Open Source and information security mailing list archives
Message-ID: <12913.1321905350@turing-police.cc.vt.edu>
Date: Mon, 21 Nov 2011 14:55:50 -0500
From: Valdis.Kletnieks@...edu
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Ubuntu 11.10 now unsecure by default

On Mon, 21 Nov 2011 10:03:21 PST, Dan Kaminsky said:

> 15.3M lines of code != 15.3M lines of code in use on any one system !=
> 15.3M lines of code that can ever involve a security boundary.

Yes, but the vast majority of it is in use on *some* system (heck, there's still
code in there to support the 3 or so NCR Voyager systems still in existence).

And the biggest hassle with security boundaries is that often the place the
failure actually occurs is nowhere near where the boundary should have been
enforced. So just because there are only (for example) 500K lines of code
involved with the security boundary doesn't mean you can simply ignore the
other 14.8M lines of code, as you may have to do some hunting to find the 500K
you're interested in (in particular, a lot of ioctl parameter checks are pushed
down into drivers because the high-level VFS code has no *clue* what the
parameters mean or how to validate them).

It's kind of like saying "We're doing an easter egg hunt, and since we only care
about the 250 1-foot square areas that actually contain eggs, we're going to
gloss over the fact that the areas are hidden all over 5 acres of dense woods
and underbrush".



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
