Date: Wed, 1 Dec 1999 17:22:27 +0100 From: Brad Knowles <blk@skynet.be> To: Warner Losh <imp@village.org>, tstromberg@rtci.com Cc: freebsd-audit@FreeBSD.ORG Subject: Re: Where to start? Heres a few overflows. Message-ID: <v04205513b46afa98c429@[195.238.21.204]> In-Reply-To: <199912011609.JAA02320@harmony.village.org> References: <384527B9.3A3E3C41@rtci.com> <38445A6A.50245AF5@rtci.com> <199911302322.QAA05983@harmony.village.org> <199912011609.JAA02320@harmony.village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 9:09 AM -0700 1999/12/1, Warner Losh wrote: > Yes. However, this buffer overflow appears to be benign given the > memory layout. I did an extensive analysis of this which I sent to > Thomas a while ago which showed that it was a bug, but not a > penetration bug. As I recall, one of the goals that OpenBSD used in their audit process was that they fixed bugs wherever they ran across them, regardless of whether they believed they were exploitable. This has protected them against a number of exploits that have since become known, since the bug that someone is trying to exploit simply no longer exists under OpenBSD. Do we not want to employ the same kind of methodology, or have I missed something here? Also, what about the OpenBSD approach whereby security becomes inherently integrated into the entire development process, as opposed to something you try to add later? Maybe I'm missing something, but it seems to me that the entire audit project is doomed to ultimately fail if we can't ensure that bugs, once fixed, remain that way. -- These are my opinions -- not to be taken as official Skynet policy ____________________________________________________________________ |o| Brad Knowles, <blk@skynet.be> Belgacom Skynet NV/SA |o| |o| Systems Architect, News & FTP Admin Rue Col. Bourg, 124 |o| |o| Phone/Fax: +32-2-706.11.11/12.49 B-1140 Brussels |o| |o| http://www.skynet.be Belgium |o| \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Unix is like a wigwam -- no Gates, no Windows, and an Apache inside. Unix is very user-friendly. It's just picky who its friends are. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04205513b46afa98c429>