The Price of Shells…


In the mid-nineties, when Apple introduced Macintoshes based on the 68040 processor, Word for Macintosh started crashing systematically. The reason was that Motorola had introduced two separate caches into the processor: one for data, one for instructions. Programs that modified their own code, a practice that had been discouraged for years, failed because of cache inconsistencies.

Years have passed, and Unix systems have come to dominate, to the point where younger programmers have only ever coded on Linux. One of the strong points of Unix is its flexibility: everything is a file, most files are in a human-readable format, and many components can be reconfigured or re-assembled, Lego-like. As Douglas McIlroy, one of the first contributors to Unix, said:

This is the Unix philosophy: Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface.

This has led Unix to prefer human-readable formats and to represent configuration as an executable program, sometimes reusing the shell interpreter for that purpose, sometimes not. Because everything is text, there is no real typing, and because everything has to be human-readable, there are many escaping rules. Learning which quotes do what is one of the most confusing things when learning a Unix shell.

This flexibility made Unix very versatile and adaptable, but we are now paying the price of it: if you conflate data and code, it is easier for an attacker to inject code into data; if your system has arcane escaping rules, there is a good chance someone will find a way to abuse them.

Shellshock shows this in exemplary fashion: the bug has been there for ages, hidden in the way the shell interprets environment variables (untyped text) and treats that data as code. As this component is reused practically everywhere, the potential attack surface is huge, and it is not just a matter of fixing a bug: the issue is systemic, and for certain systems the behaviour is a feature they need in order to work; fix the bug, and you break those elements.
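As an added illustration of the data-as-code point above (example code, not from the original post): a request handler that flags and strips environment values carrying bash's exported-function marker before it spawns a child process, which is the kind of front-end filtering deployed while the shell itself was being patched. The CGI-style environment is constructed for the example, and the variable names and the TRAILING_COMMAND_PLACEHOLDER text are assumptions.

```python
import subprocess

# Marker that unpatched bash used to recognise an exported function
# stored in an environment variable's value; it then kept parsing, and
# executing, whatever text followed the function body.
FUNC_EXPORT_PREFIX = "() {"

# Constructed CGI-style environment for illustration (not a real request).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "() { :; }; TRAILING_COMMAND_PLACEHOLDER",
    "HTTP_HOST": "example.invalid",
}


def looks_like_function_export(value: str) -> bool:
    """True when a value starts with the marker that unpatched bash
    treated as the beginning of code rather than as plain data."""
    return value.lstrip().startswith(FUNC_EXPORT_PREFIX)


def suspicious_env_entries(env: dict) -> list:
    """Names of environment variables whose value looks like exported code,
    sorted so the result is stable for logging and alerting."""
    return sorted(name for name, value in env.items()
                  if looks_like_function_export(value))


def sanitized_env(env: dict) -> dict:
    """Copy of env with every function-looking value dropped, so request
    data can no longer reach the shell in a form it would run as code."""
    return {name: value for name, value in env.items()
            if not looks_like_function_export(value)}


def run_with_sanitized_env(argv: list, env: dict) -> subprocess.CompletedProcess:
    """Launch a child with the cleaned environment, as an argv list rather
    than a shell command string, so no extra interpretation happens."""
    return subprocess.run(argv, env=sanitized_env(env),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("flagged:", suspicious_env_entries(SAMPLE_ENV))
    print("kept:", sorted(sanitized_env(SAMPLE_ENV)))
```

The prefix check is a coarse filter: it catches the marker bash looked for, not every way a value could be mis-parsed, so it complements rather than replaces upgrading the shell.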

Seashell Hole © Zen Sutherland CC BY-NC-SA 2.0.
