The Fix Is In

Programmers can stop Internet worms. Will they?

Illustration by Robert Neubecker

The SARS e-mail worm going around this week is nothing to worry about, but it’s only a matter of time before the next big hack attack knocks out half the Internet. After all the money spent Y2K-proofing every computer on the planet, the 21st century’s digital pox turned out to be a different bug, one that’s still unfixed. Slammer, Code Red, Nimda, and other Internet worms crawl into computers through a hole called a “buffer overflow.” It’s an old trick that involves connecting to one of a target computer’s network services—e-mail, HTTP, a database—and handing that service a carefully crafted string of data that’s longer than it’s supposed to be. The data gets written into its allocated parking spot in the computer’s memory (the buffer), but the extra-long tail (the overflow) spills out to overwrite running code parked in the next space. Sounds stupid, but it’s that easy. A moderately smart programmer can figure out how to put a new program in the overflow data and force the target computer to run it.

The most damaging attacks install a program that replicates itself as fast and far as possible, jamming network lines with its traffic. Programmers have worried about buffer overflow attacks ever since the Morris worm brought the fledgling Internet to a crawl 15 years ago. Yet building a barricade to block attacking worms has been all theory and no practice. Even mighty Linux is vulnerable.

But on May 1, a gaggle of programmers will publish working source code that solves the problem. They call it a “prophylactic” that protects against buffer overflows. It doesn’t eliminate the bugs, but it keeps them from taking over your computer. The free fix is for the little-used OpenBSD operating system, but it’s a working template that programmers can adopt into Windows, Mac OS, Linux, or whatever. To explain why the OpenBSD gang finally decided just to sit down and solve the problem, project leader Theo de Raadt told a reporter that “when you throw a bunch of guys into a room and get them drunk, this is what you get.”

I hope they’ve got another keg in the closet because they’ll need it to cope with the backlash their fix will create. Building a brick wall for worms seems like an obvious improvement, but to make it work, de Raadt’s team had to rethink the entire way the operating system allocates and uses memory. It changes the way programs are compiled, and it slows down the computer’s performance (by only a few percentage points, de Raadt claims). Worst of all, it requires other techies to rewrite parts of mission-critical applications, update operating systems, and possibly reinstall the operating system on every one of their company’s computers in order to put the fix into place.

Such an upgrade could cost thousands of dollars for a small company, millions for a big one. Not to mention that any engineer knows that fixing one bug can introduce another, and “don’t break my applications” is an IT manager’s prime directive. That’s why no one’s bothered to stop buffer overflows—not even as an option—for the past 15 years. But the cost of refusing the cure keeps getting higher. In 1988, the Morris worm knocked out only a few geek enclaves. This past January, Slammer grounded airline flights, put 911 callers on hold, and shut down 900 computers at the Department of Defense.

That kind of threat led the Defense Advanced Research Projects Agency to underwrite a $2.3 million grant to OpenBSD in 2001 as part of a search for crack-proof computers. But DARPA withdrew its funding last week, allegedly because of an interview with the Globe and Mail in which de Raadt veered from explaining his team’s new code to call the war in Iraq an oil grab. “It just sickens me,” he said. “I try to convince myself that our grant means a half of a cruise missile doesn’t get built.”

In the end, it doesn’t matter whether de Raadt gets his grant back. It’s more important that programmers at Microsoft (which owns Slate—you guys listening?) take a good hard look at his code next week. After all, Slammer, Code Red, and Nimda did their damage by attacking Microsoft applications running on Windows. They could just as well have hit OpenBSD, or Linux, or my PowerBook, but Microsoft’s market share makes it the cracker’s target of choice.

For now, Microsoft won’t say whether or not the next Windows upgrade, due in 2005, will have built-in buffer overflow protection. But a few weeks before Slammer hit, I sat in the front row of a talk on “Trustworthy Computing” by Microsoft Chief Technology Officer Craig Mundie. With Internet shutdowns now seen as a potential terror tool, Mundie told us it was time for pre-emptive strikes. “Even if it means we’re going to break some of your apps,” he said, “we’re going to make these things more secure, and you’re just going to have to go back and pay the price.” Promise?