How long does it take to spot a bug in an operating system? The answer, it seems, can be as long as 33 years. At least, that was the case with a recently discovered bug in the yacc parser generator originally developed at AT&T back in the 1970s and discovered recently by OpenBSD developer Otto […]
How long does it take to spot a bug in an operating system? The answer, it seems, can be as long as 33 years. At least, that was the case with a recently discovered bug in the yacc parser generator originally developed at AT&T back in the 1970s and discovered recently by OpenBSD developer Otto Moerbeek.
“Funny thing is that I traced this back to Sixth Edition Unix, released in 1975,” says Otto Moerbeek, the OpenBSD developer who discovered the bug.
This makes the 25 year old bug BSD bug discovered a couple of months ago by Marc Balmer, another OpenBSD developer, seem comparatively young. That particular bug, which he discovered when investigating mysterious SAMBA crashes, can be traced all the way back to 4.2BSD released in 1983, Balmer says.
Why has it taken so long to spot the yacc bug? Probably because there was nothing to indicate there might have been a problem back in 1975. Moerbeek discovered it only during the testing of a new version of a memory allocator he was working on. And it appears only on Sparc64 systems.
This illustrates rather nicely the fact that every operating system, however venerable, still has plenty of bugs waiting to be found: Every non-trivial body of code is bound to. No matter how many eyes review the code, many of these bugs will not be spotted until the code is examined in the context of its interaction with another piece of code. All this is a fancy way of saying that Harry’s not a problem by himself, and Sally’s not a problem by herself. It’s only when Harry meets Sally that there’s really a problem. And if Sally hasn’t been born yet, well then how is anyone to spot that anything is going to be amiss?
This has some obvious implications for security. No matter how tried and tested an operating system, no matter how open the source code, no matter how well it is reviewed, we can be sure it will always have a few critical vulnerabilities that haven’t yet popped their nasty little heads above the parapet. So Microsoft’s Windows Server 2008 code has been tried and tested in Vista (with which it shares the same codebase) for 18 months? It’s a start, but there will still be bugs in there waiting to be found in 18 years. And 33 years.
When it comes to operating systems, the best advice is probably: Trust none. Suspect them all. And patch immediately.
But even if we reviewed all the code running on a machine — OS and applications — and found every single bug, would it really help? Whatever the operating system, it still has to run on something. Independent security researcher Kris Kaspersky reckons flaws in Intel’s chips — known as errata — can be huge security vulnerabilities in and of themselves. He says the Intel Itanium, for example, has over known 230 bugs. He plans to demonstrate some attacks at October’s Hack In The Box conference in Malaysia in a presentation called “Remote Code Execution Through Intel CPU Bugs.”
“Some bugs ‘just’ crash the system (under quite rare conditions) while the others give the attackers full control over the machine,” he says in his presentation abstract. “In other words, Intel CPUs have exploitable bugs which are vulnerable to both local and remote attacks which works against any OS regardless of the patches applied or the applications which are running.”
Kaspersky may have developed his proof of concept code to work on Intel chips because they are ubiquitous, but you can bet your bottom dollar there are plenty of exploitable errata on any other chip you’d care to mention. It’s just that since they’re not as widely used as Intel chips, Kaspersky (or anyone else) hasn’t got around to writing exploits for these chips. Yet.
So, hats off to OpenBSD developers Otto Moerbeek and Marc Balmer then, for getting to the bottom of the two bugs many years after the seeds for them were sown. Branding the OpenBSD crowd “a bunch of masturbating monkeys,” for concentrating too much on security bug, as Linus Torvalds reportedly did last week, does seem a trifle harsh.
Paul Rubens is an IT consultant and journalist based in Marlow on
Thames, England. He has been programming, tinkering and generally
sitting in front of computer screens since his first encounter with a
DEC PDP-11 in 1979.
This article was first published on ServerWatch.com.
Ethics and Artificial Intelligence: Driving Greater Equality
FEATURE | By James Maguire,
December 16, 2020
AI vs. Machine Learning vs. Deep Learning
FEATURE | By Cynthia Harvey,
December 11, 2020
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2021
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Paul Rubens is a technology journalist based in England and is a Datamtion and eSecurity Planet contributor.
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
