Archive for the 'Mozilla' Category

Memory safety bugs in C++ code

Wednesday, November 1st, 2006

C++ lets developers work with raw pointers, allowing some performance tricks not available in higher-level languages. By allowing developers to decide when objects are allocated and deallocated, developers have the flexibility to choose between (or mix and match) reference counting, various forms of tracing garbage collection, and ad-hoc calls to "new" and "delete". Developers also have the ability to allocate some objects on the stack rather than the heap, improving performance. While C++ is not the only language that allows stack allocation, it is one of the few that lets you maintain linked lists of stack-allocated objects.

C++ also allows developers to do manual pointer arithmetic, making it possible to steal bits from pointers or implement XOR linked lists. Arrays use implicit pointer arithmetic without bounds-checking, which is nice for performance when bounds-checking would be redundant.

Unfortunately, most C++ compilers do not include theorem provers, so they cannot require you to declare invariants and provide enough proof hints to explain why your use of raw pointers is safe. As a result, it is easy to have bugs that lead to severe security holes.

Common types of memory safety bugs

These memory safety bugs usually manifest themselves as crashes. They're also usually exploitable to run arbitrary code.

  • Using a dangling pointer. A simple read from a dangling pointer usually won't cause too much damage, except perhaps to privacy. But writing to a dangling pointer can corrupt another data structure, and freeing a dangling pointer can leave another data structure open to future corruption. Worst of all, calling a virtual member function on a dangling pointer will jump to a memory location based on a vtable pointer that is likely to have been overwritten, easily leading to arbitrary code execution. Most of the memory safety bugs I have found in Gecko involve dangling pointers.
  • Buffer overflows, also known as "writing past the end of a string or array". These are the best-known memory safety bugs, and among the first to be exploited to run arbitrary code. They're dangerous whether the array is on the heap or the stack, and whether the overflow is as long as the attacker wants or a single byte.
  • Integer overflows, bugs due to forgetting that what C++ calls "int" is really "integer mod 2^32" (or 2^64). If int computation is used to decide how much memory to allocate, overflow can lead to a buffer-overflow situation. If reference counting is implemented using an int counter, overflow can lead to an object being freed prematurely, creating a dangling-pointer situation.
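The three bug classes above in code, as an added example that is not from the original post or from Gecko: an allocation size that wraps modulo 2^32 beside a checked version, a length-prefixed copy that refuses to write past its buffer, and a reference count that wraps and frees an object while callers still hold it. All names (naive_image_bytes, checked_mul32, copy_name, RefCounted, holders_alive_at_free) and the packet bytes are made up for the illustration. The dangling-pointer case itself is not exercised, since touching a freed object is undefined behaviour; the refcount part shows how an overflowed counter manufactures one.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// --- Integer overflow feeding an allocation size ---------------------------

// The bug pattern: width * height * bytes-per-pixel in 32-bit arithmetic,
// i.e. "integer mod 2^32". For 65536 x 65536 x 4 the product is 0, so new[]
// hands back a tiny buffer and the pixel copy that follows overflows it.
std::uint32_t naive_image_bytes(std::uint32_t w, std::uint32_t h, std::uint32_t bpp) {
  return w * h * bpp;
}

// Multiply without wrapping: fails instead of returning a truncated product.
bool checked_mul32(std::uint32_t a, std::uint32_t b, std::uint32_t* out) {
  if (b != 0 && a > std::numeric_limits<std::uint32_t>::max() / b) return false;
  *out = a * b;
  return true;
}

// Same computation with the check applied at every step. In real code the
// target type is the allocator's size_t and a sanity cap is applied as well.
bool checked_image_bytes(std::uint32_t w, std::uint32_t h, std::uint32_t bpp,
                         std::uint32_t* out) {
  std::uint32_t pixels = 0;
  return checked_mul32(w, h, &pixels) && checked_mul32(pixels, bpp, out);
}

// --- Buffer overflow from an untrusted length ------------------------------

// Copy a length-prefixed name out of a packet into a fixed-size buffer. The
// classic bug is memcpy(dst, packet + 1, packet[0]) with no comparison
// against either the bytes actually received or the size of dst.
bool copy_name(const std::uint8_t* packet, std::size_t packet_len,
               char* dst, std::size_t dst_len) {
  if (packet_len < 1 || dst_len < 1) return false;
  std::size_t len = packet[0];             // attacker-controlled
  if (len > packet_len - 1) return false;  // claims more bytes than arrived (over-read)
  if (len >= dst_len) return false;        // would overflow dst (the NUL needs a byte too)
  std::memcpy(dst, packet + 1, len);
  dst[len] = '\0';
  return true;
}

// --- Reference-count overflow creating a dangling pointer ------------------

// A deliberately narrow counter makes the wraparound reachable in a test;
// with a 32-bit count the same thing takes about four billion AddRef() calls.
template <typename Count>
struct RefCounted {
  Count count = 1;     // the creator holds the first reference
  bool freed = false;  // stands in for "delete this"

  void AddRefUnchecked() { ++count; }  // wraps modulo 2^N

  // Refuse a reference the counter cannot represent; the caller must fail
  // (or abort) rather than keep a pointer the count does not account for.
  bool AddRefChecked() {
    if (count == std::numeric_limits<Count>::max()) return false;
    ++count;
    return true;
  }

  void Release() {
    if (--count == 0) freed = true;  // the object is gone from here on
  }
};

// Take `extra` references, then release only what was actually taken.
// Returns how many holders still had a pointer when the object was freed:
// 0 means the count was right, anything else is a dangling pointer.
int holders_alive_at_free(bool checked, int extra) {
  RefCounted<std::uint8_t> obj;
  int holders = 1;
  for (int i = 0; i < extra; ++i) {
    if (checked) {
      if (!obj.AddRefChecked()) break;  // back off instead of wrapping
    } else {
      obj.AddRefUnchecked();
    }
    ++holders;
  }
  while (holders > 0) {
    --holders;
    obj.Release();
    if (obj.freed) return holders;
  }
  return 0;
}

int main() {
  std::uint32_t n = 0;
  std::printf("naive 65536x65536x4 = %u bytes\n", naive_image_bytes(65536, 65536, 4));
  std::printf("checked 65536x65536x4 ok = %d\n", checked_image_bytes(65536, 65536, 4, &n));
  std::printf("unchecked refcount: %d holders alive at free\n", holders_alive_at_free(false, 256));
  std::printf("checked refcount:   %d holders alive at free\n", holders_alive_at_free(true, 256));
  return 0;
}
```

The refcount driver takes 256 extra references on an 8-bit counter, one past the wrap: the counter reads 1 with 257 holders, so the very first Release() frees the object and leaves 256 dangling pointers, which is the "freed prematurely" case the list describes. With the checked AddRef the 255th attempt is refused and every release is accounted for.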

Safe crashes

Several common types of crashes that are not security holes:

  • Dereferencing NULL. Most operating systems never allocate page 0, so userland programs can assume that dereferencing null is a safe crash. This is good because null dereferences are significantly harder to prevent than uses of dangling pointers.
  • Too much recursion. Most operating systems have a guard page at the stack limit to prevent your stack and heap from colliding. This is good because preventing too-much-recursion bugs is hard and has historically not been necessary.

Note that some operating systems have bugs or design flaws that turn these "safe" crashes into security holes. Until recently, Windows had a bug that turned null dereferences in some programs into security holes. And at least as of 2005, some operating systems do not guarantee that null dereferences and too-much-recursion are crashes. IMO, those operating systems need to be fixed, so developers can continue treating null-dereference crashes as having the same severity across operating systems.

San Diego Firefox party

Saturday, October 28th, 2006

I had a great time at the San Diego Firefox party, organized by numist. Most of the people at the party were UCSD computer science students, but there was also at least one Cog Sci major and an English major. Many of the computer science majors were juniors who had just finished struggling with difficult OCaml assignments in a Programming Languages course.

Not everyone who was at the party uses Firefox as their main browser. While some of them use nothing but Firefox trunk builds, the host uses Safari for most of his browsing.

Lawrence Eng, a market researcher at Opera Software's San Diego office, also joined the party. We discussed differences in anti-phishing approaches: Opera's default protection involves contacting the server with URLs you visit, but Opera promises to only use the URLs it collects due to the feature in specific ways. He also admitted to having tried out Thumbs, saying that "Firefox has Opera beat there".

Some people at the party were disappointed at the lack of Firefox t-shirts, but said they weren't going to switch to Opera or Safari as a result. I replied that it was a good thing Lawrence hadn't brought along any Opera shirts.

I brought my copy of Apples to Apples. It is one of my favorite party games, along with Taboo and Scattergories. About half an hour into the party, I tried to start the game. Not many of the partygoers knew the game, so we started with four players and let others join gradually.

Like any good party game, Apples to Apples is fun even if you're not winning; it's possible to play without keeping score at all. This was good for me because I'm not an especially strong player and many of the other players had the advantage of already knowing each other.

Perhaps in part due to my overall low score, I was very satisfied with how I won the last round. The adjective to match was "Frightening" and I played "A sunrise", initially hoping to win on irony. But after seeing that my "sunrise" was up against the Anne Frank card, I had a flash of insight. I explained: "You've been up all night working on a project, you're not even close to done, and you look out the window and see the sun rising." Another player had been in exactly that situation the morning before the party, and the judge picked my card.

Squarefree succumbs to the Digg effect

Sunday, September 24th, 2006

Yesterday, at around 4pm, I noticed that the content on squarefree.com was missing, and the main page was an empty directory listing. I ssh'ed to my web server and noticed that the "squarefree.com" directory had been renamed to "squarefree.com_DISABLED_BY_DREAMHOST". Then I checked my email and saw a message from DreamHost support:

Hello,

I just had to disable your site squarefree.com as it's coming under some load and spawning countless php processes that are crashing the webserver. I wasn't able to figure out exactly what's going on, as leaving it up for more than a minute pretty much toasts the server. Please don't re-enable it until you've figured out what's going on, or disabled any possibly problematic php.

Thanks,

James

I jumped into #dreamhost on irc.freenode.net and started looking through my web server logs for suspicious requests. I was expecting to find that my blog had been DDoSed, perhaps by someone trying to leave comment spam. Instead, I found a large number of requests for non-existent files, falling into two categories:

  • Requests for favicon.ico, a file that does not exist on my site. Some of these requests are expected: most browsers with tabs request favicon.ico to display it in the tab bar. But there were also hundreds of IP addresses that requested nothing but favicon.ico for the entire day, and some requested it many times. About 100 of these IPs were Internet Explorer users with the Google Toolbar, so apparently I was getting DDoS'ed by a bug in the Google Toolbar. Another 100 were Firefox users; I haven't figured out why Firefox would request nothing but favicon.ico over and over.
  • Requests due to people using my Real-time HTML Editor to edit pages that used relative URLs for images, iframes, etc. One user made dozens of requests for a file named "border=0". Another user made a request for 14 gif files every time the editor refreshed. I also saw from referrers that the Real-time HTML Editor had been featured on Digg, greatly increasing its traffic.

But why would 404 requests create PHP processes? Due to a recent change in WordPress, Apache was directing each 404 request to WordPress. WordPress used to put detailed rules in .htaccess -- for example, it would ask Apache to direct requests for http://www.squarefree.com/2005/ to WordPress using RewriteRule ^([0-9]{4})/?$. But newer versions of WordPress instead ask Apache to send it all requests for nonexistent files. I imagine this puts less strain on Apache when a site uses lots of WordPress Pages, but it hurts when a site gets lots of 404 requests. Several months ago, I had instructed WordPress to serve my custom 404 page for these requests, but WordPress still had to do a lot of work to determine that the requests should be treated as 404s.

Once I realized what had happened, and determined that reconfiguring WordPress would be difficult, I did what I could to reduce the number of 404 requests WordPress would have to handle. I created a tiny favicon.ico file so those requests wouldn't be 404s, and I moved the Real-time HTML Editor onto its own subdomain so WordPress wouldn't handle the 404s it causes. My site was only down for 40 minutes, with the Real-time HTML Editor down a little longer while I waited for the new subdomain's DNS to propagate.

Some things DreamHost could have done better:

  • It would have been nice if James had disabled PHP for my domain instead of disabling my site entirely. Pornzilla did not need to be down due to PHP problems.
  • A per-user process limit might have allowed my site to send "503 Service Unavailable" in response to some requests instead of being down entirely. It would have also prevented my site from causing problems for other sites on the shared server.
  • Better performance diagnostics would have helped both James and me isolate the problem. For example, it would have been great to have a list of PHP processes showing the request URL that caused each PHP instance to be triggered, the lifetime of each process, and perhaps some performance information (CPU used, RAM used, number of database requests).

Some things DreamHost did right:

  • DreamHost allowed me to restore my site myself once I fixed the problems. All I had to do was rename "squarefree.com_DISABLED_BY_DREAMHOST" back to "squarefree.com".
  • Knowing about DreamHost's .snapshot feature kept me from panicking about data loss when my site appeared to have disappeared.
  • The employees in #dreamhost were helpful.

If anyone is wondering: yes, I still love DreamHost.

Firefox to use Fibonacci version numbers

Wednesday, August 9th, 2006

Following Winamp, Mozilla plans to adopt Fibonacci version numbers for Firefox and Thunderbird. The move is intended to help Firefox catch up with Internet Explorer, currently at version 6, and Opera, currently at version 9.

Firefox's previous version numbers, 1 and 1.5, as well as the versions currently being worked on, 2 and 3, fit into the new scheme perfectly. Mozilla CTO Brendan Eich promised to update the Mozilla Roadmap as soon as he finishes implementing JavaScript 1.7 and finalizing the version number for what was previously planned as JavaScript 2.

Firefox user interface designer Mike Beltzner said "Firefox is all about an intuitive and natural user interface, and the Fibonacci sequence is a perfect expression of nature's expression of order and beauty."

"It's got nothing at all to do with horning in on Dan Brown's success with the Da Vinci Code," added Beltzner.

Apple declined to comment as to whether Safari, currently at version 2, would follow. It did, however, threaten to sue a rumor site editor who wrote that Apple would use only powers of two as Safari version numbers.

Firefox 2, which adds spell-checking and scam protection, is slated for a September 2006 release. Firefox 3, which will add a new bookmark system and bring Acid 2 compliance, is planned for a mid-2007 release. Specific plans for Firefox 5 have not yet been announced.

Implement CSS3 features, win Mac software

Wednesday, August 2nd, 2006

Joost de Valk (aka AlthA) is hosting a CSS3 contest this month. One way to enter is to submit a patch adding a CSS3 feature to Gecko (Firefox) or WebKit (Safari), and get it checked in. For CSS3 features whose specifications are still subject to change, implementations that use a browser prefix (e.g. "-moz-") are acceptable.

Safari security hole fixed

Tuesday, August 1st, 2006

Today's Mac OS X security update includes a fix for a Safari/WebKit security hole I reported :)

Description: A maliciously-crafted HTML document could cause a previously deallocated object to be accessed. This may lead to an application crash or arbitrary code execution. This update addresses the issue by properly handling such documents. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.

A thousand quotes

Tuesday, August 1st, 2006

The irc.mozilla.org quote database, which I helped start, now has over 1000 quotes! Coincidentally, the 1000th quote happens to contain the number 1000.

Cleanzilla

Thursday, May 25th, 2006

Anti-porn site pornwar.info is hosting a contest, Cleanzilla, for creating a Firefox extension to help users avoid porn.

It was recently brought to my attention that there is a group out there working to create extensions for Firefox in an effort to make it the best internet browser for surfing porn on the web. Pornzilla, as they call themselves, have taken the open source browser Firefox, a personal favorite of mine, and worked to make it hyper-efficient at doing the very thing I am seeking to avoid.

Therefore, I have decided to return the favor, and begin an annual contest. PORN WAR.INFO will hold an annual showcase for aspiring and seasoned programmers seeking to gain greater recognition on the net.

Starting this March, I will hold the 1st Annual “Cleanzilla” Safer-Browsing Firefox extension contest.

The goal is to create a useful, innovative, and effective extension for the latest version of the open source Mozilla Firefox browser, which will help to create a cleaner, safer, browsing experience on the web.

There's about a week left in the contest. If the winning entry is good, I might use it -- I don't like to encounter pornography when I'm not looking for it.