
Re: Developers vs Uploaders



On Wed, 21 Mar 2007, Manoj Srivastava wrote:
> Buffer overflows are _still_ being exploited, decades after it is
> known that unchecked user input fed to memory allocated on the
> stack. And it does not take a rocket scientist to spot a buffer
> overflow.

Some buffer overflows are easy to spot, but others are quite
difficult. I'd like to think that the people who have reviewed
OpenBSD's network stack are at least passingly familiar with buffer
overflows, and even they've missed them.

> I think that evil hacker dudes are not quite so devilishly clever;
> there are broad swathes of exploits that stem from very few, well
> known classes of programming errors.

The classes are well known, but the implementations of those errors
can be wildly inventive.

> And you do not need to be up to snuff in the latest kiddie exploit
> to do so.

To find low hanging fruit, sure, but to actually be able to say that
you've properly reviewed the code requires knowing a great deal about
all of the classes of exploits, not just the common ones.

> Nothing is ever enough. There is no last bug, security or otherwise.
> But perfection is not the enemy of the good -- and stopping efforts
> to improve security or decrease the bug density because one can not
> reach perfection is .... weak.

No one is arguing that code shouldn't be reviewed. The argument that
is being made is that we should acknowledge that some code in the
archive is not or cannot be properly reviewed, and from that position
act to minimize the damage such code can cause.


Don Armstrong

-- 
I'm wrong to criticize the valour of your brave men. It's important to
die for one's country when it means being the subject of a king who
wears a ruffled collar or a pleated one.
 -- Cyrano de Bergerac

http://www.donarmstrong.com              http://rzlab.ucr.edu


