OSEC

From: Crispin Cowan (crispinWIREX.COM)
Date: Thu Jan 04 2001 - 14:29:36 CST


    Bryan Porter wrote:

    > I'm sorry, but this seems a bit much for me. My car has tires, and because
    > the tires are kind of bad and over-engineered, I shouldn't drive over 10MPH
    > because they might explode? What? Fix the tires. Same thing here.
    >
    > "Don't make GTK+ program suid/setgid because it's based on another project
    > with multiple potential vulnerabilities." Absolutely ridiculous. "Our tires
    > suck because we bought cheap rubber." What?

    That's the silliest thing I've read today. SUID programs (or in fact any
    highly trusted entity) absolutely should be small. Small size is a classic
    element of good design of a Trusted Computing Base. You cannot effectively
    security-audit a large code base, so you identify the smallest possible
    elements that need strong authority, and exclude the rest from the high-trust
    mode.

    > Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
    > then it is horribly broken. It's a graphic library for Christ's sake. And, if
    > it's so full of spaghetti code that it can't easily be fixed, then trash it.
    > But the excuses given are ridiculous, period. No professional project would
    > ever stand for this level of ineptitude. Qt works fine suid. And it's quite
    > cross-platform.

    The "Don't use setuid with X" that Wichert Akkerman posted is excellent
    advice. This also applies to Qt: I do not for one second believe that Qt or
    KDE is secure.

    Further, this issue is the fundamental basis for some of the security and
    stability problems found in Windows NT. Windows incorporates a large graphics
    subsystem into the kernel, forcing it to be part of the trusted computing
    base. Problem: when bugs in that code break stuff, the whole kernel goes south
    and you get a BSOD.

    KISS (Keep It Simple, Stupid) is the soul of secure design. More importantly,
    the architecture should allow the implementor to build small & simple trusted
    programs, without having to link in huge tracts of code.

    Harkening back to your tire analogy: tires (and brakes and steering) are all
    part of the car's safety systems, and thus are heavily over-engineered. But
    don't make the safety of the car depend on flaky, unnecessary components like
    the radio and the power windows, or you substantially increase the risk of
    failure.

    Crispin

    --
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc. http://wirex.com
    Free Hardened Linux Distribution:                    http://immunix.org
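The "small and simple trusted program" structure argued for above, as an added example that is not from this thread or from either author: a setuid helper does its one privileged job in a few lines at the top, drops privileges irreversibly and verifies the drop, and only then touches anything large such as a GUI toolkit. It assumes a Linux system with the usual libc; the privileged step itself is a placeholder comment.

```c
/* Added example: privilege-drop pattern for a small setuid helper.
 * Assumes Linux; the root-only work at the top of main() is a placeholder. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid for good (real, effective and saved ids), then verify it.
 * Returns 0 on success, -1 if any step failed or the drop did not "take". */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: once uid is gone, they cannot be cleared. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: after setuid() to a non-root uid, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    /* As root, setuid() changes real, effective and saved uid together. */
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the calls alone; read the ids back. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* If this was a real drop from root, regaining root must now fail. */
    if (uid != 0 && (setuid(0) != -1 || errno != EPERM))
        return -1;
    return 0;
}

int main(void)
{
    /* 1. Small privileged part: the one thing that needs root goes here
     *    (placeholder: e.g. open a root-only device and keep the descriptor). */

    /* 2. Drop to the invoking user before anything big is linked or run. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return EXIT_FAILURE;
    }

    /* 3. Only now initialise the large untrusted code (the GUI toolkit) or
     *    exec the real program, handing it the descriptor from step 1. */
    printf("continuing unprivileged as uid %u\n", (unsigned)getuid());
    return EXIT_SUCCESS;
}
```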