Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)

From: Predrag Zivic <pzivic () yahoo com>
Date: Mon, 13 Aug 2001 08:22:32 -0700 (PDT)
Well if the basic OS access control mechanisms are in
place your statement is true.
However, the position of the access control software
implementation is between the OS and application
software.

App. software
Access control software
OS

So, any application security flaws (i.e. buffer
overrun) are locked within access control (software
again) and are not allowed to access OS. I know that
this is an ideal picture but it helps.
Anyway, this is not to say that applications can be
developed just like that. It could be considered that
the software assurance is orthogonal to access control
assurance, as David points (I will think about it).
Applications should be and must be thoroughly
(security-wise) tested before release, but everyone
makes a mistake sometimes. (Is there a paper or
something on best security practices for software
development?) To eliminate software problems, access
control software should be implemented. According to
me this is one example of multiple layer security
implementation. Before you get to the OS one should
break application and access control software
security.
One will argue that access control software is just
another software that adds complexity. That is OK, and
one should measure the risk and benefits and needs and
decide what to do. 
My text was refering to actual access control software
implementation and actual info flow process.

Pez

--- David Wagner <daw () mozart cs berkeley edu> wrote:

Predrag Zivic  wrote:

You were quite right to what the solution should

be.

Prevent is the key word. Not how to deal (although
that is the part of the issue and the process) but

how

to prevent the problem from happening. 
As far as I am concerned, proper and fine grained
access control is a very good prevention solution.


Huh?  Access control has little to do with buggy
code.  All the access
control mechanisms in the world don't help if your
trusted code has a
buffer overrun vulnerability.  Access control and
software assurance
are orthogonal.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com


http://list.nfr.com/mailman/listinfo/firewall-wizards


__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: