Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Predrag Zivic <pzivic () yahoo com>
Date: Mon, 13 Aug 2001 08:22:32 -0700 (PDT)
Well, if the basic OS access control mechanisms are in place, your statement is true. However, the position of the access control software implementation is between the OS and the application software:

    App. software
    Access control software
    OS

So, any application security flaws (i.e. buffer overrun) are locked within access control (software again) and are not allowed to access the OS. I know that this is an ideal picture, but it helps.

Anyway, this is not to say that applications can be developed just like that. It could be considered that software assurance is orthogonal to access control assurance, as David points out (I will think about it). Applications should be and must be thoroughly (security-wise) tested before release, but everyone makes a mistake sometimes. (Is there a paper or something on best security practices for software development?)

To eliminate software problems, access control software should be implemented. According to me, this is one example of a multiple-layer security implementation. Before you get to the OS, one should break application and access control software security. One will argue that access control software is just another piece of software that adds complexity. That is OK, and one should measure the risk and benefits and needs and decide what to do.

My text was referring to actual access control software implementation and actual info flow process.

Pez

--- David Wagner <daw () mozart cs berkeley edu> wrote:
> Predrag Zivic wrote:
> > You were quite right to what the solution should be. Prevent is the key word. Not how to deal (although that is the part of the issue and the process) but how to prevent the problem from happening. As far as I am concerned, proper and fine grained access control is a very good prevention solution.
>
> Huh? Access control has little to do with buggy code. All the access control mechanisms in the world don't help if your trusted code has a buffer overrun vulnerability. Access control and software assurance are orthogonal.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards