Re: Ports 0-1023?

From: Michal Zalewski (lcamtufat_private)
Date: Thu Jul 04 2002 - 11:41:14 PDT

  • Next message: Blue Boar: "Re: Ports 0-1023?"

    On 4 Jul 2002, Dave Aitel wrote:
    
    > Realistically, every OS has always had a local exploit for its entire
    > history.
    
    Same about remote exploits... This does not change the fact that you have
    a chance to be lucky if you maintain your local security (i.e. don't have
    50+ suids from default distribution, properly configure temporary storage
and permissions, keep setuid software up-to-date, etc). Of course, it
takes much more experience and knowledge, and most vendors are doing their
best not to make your life simpler, but it isn't impossible.
    
    Better privilege control would be better, at least in theory. In practice,
    of course, I would expect many vendors to ship things with maximum
    privileges set just to save some time - just as we have some root daemons
    and setuid root applications shipping with no good reason, a separate
    account and setgid would do.
    
    > Why not just run every process as root and get rid of all the other
    > pesky conventions?
    
    Including mail clients or web browsers, and other software that really has
    to bind low ports, write to /etc and do other things like that?;>
    
    > The more you get into ACLs, the more you move to an NT-style "everything
    > is complicated" permissions system. This increases complexity and
    > demonstrably decreases overall security (how many services don't run as
    > SYSTEM these days? Any?).
    
    Static ACLs are generally as flawed as uid 0 access control, because such
    solutions force programmers to use very careful and highly modular design
    - which is pretty much like telling them to code in safer programming
    languages. Otherwise, any reasonably big monolithic application has to
    access so many things it is not that different from giving it root
    privileges.
    
    But it is not impossible to design a good ACL (perhaps dynamic) system.
    And there are some automated ACL systems that can actually profile the
    application and automate the process, with only minor tweaking necessary.
    Of course, once again, vendors would most likely do their best to render
    this mechanism almost useless.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
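The local-hardening points named in the mail above (keep the count of setuid/setgid binaries down, configure temporary storage properly) can be checked mechanically. The script below is an added example, not code from the original message or from its author; it enumerates setuid and setgid files under a tree and flags world-writable directories that lack the sticky bit. The sample tree it builds under mktemp, with a fake "su", "ping" and "cat" and a mis-configured var/tmp, is constructed here purely so the script runs stand-alone; pass a real path such as /usr to audit an actual system.

```shell
#!/bin/sh
# Added example: audit helpers for two of the local hardening points in the mail.
# Not the author's code; the sample tree built by build_sample_tree is constructed.

# List regular files with the setuid (4000) or setgid (2000) bit under $1.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Number of such files; this is the figure to compare against the "50+ suids
# from default distribution" the mail complains about.
count_privileged() {
    list_privileged "$1" | wc -l | tr -d ' '
}

# World-writable directories without the sticky bit: any local user can delete
# or rename other users' files there, the classic temp-storage misconfiguration.
list_unsafe_tmp_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Print a short report for the tree given as $1.
audit_tree() {
    echo "== setuid/setgid files under $1 ($(count_privileged "$1")) =="
    list_privileged "$1"
    echo "== world-writable directories missing the sticky bit =="
    list_unsafe_tmp_dirs "$1"
}

# Constructed sample tree (hypothetical layout, modes chosen to exercise both checks).
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/var/tmp"
    chmod 0755 "$root/bin" "$root/var"
    printf '#!/bin/sh\n' > "$root/bin/su"
    printf '#!/bin/sh\n' > "$root/bin/ping"
    printf '#!/bin/sh\n' > "$root/bin/cat"
    chmod 4755 "$root/bin/su"      # setuid bit (on a file we own, so no root needed)
    chmod 2755 "$root/bin/ping"    # setgid bit only
    chmod 0755 "$root/bin/cat"     # ordinary binary, must not be reported
    chmod 1777 "$root/tmp"         # correct: world-writable with sticky bit
    chmod 0777 "$root/var/tmp"     # misconfigured: world-writable, no sticky bit
    printf '%s\n' "$root"
}

# Entry point: audit the directory given on the command line, or, with no
# argument, the constructed sample tree (removed afterwards).
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
else
    sample=$(build_sample_tree)
    audit_tree "$sample"
    rm -rf "$sample"
fi
```

On the sample tree the report lists bin/su and bin/ping (count 2) and var/tmp as the only unsafe directory; find tests the mode bits, so the checks work even on a filesystem mounted nosuid. A real audit of / will take a while and should be run with enough privilege to read every directory, otherwise the 2>/dev/null hides permission errors and the count comes out low.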
    



    This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 13:42:03 PDT