| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Sep 2010 20:47:03 +0200 (CEST) From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz> To: full-disclosure@...ts.grok.org.uk Subject: Re: DLL hijacking with Autorun on a USB drive On Tue, 31 Aug 2010 Valdis.Kletnieks@...edu wrote: > Only if your OS's security model understands the fact that executable > code and data belong in different security domains and thus different > rules should apply about what files to "trust" in each category. If your OS's security model "understands" programs and data belong in different security domains then every instruction of code on your computer is trusted to enforce that policy. Your line of defence goes through every program and any bug can breach it. The failure is inevitable. [1] [1] P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner and J. F. Farrell, "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments", In Proceedings of the 21st National Information Systems Security Conference, 1998, pp. 303--314 <http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.117.5890> -- Pavel Kankovsky aka Peak / Jeremiah 9:21 \ "For death is come up into our MS Windows(tm)..." \ 21st century edition / _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists