Full Disclosure mailing list archives

Re: [inbox] Re: RE: Linux (in)security


From: "Bill Royds" <full-disclosure () royds net>
Date: Sun, 26 Oct 2003 12:45:36 -0500

Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real difference is the programming language used to write the code. The
C programming language used for Windows, Linux etc. is inherently insecure.
The C string is an invitation to a buffer overflow. It has no bounds
checking by default so each use of it (copy, string search ...)  must be
checked for a buffer overflow.
A Pascal string has an explicit length associated with it so buffer
overflows are much less likely (there are still the problems of the
underlying OS written in C).
Another problem with C is that there is not an inherent mechanism to match
the types of parameters in a function call with the types of the actual
parameters used, especially when calling with arrays or pointers. A pointer
argument is inherently insecure because it could point to anything. The only
mechanism for passing parameters that need to be changed by a function is a
pointer in C (others have value/result, where the subroutine makes a local
copy, modifies that, then returns the modified value for the caller to use).
If we really want to have more secure software we need to look at the
tools we use to write it, not just at the platforms it runs on.


----- Original Message ----- 
From: <Glenn_Everhart () bankone com>
To: <purdy () tecman com>; <lcamtuf () ghettot org>
Cc: <full-disclosure () lists netsys com>
Sent: Thursday, October 23, 2003 3:39 PM
Subject: RE: [inbox] Re: [Full-disclosure] RE: Linux (in)security


I agree that inherent OS features have much to do with their
security, but must observe that OSs like VMS and OS/400 have
very few security issues (even, in the first case, where heavily
tested in wide networks) and are not open source (though again
listings are published not too expensively for those interested
at least in the first of these). Secure OS construction has been
accomplished, to a pretty good approximation, by these OSs due
I suspect to a culture of security paranoia in the engineering
groups responsible. Any modest sized group with such a culture
I would submit is likely to develop good solutions; the more talent
in the group, the better they will be.

I mention these two because they are to my way of thinking examples
of OSs which have been built with relatively few mistakes or
misfeatures in the security area, disproving claims that such
OSs cannot be built.

I would also submit that unless "properly configured" systems include
"out of the box" systems, many fewer such will be found. VMS switched
to such after V5 due to having been publicly beaten up by worms
that used some of the old wide-open defaults. Made a tremendous
difference in the field.



-----Original Message-----
From: Curt Purdy [mailto:purdy () tecman com]
Sent: Thursday, October 23, 2003 3:33 PM
To: 'Michal Zalewski'
Cc: full-disclosure () lists netsys com
Subject: RE: [inbox] Re: [Full-disclosure] RE: Linux (in)security


http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is one of the
most secure operating systems available today.''

The key words here are "properly configured".

Well, once "properly configured", pretty much _any_ operating system would
make it to the top 0.01% of the most secure boxes in the world.
<snip>

I heartily disagree.  When you have inherently more secure code in OS's like
*NIX and Netware, as evidenced by the paltry number of patches required by
those OS's (1 in Netware vs. 38 for Windows in the same period) it doesn't
matter how well you configure Windows, it will still be vulnerable, waiting
for a compromise of the next discovered hole.  The reason for this is
fundamental in the design.  From the use of a registry (which corrupts with
time, finally requiring re-installation) to the fact that no single human
being knows all the source code for Windows, much less audits it, is the
difference between MS and the rest.

This is the reason open-source is inherently more secure.  First, people can
actually audit it for security (you think IBM recommended Linux without
going over every single line of code?)  Second, everyone can see the code
and contribute fixes when they see a potential problem, not after a
vulnerability has developed and been discovered.  True, Netware is
closed-source but the engineering is superb and it does only what it needs
to do, be a network OS.

People have the wrong idea when they say "Windows vulns are more researched
and discovered because it is so prevalent."  Without a total re-architecture and
re-write of Windows code, if and when (hopefully) Windows OS's become a
minority, they will still be getting the vast majority of discovered and
exploited holes. Lay a dollar to a dime on that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
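
Added example (not part of the original messages): the contrast drawn in the reply at the top of this thread between C strings and Pascal-style counted strings, sketched in C. The `pstr` type, its 15-byte capacity and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PSTR_CAP 15            /* fixed capacity, like a Pascal string[15] */

/* Counted string: the length travels with the data, no terminator needed. */
typedef struct {
    unsigned char len;         /* bytes in use, always <= PSTR_CAP */
    char data[PSTR_CAP];
} pstr;

/* Assign n bytes; refuse instead of writing past the buffer. 0 = ok. */
int pstr_assign(pstr *dst, const char *src, size_t n)
{
    if (n > PSTR_CAP)
        return -1;             /* the check the type makes possible everywhere */
    memcpy(dst->data, src, n);
    dst->len = (unsigned char)n;
    return 0;
}

/* Append b to a; both lengths are known, so the check is one comparison. */
int pstr_append(pstr *a, const pstr *b)
{
    if ((size_t)a->len + b->len > PSTR_CAP)
        return -1;
    memcpy(a->data + a->len, b->data, b->len);
    a->len = (unsigned char)(a->len + b->len);
    return 0;
}

/* The C-string equivalent: every call site has to do this check by hand. */
int cstr_copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);    /* length found only by scanning for '\0' */
    if (n + 1 > dstsize)
        return -1;             /* an unchecked strcpy() would overflow here */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    pstr s;
    char buf[8];
    printf("%d %d %d\n", pstr_assign(&s, "short", 5),
           pstr_assign(&s, "this input is too long", 22),
           cstr_copy_checked(buf, sizeof buf, "12345678"));
    return 0;
}
```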

