Safety in a cyclone?

Contributed by jose on 2003-10-06 from the typesafe-languages dept.

anonymous asks: "The OpenBSD system has been hit by a few buffer overflows lately, with serious security implications. I've thought for a while "it's time to stop using C. No bounds checking, weak type checking, and many other dangerous qualities put it on the edge of safety." But Java is not going to be an acceptable solution to most of the OpenBSD developers. What about Cyclone , billed as a "safe dialect of C"? Cyclone guarantees type safety and memory safety, while retaining a very C-like syntax, and in fact the ability to compile some unmodified C programs. The performance overhead is small. The compiler is GPL and the libraries are LGPL. What do you think? I'm putting this out for discussion, not intended as a trolling."

I've actually used Cyclone on OpenBSD, it should work just fine after convincing the build system it's OK. It passes the regression tests. The Cyclone community is increasing in activity these days. However, I doubt a project as large and complex as OpenBSD would ever move wholesale into this language and compiler for a variety of reasons, including the limited number of platforms the compiler supports. However, anyone here play extensively with it?

(Comments are closed)

Comments

By Michael () on 2003-10-06 15:51

For the OS, I'd say let's stick with C. The overhead for Cyclone is not big at all, but any overhead is bad at that level.

However, for user land programs - cyclone is more than adequate. If you are doing any sort of input/output, then overhead is not your bottleneck. Not to mention the fact that Cyclone is fairly easy to pick up.

I think what is needed is a Cyclone module for gcc. Once we have that, people may start to take a second look at it and say, "Hey, this looks pretty slick."
Comments
1. By Michael () on 2003-10-06 15:54
  
  ^gt;If you are doing any sort of input/output, then overhead is not your bottleneck. --- <If you are doing any sort of input/output, then overhead is probably not your bottleneck.
  Comments
  1. By Michael () on 2003-10-06 15:55
    
    >If you are doing any sort of input/output, then overhead is not your bottleneck.
    ---
    <If you are doing any sort of input/output, then overhead is probably not your bottleneck. I am retarded.
2. By Anonymous Coward () on 2003-10-06 17:45
  
  There's overhead from propolice, and that's being used.
  Comments
  1. By michael () on 2003-10-06 17:58
    
    Good call - forgot about that.
    
    I suppose then that we should keep the overhead as low as possible. It seems like the issues addressed with ProPolice are essentially the same issues that Cyclone takes care of. So....I'm not sure where I'm going with this.
    
    It may be a moot point -> cyclone is on version 0.6 as far I can tell. It's probably not a good idea to write an operating system with beta material.
    
    --michael
  2. By tedu () on 2003-10-06 18:34
    
    overhead is about 1%, and didn't require rewriting anything (developer overhead).
    
    Comments
    
    By Anonymous Coward () on 2003-10-06 19:44
    
    Just that cyclones performance hit should be comparable to that of propolice, which is already in use, so I don't think cyclone would be rejected for performance reasons. Its not like "be the fastest OS" is one of OpenBSD's goals.
  3. By Anonymous Coward () grey on 2003-10-06 18:44 http://www.cansecwest.com/core03/theo-csw03.mgp
    
    You might want to read the presentation Theo gave at CanSecWest '03 where he discusses (briefly) some of the overhead penalities incurred for ProPolice, W^X and various other things implemented in the past year or so. Overall the feeling seems to be that most of those protections should incur 1-3% overhead. Theo did say something to the effect of, all of these 1-3% slowdowns could add up to a much larger slowdown if more similar performance penalizing things are implemented. (Very very loose paraphrase).
    
    That said, while not technically a dialect, some might argue that OpenBSD's use of alternate str* functions already constitutes some shift from standard C. You might want to read http://openbsd.org/papers/strlcpy-paper.ps as Todd & Theo provided some arguments for why they chose to go that route, and see how well alternate safe C programming extensions or dialects match up.
    
    There are a lot of other interesting security minded projects outside of OpenBSD to be sure; but they're not always destined to work together, or sometimes just not quite yet (opencm comes to mind as an example).
By djm () on 2003-10-06 20:16

The recent problems haven't been traditional strcpy(tooshort, toolong) buffer overflows, they have been a fair bit more subtle than that. Astute readers of source-changes@ would notice that a sweep of the entire tree was made for similar problems shortly after the discovery of the ones in OpenSSH.
Comments
1. By Giovanni () nospam@nospam.org on 2003-10-07 09:59 mailto:nospam@nospam.org
  
  Was anything found ? I'm not a source-changes@ reader at all.
By Christian Stork () on 2003-10-06 20:35

Check out the CCured project at

http://manju.cs.berkeley.edu/ccured/

for a different approach. Probably, this one is more applicalbe since less intrusive.
By henning () henning@ on 2003-10-07 08:12 mailto:henning@

no, we've not been hit by what one usually calls "buffer overflows" lately, and there were no "severe security implications" from that. I keep wondering where that myth comes from.
it's out of question that the ssh buffer stuff was bad and a bug - but please enlighten me how that is a real security problem, at least on OpenBSD. at worst, this is a DoS.
Comments
1. By Anonymous Coward () on 2003-10-07 10:36
  
  The 'myth' that there were severe security implications from the last OpenSSH bug comes from some (unknown) individuals blatantly lying in various public forms (like Slashdot, etc) by claiming they were OpenBSD users who 'had the exploit' and it could confirm that worked against the newest version of OpenBSD. In other posts -- probably by the individuals -- it was implied that OBSD's 'Only one remote hole' claim was a lie, and citing the failure to add this incident to the list as evidence. Some losers personal smear campaign I would guess. Of course most casual readers would just take the initial claim at face value since it *could* be true as far as they know.
  Comments
  1. By Kurt () on 2003-10-07 14:42 http://marc.theaimsgroup.com/?l=full-disclosure&m=
    
    I wonder if the 'personal smear campaign' was in fact a bit of social engineering. A fake exploit was later released that had a Trojan in it.
    
    Comments
    
    By Anonymous Coward () on 2003-10-07 15:27
    
    Hmm ... a possibility that hadn't occurred to me. Maybe Theo has a dark alter ego personae I hadn't suspected .... 8^)
  2. By Anonymous Coward () on 2003-10-07 18:18
    
    And what makes you say that they were lying? Have you got perhaps some proof to the contrary or are you just another clueless self-congratulating 'genius'?
    
    Comments
    
    By tedu () on 2003-10-07 18:31
    
    yes, i have proof that there is no exploit. however, i would prefer to keep my analysis techniques to myself, so i won't be sharing it.
    
    Comments
    
    By Anonymous Coward () on 2003-10-08 09:47
    
    and this makes you different from the people claiming to have exploits.......how?
    
    By Anonymous Coward () on 2003-10-08 10:50
    
    though i dont know what tedu has done, i will second his opinion. if you look at the details of this bug, it would be a hard, hard thing to exploit on openbsd.
    
    its the infinite saw thing. could an attacker with infiniite time and inifinte resources exploit this? perhaps so. in the real world, finding a bug that does x is nothing too special, working out how to turn x into a local/remote vulnerability is where the beauty and skill of exploit writers comes from. nonetheless, turning this bug into a local/remote exploit i will happily eat my hat or shoes or whatever it is americans eat if they're wrong.
    
    Comments
    
    By Michael () on 2003-10-08 16:55
    
    happily eat my hat or shoes or whatever it is americans eat if they're wrong.
    
    It is proper for an American to eat their bowling shoes if s/he is wrong.
    
    By Anonymous Coward () on 2003-10-07 19:51
    
    No, I'm not a genius, but I am telepathically linked with Tedu, and I know what he knows. Yes, I have the proof that this is absolutely true, but I can't share it with the world either, because if others learn how telepathic links are established, it could be horribly misused.
    
    By Elvis "The King" () on 2003-10-07 23:22
    
    It's true just because I said so. Since I have 50 millions fans worldwide I just can't be wrong.
    Btw love me tender...
  3. By RC () on 2003-10-08 13:22
    
    It's not just slashdot. If you read through the bugtraq posts, you'd have seen several individuals that _claimed_ they had machines rooted, and that OpenSSH was the culprit.
    
    I don't think there is any question that there are numerous people who are dead-set on doing everything they can to give OpenBSD a bad reputation, and we've certainly seen a few of them posting regularly here on deadly.
    
    I too will believe it when I see an exploit, but the fraud is much more than a couple idiots on slashdot.
By jose () on 2003-10-15 00:39 http://monkey.org/~jose/

i should have looked and not assumed that because cyclone worked at 0.3 it will still work now. it doesn't. it looks like its hitting the W^X restrictions. it bootstraps itself (or tries to) and dies in the build process. basically the code builds a function and then tries to execute it (i think) by pushing it on the stack. you'll have to enable PROT_EXEC via mprotect() to get this to work. but after an hour of hacking and learning mprotect() stuff i'm no closer than this.

if anyone wants to start hacking on this, that would be very cool.

enable gcc -g in Makefile.inc, build, debug ... you'll see it died in gc/mark.c here:

#0 0x1c0e575f in GC_mark_from (mark_stack_top=0x3c0410a8,
mark_stack=0x3c0410a8, mark_stack_limit=0x3c0490a8) at mark.c:648
#1 0x1c0e526a in GC_mark_some (
cold_gc_frame=0xcfbefee4 "

Latest Articles

Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (11)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]