lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <423F49B5.90004@science.org>
Date: Tue, 22 Mar 2005 10:24:53 +1200
From: Jason Coombs <jasonc@...ence.org>
To: jericho@...rition.org
Cc: sberinato@....com, full-disclosure@...ts.grok.org.uk,
	isn@....org, bugtraq@...urityfocus.com
Subject: Re: [ISN] How To Save The Internet


InfoSec News wrote:
> Forwarded from: security curmudgeon <jericho@...rition.org>
> Cc: sberinato@....com
> ... Big load of crap ...
> : http://www.cio.com/archive/031505/security.html
> : BY SCOTT BERINATO
> : serial numbers and control their distribution. James Whittaker says 
> : programmable PCs are dangerous, so why not treat them like guns?

jericho@...rition.org wrote:
> In 2001, 2002, 2003 and 2004, how many deaths were attributed to 
> computers?

Programmable PCs *are* dangerous, but only to themselves and other 
programmable PCs that aren't operated by skilled people who know how to 
defend against the execution of unwanted machine code.

The problem with programmable PCs is that they execute machine code 
without considering whether any of the instructions are desired by the 
owner of the CPU. A no execute (NX) stack and heap [1] is a step in the 
right direction, but everyone in the computer industry who has given 
this any thought already knows that the core problem with computer 
security is that our CPUs make no effort to restrict the execution of 
machine code to that very small subset of all possible machine code 
which constitutes the code that the owner of the CPU desires it to run.

Until this security defect is solved, we will still have problems caused 
by rampant technical bugs in our programmable PCs. Insecure software 
would not be a threat except in rare circumstances if there were only a 
way for our CPUs to be configured to execute *only* the insecure 
software that we desire, and block anything else that is added to our 
boxes by buffers, bullies, or buffoons.

If anyone really cared about solving this core security problem with 
computing today, it would be solved in just a few months. We would then 
be left with all of the wonderful array of security problems that are 
caused by human behavior (theft, misuse, physical intrusion, 
eavesdropping, scam artists, etc) and these are problems we can all live 
with in relative harmony [7].

The marketplace is not demanding this solution, and it appears from the 
noise of the media and marketing and PR machines of our revered industry 
leaders that nobody is even trying to build awareness of the problem 
much less devise and deliver solutions.

Programmable CPUs are not suitable for use in data communications 
devices without hardware defenses that restrict the machine code 
instruction sequences that the CPU will accept. Programmable CPUs are 
barely suitable for anything without this simple security addition.

We're all so busy pushing bits around urgently we've forgotten to care.

CIO should be ashamed to be perpetuating the pointless and fraudulent 
business ideas of an industry addicted to extracting profit from victims 
by causing them unnecessary problems and then selling inadequate fixes.

Sincerely,

Jason Coombs
jasonc@...ence.org


[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx

[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ