oss-sec mailing list archives

Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 17 Nov 2014 07:54:54 -0800

I know that this sounds awfully impractical (at least for the time
being, because the landscape here is changing pretty rapidly), but
some would say that the best advice they can give to "average users"
now is to watch "untrusted" movies with web browsers which are
employing well-reviewed and tested sandboxing technologies and their
media decoders are well tested (also: fuzzed). I guess "regular" media
players will follow with this approach in some time.

Well, but that's a tough argument.

First, as you note, the primary way that things like ffmpeg have
improved is fuzzing. In fact, if anything, ffmpeg has been
*exceptionally* bad before that, would definitely fail the "designed
for security" test, and by that criteria, should not have been used in
any browser to begin with. So, it's probably not a very good argument
against fuzzing bad software =)

Secondly - as most people on this list know, sandboxing is a tricky
beast. Firefox doesn't have it. Safari and Opera don't have it (that I
know of). MSIE has a fairly limited one. Chrome has a good sandbox on
most platforms, but today, it is certainly far from being a silver
bullet - an RCE in a sandboxed renderer still gives access to many of
your online assets (doubly so if you advise people to conduct their
business in browser-accessible VMs, cloud services, or so).

They are working on something better, but the difficulty of making
that happen for a fairly specific use case certainly emphasizes how
tricky sandboxing can be with today's monolithic, multi-purpose apps.
People have been talking about lightweight, dynamic
compartmentalization-on-the-fly for other tools for a very long time,
but not much has gained widespread acceptance so far. Most OSes ship
with a dizzying array of containment mechanisms, most of which are
completely unused save for a handful of binaries built by teams
passionate about infosec. I'm not sure if we have the power to change
that.

/mz
