From owner-freebsd-audit Wed Dec 1 8:23:15 1999
In-Reply-To: <199912011609.JAA02320@harmony.village.org>
References: <384527B9.3A3E3C41@rtci.com> <38445A6A.50245AF5@rtci.com> <199911302322.QAA05983@harmony.village.org> <199912011609.JAA02320@harmony.village.org>
Date: Wed, 1 Dec 1999 17:22:27 +0100
To: Warner Losh, tstromberg@rtci.com
From: Brad Knowles
Subject: Re: Where to start? Heres a few overflows.
Cc: freebsd-audit@FreeBSD.ORG

At 9:09 AM -0700 1999/12/1, Warner Losh wrote:

> Yes. However, this buffer overflow appears to be benign given the
> memory layout. I did an extensive analysis of this which I sent to
> Thomas a while ago which showed that it was a bug, but not a
> penetration bug.

As I recall, one of the goals that OpenBSD used in their audit process was that they fixed bugs wherever they ran across them, regardless of whether they believed they were exploitable. This has protected them against a number of exploits that have since become known, since the bug that someone is trying to exploit simply no longer exists under OpenBSD. Do we not want to employ the same kind of methodology, or have I missed something here?

Also, what about the OpenBSD approach whereby security becomes inherently integrated into the entire development process, as opposed to something you try to add later? Maybe I'm missing something, but it seems to me that the entire audit project is doomed to ultimately fail if we can't ensure that bugs, once fixed, remain that way.

--
  These are my opinions -- not to be taken as official Skynet policy
 ____________________________________________________________________
|o| Brad Knowles,                             Belgacom Skynet NV/SA |o|
|o| Systems Architect, News & FTP Admin       Rue Col. Bourg, 124   |o|
|o| Phone/Fax: +32-2-706.11.11/12.49          B-1140 Brussels       |o|
|o| http://www.skynet.be                      Belgium               |o|
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
 Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
  Unix is very user-friendly. It's just picky who its friends are.