Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: gtk+ security hole.
From: Crispin Cowan <crispin () WIREX COM>
Date: Thu, 4 Jan 2001 12:29:36 -0800

Bryan Porter wrote:

I'm sorry, but this seems a bit much for me. My car has tires, and because
the tires are kind of bad and over-engineered, I should'nt drive over 10MPH
because they might explode? What? Fix the tires. Same thing here.

"Don't make GTK+ program suid/setgid because it's based on another project
with multiple potential vulnerabilites." Absolutely ridiculous. "Our tires
suck because we bought cheap rubber." What?

That's the silliest thing I've read today.  SUID programs (or in fact any
highly trusted entity) absolutely should be small.  Small size is a classic
element of good design of a Trusted Computing Base.  You cannot effectively
security-audit a large code base, so you identify the smallest possible
elements that need strong authority, and exlcude the rest from the high-trust
mode.


Bottom line, if GTK+ is broken, fix it. And if it can't safely run suid,
then it is horribly broken. It's a graphic library for christs sake. And, if
it so full of spaghetti code that it can't easily be fixed, then trash it.
But the excuses given are ridiculous, period. No professional project would
ever stand for this level of ineptitude. Qt works fine suid. And it's quite
cross-platform.

The "Don't use setuid with X" that Wichert Akkerman posted is excellent
advice.  This also applies to Qt:  I do not for one second believe that Qt or
KDE is secure.

Further, this issue is the fundamental basis for some of the security and
stability problems found in Windows NT.  Windows incorporates a large graphics
subsystem into the kernel, forcing it to be part of the trusted computing
base.  Problem: when bugs in that code break stuff, the whole kernel goes south
and you get a BSOD.

KISS (Keep It Simple, Stupid) is the soul of secure design.  More importantly,
the architecture should allow the implementor to build small & simple trusted
programs, without having to link in huge tracts of code.

Harkening back to your tire analogy:  tires (and breaks and stearing) are all
part of the car's safety systems, and thus are heavily over-engineered.  But
don't make the safety of the car depend on flakey, unnecessary components like
the radio and the power windows, or you substantially increase the risk of
failure.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]