Secure Coding mailing list archives

RE: Hypothetical design question


From: Nick Lothian <nl () essential com au>
Date: Fri, 30 Jan 2004 02:29:26 +0000

The problem with "restricting malicious things" is that the same action can be viewed as desirable or malicious, depending on intent. Intent is an intangible. Computing systems tend to deal poorly with intangibles.

If I type 'rm -fr /', my intention is to prepare a machine for a new OS load, prior to a reformat. If an intruder types 'rm -fr /', his intentions are *likely* (can't say for sure without directly asking the intruder!) to be somewhat more malicious.

The OS has no way of determining who the "real" user is and which intention is desirable and which isn't. If you try to enumerate a list of "potentially malicious code" that shouldn't be run from Application X you'll be at it for the rest of your life; a never-ending, never-winning battle. :-(


Exactly. That is why I dreamed up the persistent codebase thing.

Nothing received from email should ever be able to execute rm -rf, nor should it ever be able to send email itself, nor open sockets, etc - even if it has been saved to disk and is being executed later.
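An added illustration of the idea in this reply, not code from the thread or from any project it mentions: a payload keeps an origin tag ("email" or "local") when it is saved to disk, and that tag, rather than the content of the file or any guess at intent, decides which capabilities it may use whenever it is later run. The sidecar-file layout, the capability names, and the policy table are this example's own assumptions.

```python
"""Toy model of an origin-tagged, persistent sandbox policy (added example).

The same bytes are denied shell execution, mail and sockets when they came
from email, and allowed them when a local user wrote them: the decision is
keyed on provenance, which survives the file being saved and run later.
"""
import json
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Capabilities a program may request at run time (constructed names).
CAP_EXEC_SHELL = "exec_shell"
CAP_SEND_MAIL = "send_mail"
CAP_OPEN_SOCKET = "open_socket"
CAP_READ_OWN_DIR = "read_own_dir"

# Policy table (assumed): what each origin is never allowed to do.
DENIED_BY_ORIGIN = {
    "email": {CAP_EXEC_SHELL, CAP_SEND_MAIL, CAP_OPEN_SOCKET},
    "local": set(),
}


def origin_path(path):
    """Sidecar file that records where the payload came from (assumed layout)."""
    return path + ".origin"


def save_with_origin(path, data, origin):
    """Persist the payload together with its origin tag."""
    with open(path, "wb") as f:
        f.write(data)
    with open(origin_path(path), "w") as f:
        json.dump({"origin": origin}, f)


def load_origin(path):
    """Read the origin tag; a missing or unreadable tag fails closed to 'email'."""
    try:
        with open(origin_path(path)) as f:
            return json.load(f)["origin"]
    except (OSError, KeyError, ValueError):
        return "email"


@dataclass
class Sandbox:
    origin: str
    log: list = field(default_factory=list)

    def request(self, cap):
        """Grant or deny one capability based purely on origin, and log it."""
        denied = DENIED_BY_ORIGIN.get(self.origin, DENIED_BY_ORIGIN["email"])
        allowed = cap not in denied
        self.log.append((self.origin, cap, "allow" if allowed else "deny"))
        return allowed


def run_saved_program(path, requested_caps):
    """Simulate running a file saved earlier: each request is checked against
    the origin recorded at save time, not against the file's contents."""
    sb = Sandbox(load_origin(path))
    return {cap: sb.request(cap) for cap in requested_caps}


def demo():
    """Save identical content under two origins and compare what each may do."""
    workdir = tempfile.mkdtemp()
    try:
        payload = b"#!/bin/sh\necho cleanup\n"   # constructed, never executed
        attach = os.path.join(workdir, "attachment.sh")
        local = os.path.join(workdir, "cleanup.sh")
        save_with_origin(attach, payload, "email")
        save_with_origin(local, payload, "local")
        caps = [CAP_EXEC_SHELL, CAP_SEND_MAIL, CAP_OPEN_SOCKET, CAP_READ_OWN_DIR]
        return run_saved_program(attach, caps), run_saved_program(local, caps)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    from_email, from_local = demo()
    print("email-origin:", from_email)
    print("local-origin:", from_local)
```

The design choice worth noting is the fail-closed default in load_origin: the scheme only works if the tag cannot be shed, so a file with no provenance record is treated as if it came from email rather than as trusted.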
