[3482] in cryptography@c2.net mail archive
Re: Medium-term real fix for buffer overruns
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Oct 15 16:12:16 1998
To: Tom Perrine <tep@sdsc.edu>
cc: karn@qualcomm.com, gnu@toad.com, reinhold@world.std.com,
decius@ninja.techwood.org, cryptography@c2.net
Date: Thu, 15 Oct 1998 07:48:41 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
In message <199810150457.VAA08585@lart>, Tom Perrine writes:
>
>These days, we have to remember that anything which runs with any
>non-user privileges is really part of the OS (or the TCB, if you
>prefer), and should be subject to the same examination as the rest of
>the kernel. A buffer overflow is not bad. A buffer overflow in
>trusted code is bad.

The problem is that the notion of the TCB is obsolete -- in a network
security setting, the first-order problem is penetration of the system,
via failures of daemons that don't have elevated privileges. The Worm
is a classic example; neither its penetration of sendmail nor its
exploitation of the 'finger' buffer overrun relied on those programs
having 'root' privileges. The same applies today, where buffer overruns
in network browsers could be used to steal user files. In other words,
far too much of the system would have to be part of the TCB for the
concept to survive. (Actually, that was always true -- more or less by
fiat, the compilers used to build the OS are part of the TCB; remember
Thompson's paper?)

Assuming that we do solve the buffer overrun problem, I claim that the
next generic threat is mobile code. Today's examples are Javascript,
plug-ins, and macro viruses. Nor do we have an adequate formal model
for how to deal with these. Consider Word, for example, running on
an A1-rated version of Windows. It may not be able to get at the system's
normal.dot file, but it can sure get at the user's equivalent that he
or she uses to customize Word. From there, it gets to every other Word
document that that user touches. Sure, it can't wipe out the OS. But
it can sure do nasty things to the user.
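
The message above argues that a buffer overrun in a daemon with no special privileges is still a penetration of the system, using the finger overrun exploited by the Worm as its example. The C below is an added illustration written for this archive page; it is not code from the message, from Tom Perrine's reply, or from any finger implementation. It puts the unchecked copy pattern of that era next to a request parser that enforces a length bound and rejects, rather than silently truncates, input that does not fit. The function names `lookup_user_unchecked` and `parse_username`, the `USERNAME_MAX` limit and the permitted character set are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example: a username must fit in this many bytes,
 * including the terminating NUL. */
#define USERNAME_MAX 32

/* The unchecked pattern: a line received from the network is copied into a
 * fixed-size stack buffer with no length check at all. Writing past 'name'
 * is the overrun the message refers to. Shown only for contrast; it is never
 * called in this example. */
static void lookup_user_unchecked(const char *line)
{
    char name[USERNAME_MAX];
    strcpy(name, line);            /* no bound: longer input overruns 'name' */
    (void)name;
}

/* Hardened form: the request is measured before anything is copied. The
 * function returns the length of the username written to 'out', or -1 when
 * the request is empty, too long for 'out', or contains characters outside
 * the assumed allowed set. An overlong request is therefore an error the
 * daemon can log and drop, not a write past the end of a buffer. */
int parse_username(const char *line, char *out, size_t out_len)
{
    size_t n = strcspn(line, "\r\n");       /* username ends at end-of-line */

    if (n == 0 || n >= out_len)              /* empty, or no room for NUL */
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;                       /* reject unexpected bytes */
    }

    memcpy(out, line, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample requests: one well-formed, one far over the limit. */
    char buf[USERNAME_MAX];
    char overlong[200];

    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("alice -> %d\n", parse_username("alice\r\n", buf, sizeof buf));
    printf("199 x 'A' -> %d\n", parse_username(overlong, buf, sizeof buf));
    return 0;
}
```

The point of the bounded version is not the size of the buffer but that the length is checked against the destination before the copy, and that the failure is reported to the caller; the unchecked version has no path on which an overlong request does anything other than corrupt the stack.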