It is probably true that perfect analysis of arbitrary
programs for exploits is theoretically impossible.
But we are not dealing with arbitrary random programs;
and we do not have a need for perfect analysis.

I personally would lean towards a heuristic rule-based
Super Lint. The rule database could be built up from
many people's experience as to what constitutes warning
signs of bad coding practices, dangerous structures
and possible exploits.
It does no harm to print a warning message that says
that something should be looked at more closely. Why
bother to analyse in that detail? If you go through a
source tree and branches, then apply game theory.
Choose the worst possible value at each point, or even
just assume that there is a value such that... or
perhaps run a Monte-Carlo on it. There are lots of
imperfect but effective and useful techniques that can
be applied to our imperfect world.

I've heard quite a few good ideas. I also think there
should be a real effort to get gcc and libc to build
a few protections in. I've always had a deep dislike
for some of the built-in problems in C. Run-time
bounds checking certainly can't be that difficult to
add. Other languages had it before C was a gleam in the
eyes of the K&R team. I'd default it to on and have a
--switch to turn it off for those who need that last
little smidgen of performance.

It might be a good idea to talk to the libc people
about adding some test hooks for the taint checks.
In any event, we are probably talking about things
which will require some cross-community cooperation.
I doubt that should be a serious problem because
we're all in this together and we all face the same
risks.

There is no such thing as perfect security. There is
no such thing as a 100% guaranteed unbreakable
daemon (a real one, not a theoretical toy construct).
But there can be ones that are extremely difficult
to crack instead of ones that are extremely easy to
crack. If you've got a rule based system you can
add a new rule every time a new type of weakness is
found... (hey, after all we can read the scripts
as well as the kiddies). And if a particular exploit
is a one-off, then we are no worse off. The daemon
gets patched and the one-off is gone.

It might also be a good idea to have some of these
scripts even more widely available but in a form for
local testing. It would be quite revealing to look
at exactly what versions one has that are exploitable.
(Personally I nmap my own systems and do other things
on a very regular basis.)

By all means look for a theory that will give us
perfect protection. But let the grad students do their
thesis on it and in the meantime let's keep raising
the bar as fast as we can. We are in a classic arms race.
------------------------------------------------------
Use Linux: A computer is a terrible thing to waste.
Dale Amon, CEO/MD, Village Networking Ltd, Belfast, Northern Ireland
------------------------------------------------------
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
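A minimal version of the rule-based "Super Lint" described in the post above, as an added example that is not code from the original message or from any real lint tool. The rule database, the rule names and the sample C source are all constructed here for illustration; the point is that every rule is just one more table entry, so a newly learned weakness type is added without touching the analysis loop, and the output is a warning to look more closely rather than a proof of exploitability.

```python
"""Tiny rule-based C source lint: a database of known warning signs, applied
line by line. Added example; rules and sample input are constructed, not from
any real tool."""
import re
from typing import List, NamedTuple, Sequence


class Rule(NamedTuple):
    name: str      # short identifier printed with the warning
    pattern: str   # regular expression matched against one source line
    message: str   # what the reviewer should look at more closely


class Finding(NamedTuple):
    lineno: int
    rule: str
    message: str
    text: str


# The rule database. Each entry records one experience-derived warning sign;
# new entries are appended as new weakness types are learned about.
RULES: List[Rule] = [
    Rule("unbounded-gets", r"\bgets\s*\(",
         "gets() has no length limit; read with fgets() and a buffer size"),
    Rule("unbounded-copy", r"\b(strcpy|strcat|sprintf|vsprintf)\s*\(",
         "copy into a buffer with no length limit; use a bounded variant and check the result"),
    Rule("scanf-unbounded-string", r'\b(scanf|fscanf|sscanf)\s*\([^)]*"[^"]*%s',
         "%s without a field width reads an unbounded string"),
    Rule("predictable-tmpfile", r"\b(tmpnam|mktemp)\s*\(",
         "predictable temporary file name; prefer mkstemp()"),
]


def is_comment_line(text: str) -> bool:
    """Crude filter so that a dangerous call mentioned in a comment is not reported."""
    s = text.strip()
    return s.startswith("//") or s.startswith("/*") or s.startswith("*")


def lint_c_source(source: str, rules: Sequence[Rule] = RULES) -> List[Finding]:
    """Apply every rule to every non-comment line and collect the warnings."""
    compiled = [(rule, re.compile(rule.pattern)) for rule in rules]
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        if is_comment_line(text):
            continue
        for rule, rx in compiled:
            if rx.search(text):
                findings.append(Finding(lineno, rule.name, rule.message, text.strip()))
    return findings


def format_findings(findings: Sequence[Finding]) -> List[str]:
    """Render warnings compiler-style: line number, rule name, advice, source text."""
    return [f"{f.lineno}: [{f.rule}] {f.message}: `{f.text}`" for f in findings]


# Constructed sample input: one function with two classic warning signs (lines 6
# and 7) and one that reads with a bounded call and triggers nothing.
SAMPLE_C = """#include <stdio.h>
#include <string.h>

int read_name(char *dst) {
    char buf[64];
    gets(buf);
    strcpy(dst, buf);
    return 0;
}

int safe_read(char *dst, size_t n) {
    if (fgets(dst, n, stdin) == NULL)
        return -1;
    return 0;
}
"""

if __name__ == "__main__":
    for warning in format_findings(lint_c_source(SAMPLE_C)):
        print(warning)
    # A newly learned weakness type becomes one more rule; the engine is unchanged.
    extended = RULES + [Rule("format-string", r'\bprintf\s*\(\s*[^"\s)]',
                             "format argument is not a string literal")]
    for warning in format_findings(lint_c_source('printf(msg);\n', extended)):
        print(warning)
```

Run as a script it prints the two warnings for the sample and then the one raised by the extra rule. Line-oriented regular expressions cannot see across statements or through macros, which is exactly the trade-off the post argues for: a cheap, extensible check that raises warnings for a human to follow up, not a complete analysis.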