Date: Tue, 21 Jul 1998 12:58:59 -0600
From: Brett Glass
To: "Jordan K. Hubbard"
Cc: security@FreeBSD.ORG
Subject: Re: Projects to improve security (related to C)
Message-Id: <199807211859.MAA14931@lariat.lariat.org>
In-Reply-To: <8134.901020116@time.cdrom.com>

At 04:21 AM 7/21/98 -0700, Jordan K. Hubbard wrote:

>I suspect Theo would disagree with you, but short of switching
>everyone over to Java or installing a series of band-aid patches which
>only fix _some_ of the problems (and, in security, that really is
>locking the door while leaving the window open) I fail to see how you
>intend to deal with it in any more pragmatic a fashion.

Well, I've looked this week at the possibility of doing a mechanical translation of FreeBSD into a type-safe language with range and bounds checking, then fixing the trouble spots manually. Apparently, there's a company called Reasoning Systems that actually has tools that can do such things.

In the meantime, there are some things that can be done even with the code still written in C. We can (and must!) bite the bullet and kick sprintf, vsprintf, and similar functions OUT of the libraries. Yes, it'll be a bit of a pain, but... no pain, no gain.

Other exploits will, of course, have to be handled in other ways. But taking a hopeless attitude (i.e. we can't close all the holes right away, so why close any?) is leaving ALL the doors and windows open. And that's worse.

--Brett
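
Added example, not part of the original message or of FreeBSD's code: a sketch of what a call site can migrate to once sprintf and vsprintf are unavailable. It assumes a C99 vsnprintf; the helper names checked_vformat, checked_format and build_path, and the sample path and user names, are hypothetical.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format into dst[dstsize] without ever writing past it.
 * Returns 0 if the whole string fit, 1 if it was truncated (dst holds a
 * NUL-terminated prefix), -1 on bad arguments or a formatting error. */
static int checked_vformat(char *dst, size_t dstsize, const char *fmt, va_list ap)
{
    int n;

    if (dst == NULL || dstsize == 0 || fmt == NULL)
        return -1;
    n = vsnprintf(dst, dstsize, fmt, ap);
    if (n < 0) {                 /* formatting/encoding error */
        dst[0] = '\0';
        return -1;
    }
    /* n is the length the full output would have had, excluding the NUL. */
    return ((size_t)n >= dstsize) ? 1 : 0;
}

/* Variadic front end, the drop-in shape for a former sprintf() call. */
static int checked_format(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = checked_vformat(dst, dstsize, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed call site: the name comes from outside the program.
 * Before: sprintf(out, "/home/%s/.profile", user);  (no bound on the write) */
static int build_path(char *out, size_t outsize, const char *user)
{
    return checked_format(out, outsize, "/home/%s/.profile", user);
}

int main(void)
{
    char path[32];
    const char *names[] = { "brett", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };

    for (size_t i = 0; i < 2; i++) {
        int rc = build_path(path, sizeof path, names[i]);
        printf("rc=%d path=\"%s\"\n", rc, path);
    }
    return 0;
}
```

A caller should treat the truncation result as a failure rather than use the shortened string, since a silently truncated path or command is its own class of bug.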