
Re: Debian Server Compromise -- A Fire Drill ??



On Thu, Dec 04, 2003 at 11:17:32AM -0700, Dave wrote:
> That is my assumption.  The only thing that would give me confidence
> that there are no holes would be a common process for connecting raw
> input to privileged routines -- a process which is so simple that
> everyone can see it is robust.  Such a process exists to isolate
> different privilege levels in the instruction set of a microprocessor.
> It seems like something similar could be done to isolate routines that
> run with root privilege.

There are always attempts being made to make the security boundaries in
the system as small as possible. It's an ongoing and long-term task,
though. Unix systems are very complex beasts.

I doubt that an isolated input-validation process would do much to
improve security, and it certainly wouldn't give me any confidence at
all about the absence of vulnerabilities. The validation required varies
enormously from application to application: for instance, that required
on data received by sshd over the network has practically nothing in
common with that required on cron's saved crontab state. By the time you
implemented something general enough to serve the needs of everything
that receives user input, even as root, you'd be right back to what we
have right now, namely read() and write(). There's no magic bullet in
security design, only thoughtfulness and care.

If you want some ideas, you might try having a look at the userv
package, which provides a facility to help make security boundaries as
narrow as possible. Of course, even with this, care is needed to make
sure that the data passed over the security boundary is not so
complicated as to take you back to square one.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
