Government Starts Effort to Plug Open Source Security Holes
by Kristin Palitza
A U.S. government agency is backing an initiative called Sardonix to increase Linux security auditing. The Defense Advanced Research Projects Agency (DARPA), which spawned many of the technologies that went into creating the Internet, said it aimed to engage the open source community in a consortium-based approach to create a neutral and secure operating system architecture framework. DARPA has sponsored an audit portal to serve as a forum for open source code reviewers from all over the world.
DARPA hopes code will be critically reviewed more often in the future to plug and prevent security holes. Since bugs are nearly inevitable for any medium-sized or bigger program, security vulnerabilities come with the program as well. The Sardonix initiative sees source code security audits as a way to fight those vulnerabilities with the portal being a forum to encourage, archive, and track those audits. The forum, called Sardonix Source Code Auditing Portal, is built, run, and hosted by Linux security software developer WireX Communications.
WireX assures participants in the Sardonix initiative that the portal will not recommend any security vendor's software--and certainly not its own. "That would destroy the community approach," WireX chief scientist Crispin Cowan said. "WireX will only benefit from the overall Linux improvement." DARPA is not funding the portal totally selflessly, either. It anticipates using the improved security architecture framework "for defensive information warfare capabilities."
The Sardonix site--today in beta review--is aimed at facilitating program inspections and measuring how often systems like Linux or Mozilla get audited. It provides a core repository for reviewing and submitting audits, particularly from third parties. "It is a user-oriented site for both auditors and individuals seeking information on the security of program audits," the Sardonix initiators said on the Web site, http://www.sardonix.org. The auditing process is expected to start in the next couple of months.
The Sardonix initiative was brought to life after a similar auditing project led by the Linux community a few years ago failed. "The Linux audit project lacked infrastructure, was nothing but a mailing list that quickly turned into a discussion forum about security," Cowan said. The Sardonix site, in contrast, will have "a lot of infrastructure," Cowan further claimed. Reviewers, for example, will have access to a set of free auditing tools, funded by DARPA.
It will be up to WireX to decide which programs are vulnerable and which are not, Cowan said. Those decisions will be purely based on the expertise and judgment of WireX. The portal will provide a list of audited and unaudited programs, so visitors to the site can see what programs have already been reviewed.
Security vulnerabilities are not only a concern of the open source community, but also affect software giants like Oracle and Microsoft. Oracle, for example, had to issue about 5,000 patches for its 11i Internet Applications suite last year, and had to make three major modifications to the software set in less than twelve months. Microsoft chairman Bill Gates recently issued a memo to his programmers to make security the company's top priority.
DARPA decided to fund the Sardonix initiative because many successful attacks are not detected. "Such attacks make systems unusable, degrade performance, lead to poor decisions due to faulty data, leak valuable secrets, and leave behind code that could provide continuing backdoor access or be activated on a predetermined event to take obstructive action," the government agency said. "No set of barriers is perfect or impermeable to determined attackers."
DARPA also had an open source research project at the Oregon Graduate Institute of Science and Technology in place to develop the OS security tools that are now available on the Sardonix portal. WireX, as a Linux-based vendor, was part of the program. The company developed its Immunix security tool set, which is today an ongoing project at WireX and is used to host the Sardonix portal. Immunix is a family of tools--including SubDomain, FormatGuard, and StackGuard--designed to boost system integrity of Linux and Unix systems by hardening components and platforms against security attacks, says WireX, which is based in Portland, Oregon. Immunix hardens existing software pieces and platforms so that attempts to exploit security vulnerabilities will fail--the compromised process stops and restarts without giving access to the hacker, the company further said.
Immunix is geared toward protecting against attacks not made through the firewall, unauthorized users' malicious behavior, Trojan horse programs, bad and non-existent security policies with security enforcement, and incorrect filter setup. Its StackGuard and FormatGuard components are open source, whereas the SubDomain piece is proprietary, Cowan explained.
SubDomain comes into play when firms need to install a program they do not necessarily trust, WireX said. It quarantines programs to protect the rest of the system from damage when it confines the suspect program to a limited set of files. Administrators are able to specify a domain of activities the program is allowed to perform by listing the files the program may access, and the operations the program may perform. Those restrictions complement the kernel's native access controls, WireX says, since any file access must pass the native access controls and the SubDomain restrictions before access is granted.
FormatGuard is designed to get rid of large numbers of unknown format bugs. It can distinguish macros with identical names but a different number of arguments, since it provides a macro definition of the printf function for each number of arguments, up to a hundred arguments, WireX claimed. Each of these macros calls a safe wrapper that counts the number of % characters in the format string, and rejects the call if the number of arguments does not match the number of % directives, the company further explained.
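The argument-counting check described above can be sketched in C as follows. This is an added example, not FormatGuard's own source: the names `NARGS`, `safe_snprintf`, `guarded_snprintf` and `args_required` are hypothetical, the macro handles up to seven arguments rather than a hundred, and the wrapper returns -1 on rejection. It goes slightly beyond the description by also counting `*` width and precision fields, each of which consumes an argument.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the macro's arguments at compile time (format string included). */
#define NARGS_(_1, _2, _3, _4, _5, _6, _7, _8, N, ...) N
#define NARGS(...) NARGS_(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0)
/* Hypothetical guarded front end: passes (argument count - 1) to the wrapper. */
#define safe_snprintf(buf, len, ...) \
    guarded_snprintf(NARGS(__VA_ARGS__) - 1, buf, len, __VA_ARGS__)

/* Number of arguments the format string will try to consume. */
static int args_required(const char *fmt) {
    int n = 0;
    while (*fmt) {
        if (*fmt++ != '%') continue;
        if (*fmt == '%') { fmt++; continue; }  /* "%%" is a literal percent */
        /* flags, width, precision, length modifiers; each '*' takes an int */
        while (*fmt && strchr("-+ #0123456789.*hlLjzt", *fmt))
            if (*fmt++ == '*') n++;
        if (*fmt) { fmt++; n++; }              /* the conversion character */
    }
    return n;
}

/* Safe wrapper: format only when supplied and required counts agree. */
static int guarded_snprintf(int nargs, char *buf, size_t len,
                            const char *fmt, ...) {
    va_list ap;
    int r;
    if (args_required(fmt) != nargs) {         /* mismatch: reject the call */
        if (len) buf[0] = '\0';
        return -1;
    }
    va_start(ap, fmt);
    r = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return r;
}

int main(void) {
    char buf[64];
    const char *untrusted = "%x.%x.%x";  /* constructed stand-in for user data */
    printf("%d\n", safe_snprintf(buf, sizeof buf, "%s=%d", "n", 7)); /* 3 */
    printf("%d\n", safe_snprintf(buf, sizeof buf, untrusted));       /* -1 */
    return 0;
}
```

The second call is the classic format bug, user data passed as the format string with no arguments, and it is rejected before `vsnprintf` ever reads the stack.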
StackGuard, the third Immunix component, is a compiler that emits programs hardened against "stack smashing" attacks, which, WireX said, are the most common form of penetration attack. When a vulnerable program is attacked, StackGuard detects the attack in progress, raises an intrusion alert, and halts the victim program, the company explained.