Dailydave mailing list archives
The inability to deliver a secure implementation is an architectural flaw.
From: Dave Aitel <dave () kof immunityinc com>
Date: Tue, 7 Jul 2009 23:53:03 -0400
Congrats to Mark Dowd and Ben Hawkes on winning the Google Native Client contest. But the Google blog gives you pause: http://googlecode.blogspot.com/2009/07/native-client-security-contest-results.html

So in the CLOUDBURST talk we quote a DOD private unclassified journal as a lessons learned, "The Next Wave" Vol 17 No 3 - 2008:

"Using seven analysts over a ten week period and with some limited input from VMware developers, we explored the ability of the core NetTop technologies – VMware running on a Linux host – to maintain isolation [...]. The results of this first study were encouraging – no apparent show-stopping flaws were identified."

NetTop is a virtualization-based system that establishes a "virtual air gap" between two VMs running at different classification levels. When systems like that have failures, the result is strategic. It's not patchable. The article is interesting and talks about how, while the technical review staff were against the idea, they got pushed over and the system was deployed "successfully"!

I thought it was interesting that the same verbiage came from the Google Blog today re: Native Client:

"""
This contest helped us discover implementation errors in Native Client and some areas of our codebase we need to spend more time reviewing. More importantly, that no major architectural flaws were found provides evidence that Native Client can be made safe enough for widespread use.
"""

At some point someone senior at any project like this needs to quantify the level of testing that is required to build a secure product. Contests are interesting, but they're not providing evidence of architectural safety. All we learned here was that with some minor level of effort, lots of bugs can be found. That's not a good sign.

Although it's impossible to prove "there's no bugs", it IS possible to decide not to do stuff you can't reasonably do. That's how you avoid getting on the "advisory treadmill".

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The inability to deliver a secure implementation is an architectural flaw. Dave Aitel (Jul 07)
- Re: The inability to deliver a secure implementation is an architectural flaw. Halvar Flake (Jul 08)