Wednesday, February 3, 2010

There is no such thing as a perfectly secure program

Back in 2007, I posted this criticism of DjbDNS on their mailing list. As you can imagine, the people on the mailing list were not happy.

What has changed with DjbDNS since I wrote this criticism: I cannot help but observe that, ever since those three security holes were discovered in DjbDNS, DJB advocates have been a lot quieter about how ultra-secure DjbDNS is.

In comparison, MaraDNS has had 12 security problems in its near-decade of existence. OK, so I have four security problems for every security problem DjbDNS has. Then again, of those 12 holes:
  • Four were only in unstable development releases of MaraDNS
  • One was caused by broken behavior in the Linux kernel and not by MaraDNS
  • Two were patches against theoretical problems in AES that do not have any real-world exploits
  • The remaining five problems only allowed an attacker to perform a denial of service against MaraDNS; the one I patched yesterday only works in the unusual case of an attacker being able to give MaraDNS a csv2 zone file
To make this an apples-to-apples comparison, there have only been five practically exploitable security problems in stable releases of MaraDNS caused by my own coding errors. None of them have been worse than denial of service.

I should also point out the hole I patched yesterday only exists because I decided it was good to have a more attractive zone file format for MaraDNS.

The idea that there exists an uber-genius programmer who can magically make code without any security problems that never needs to be updated was a myth DJB advocates liked to present in the first decade of the 2000s. This is nothing more than a myth, shattered by the three security holes people have discovered in DJBdns (not to mention the backscatter spam problem in Qmail, which is a security problem).

Security is a process. Programmers, no matter how experienced or skilled, make errors. To criticize a programmer for making a mistake is unreasonable and unrealistic. The best we can do is write a program in a coding style that minimizes security problems; the fact that MaraDNS has had only four (maybe five) practically exploitable security problems in stable releases is a very good record.

If you want security, you want to use a program that the programmer stands behind and continues to support. Which is what I have been doing with MaraDNS for nearly a decade and which I have no plans to stop doing.