Secure Coding mailing list archives
COBOL Exploits
From: ken at krvw.com (Kenneth Van Wyk)
Date: Fri, 2 Nov 2007 10:41:48 -0400
On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote:
> I'm sure you can write COBOL programs that crash, but it must be hard to make them take control of the operating system.
If software exploits were "only" isolated to OS compromise, that'd be just fine. But let's not forget that an application can be thoroughly compromised by an attacker who never leaves the realm of the application -- e.g., providing spoofed credentials to read another user's customer data in a database app. The business logic data access control (authorization) is just one area of an app that transcends implementation language. A poorly designed authorization model can be implemented in pretty much anything, I believe.

Let's get past the simple buffer overflow exploit to get OS access. IMHO, it's right to consider mainframe/COBOL apps carefully. Although we likely won't find a buffer overflow "smoking gun", I'll bet we are likely to find examples of bad security logic that can lead to app compromise.

Plus, let's face it, modern attacks are moving more and more towards the pure application layer (think XSS, SQL/XML injection, cross-site request forgery, etc.), AND they're increasingly financially motivated.

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
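The flaw Ken describes (an authenticated user reading another customer's record by supplying a different identifier, with no ownership check) is language-independent; the following added example, which is not part of the thread, shows it in a toy Python "database app" beside a fixed version. The customer table, the session tokens and the audit log are constructed for illustration.

```python
"""Added example, not from the SC-L thread: a broken-authorization read in a
toy database app, next to the corrected form. All data here is constructed."""


# Constructed sample data: customer records keyed by customer id, each with
# the account (owner) that is allowed to read it.
CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice Example", "balance": 2500},
    1002: {"owner": "bob", "name": "Bob Example", "balance": 40},
}

# Constructed authenticated sessions: session token -> user name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to read the requested record."""


def authenticate(token):
    """Resolve a session token to the logged-in user; fails on unknown tokens."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthorizationError("invalid session")


def read_customer_vulnerable(token, customer_id):
    """Vulnerable form: the caller is authenticated, but the client-supplied
    customer_id is trusted as-is. Any logged-in user can read any customer's
    record simply by changing the id; the attacker never leaves the app."""
    authenticate(token)
    return CUSTOMERS[customer_id]


def read_customer_fixed(token, customer_id, audit_log):
    """Fixed form: ownership is checked against the identity derived from the
    session, never from anything the client sent. Missing and foreign records
    are treated alike so the response does not leak which ids exist, and every
    decision is appended to audit_log so denials can be detected later."""
    user = authenticate(token)
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != user:
        audit_log.append(f"DENY user={user} customer_id={customer_id}")
        raise AuthorizationError("not authorized for this record")
    audit_log.append(f"ALLOW user={user} customer_id={customer_id}")
    return record


def count_denials(audit_log):
    """Simple detection hook: number of denied reads in the audit log. A burst
    of denials from one user is the signature of id-guessing against the app."""
    return sum(1 for line in audit_log if line.startswith("DENY "))


if __name__ == "__main__":
    # Bob, logged in, reads Alice's record through the vulnerable path.
    print(read_customer_vulnerable("tok-bob", 1001))
    log = []
    try:
        read_customer_fixed("tok-bob", 1001, log)
    except AuthorizationError as exc:
        print("fixed path:", exc)
    print(log, "denials:", count_denials(log))
```

The design point is that the authorization decision keys on the server-side session identity and the record's owner field; the id the client sends selects the record but never establishes the right to read it.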
Current thread:
- COBOL Exploits Mark Rockman (Nov 01)
- COBOL Exploits security curmudgeon (Nov 02)
- COBOL Exploits ljknews (Nov 02)
- COBOL Exploits Leichter, Jerry (Nov 02)
- COBOL Exploits Kenneth Van Wyk (Nov 02)
- <Possible follow-ups>
- COBOL Exploits Peter G. Neumann (Nov 02)
- COBOL Exploits Andrew van der Stock (Nov 17)