Tuesday, April 8, 2014

The Internet Will Never Be Secure, Ever

Because it's written in C.

To quote yaakov34 on Hacker News:

There was a discussion here a few years ago about memory vulnerabilities in C. Some people tried to argue back then that various protections offered by modern OSs and runtimes, such as address space randomization, and the availability of tools like Valgrind for finding memory access bugs, mitigates this...

My opinion, then and now, is that C and other languages without memory checks are unsuitable for writing secure code...

This vulnerability is the result of yet another missing bound check. It wasn't discovered by Valgrind or some such tool, since it is not normally triggered - it needs to be triggered maliciously or by a testing protocol which is smart enough to look for it (a very difficult thing to do, as I explained on the original thread).

The fact is that no programmer is good enough to write code which is free from such vulnerabilities. Programmers are, after all, trained and skilled in following the logic of their program. But in languages without bounds checks, that logic can fall away as the computer starts reading or executing raw memory, which is no longer connected to specific variables or lines of code in your program. All non-bounds-checked languages expose multiple levels of the computer to the program...

We can't end all bugs in software, but we can plug this seemingly endless source of bugs which has been affecting the Internet since the Morris worm. It has now cost us a two-year window in which 70% of our internet traffic was potentially exposed. It will cost us more before we manage to end it.


To clarify, if you're not familiar with C, you might not realize that it basically makes all of a program's memory available to any code in that program at any time. It's kind of a counter-intuitive design choice.
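The kind of missing bounds check the quoted comment describes, next to its fix, as an added example (not code from OpenSSL or from the original post). The record layout, `struct heap`, the function names and the `PRIVATE-KEY` value are all constructed for illustration; the "heap" is a single array so the over-read stays deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET "PRIVATE-KEY"          /* constructed value, 11 bytes */

/* Constructed stand-in for process memory: a received record followed
   directly by unrelated secret data. Record = [claimed length][payload]. */
struct heap {
    uint8_t bytes[257];               /* large enough for any 1-byte length */
    size_t  record_len;               /* bytes the peer actually sent */
};

typedef size_t (*echo_fn)(const struct heap *, uint8_t *out);

/* Missing bounds check: copies as many bytes as the peer claimed to send. */
static size_t echo_unchecked(const struct heap *h, uint8_t *out) {
    size_t claimed = h->bytes[0];
    memcpy(out, h->bytes + 1, claimed);
    return claimed;
}

/* Hardened: the claimed length must fit inside the record that arrived. */
static size_t echo_checked(const struct heap *h, uint8_t *out) {
    if (h->record_len < 1) return 0;
    size_t claimed = h->bytes[0];
    if (claimed > h->record_len - 1) return 0;   /* discard, send nothing */
    memcpy(out, h->bytes + 1, claimed);
    return claimed;
}

/* Receive a 4-byte "ping" payload with the given claimed length, run one
   handler, and return how many bytes of SECRET ended up in the reply. */
static size_t secret_bytes_in_reply(uint8_t claimed, echo_fn handler) {
    struct heap h = { .bytes = {0}, .record_len = 5 };
    uint8_t out[255];
    size_t leaked = 0, slen = strlen(SECRET);
    h.bytes[0] = claimed;
    memcpy(h.bytes + 1, "ping", 4);
    memcpy(h.bytes + 5, SECRET, slen);           /* neighbour of the record */
    size_t n = handler(&h, out);
    while (4 + leaked < n && leaked < slen && out[4 + leaked] == (uint8_t)SECRET[leaked])
        leaked++;
    return leaked;
}

int main(void) {
    printf("honest length, unchecked: %zu secret bytes\n", secret_bytes_in_reply(4, echo_unchecked));
    printf("lying length,  unchecked: %zu secret bytes\n", secret_bytes_in_reply(15, echo_unchecked));
    printf("lying length,  checked:   %zu secret bytes\n", secret_bytes_in_reply(15, echo_checked));
    return 0;
}
```

With an honest length both handlers behave identically, which is why ordinary testing does not trip over the unchecked one.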



So the comment is saying the problem with Internet security is that the entire Internet, and the entirety of every Unix-style operating system, is based on the foundation of a programming language which allows you to read arbitrary data out of memory.

This is indeed a very big problem. If you want security, you probably don't want an entire online economy built on C.

The only thing I don't like about the comment is the last few sentences:

we can plug this seemingly endless source of bugs which has been affecting the Internet since the Morris worm. It has now cost us a two-year window in which 70% of our internet traffic was potentially exposed. It will cost us more before we manage to end it.

Can we, really? How? Who the fuck is going to pay for that?

Here's what we would have to do first: rewrite every Unix-style operating system from the ground up in a new language. And that's the easy part. Afterwards, we would have to make this new operating system, or group of operating systems, so easy to use and install that everybody who already has stuff installed and running out there in the big wide Web would find it cost-effective to start over with a new operating system. We would then have to repeat the process for every programming language written in C.

What are the fucking odds? We live in a world where COBOL and Fortran became hot languages in 1999 because of the Y2K bug.

It's theoretically possible that a really, really savvy government could fund such a project, but that's not the world we live in. This is the government we actually have:



Unixes are old, and deep, and complicated. It is much easier to understand Unix (and friends) through the lens of an archaeological dig than it is to build a mental model of it as a coherent, well-designed piece of engineering. It has layers and layers and layers of systems which all interact successfully, without being designed to be aware of each other in any sense at all. The whole reason Unix works is that it has this very simple "everything is a file" paradigm, which enables lots and lots of small, highly specific programs at the system level to interact with much larger and more complex software at the application level, using very simple and manageable interfaces.

When it comes to security, though, because everything's built on C, it's less like "everything is a file" and more like "everything is a fail." It is utterly inevitable that more problems like Heartbleed will occur. Our entire online economy is built on an inherently unsafe foundation.

Long story short, the only way to get a secure Internet is to completely rebuild every part of it from scratch. That's just not how technological advances occur. People build on the stuff that is already there. The team behind Go probably want to do this kind of total Internet rebuild, and replace HTTP with SPDY while they're at it, but not even Google has enough Imperial stormtroopers to pull off that kind of coup.