Full Disclosure mailing list archives
Re: Ubuntu 11.10 now unsecure by default
From: Valdis.Kletnieks () vt edu
Date: Mon, 21 Nov 2011 14:55:50 -0500
On Mon, 21 Nov 2011 10:03:21 PST, Dan Kaminsky said:
15.3M lines of code != 15.3M lines of code in use on any one system != 15.3M lines of code that can ever involve a security boundary.
Yes, but the vast majority of it is in use on *some* system (heck, there's still code in there to support the 3 or so NCR Voyager systems still in existence). And the biggest hassle with security boundaries is that often the place the failure actually occurs is nowhere near where the boundary should have been enforced. So just because there are only (for example) 500K lines of code involved with the security boundary doesn't mean you can simply ignore the other 14.8M lines of code, as you may have to do some hunting to find the 500K you're interested in (in particular, a lot of ioctl parameter checks are pushed down into drivers because the high-level VFS code has no *clue* what the parameters mean or how to validate them). It's kind of saying "We're doing an easter egg hunt, and since we only care about the 250 1-foot square areas that actually contain eggs, we're going to gloss over the fact that the areas are hidden all over 5 acres of dense woods and underbrush".