the barrier to entry, again increasing the probability.
There’s always the possibility that someone else will fix the problem and contribute it to the OpenBSD community, since this is open source, but if the maintainers refuse to integrate a contributed fix, that could result in a fracture of the code base, and that isn’t good for anyone.
Time is the only way that we will tell whether the OpenBSD maintainers are correct in their assessment of the probability, and thus the risk involved with this PNRG bug. If proof-of-concept or actual exploits appear for this in the wild, then the maintainers may have little choice except to integrate a fix, or to suffer people moving to other BSD variants that don’t have the same flaw.
Comments
3 Comments »
Blogroll
- Ars Technica
- Dark Reading - IT Security
- Help Net Security
- InformIT
- SANS Internet Storm Center
- Schneier on Security - Dr. Bruce Schieier’s blog
- Security Info Watch
- What to Fix - Daniel Markham, fellow consultant
- Wired Gadget Lab
- Wordpress Documentation
- WordPress Planet
- Wordpress Support Forum
[…] When Should You Fix a Bug? […]
The question that comes to mind, then, is how does one magic up a better PRNG that’s usable, particularly for OpenBSD’s license policies. None of the articles I’m reading about this really cover whether this applies to more than just a stock i386 install; a rather large number of hardware random number generators are supported transparently, and no mention if the presence of such a device changes the cache-poisoning risk.
Randomness in computers is hard, I admit. I know that Linux implementations have a pair of pseudo-device that accumulates randomness “from device drivers and and other sources into an entropy pool” from which you can then draw random numbers. One of those devices blocks until it has enough randomness to satisfy your request, the other just returns as much as it has.
If you’re interested in true randomness without access to cosmic background noise, say with commodity hardware, try this: using a webcam with it’s lens cap on, and using the noise from the CCD as a random number source: LavaRnd