[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian Server Compromise -- A Fire Drill ??

Whoever broke into the Debian servers did us a big favor by raising awareness without causing any serious damage.

Seems like the critical link to be fixed is the vulnerability of daemons that run with root privilege and receive input from users.  The other links in the chain are inherently insecure.  We should not rely, for example, on keeping developers' passwords secret.  Anyone with physical access to a developer's machine can install a key logger.

Seems like we should have *absolute* security in the way these daemons operate -- the kind of security we have in microprocessors that do not allow a user process to enter supervisor mode.  If that barrier were any less than 100%, on a machine executing billions of instructions per second, we would have 100 crashes per second just from random (non-malicious) errors.

I'm no expert on OS design, but it seems like any daemon needing both root access and input from a user process should be required to read that input only through a special routine that does not allow anything dangerous to pass.  One of the arguments to the routine could be the maximum length of the input, thereby eliminating any possibility of reading a string so long that it overwrites executable code outside the buffer area.  See http://www.Linux-Sec.net/Kernel/  for a picture of buffer overflow ( Thanks to Alvin Oga for pointing me to this.)

So how many daemons need both root access and user input?

-- Dave

Reply to: