
Well it's ironic

It's ironic that MoKB have replied to my post about dmg kernel panics by accusing me of not:

reading, checking and…[being] willing to say something that doesn't make sense at all.

They also continue to imply that dmg crashes really are a new discovery. Apparently it’s not enough that I'm a disk utility developer and therefore stand really quite a considerable chance of having seen one. No, it seems that it only happened if I announced it publicly, which I didn’t.

In fact, I reported such a bug to Apple so long ago that it’s now no longer listed in the “My Originated Problems” page on their Bug Reporter. I think I even sent them a dmg file that triggered a kernel panic when it opened, though it’s possible that I just documented the bug in question. The particular bug that I reported was certainly fixed, I know that much.

I also quite enjoy the way that they quote my remark about crashes not necessarily being (or implying the existence of) exploits and use it to imply that I’m some kind of Mac zealot. What they don’t say is that I mentioned that this criticism wasn’t operating system specific. I’m just as unhappy about similar leaps of faith (“Oh, it crashed… well that must be an exploit then!”) on the Windows side.

They then go on to say that “the definition of a 'crash' in kernel-land has quite a few possible meanings”. Ignoring the ungrammatical nature of that sentence, they proceed to conflate types of crash with causes of crashes, then fail to define the term “exploit” in any kind of meaningful way.

But let’s be clear, and let’s define “crash” and “exploit” (something MoKB’s post said it was going to do, then didn’t):

crash: …to break down or cause (a computer system or program) to break down completely…

exploit: vt to gain control of a computer system or program (usually without authorisation) by taking advantage of a flaw in the design of that system or program. — n a tool or technique for gaining control of a computer system or program.

The former definition comes from The Chambers Dictionary. The latter is my own. I haven’t included all the other meanings of the two words, since they aren’t in dispute here. It should be quite clear from the definitions that crashes and exploits are quite distinct things, contrary to what Brian Krebs’ article implies.

Now, it is true that some crashes are indicative of an exploitable bug, and that still others can be misused as part of a deliberate denial of service attack. But a crash is not an exploit. It doesn’t even mean that an exploit is possible! Interestingly, despite disputing this fact when I originally mentioned it, MoKB go on to state it themselves, saying that

Basically exploiting a bug a [sic] in kernel-land requires some conditions to be met:

and then listing a few such conditions (there are more that they don’t mention).

Anyway, MoKB people, please understand that I have a lot of experience with low-level issues. You aren’t going to steamroller your way through me by claiming that I’m just some random Mac blogger (which isn’t true) or that I “don’t understand”. I do understand; I used to work as an embedded systems developer and even before that I was patching bugs in software I owned, breaking into computer games so I could cheat, re-writing bits of my machine’s operating system so they worked better, etc… These days, I write disk utilities, though I still tinker with other things.

Trying to mischaracterise me as someone who “doesn’t know what they’re talking about” because I happen not to agree with you is just a very good way to make yourselves look foolish. But go right ahead, if you’re determined.

Comments

Do you have any other point to make besides "crashes aren't exploits"? Because security people, by and large, have learned the hard way that that's the wrong way to think; the history of memory corruption vulnerabilities since 1995 is of continuously weaponizing problems that weren't believed exploitable before that.

Who are you trying to convince? It sounds like you're writing for the Mac audience, not the security audience, so why even bother talking about "low-level details"?

You’re quite right, the primary issue that I’m talking about here is really that crashes and exploits are not one and the same thing. There’s quite a gulf between finding something that can crash a piece of software and actually exploiting it for nefarious purposes. I needn’t tell you that, of course (and my only criticism of Matasano in my original post was that your article made it easy to come away thinking that other systems—besides Mac OS X—weren’t vulnerable to this kind of thing, which isn’t really true).

Certainly I can believe that bugs that some people thought weren’t exploitable turned out to be, but I don’t think that means that all crashes should be immediately hailed as exploits, which is what is currently happening with bugs discovered on Mac OS X (and it’s specifically what Brian Krebs did in this case). I even saw someone characterise the kernel panic as a “denial of service” attack! Of course, that’s nonsense because a denial of service has to continue without the user’s permission, whereas a kernel panic won’t happen in this instance unless the user mounts the dmg again.

What I’d really like to see is accurate writing from the security community (journalists in particular). Particularly with Mac OS X, there appears to be a tendency to blow things out of proportion; for instance, proof-of-concept malware on OS X seems to receive at least as much attention (probably more attention, in fact) as actual malware on Windows. Equally there are some security software vendors who have a nasty tendency to exaggerate threats on the platforms they serve (Windows and Mac alike), as if it’s really some sort of marketing exercise. Scaremongering to sell anti-virus software, for instance, is simply unacceptable, IMO.

As for why I bother to talk about low-level details, well the reason for that is that both MoKB and a previous poster on my site decided to write replies on the basis that I was a “Space Cowboy” or a “Blogger that doesn't have a clue”. I’m certainly not trying to write for the security community (indeed, I’m much more interested in explaining my perspective to less technically minded folk), but on the other hand I’m hardly going to sit back and put up with remarks like that.

As someone that enjoys well-thought-out technical writings (in computer science and science in general), I've enjoyed yours on this topic and share an opinion that parallels your assertion about some of the knee-jerk reactions by security investigators (or perhaps their reporters or marketing departments).
