Bugtraq mailing list archives

don't assume stuff is safe (was Re: blowchunks)


From: "Perry E. Metzger" <perry () piermont com>
Date: 22 Jun 2002 15:45:37 -0400


Cris Bailiff <c.bailiff+bugtraq () devsecure com> writes:
> Because apache is so great, and has had a history of very few serious
> security bugs, older versions are embedded in a wide variety of
> products and systems,

(Not in any way criticizing your "blowchunks" work -- just using this
as a jumping off point...)

This has always been a mistake. Apache is a nice program designed by
good people, but it was never designed with security in mind. Indeed,
most systems are not designed with security in mind. A few systems
have been -- postfix and qmail for example -- but for the most part,
raging paranoia is the only way to treat software. Just because it
doesn't have a bad record doesn't mean someday someone isn't going to
crack it like an egg.

Design for security, folks. Just because the ostrich can't see the
predator doesn't mean it isn't there. Don't trust your
servers. Someday they'll be cracked. If you're a vendor, assume your
software can be attacked and make sure it won't cause much harm when
it is. If you don't know how to do that, study programs done by people
who do. That also means don't design systems so they can't be
upgraded.

If you're a user, design your networks and your business processes on
the assumption that portions of a system can and will be compromised
someday.

By the way, hats off to Niels Provos for his recent work on systrace
in OpenBSD (recently ported to NetBSD) -- it is a subsystem that lets
you go beyond just chrooting a vulnerable server and actually say
"this program isn't allowed to run fork or exec or open a file for
write" and such, thus preventing exploits from being able to do very
much once they've taken over a vulnerable server process. Not
foolproof, but certainly an excellent tool in a world where product
vendors so rarely design for security.

Perry
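The kind of policy the post describes, as an added illustration that is not part of the original message and not Niels Provos's or OpenBSD's own example. It assumes an Apache 1.3 prefork httpd at /usr/sbin/httpd, chrooted under /var/www with its logs in /var/www/logs, and no CGI; these paths are assumptions. The policy is in systrace's policy-file format: one rule per line, consulted in order, first match wins, with a `filename` or `sockaddr` predicate where the system call takes one and `deny[errno]` to choose the error the process sees. The real file would be longer (mmap, sigaction, sysctl and similar bookkeeping calls, normally recorded by running once under `systrace -A`); only the security-relevant rules are shown here.

```text
Policy: /usr/sbin/httpd, Emulation: native
	native-fsread: filename match "/var/www/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-fsread: deny[enoent] log
	native-fswrite: filename match "/var/www/logs/*" then permit
	native-fswrite: deny[eperm] log
	native-execve: deny[eperm] log
	native-fork: permit
	native-bind: sockaddr match "inet-*:80" then permit
	native-bind: deny[eperm] log
	native-connect: deny[eperm] log
	native-accept: permit
	native-read: permit
	native-write: permit
	native-close: permit
	native-exit: permit
```

The file would be installed as /etc/systrace/usr_sbin_httpd (the executable's path with slashes replaced by underscores) and the server started with `systrace -a -d /etc/systrace /usr/sbin/httpd`, where `-a` means enforce the policy without interactive prompting. fork stays permitted because a prefork httpd cannot serve without it; the children inherit the same policy, so an exploit running inside a worker still cannot exec a shell, write outside the log directory, or open an outbound connection, and every such attempt is logged. Two caveats a practitioner should keep in mind: the policy only constrains system calls, so a compromised worker can still read and return anything under /var/www (including data meant for other virtual hosts), and system-call wrappers of this design were later shown to be subject to argument races between the check and the kernel's use of the argument, which is one concrete reason the post's "not foolproof" applies.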

