On Thursday 23 June 2005 18:58, Guy Harris wrote:
> Sebastien Raveau wrote:
> > That may help a bit, but buffer overflows are not the cause of most
> > security flaws. Let me quote Theo de Raadt (maintainer of OpenBSD) on
> > this:
> >
> > "Crispin Cowan has suggested that buffer overflows are the most common
> > security causing programmer error. I disagree. I believe that we found
> > more /tmp races in our source tree than buffer overflows."
>
> ...and we've found more buffer overflows than /tmp races in our code
> (the only /tmp race we know of was "fixed" a long time ago by the
> OpenBSD folks in a fashion that broke captures; we fixed it differently).
>
> I.e., whether /tmp races, buffer overflows, or other problems are the
> main source of security flaws in a particular piece of code depends on
> the code. If the code has lots of static buffers into which stuff is
> read, and not a lot of manipulation of files in /tmp, buffer overflows
> are likely to be a bigger problem.
Yeah, I know what a buffer overflow is ;)
But nowadays too many people think all security flaws are buffer overflows...
My point wasn't to discard Radek's suggestion, it was just to say that it
won't miraculously solve _all_ Ethereal's security problems :)
> > Anyway, I just find it amazing that in Ethereal more than a million lines
> > of C run with root priviledges...
>
> *No* lines of Ethereal code run on my system with root privileges.
>
> But that's because I'm running on a BSD-derived system (OS X), and can
> therefore arrange that I have read and write permissions on the /dev/bpf
> devices, and therefore don't have to run Ethereal - or tcpdump, or any
> other capture program - as root.
>
> > Ethereal has to be redesigned (as I suggested in a previous post to this
> > mailing-list, apparently ignored) to minimize the amount of code running
> > with root priviledges. Basically, the only thing Ethereal needs root
> > priviledges for is opening the capture socket,
>
> "Capture socket" suggests the person who said this is running on Linux
(Indeed, I am currently working on a Linux workstation)
> or IRIX, not BSD. It's a socket on those systems, it's a BPF device on
> BSDs (and AIX), it's a STREAMS device on some other systems, etc.. See
>
> http://wiki.ethereal.com/CaptureSetup_2fCapturePrivileges
Well, one could argue the same way about Sendmail, and how on some particular
operating system it can be considered as "secure"... So, instead of being
generically secure, your security depends on the security of the OS that
you're running, and that (IMO) is bad design :|
> In any case, we agree that, as not all systems are as nice as BSD in
> this regard, the rest of the code shouldn't run with root privileges if
> the code that opens the capture device does need to run with root
> privileges. This is a work in progress; see
>
> http://wiki.ethereal.com/Development_2fPrivilegeSeparation
Yeah, that's what I am talking about :)
Don't be angry at me for criticizing a lot ;) I know that the Ethereal project
has started before security became a real issue, and that it is difficult to
remodel that big a project now. I am just suggesting ideas to the
mailing-list, and if I had time - believe me - I would be more than happy to
implement them myself in Ethereal.
> However...
>
> > and that could take less than a hundred
> > lines of code. Once the amount of code running with root priviledges is
> > downsized to about a hundred lines, it will be easily auditable and soon
> > devoid of security flaws.
>
> ...it's not the case that you're "done" when the code running as root is
> known to be safe. Code running as the user can't do as much damage as
> code running as root, but it can still do damage; see
>
> http://wiki.ethereal.com/Security
>
> for a discussion of ways of making Ethereal dissectors (which I think
> *are* the primary source of security problems in Ethereal) safer.
I know I know, what I was refering to by "it will be easily auditable and soon
devoid of security flaws" was only the short code running as root...
Being a Mandatory Access Control (MAC) fan, I still don't see why the Ethereal
dissectors would need to run with the Ethereal user's priviledges. I just had
a five hours meeting yesterday over a blackboard with the rest of the hawKeye
team (see the temporary ugly site at the address below) to discuss the
software architecture of our project, which will be quite similar to Ethereal
except that we will focus on rendering captured data (directly displaying
webpages or playing VoIP conversations for example) and we came to the
conclusion that barely the GUI will run under the user's UID... the capture
will be done as root, and all the rest (TCP stream reassembly, dissection,
etc) will run under another UID such as "nobody".
Best regards,
--
Sébastien Raveau
computer and network security student
head of the hawKeye network monitor project
http://hawkeye.sourceforge.net/
Attachment:
pgptq0Ab3Ej2C.pgp
Description: PGP signature
