Dailydave mailing list archives

Re: The security circus.


From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 19 Aug 2008 15:11:15 +0100

Peter Busser wrote on 19 August 2008 13:24:

> Talking about backdoors in Linux... What if people submit code which is
> intentionally backdoored? I wonder how resilient the Linux community is
> against such things.

  Someone tried it a couple of years back, and quite subtly too.  And it got
spotted and jumped on in about ten minutes when the patch made its way
upstream.

  Sorry, no reference to hand.  It was some subtle (poss. integer overflow?)
mis-handling of segment descriptors in relation to mmap support, that could
have allowed trivial ring0 escalation.

> Why do people think that security is only about elevating privileges?

  Well, pretty much every security *problem* comes down, at the root of it, to
someone or something being able to do something that someone else doesn't want
them to.  Otherwise it's either a) not a problem, or b) not security.

  But "Security" as a whole is as much about how you assign and manage those
privileges; it's not just "problems" (all of which can be cast in the form of
elevations, at a minor stretch), it's also "configuration", "administration",
"management", "planning", "budgeting".... all those less-exciting bits that
aren't about pwnx0r1ng someone's box...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

