
BASHed and ShellShocked

October 31, 2014

By Bob Supnik, Vice President, Engineering, Unisys

There’s trouble abroad in cybersecurity land. A longstanding bug in a major UNIX and Linux component – known technically as CVE-2014-6271 and colloquially as ShellShock – is exposing tens of thousands of servers around the world to hackers.

The bug is in a command line interpreter called BASH, which stands for the Bourne Again Shell. The Bourne Shell was the command interpreter for UNIX v7, named after its creator, Steve Bourne of Bell Labs. The Bourne Shell was re-implemented as “free software,” with additional features from many other UNIX shell variants; hence “Bourne Again.”

This past September, a UK-based UNIX/Linux specialist, Stéphane Chazelas, reported a security bug that had lain dormant for 22 years, since BASH version 1.13. The bug can be triggered remotely wherever untrusted input reaches BASH through its environment, and it allows arbitrary code to be executed; for that reason, security mavens regard it as a very severe risk, and it received a CVSS base score of 10.0, the maximum under the currently accepted rating guidelines. (Unlike Olympic gymnastics, in this context a perfect score is not a good thing.)

The first patch was rushed out as soon as the story broke, but it was incomplete: within a day a bypass of the fix was found and assigned its own identifier, CVE-2014-7169. The second and third rounds of patches were also incomplete, and further holes in the same parser were assigned CVE-2014-6277 and CVE-2014-6278. Additional testing turned up still more bugs in BASH (CVE-2014-7186 and CVE-2014-7187). The major Linux distributions are scrambling to fix all the problems, and the rest of the industry is waiting anxiously to apply the fixes. Meanwhile, according to reports in IT media, hackers are testing the defenses of every Internet-facing Linux-based web server, and compromises have already occurred.

The fundamental problem in BASH is that it is a scripting engine: it interprets data as code. In particular, BASH lets a process export shell functions to its child processes through environment variables. Any variable whose value begins with the characters “() {” is parsed as a function definition when a new BASH starts up. The bug is that the parser did not stop at the closing brace of that definition; whatever followed it was executed immediately, during startup, before the program that launched BASH had run a single command of its own. So an attacker who can set an environment variable that reaches BASH, for example through an HTTP header that a web server hands to a CGI script as HTTP_USER_AGENT, or through the SSH_ORIGINAL_COMMAND variable that sshd sets for a ForceCommand handler, can place a function definition plus a trailing command into that variable and have the command run without ever invoking the function. Disaster ensues.
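To make the mechanism concrete, here is an added example that is not part of the original article and not Unisys code. It probes a BASH binary with the same kind of crafted environment variable, once with the widely circulated test string for the original bug and once with the one for the CVE-2014-7169 bypass, and then scans a few constructed Apache-style access-log lines for the “() {” prefix that every such probe has to carry in some header. The function names, the use of a temporary directory and the sample log lines are my own assumptions for the illustration.

```sh
#!/bin/sh
# Added example (not from the article). Probes a bash binary for ShellShock
# with the published test strings, and scans constructed log lines for probes.

# CVE-2014-6271: a variable whose value starts with "() {" is parsed as a
# function export. A vulnerable bash keeps parsing past the closing brace and
# runs the trailing "echo vulnerable" during startup, before -c executes.
shellshock_6271() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env X='() { :; }; echo vulnerable' "$bash_bin" -c 'echo completed' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix still left the parser confused by a broken
# redirection inside the definition. On a vulnerable bash the dangling ">"
# consumes the next word ("echo") as its target and then executes "date",
# so a file named "echo" appears in the current directory; we look for it.
shellshock_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -f "$tmp/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$tmp"
}

# Detection: an exploit attempt must deliver the "() {" prefix in some field
# the web server copies into the CGI environment (User-Agent, Referer,
# Cookie, ...). Constructed sample lines (not real traffic); two carry a
# payload, one in the User-Agent field and one in the Referer field.
shellshock_log_hits() {
    cat <<'EOF' | grep -c -F '() {'
203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.3 - - [25/Sep/2014:10:02:14 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { _; }; echo; /bin/bash -c 'uname -a'" "curl/7.37"
EOF
}

printf 'CVE-2014-6271: %s\n' "$(shellshock_6271)"
printf 'CVE-2014-7169: %s\n' "$(shellshock_7169)"
printf 'probe lines in sample log: %s\n' "$(shellshock_log_hits)"
```

Run it as `sh shellshock_check.sh`, or pass the path of a specific BASH build as the first argument to the two probe functions. The log scan is deliberately a fixed-string match on the prefix rather than on any particular payload, because the attack wrapper is the only part every variant of the exploit shares.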

The unchecked interpretation of data as code in privileged programs is one of the fundamental security flaws of our age. The first wave of Windows compromises was based on scripts that were executed in the user’s default context, which was privileged. They required the user to do something, like click on an email attachment.

That’s now considered passé. Modern script hacks are buried in web pages in the form of Java or JavaScript exploits. A user who accesses the webpage downloads and runs the poisoned script. The hacks can also be included in Adobe PDF files, Microsoft Word documents or downloadable help files. The list goes on.

ShellShock and the earlier HeartBleed attack should be wake-up calls to the Open Source community that their vibrant bazaar (to borrow a term from proponent Eric Raymond) contains a number of dark and unsafe alleyways. Companies need to find ways to bypass those dangerous passages in the first place, and adhere resolutely to their own map.

For example, Unisys has worked to avoid the problem by building the scripting languages into the MCP and OS 2200 operating environments on the company’s flagship ClearPath systems. The reason is quite simple: those scripting languages don’t provide an automated path for executing downloaded data as code. ClearPath systems don’t implement native Java or email; all of those are offloaded to surrounding systems. Web services on ClearPath systems are carefully circumscribed. There’s no way to automatically import a script and execute it. A malicious user could manually transfer a bad script and run it, but ClearPath’s strict privilege controls would severely limit the damage that could be done. In ClearPath, hackers have no easy path to follow.

Open Source advocates claim that many hands studying code leads to rapid detection and correction of potential flaws. Indeed, studies have shown that well-maintained Open Source components, like the Linux kernel, have defect densities on par with proprietary code. However, not all Open Source projects have the resources or the “density of eyeballs” of the Linux kernel, and some critical components are maintained by teams well below critical mass.

HeartBleed and ShellShock are two prominent examples of that phenomenon. Unfortunately – and undoubtedly – there will be others. Enthusiasm and numbers are not a substitute for a coherent and ruthlessly-enforced security architecture.


Bob Supnik, VP of engineering, Unisys

I’m Bob Supnik, Vice President and General Manager of Engineering and Supply Chain Operations (ESC), and Chief Technology Officer of Technology, Consulting, and Integration Solutions (TCIS). At Unisys, I am directly responsible for software and hardware development.

My global organization delivers enterprise level systems for ClearPath and the ES7000 lines of servers, as well as tools and solutions for Data Center Transformation and Cloud Computing.

Through technology and innovation, the organization creates value for Unisys customers. It also drives technology-based solutions through their full life cycle: creation, implementation, production, and support.

Prior to joining Unisys, I was Vice President of Engineering at SiCortex, Inc., a company that builds energy-efficient, high-performance technical computing systems from the silicon up. Previously, I held the positions of Vice President of Engineering/CTO at Nauticus Networks and FairMarket.

I served in several vice president and senior corporate consulting engineer positions at Digital Equipment Corp. (later purchased by Compaq), including Head of Corporate Research, Director of Architecture and Technology, and Technical Director of Central Engineering.

At DEC, I managed the ground-breaking Alpha systems program, as well as the successful series of VAX microprocessors. And before I came to DEC, I worked for more than a decade in the software industry.

I earned two bachelor’s from Massachusetts Institute of Technology, and a master’s from Brandeis University. Outside of my Unisys world, I have been a featured author and speaker at computer and industry conferences, and I hold eight computer-related patents. In addition, I am the author of a series of emulators for historically significant computers.
