Dailydave mailing list archives

Re: Concurrency, deadlocks, security and unicode.


From: "Steven M. Christey" <coley () mitre org>
Date: Sun, 27 Nov 2005 16:42:52 -0500 (EST)


Dave Aitel said:

> I expect people to discover that you can manipulate the state machines
> that drive many web applications in weird ways using concurrency
> flaws. Has anyone on this list found this to be true yet?

Not at the level of complexity you're talking about with respect to
threading, but there are a few dozen publicly reported vulnerabilities
that involve out-of-order or asynchronous operations between 2
distinct processes, e.g.:

  - sending a PASS command before USER in an FTP session

  - interrupting an asynchronous data transfer operation.  This is
    found fairly frequently by Luigi Auriemma in his analysis of video
    games (as a shout-out to him, he's the only one who seems to be
    doing this kind of analysis regularly).

  - CVE-2005-3847 is a recent Linux kernel example where you cause a
    deadlock by sending a SIGKILL to a real-time threaded process
    while it is performing a core dump.

One of these days maybe there will be a fad/trend for doing this kind
of analysis, e.g. when file format fuzzing stops being so easy?  :)
Execution fuzzing is an intriguing concept...

- Steve
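As an added example (not from the thread, and not code from any product mentioned in it): a toy FTP login state machine in Python showing the PASS-before-USER ordering flaw Steve lists, beside a handler that checks the session state before acting on each command. The account name and password are constructed; the reply codes follow RFC 959.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample account (not from the thread).
CREDENTIALS = {"alice": "s3cret"}


@dataclass
class Session:
    state: str = "CONNECTED"  # CONNECTED -> USER_GIVEN -> LOGGED_IN
    user: str | None = None


def loose_handle(s: Session, cmd: str, arg: str) -> str:
    """Flawed handler: each command updates the session on its own and
    nothing checks that USER came before PASS, so the PASS branch looks up
    a username that may never have been set.  The unhandled KeyError stands
    in for the crash an out-of-order command can trigger in a real daemon."""
    if cmd == "USER":
        s.user = arg
        return "331 Password required"
    if cmd == "PASS":
        if CREDENTIALS[s.user] == arg:  # KeyError when s.user is still None
            s.state = "LOGGED_IN"
            return "230 Logged in"
        return "530 Login incorrect"
    return "500 Unknown command"


def strict_handle(s: Session, cmd: str, arg: str) -> str:
    """Hardened handler: the session state is checked before any command
    touches the session; 503 is RFC 959's reply for a command out of order."""
    if cmd == "USER" and s.state != "LOGGED_IN":
        s.user, s.state = arg, "USER_GIVEN"
        return "331 Password required"
    if cmd == "PASS" and s.state == "USER_GIVEN":
        if CREDENTIALS.get(s.user) == arg:
            s.state = "LOGGED_IN"
            return "230 Logged in"
        s.user, s.state = None, "CONNECTED"  # failed login restarts the sequence
        return "530 Login incorrect"
    if cmd in ("USER", "PASS"):
        return "503 Bad sequence of commands"
    return "500 Unknown command"


def run(handler, commands: list[tuple[str, str]]) -> tuple[list[str], str]:
    """Feed a command sequence to a handler; return the replies and final state."""
    s = Session()
    return [handler(s, c, a) for c, a in commands], s.state
```

Fuzzing the command order against both handlers (rather than only the command contents) is the "execution fuzzing" idea in a nutshell: the strict handler answers 503 and keeps its state, while the loose one falls over.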

