Re: Writing Secure code

From: John Viega (viegaat_private)
Date: Fri Dec 27 2002 - 13:06:51 PST


    Matt,
    
    Well, clearly the environment plays a factor.  Indeed, we will agree 
    that in an environment where there are no SMB shares, the applications I 
    was describing really can be "probably" secure if coded carefully 
    against possible risks from local users, because they don't have any 
    sensitive data themselves to manipulate and they don't introduce a path 
    to escalating privilege on the machine in which they run.  In an 
    environment where there's only a single local user, there really 
    is no issue.
    
    However, when doing audits of the security of an application, we try to 
    assume the absolute worst case deployment environment.  That is, you 
    should always be asking yourself about the circumstances that might 
    actually introduce risks you weren't already considering.  Often, this 
    will lead you to risk from insiders, including physical security.  
    Usually, such risks aren't in a developer's threat model, even when 
    they should be.
    
    John
    
    
    On Friday, December 27, 2002, at 03:59 PM, Matt McClellan wrote:
    
    > I would explicitly qualify "not exploitable" as "not exploitable in a 
    > given
    > environment".  Developers will generally have to make some assumptions 
    > when
    > writing code.  Take that code to an environment where one of the 
    > assumptions
    > is invalid and there might be an exploit.  I don't see how writing 
    > something
    > that is absolutely "not exploitable" is any more possible than "total
    > security".
    >
    > --Matt
    >
    >> -----Original Message-----
    >> From: John Viega [mailto:viegaat_private]
    >> Sent: Friday, December 27, 2002 12:44 PM
    >> To: Rahul Chander Kashyap
    >> Cc: secprogat_private
    >> Subject: Re: Writing Secure code
    >>
    >>
    >> Of course it's possible to write something that's not exploitable.
    >> However, it's tougher than most people think.  For example, I've seen
    >> applications that the authors assumed were not networked whatsoever,
    >> and had no special local privilege.  However, if the files they read
    >> and wrote were stored on a remote file system such as an SMB mount,
    >> then their otherwise non-networked program was completely exploitable.
    >>
    >> John
    >>
    >> On Friday, December 27, 2002, at 07:46 AM, Rahul Chander Kashyap 
    >> wrote:
    >>
    >>> Hi people,
    >>>
    >>> I've been going through some articles on how to write secure code 
    >>> esp.
    >>> from: http://www.shmoo.com/securecode/
    >>>
    >>> I am looking for something more specific for the windows platform. 
    >>> Are
    >>> there any specific guidelines/standards that one could follow?
    >>>
    >>> And one more thing...<this one might be interesting ;-)>  Is it 
    >>> possible
    >>> to write code that is completely secure and not exploitable?
    >>>
    >>> Thanks for parsing through my mail :-)
    >>>
    >>> Regards,
    >>>
    >>> Rahul Kashyap
    >>>
    >>> www.nsecure.net
    >>> ------------------------
    >>> Layered Defence
    >>> ------------------------
    >>>
    >>>
    >>
    >>
    >
    
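A worked illustration of the SMB-mount point made in this thread, added here as an example; it is not code from John's, Matt's or Rahul's messages. Everything in it is an assumption invented for the example: the one-byte-length record format, the NAME_MAX limit, the function names parse_name_trusting and parse_name_checked, and the two sample files. The trusting parser is correct only under the deployment assumption "nobody but this program writes these files", which a remote share silently invalidates; the checked parser drops that assumption and treats the file as untrusted input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-disk record layout assumed for this example (not a real format):
 *   byte 0      : N, the length of the name field
 *   bytes 1..N  : the name (stored without a NUL terminator)
 * The program writes these files itself and later reads them back. */
#define NAME_MAX 16   /* the longest name the program itself ever writes */

/* Trusting parser.  Implicit assumption: "only this program writes these
 * files, so N is always <= NAME_MAX and the record is always complete".
 * On a single-user local disk that may hold.  If the file lives on an SMB
 * share, any other user of the share can rewrite it, and N = 255 writes
 * 255 bytes into a 17-byte buffer (and reads past the end of the input). */
int parse_name_trusting(const uint8_t *buf, size_t len, char name_out[NAME_MAX + 1])
{
    if (len < 1)
        return -1;
    size_t n = buf[0];
    memcpy(name_out, buf + 1, n);   /* n is never compared to NAME_MAX or len */
    name_out[n] = '\0';
    return (int)n;
}

/* Hardened parser.  Treats the file as attacker-controlled input regardless
 * of where the deployer happens to store it. */
int parse_name_checked(const uint8_t *buf, size_t len, char *name_out, size_t out_sz)
{
    if (len < 1 || out_sz == 0)
        return -1;
    size_t n = buf[0];
    if (n + 1 > out_sz)             /* name plus NUL must fit the caller's buffer */
        return -1;
    if (len < 1 + n)                /* record claims more bytes than the file holds */
        return -1;
    memcpy(name_out, buf + 1, n);
    name_out[n] = '\0';
    return (int)n;
}

/* Constructed sample files for the example (not captured from any system). */
static const uint8_t BENIGN_FILE[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
/* A file rewritten by someone else on the share: the length byte says 255
 * but only three bytes follow. */
static const uint8_t HOSTILE_FILE[] = { 255, 'p', 'w', 'n' };

/* Checked parser on the program's own output: returns 5 and fills "alice". */
int demo_benign_checked(char *out, size_t out_sz)
{
    return parse_name_checked(BENIGN_FILE, sizeof BENIGN_FILE, out, out_sz);
}

/* Checked parser on the rewritten file: returns -1 instead of copying 255 bytes. */
int demo_hostile_checked(char *out, size_t out_sz)
{
    return parse_name_checked(HOSTILE_FILE, sizeof HOSTILE_FILE, out, out_sz);
}

int main(void)
{
    char name[NAME_MAX + 1];

    /* The trusting parser works on a file the program wrote itself... */
    if (parse_name_trusting(BENIGN_FILE, sizeof BENIGN_FILE, name) == 5)
        printf("trusting parser, benign file: %s\n", name);

    /* ...and would overflow `name` on HOSTILE_FILE, so it is deliberately
     * not called on that input here.  The checked parser rejects it. */
    if (demo_hostile_checked(name, sizeof name) < 0)
        printf("checked parser, hostile file: rejected\n");

    return 0;
}
```

The audit habit John describes is exactly the step from the first parser to the second: ask which property of the environment the code is relying on (here, "this file is only ever written by me"), then assume that property does not hold and see whether the code still behaves. The checked parser is not slower or more complicated in any meaningful way; the cost is only the discipline of treating every input the program did not compute itself as hostile.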



    This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 22:05:33 PST