Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Michel Kaempf <maxx () MASTERSECURITY FR>
Date: Thu, 8 Feb 2001 19:21:30 +0100

On Wed, Feb 07, 2001, Blue Boar wrote:
> This type of setup also has other nice side effects. For Immunix, if I
> have some new Redhat sploit, I now have an Immunix box to try it on.

Absolutely. When working on a new vulnerability, one thing I try to do
is to build an exploit as portable as possible, so that:

- every system administrator can test whether her systems are vulnerable
or not;

- people do not assume they are safe, just because the exploit was
designed for Linux i386 for example, and they run a Linux sparc or a
patched Linux i386 (Linux kernel patch from the Openwall Project, PaX,
StackGuard or whatever).

But one of the biggest problems I am faced with when trying to develop
such a portable exploit is the lack of available resources:

- there are so many different operating systems (Linux, SunOS, OpenBSD,
FreeBSD, etc.), and they are not always (sigh) free;

- there are so many different versions (Debian GNU/Linux 2.1, 2.2, 2.3,
etc.);

- there are so many different architectures (i386, sparc, sparc64,
alpha, etc.).

It would be really nice if these different systems were publicly
accessible somewhere on the Internet, maybe:

- every vendor could maintain different publicly available machines, one
for each version and architecture, but I guess not every vendor would
agree;

- someone could maintain a sort of public machines farm, maybe something
like SourceForge (sourceforge.net) or PullThePlug (pulltheplug.com).

I do not know whether anyone would be ready to maintain such a farm, but
I think it would be really useful to the security community, and greatly
appreciated. One day, maybe.

--
MaXX

