Secure Coding mailing list archives

Re: DJB's students release 44 poorly-worded, overblown advisories


From: karger () watson ibm com
Date: Wed, 22 Dec 2004 17:33:24 +0000


ljknews writes:

Date: Mon, 20 Dec 2004 13:16:59 -0500
From: ljknews <[EMAIL PROTECTED]>
Subject: [SC-L] Re: DJB's students release 44 poorly-worded, overblown advisories

At 11:09 AM -0500 12/20/04, Paco Hope wrote:

I mean, if these things are "remote exploits," I could say "The entire
OpenBSD operating system is remotely exploitable: if I email you an OpenBSD
binary and you execute it, I 0wn you." Well, duh.

That risk is mitigated when an operating system has mandatory access
controls (MAC) arranged so that users are not permitted to execute
programs which they create or import.  That capability is not quite
within the Biba Integrity Extensions to the Bell-Lapadula model, but
it is close.

On most important systems there is no need for the users to be able
to provide executables which they then run.  Executables are provided
by the system manager.
--
Larry Kilgallen


This should be no surprise.  The Bell and LaPadula model and the Biba
model were explicitly designed to deal with precisely this kind of
Trojan horse threat.  They both presume the presence of arbitrarily
malicious applications code.  Bell and LaPadula prevents the malicious
code from leaking copies of secret information to people who are not
properly authorized.  Biba prevents a process that is
handling data that requires high integrity from either executing
untrusted code or from reading untrusted data that could facilitate a
data-driven attack.  Biba constrains such a process to only executing
trusted code and reading trusted data.  Of course, deciding which code
and data should be trusted is a much harder problem!  See this paper for
some ideas on handling that harder problem:

Schellhorn, G., W. Reif, A. Schairer, P. Karger, V. Austel, and
D. Toll. Verification of a Formal Security Model for Multiapplicative
Smart Cards. in 6th European Symposium on Research in Computer
Security (ESORICS 2000). 4-6 October 2000, Toulouse, France:Lecture
Notes in Computer Science Vol. 1895. Springer-Verlag. p. 17-36.
  
  - Paul
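The two rule sets Paul describes, written out as a toy reference monitor so the emailed-binary case from the thread can be checked access by access. This is an added example, not code from the mailing list or from the cited paper; the two-level lattices, the subject and object labels, and the "user shell / mailed attachment / trojan process" scenario are all constructed for illustration, and execution is treated as a read of the code object (the simplest reading of both models).

```python
"""Toy reference monitor for the Bell-LaPadula (confidentiality) and Biba
(integrity) rules discussed above.  Added example: the level names, the
labelled subjects and objects and the 'emailed binary' scenario are
constructed for illustration, not taken from any real system."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Secrecy(IntEnum):
    """Bell-LaPadula sensitivity levels (constructed, two levels only)."""
    UNCLASSIFIED = 0
    SECRET = 1


class Integrity(IntEnum):
    """Biba integrity levels (constructed): UNTRUSTED is anything a user
    imported or compiled, SYSTEM is what the system manager installed."""
    UNTRUSTED = 0
    SYSTEM = 1


@dataclass(frozen=True)
class Label:
    secrecy: Secrecy
    integrity: Integrity


@dataclass(frozen=True)
class Entity:
    """A subject (process) or object (file, mailbox, binary) with its label."""
    name: str
    label: Label


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down).  Executing code counts as reading it."""
    if op in ("read", "execute"):
        return subject.label.secrecy >= obj.label.secrecy
    if op == "write":
        return subject.label.secrecy <= obj.label.secrecy
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba strict integrity: simple integrity property (no read down,
    which also forbids executing lower-integrity code) and integrity
    *-property (no write up)."""
    if op in ("read", "execute"):
        return obj.label.integrity >= subject.label.integrity
    if op == "write":
        return subject.label.integrity >= obj.label.integrity
    raise ValueError(f"unknown operation {op!r}")


def check(subject: Entity, obj: Entity, op: str) -> tuple[bool, bool]:
    """Reference monitor verdict as (blp_ok, biba_ok); the access is
    granted only if both are True."""
    return blp_allows(subject, obj, op), biba_allows(subject, obj, op)


# Constructed scenario: a user on a SECRET session receives a binary by mail.
SECRET_REPORT = Entity("secret_report", Label(Secrecy.SECRET, Integrity.SYSTEM))
SYSTEM_BINARY = Entity("/usr/bin/ls", Label(Secrecy.UNCLASSIFIED, Integrity.SYSTEM))
MAILED_BINARY = Entity("attachment.exe", Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED))
OUTBOX = Entity("outgoing_mail", Label(Secrecy.UNCLASSIFIED, Integrity.UNTRUSTED))

# The user's shell runs at the user's clearance and at SYSTEM integrity.
USER_SHELL = Entity("user_shell", Label(Secrecy.SECRET, Integrity.SYSTEM))
# If the attachment did run, its process would carry the attachment's
# integrity level and, once it had touched secret data, the SECRET level too.
TROJAN = Entity("trojan", Label(Secrecy.SECRET, Integrity.UNTRUSTED))


def scenario() -> dict[str, tuple[bool, bool]]:
    """Verdicts for the accesses that matter in the thread's Trojan case."""
    return {
        "shell executes system binary": check(USER_SHELL, SYSTEM_BINARY, "execute"),
        "shell executes mailed binary": check(USER_SHELL, MAILED_BINARY, "execute"),
        "trojan reads secret report": check(TROJAN, SECRET_REPORT, "read"),
        "trojan writes secret report": check(TROJAN, SECRET_REPORT, "write"),
        "trojan leaks via outbox": check(TROJAN, OUTBOX, "write"),
    }


if __name__ == "__main__":
    for access, (blp_ok, biba_ok) in scenario().items():
        verdict = "GRANT" if blp_ok and biba_ok else "DENY"
        print(f"{verdict:5} {access:30} BLP={blp_ok!s:5} Biba={biba_ok!s:5}")
```

Running it shows the division of labour between the two models: Biba alone refuses to let the SYSTEM-integrity shell execute the UNTRUSTED attachment (Larry's point about users not running imported executables), and if the attachment did somehow run, Biba alone stops the resulting UNTRUSTED process from modifying SYSTEM-integrity files, while Bell-LaPadula alone stops that process, now at SECRET, from writing what it read into an UNCLASSIFIED outbox. Neither model stops the low-integrity process from reading secret data, which is exactly why both are needed. Real systems also need the trusted-subject and labelling decisions Paul calls the harder problem; this toy monitor takes the labels as given.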