[Info-vax] A DCL wish list of sorts...
Dave Froble
davef at tsoft-inc.com
Fri Mar 22 12:45:09 EDT 2019
On 3/22/2019 12:16 PM, Stephen Hoffman wrote:
> On 2019-03-22 14:26:17 +0000, pcanagnostopoulos at gmail.com said:
>
>> But I don't understand the descriptions. They talk about a malformed
>> command table. How is such a thing created? By a user-defined command
>> that exploits a compiler bug?
>
> Correct. Parsers are notorious for security vulnerabilities. This
> given many parsers are routinely processing what should be entirely
> untrusted input. In the DCL case, the flaw Simon found permitted a
> local privilege escalation to system compromise.
>
> Parsers with privileges and kernel-mode parsers (such as the kernel-mode
> ASN.1 parsers that can be involved with network security) are
> particularly popular targets for fuzzing and for related shenanigans.
>
> Non-privileged and non-escalating flaws in some components can have
> serious security implications. Flaws in a DNS server, for instance. And
> DNS servers parse untrusted data.
>
> Isolating the parser is a technique for increasing the difficulty of
> exploitation. Same for isolating apps in general, beyond what can be
> provided with techniques using ACLs and discretionary access controls.
>
> Here's a recent writeup on one approach:
> https://security.googleblog.com/2019/03/open-sourcing-sandboxed-api.html
>
>
I can imagine that those writing system and utility level code make some
assumptions, such as "reasonable" users.

Try writing apps. One learns quite quickly to trust nothing, and check
everything. Nothing like a casual user to find ways to screw up just
about anything. There was a phrase I used to know, went something like
"Why would you ever do that?", and the thing was, many times the user
had a perfectly valid reason for doing so.

Trust nothing!
Check everything!

And then wait for some user to still screw up the works ....

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486