Hi Jakob, Boy this is an argumentative list at times....
As a Win32 guy, I understand your the finer points you are making. Unfortunately, there are implicit assumptions that are being made which are undermining your arguments. Put another way, its the attacks which you *don't* know about which will burn you with these NULL DACLs. In the discussion with Patrick Eisenacher [2], I claimed a wilcard cert violated principle of least privilege. Patrick pressed me for the next attack using wildcard certs, which I did not have. In this case, I have the next attacks. We have not released the paper yet, though its been shared with those affected, including Microsoft. The response to "This is plain wrong" is inlined. I did not claim a NULL DACL violates Principle of Least Privilige this time around (I'm trying to learn from my mistakes). I cited the guys who wrote the proverbial security book at Microsoft. Hopefully their opinion will be weighed more appropriately. I could also cite Richter, but he usually offers Win32 best practices (Richter will also tell you not to use NULL DACLs). But its fairly obvious (to me) if one is going to discard a security related best practice and the SDLC, one is probably not going to follow Win32 best practices (is this 'too much' of a leap?). On Fri, Jun 25, 2010 at 5:01 AM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 24-06-2010 23:31, Jeffrey Walton wrote: >> >> [SNIP] >> >> Critical sections have the added benefit that you don't have to supply >> a SECURITY_ATTRIBUTES. Mutexes take a SECURITY_ATTRIBUTES, which many >> folks leave unspecified (NULL) so the net effect is "Everyone, Full >> Control". Code which uses a NULL SECURITY_ATTRIBUTES *should* fail a >> security audit. >> > > This is plain wrong, and I certainly hope nobody uses this misunderstanding > in security audits. > NULL DALCS and other Dangerous ACE Types: "A NULL DACL is a way of granting all accessd to all users of an object, including attackers. I sometimes quip that NULL DACL == No Defense. And its absolutely true. If you don't care that anyone can do anything to your object - including read from it, write to it, delete existing data, modify existing data, and deny others access to the object - a NULL DACL is fine. However, I have yet to see a product for which such a requirement is of benefit, which, of course, completely rules out the use of NULL DACLs in your product". [1] > > [SNIP] > Jeff [1] Howard and LeBlanc, 'Writing Secure Code', ISBN 0-7356-1722-8, p 195. [2] http://www.mail-archive.com/openssl-users@openssl.org/msg61152.html ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
