Secure Coding mailing list archives
Re: ACM Queue article and security education
From: George Capehart <gwc () acm org>
Date: Thu, 01 Jul 2004 00:21:30 +0100
On Wednesday 30 June 2004 12:00, Michael S Hines allegedly wrote: <snip>
And then a thought question - in message passing operating systems (those that respond to external stimuli, or internal message queues) - if one can inject messages into the processing queue, can't one in essence 'capture the flag'?
The short version of a very long answer is: "It's certainly possible, but we've been securing message-based systems for a long time and understand the attacks and defenses. Any well-designed message-based system includes controls that preserve the confidentiality, integrity and availability of the system. Some even include audit trails, etc."

Yet we see message passing systems as middleware (and OS core technology in some cases) to facilitate cross platform interfaces. Aren't we introducing inherent security flaws in the process?
Yes. See above. Google for "CORBASec", "DCE Security Service," MQSecure. Go to www.w3c.org, www.oasis-open.org, www.projectliberty.org, www.ws-i.org, etc. for the work that's being done on securing Web services. Then go to http://citeseer.ist.psu.edu/ and search on terms like Kerberos, SSL, TLS, IPSec, etc. Then, see _Applied_Cryptography_ and _Practical_Cryptography . . .

You are absolutely correct that, left unprotected, message passing systems are subject to *all* *sorts* of attacks. The good news is that there are lots of very smart people working on securing them.

Cheers,

George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925
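The controls George alludes to (integrity, freshness, audit trail) can be shown concretely. The following is an added example, not code from the thread or from any of the systems named in it: a toy in-process queue whose consumer accepts only messages carrying a valid HMAC tag and a strictly increasing per-sender sequence number, and records every accept/reject decision. The shared key, sender name and message bodies are constructed for the example.

```python
import hmac
import hashlib
import json
from collections import deque

# Constructed shared secret for this example only; a real deployment would
# provision keys per sender (or use asymmetric signatures) rather than one global key.
KEY = b"example-shared-secret-do-not-reuse"


class AuthenticatedQueue:
    """Queue that enqueues a message only if its HMAC tag verifies and its
    sequence number is newer than the last one accepted from that sender.
    Forged, tampered, unsigned and replayed messages are rejected and logged."""

    def __init__(self, key):
        self.key = key
        self.queue = deque()
        self.last_seq = {}   # sender -> highest accepted sequence number
        self.audit = []      # audit trail: (decision, reason, sender, seq)

    @staticmethod
    def _canonical(sender, seq, body):
        # Deterministic encoding so producer and consumer MAC the same bytes.
        return json.dumps({"sender": sender, "seq": seq, "body": body},
                          sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, sender, seq, body):
        return hmac.new(self.key, self._canonical(sender, seq, body),
                        hashlib.sha256).hexdigest()

    def seal(self, sender, seq, body):
        """Producer side: attach a tag over sender, sequence number and body."""
        return {"sender": sender, "seq": seq, "body": body,
                "tag": self._tag(sender, seq, body)}

    def submit(self, msg):
        """Consumer side: verify before enqueueing. Returns True if accepted."""
        sender = msg.get("sender")
        seq = msg.get("seq")
        body = msg.get("body")
        tag = msg.get("tag", "")
        # Integrity/authenticity: constant-time comparison of the expected tag.
        if not hmac.compare_digest(self._tag(sender, seq, body), tag):
            self.audit.append(("reject", "bad-tag", sender, seq))
            return False
        # Freshness: reject anything at or below the last accepted sequence number.
        if not isinstance(seq, int) or seq <= self.last_seq.get(sender, -1):
            self.audit.append(("reject", "replay", sender, seq))
            return False
        self.last_seq[sender] = seq
        self.queue.append(msg)
        self.audit.append(("accept", "ok", sender, seq))
        return True


def demo():
    """Run one legitimate message and three injected ones through the queue."""
    q = AuthenticatedQueue(KEY)
    good = q.seal("billing", 1, {"op": "refund", "amount": 10})
    # Injected variants (constructed): tampered body reusing the old tag, and an unsigned message.
    tampered = dict(good, body={"op": "refund", "amount": 10000})
    unsigned = {"sender": "billing", "seq": 2, "body": {"op": "refund", "amount": 5}}
    results = [q.submit(good), q.submit(tampered), q.submit(unsigned), q.submit(good)]
    reasons = [entry[1] for entry in q.audit]
    return results, reasons, len(q.queue)


if __name__ == "__main__":
    print(demo())
```

The sequence-number check is what distinguishes a replayed copy of a genuine message from the original; without it, a valid tag alone would let the same refund be processed twice.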