On Friday 27 December 2002 11:43, John Viega wrote:
> Of course it's possible to write something that's not exploitable.
> However, it's tougher than most people think.

As an unqualified statement, this is patently false. If you had said that
given a fixed environment, it's possible to develop an application that
provides protection from circumvention of well defined security
restrictions against a certain type of attack or attacker, then I might
take it seriously. Until then, you're just furthering the myth of
attainable total security (e.g., is survivability in thermonuclear war a
requirement of your app? is that appropriate? if your app fails in this
case, has it been "exploited" or DoS'd or is that an accepted failure
scenario?).

> For example, I've seen
> applications that the authors assumed were not networked whatsoever,
> and had no special local privilege. However, if the files they read
> and wrote were stored on a remote file system such as an SMB mount,
> then their otherwise non-networked program was completely exploitable.

Secure design can often compartmentalize enough to handle a changing
environment, but it's something of a desireable side effect of good design,
not a strong property. Change the environment enough (or change
abstractions that authors don't question, like the remote filesystem) , and
anything will break. How it breaks is the important question, and something
I don't think we spend enough time discussing over the incessant din of
those looking for a security silver bullet.

--
Alex Russell
alex (at) netWindows (dot) org [email concealed]
alex (at) SecurePipe (dot) com [email concealed]

[ reply ]