
Re: our recent security stuff



Theo de Raadt <deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org> wrote:

>The most amazing thing about this new buffer overflow stuff is that it
>appears no one in any other project has commented on it in a public
>mailing list anywhere.  Eerie silence.

The emperor's new toys :)

I think I remember the FREEBSD group tried this type of
thing in 2000, but that it broke a few applications.

I'm sure someone here can provide a cite for this somewhere...


>I don't know about how you guys view that, but to me it is pretty
>depressing that none of these other projects (or their users) see the
>impact and import of these changes; that indicates a large lack of
>vision.

No one yet has the same vision as you to have a locked
down OS from installation.  

Although many people, users, and customers complain about it, 
very few of us in the know can really appreciate it.

However, on the usability side, many things that we take for
granted now may be broken later, and by that, I mean
KDE, Mozilla, Gnome, maybe even X itself.

With ProPolice, there may be many gains, but I see in
the early stages that there will be many losses as well.


>The interesting side of ProPolice is that it will, once we ship 3.3,
>be on everyone's OpenBSD machines.  People will run buggy software.
>ProPolice catches bugs at run-time.  When a buffer overflow is
>accidentally (or purposefully) hit, a syslog will be delivered naming
>the function where the problem happened, before the program aborts.
>Since our noses are stuck in the source, and our run-time testing
>methodology is weak (as weak as the entire industry) many bugs will be
>found; safely.  Many bugs will be found, because there's only a few of
>us running this stuff now, in the way we run it.  But when these
>runtime errors are caught, it will be easy to find the actual bugs.
>And easy for an attacker to attack the same software on another
>system.  I don't know how large this impact will be.

The impact is big, yes, and it may give you some relief
from sitting down for a few hours over something like BIND :),
but ProPolice is still only a tool.

However Theo, I am skeptical that ProPolice is the magic
bullet that you believe it to be.  I'm skeptical, since most
code developed is not geared for security, but for functionality
first.  And in some cases, to get paid.

So this may also be bad.  New implementation may make developers
frustrated with doing large re-writes, with a lot of excessive
time involved in doing so, with the OpenBSD group.

So only time and testing can prove this out.

I find it very interesting that FREEBSD has not already proceeded
with implementing ProPolice.  For 2 years
they have had this port available to them, but do not
implement it in their package releases.

From what I have learned about security, Theo, it is that the only true
constant is vigilance, and solely relying on ProPolice while
ignoring a 'second glance' at the code may set a dangerous precedent.

>However, it is possible it might be big.
>
>I used to ask Crispin Cowan if StackGuard had ever found any regular
>bugs; and he never said yes... well, since integrating ProPolice we've
>already found a whole bunch of bugs as a result of it.  So, this
>might be very interesting...


I hope ProPolice does what you say.

If its impact is small, by killing a lot of software, I hope you 
won't get stuck.


---tm---
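The quoted passage above describes the mechanism in one line: a guard word sits between a function's local buffers and its saved state, it is checked before the function returns, and a smashed guard produces a message naming the function before the program aborts. The following C program is an added illustration of that idea and is not code from the thread, from ProPolice, or from OpenBSD; the compiler does this transparently with `-fstack-protector`, whereas here the guard lives in a struct and the check is written out by hand so that it can be read and run anywhere. The fixed guard value and the `copy_and_check`/`check_guard` names are constructed for this example; the real implementation draws the guard randomly at program start.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the per-process guard. ProPolice randomizes this
 * at startup so an overflowing write cannot reproduce it; a fixed value is
 * used here only so the example is reproducible. */
static const uint32_t guard_value = 0xDEADBEEFu;

/* Layout mirrors what ProPolice arranges on the real stack: local arrays are
 * placed lowest in the frame, the guard directly above them, so an overflow
 * running upward hits the guard before the saved registers. */
struct frame {
    char     buf[8];   /* the local array a copy might overrun */
    uint32_t guard;    /* must still equal guard_value at function exit */
};

/* The epilogue check. Returns 1 if the guard is intact, 0 if it was
 * smashed; on failure it reports the function name the way the mail
 * describes (ProPolice's handler sends this to syslog, then aborts). */
static int check_guard(const struct frame *f, const char *func)
{
    if (f->guard != guard_value) {
        fprintf(stderr, "stack overflow in function %s\n", func);
        return 0;
    }
    return 1;
}

/* Copies len bytes into an 8-byte local buffer without checking len
 * against the buffer size: the classic bug class the guard catches.
 * The copy targets the whole frame so it stays defined C while still
 * showing the guard being overwritten. Returns the guard check result. */
int copy_and_check(const char *src, size_t len)
{
    struct frame f;

    f.guard = guard_value;                 /* prologue: plant the guard */
    if (len > sizeof f)
        len = sizeof f;                    /* keep the demo inside the frame */
    memcpy(&f, src, len);                  /* the unchecked copy */

    return check_guard(&f, __func__);      /* epilogue: verify before return */
}

int main(void)
{
    /* Constructed inputs: one fits the buffer, one runs into the guard. */
    if (copy_and_check("short", 5))
        puts("5-byte copy: guard intact");

    if (!copy_and_check("0123456789AB", 12)) {
        puts("12-byte copy: guard smashed, aborting as ProPolice would");
        /* abort() is what the real handler does after logging */
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

The check catches the overwrite only because the guard is placed between the buffer and what must be protected, and it is only trustworthy because the real guard is unpredictable; a write that stops short of the guard, or one that corrupts a heap object or a function pointer stored below the buffer, is outside what this mechanism sees, which is the "only a tool" point made in the reply.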
