Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALx_OUDCb-ho1P4dR-ABeRBBBWT=LxXSWMK6yjLP1qsty98UOA@mail.gmail.com>
Date: Mon, 17 Nov 2014 07:54:54 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Fuzzing findings (and maybe CVE requests) -
 Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

> I know that this sounds awfully impractical (at least for the time
> being, because the landscape here is changing pretty rapidly), but
> some would say that the best advice they can give to "average users"
> now is to watch "untrusted" movies with web browsers which are
> employing well-reviewed and tested sandboxing technologies and their
> media decoders are well tested (also: fuzzed). I guess "regular" media
> players will follow with this approach in some time.

Well, but that's a tough argument.

First, as you note, the primary way that things like ffmpeg have
improved is fuzzing. In fact, if anything, ffmpeg has been
*exceptionally* bad before that, would definitely fail the "designed
for security" test, and by that criteria, should not have been used in
any browser to begin with. So, it's probably not a very good argument
against fuzzing bad software =)

Secondly - as most people on this list know, sandboxing is a tricky
beast. Firefox doesn't have it. Safari and Opera don't have it (that I
know of). MSIE has a fairly limited one. Chrome has a good sandbox on
most platforms, but today, it is certainly far from being a silver
bullet - an RCE in a sandboxed renderer still gives access to many of
your online assets (doubly so if you advise people to conduct their
business in browser-accessible VMs, cloud services, or so).

They are working on something better, but the difficulty of making
that happen for a fairly specific use case certainly emphasizes how
tricky sandboxing can be with today's monolithic, multi-purpose apps.
People have been talking about lightweight, dynamic
compartmentalization-on-the-fly for other tools for a very long time,
but not much has gained widespread acceptance so far. Most OSes ship
with a dizzying array of containment mechanisms, most of which are
completely unused spare for a handful binaries built by teams
passionate about infosec. I'm not sure if we have the power to change
that.

/mz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.