bdonlan:
> (4) load plugins
> (5) Access the RTC
> (6) Get access to raw video RAM...
> Shall I go on? :)

So? Yes, acquire those capabilities at initialization time, even
ones you may not necessarily use. But drop those that you _know_ you
won't need.

And if, say, you have some circumstance where it would be convenient
to grab an uncomfortable number of privileges, you can likely use
code uploading to isolate the part of your program responsible and
ensure that those capabilities are used one way and not another.

> Er, uploaded to the OS? What would be the point? Uploading code to
> the local system is unnecessary.

Here's another example. Say I have a program that prompts for and
accepts some user input from the terminal:

        What is the URL of the next movie you want to watch? _

You enter one URL... the movie is malicious, loads its own code
through a buffer overflow, and prints this:

        Segmentation fault (core dumped)
        bash$

It starts up a fake shell with a keystroke logger attached, waits
for you to input your root password, and mails it off to the
attacker.

The problem here is that you wanted to use the terminal in one very
specific way, and it was used instead in a radically different way
by the exploited code.

With code uploading, you could make _sure_ that the terminal would
only be capable of outputting questions and reading answers in the
style you want.

#include <stdio.h>

/* The only code allowed to touch the terminal: ask one question,
   read one bounded answer. */
void prompt_user(char question[128], char answer[128])
{
        printf("%s? ", question);
        scanf("%127s", answer);   /* field width keeps the read inside answer[] */
        puts("Thank you for your valuable input.");
}

That code is piped up to the kernel, where it is kept safe from
modification, and executes with its own special set of privileges.
In this case, it would be capable of reading from and writing to the
terminal, whereas your program proper would not be capable of doing
that.

_______________________________________________
devl mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org:8080/cgi-bin/mailman/listinfo/devl
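The post above argues that terminal access should be confined to one small routine with a fixed interface, so that exploited code elsewhere in the program cannot repurpose the terminal. The following is an added example written for this page; it is not code from the post, not Freenet code, and it does not implement the kernel "code uploading" the author proposes. It shows only the user-space half of the idea: a single bounded prompt routine that the rest of the program must go through, which refuses oversized or malformed answers instead of handing back partial or unexpected bytes. The function names, the result codes, the URL character set and the constructed sample inputs are all assumptions of this example.

```c
/* Added example, not from the original post. Confines all terminal I/O to
 * prompt_user(); the "program proper" only ever receives a validated,
 * bounded answer or a result code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ANSWER_MAX 128

/* What the caller learns; it never sees raw terminal state. */
enum prompt_result { PROMPT_OK = 0, PROMPT_EOF, PROMPT_TOO_LONG, PROMPT_INVALID };

/* Accept only bytes that may appear in a URL (RFC 3986 unreserved and
 * reserved characters plus '%'); whitespace, control bytes and NUL are rejected. */
static int url_char_ok(unsigned char c)
{
    return c != '\0' &&
           (isalnum(c) || strchr("-._~:/?#[]@!$&'()*+,;=%", c) != NULL);
}

/* Ask `question` on `out`, read one line of at most ANSWER_MAX-2 bytes from
 * `in`. Oversized lines are drained and rejected rather than truncated, so the
 * caller can never act on a partial answer. On failure answer[] is empty. */
enum prompt_result prompt_user(FILE *in, FILE *out, const char *question,
                               char answer[ANSWER_MAX])
{
    char buf[ANSWER_MAX];
    answer[0] = '\0';
    fprintf(out, "%s? ", question);
    fflush(out);
    if (fgets(buf, sizeof buf, in) == NULL)
        return PROMPT_EOF;
    size_t len = strcspn(buf, "\n");
    if (buf[len] != '\n' && !feof(in)) {
        /* No newline in a full buffer: line too long. Discard its remainder. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
        return PROMPT_TOO_LONG;
    }
    buf[len] = '\0';
    if (len == 0)
        return PROMPT_INVALID;
    for (size_t i = 0; i < len; i++)
        if (!url_char_ok((unsigned char)buf[i]))
            return PROMPT_INVALID;
    memcpy(answer, buf, len + 1);
    fputs("Thank you for your valuable input.\n", out);
    return PROMPT_OK;
}

/* Helper for exercising prompt_user() offline with a constructed input string
 * in place of the terminal. Output is written to a scratch buffer. */
enum prompt_result prompt_from_string(const char *input, const char *question,
                                      char answer[ANSWER_MAX])
{
    char sink[512];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    FILE *out = fmemopen(sink, sizeof sink, "w");
    if (in == NULL || out == NULL) {
        if (in) fclose(in);
        if (out) fclose(out);
        answer[0] = '\0';
        return PROMPT_EOF;
    }
    enum prompt_result r = prompt_user(in, out, question, answer);
    fclose(in);
    fclose(out);
    return r;
}

int main(void)
{
    char answer[ANSWER_MAX];
    enum prompt_result r = prompt_user(stdin, stdout,
        "What is the URL of the next movie you want to watch", answer);
    if (r == PROMPT_OK)
        printf("program proper received: %s\n", answer);
    else
        printf("rejected (code %d); the program proper never sees the input\n", (int)r);
    return r == PROMPT_OK ? 0 : 1;
}
```

Run stand-alone, the program reads one line from the terminal; a line of 200 bytes or one containing a space is rejected before the rest of the program ever sees it. The point mirrors the post: the prompt routine has exactly one shape of interaction with the terminal, and the caller cannot obtain any other.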
