Vulnerability Development mailing list archives
Re: Cons and Security Validation
From: Michel Kaempf <maxx () MASTERSECURITY FR>
Date: Thu, 8 Feb 2001 19:21:30 +0100
On Wed, Feb 07, 2001, Blue Boar wrote:
This type of setup also has other nice side effects. For Immunix, if I have some new Redhat sploit, I now have an Immunix box to try it on.
Absolutely. When working on a new vulnerability, one thing I try to do is to build an exploit as portable as possible, so that:

- every system administrator can test whether her systems are vulnerable or not;
- people do not assume they are safe, just because the exploit was designed for Linux i386 for example, and they run a Linux sparc or a patched Linux i386 (Linux kernel patch from the Openwall Project, PaX, StackGuard or whatever).

But one of the biggest problems I am faced with when trying to develop such a portable exploit is the lack of available resources:

- there are so many different operating systems (Linux, SunOS, OpenBSD, FreeBSD, etc.), and they are not always (sigh) free;
- there are so many different versions (Debian GNU/Linux 2.1, 2.2, 2.3, etc.);
- there are so many different architectures (i386, sparc, sparc64, alpha, etc.).

It would be really nice if these different systems were publicly accessible somewhere on the Internet, maybe:

- every vendor could maintain different publicly available machines, one for each version and architecture, but I guess not every vendor would agree;
- someone could maintain a sort of public machines farm, maybe something like SourceForge (sourceforge.net) or PullThePlug (pulltheplug.com).

I do not know whether anyone would be ready to maintain such a farm, but I think it would be really useful to the security community, and greatly appreciated. One day, maybe.

--
MaXX