Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: David Hopwood (david.hopwood@zetnet.co.uk)
Date: 08/23/02

Date: Fri, 23 Aug 2002 16:58:06 +0000
From: David Hopwood <david.hopwood@zetnet.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----

Barry Margolin wrote:
> David Wagner <daw@mozart.cs.berkeley.edu> wrote:
> >Barry Margolin wrote:
> >>An analogy in the Unix world would be executable stacks, which many
> >>buffer-overflow exploits take advantage of.
> >
> >With respect, that seems like a poor choice of analogy. The real problem
> >is lack of array bounds checking in C and poor libraries, which is a
> >problem in the language and library, not the OS. Executable stacks are
> >not the problem, and non-executable stacks are not the fix. Making the
> >stack non-executable would not help; the restriction is easily bypassed
> >with alternate exploit techniques, and exploit scripts would quickly
> >use other methods. So I don't think this is such a great analogy.
> >
> >But that said, maybe it is a good enough analogy. The fault is
> >absolutely 100% with the C language and the standard libraries,

I wouldn't say 100%, but I would say 99%.

> >not with the applications.
>
> But given that programmers have *chosen* to program in a language with
> these known flaws, they are implicitly taking on the responsibility of doing
> their own checking. The analogy with Windows is apt: if you choose to
> write a privileged application that puts itself on the desktop, you must
> accept the responsibility of checking all messages to make sure that they
> won't violate your security.

There is a big practical difference: choosing a programming language need
not significantly limit the audience for your programs. Choosing an operating
system does necessarily limit your audience.

- --
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPWZpczkCAxeYt5gVAQGu8wgAq/44ITeNDZ1EDG8L6AMUmFvoL0WTy0GB
2utCX9TGNoOcdHU0YSdKU/YKiCKyj6GhQq/PVA48ujjpI29iGT0/IN8oBRVkP99I
Yw22FWcCPmyHF6/+tFCZ8jhkkjYqlVf23E+EmFBS45xCWWeMydqR0K3/G37SzExp
GlRRj51R43lAYrJBWdpB58jbok3uKSzi0hpiFbrDAGmqAlwbiM0SnIJej7uou2/i
XV+RjOlmYcMTwauinMtBaFoo+p4QAn+YLSvn8Dr37bVTEuOwSHv57URctm4IOk5F
OdAz3pqEsTtkxWDLtnH9WbdKF+K4Zc6Uh0wvg+rAUqrx4qiheVPwRA==
=Uhg4
-----END PGP SIGNATURE-----
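The thread above argues about where the bounds-checking burden belongs: in the C language and its standard library, or on each application programmer. The following is an added illustration (not code from any participant in the thread) of the "library" side of that argument: a small fixed-capacity string buffer whose append operation carries its own capacity check, so a caller like build_greeting cannot overrun the destination even when it forgets to check. The names strbuf, strbuf_append and build_greeting are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-capacity string buffer: the capacity travels with the data, so
   every operation can enforce bounds instead of trusting each caller. */
typedef struct {
    char  *data;
    size_t cap;   /* total bytes available, including the NUL terminator */
    size_t len;   /* bytes in use, excluding the terminator */
} strbuf;

void strbuf_init(strbuf *b, char *storage, size_t cap) {
    b->data = storage;
    b->cap = cap;
    b->len = 0;
    if (cap > 0) b->data[0] = '\0';
}

/* Append src to the buffer.
   Returns 0 on success, -1 (buffer left unchanged) if src would not fit.
   The check is done once here, in the library, rather than at every call site. */
int strbuf_append(strbuf *b, const char *src) {
    size_t n = strlen(src);
    if (b->cap == 0 || n > b->cap - 1 - b->len) return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Build "Hello, <name>" from an untrusted name into a caller-supplied buffer.
   With a plain strcpy/strcat this is the classic overflow; with strbuf the
   overlong case is reported as an error instead of corrupting memory. */
int build_greeting(char *out, size_t out_cap, const char *name) {
    strbuf b;
    strbuf_init(&b, out, out_cap);
    if (strbuf_append(&b, "Hello, ") != 0) return -1;
    if (strbuf_append(&b, name) != 0) return -1;
    return 0;
}

int main(void) {
    char buf[16];  /* deliberately small, constructed for the example */
    int rc = build_greeting(buf, sizeof buf, "Barry");
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    rc = build_greeting(buf, sizeof buf, "a much longer name than fits");
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```

The design choice is the one the thread turns on: because strbuf_append refuses overlong input itself, build_greeting only has to propagate an error code, which is much easier to get right than repeating a length calculation at every copy.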