On Friday 27 December 2002 11:43, John Viega wrote:

> Of course it's possible to write something that's not exploitable.
> However, it's tougher than most people think.

As an unqualified statement, this is patently false. If you had said that given a fixed environment, it's possible to develop an application that provides protection from circumvention of well defined security restrictions against a certain type of attack or attacker, then I might take it seriously. Until then, you're just furthering the myth of attainable total security (e.g., is survivability in thermonuclear war a requirement of your app? Is that appropriate? If your app fails in this case, has it been "exploited" or DoS'd, or is that an accepted failure scenario?).

> For example, I've seen
> applications that the authors assumed were not networked whatsoever,
> and had no special local privilege. However, if the files they read
> and wrote were stored on a remote file system such as an SMB mount,
> then their otherwise non-networked program was completely exploitable.

Secure design can often compartmentalize enough to handle a changing environment, but it's something of a desirable side effect of good design, not a strong property. Change the environment enough (or change abstractions that authors don't question, like the remote filesystem), and anything will break. How it breaks is the important question, and something I don't think we spend enough time discussing over the incessant din of those looking for a security silver bullet.

-- 
Alex Russell
alexat_private
alexat_private
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 22:05:21 PST