mailing list archives
Re: Buffer overflow prevention
From: Peter Busser <peter () trusteddebian org>
Date: Mon, 18 Aug 2003 22:41:48 +0200
In fact, the amount of security in OpenBSD is only slightly less horrible than
that of most *NIX operating systems (which includes Adamantix for that matter).
Again, ISTM that the only way to get close to a reasonably secure system
is to only rely on the smallest, most audited codebase possible to enforce
I think you are right about that.
To me this means something enforced by the kernel
itself, like standard POSIX permissions and capabilities, NSA Flask,
Systrace, SubDomain, LIDS, GRSecurity, etc. (note that this is not a
particularly accurate list).
And this is in contradiction to the above, because normally, *NIX kernels do
not fit the ``smallest, most audited code base possible''. *NIX kernels are way
too big and too complex to be seriously audited. That is exactly why I say that
the if you believe that OpenBSD provides more security than others, it can only
be slightly less insecure compared to other *NIX systems.
There is no proof that adding security to a *NIX kernel afterwards results in a
highly secure system. It is like putting a powerfull engine in a family car and
then claiming it is a formula 1 racing car. It simply isn't because it wasn't
designed to be a F1 racing car. Similarly claiming that a *NIX system is
``secure'' is either a sign of ignorance or an attempt to deceive people (or
In any event, implementing the above is a far more complicated affair than
can be accomplished by even an intelligent, knowledgeable and dedicated
sysadmin. The only way that there will be significant uptake of more
comprehensive access control/policy enforcement systems such as the above
is if they are correctly configured and included by the OS manufacturer.
Agreed, that is why the Adamantix project was started, to create a distribution
that provides this.
OpenBSD seems to be taking the right approach here by developing systrace
and including systrace profiles for the base system, which is much better
than the previous approach of trying to perfect the crufty and inadequate
UNIX "security" model.
Well, it is quite elegant, I wouldn't call it crufty. And it was adequate for
an environment with only trustworthy users (including the system
administrator). It clearly wasn't designed for the kind of environment people
find themselves in on the Internet today. For that it is horribly insufficient.
Anyway, I always thought that perfecting this, what you call, crufty and
inadequate UNIX ``security'' model, is exactly what OpenBSD has been putting a
lot of effort in so far.
As far as Systrace profiles go: Personally, I'd rather have profiles for a
useful system, and not just for a base system. Furthermore, systrace is too
low level and too inflexible to be useful, which makes it too complex. That is
why it is taking people so long to effectively use it. And complexity is the
enemy of security.
I'd like to see the other major OS distributors, Microsoft, RedHat, SuSE,
Sun, IBM, Novell, etc. take an active part in this and not only provide
systems with advanced security controls, but also ship them fully
configured rather than relying on the system administrator who can't
possibly understand the system well enough to fully configure them.
Right, you have described the next Adamantix release that is under development
at this moment. :-)
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
Re: Buffer overflow prevention Thomas Sjögren (Aug 14)
Re: Buffer overflow prevention Shaun Clowes (Aug 15)
Heterogeneity as a form of obscurity, and its usefulness Bob Rogers (Aug 22)
Re: Heterogeneity as a form of obscurity, and its usefulness Crispin Cowan (Aug 22)
Re: Heterogeneity as a form of obscurity, and its usefulness Nicholas Weaver (Aug 22)