On Mon, May 25, 2009 at 6:18 PM, Kyle Sluder <kyle.slu...@gmail.com> wrote:
> On Mon, May 25, 2009 at 3:08 PM, Michael Ash <michael....@gmail.com> wrote:
>> Not at all. It doesn't change my point one whit. If A can command the
>> privileged process to do something nasty, then C can do it too.
>> (Possibly by breaking into A by one of the many mechanisms available
>> and forcing it to make an evil request, possibly by imitating what A
>> does.)
>
> Isn't that exactly what we're talking about? C impersonating A by
> swapping its own evil data into the channel A is using? It's a man in
> the middle attack. To defend against it, you need to authenticate the
> client *and* secure the channel. The authentication part was never
> mentioned because it's not pertinent to the flaw we're discussing,
> which is a function of using the filesystem to shuttle data around.
Right, and since you *can't* authenticate the client beyond "running as user X", securing the channel against other code running as user X is pointless. It is very much worthwhile to protect your communications channel from other users on the system. But there's really not much point in protecting it from other *processes* running as the *same* user, because they have a dozen other ways to break into the conversation if they should so choose.

The authentication stuff is pertinent, because the AEWP is an example of an API which works by having an unprivileged user process communicate with a privileged process that does the work. A technique which allows you to compromise a process which uses AEWP demonstrates how this compromise can be done with any such setup, even using a secure channel (which AEWP does).

Mike
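As an added illustration of the point Mike makes above (this is example code written for this archive page, not code from the thread or from AEWP): the strongest credential a privileged helper can get from the kernel about the process on the other end of a Unix-domain socket is the peer's uid/gid (plus, on Linux, a pid, which is not a stable identity). Two endpoints created in the same process stand in for the helper and its client; the helper sees "user X" and nothing that would let it tell a legitimate client from any other process of that user. The `peer_uid` and `demo_same_user_indistinguishable` names are my own.

```c
#define _GNU_SOURCE          /* needed on glibc for struct ucred / SO_PEERCRED */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Fill *uid with the effective uid of the peer on a connected AF_UNIX socket.
   Returns 0 on success, -1 on failure. This is all the kernel will attest
   about the caller: which user it runs as, not which program it is. */
int peer_uid(int fd, uid_t *uid) {
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    /* cr.pid is also available, but pids are reused and a process may have
       exec'd since connecting, so it is not a basis for authorization. */
    *uid = cr.uid;
    return 0;
#else
    /* macOS and the BSDs expose the same information via getpeereid(). */
    gid_t gid;
    return getpeereid(fd, uid, &gid);
#endif
}

/* Constructed demonstration: one end of a socketpair plays the privileged
   helper, the other the client. Returns 1 if the helper sees the peer as
   the same user it would see for *any* process of that user, 0 if the uid
   differs (impossible here), -1 on error. */
int demo_same_user_indistinguishable(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    uid_t u;
    int rc = peer_uid(sv[0], &u);   /* "helper" inspects its "client" */
    close(sv[0]);
    close(sv[1]);
    if (rc != 0)
        return -1;
    return u == geteuid() ? 1 : 0;
}

int main(void) {
    int r = demo_same_user_indistinguishable();
    if (r < 0) {
        perror("peer credential check");
        return 1;
    }
    printf("helper can identify the peer only as uid %u: %s\n",
           (unsigned)geteuid(), r ? "yes" : "no");
    return 0;
}
```

The practical consequence for a helper of the AEWP kind is that its authorization decision has to be made per user, not per client program: whatever the helper is willing to do for A, it should be willing to have done by any process of that user, because that is the only identity the channel can vouch for.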