Results, Not Resolutions

Bill Frantz frantz at pwpconsult.com
Sun Jan 27 01:17:38 EST 2002


At 7:42 PM -0800 1/25/02, R. A. Hettinga quoted Schneier and Shostack:
>http://www.securityfocus.com/news/315
>I. Data/Control Path Separation
>
>
>"Security models should be easy for developers to understand and build into
>their applications." -Gates memo.
>
>One of the simplest, strongest, and safest models is to enforce a rigid
>separation of data and code. The commingling of data and code is
>responsible for a great many security problems, and Microsoft has been the
>Internet's worst offender.
>
>Here's one example: Originally, e-mail was text only, and e-mail viruses
>were impossible. ...

Well, the line between code and data is fuzzier than that.  That 7 bit
ASCII email is properly thought of as a series of instructions for a text
rendering engine which is implemented in software on modern machines.  If
there is a bug in that rendering software, then it may be possible to
design a sequence of text which executes arbitrary code on the receiving
machine.

Admittedly, ASCII text isn't a very powerful instruction set, and rendering
code tends to be well debugged, but deciding what is instructions and what
is text is not as easy as it might seem.  I believe that certain JPEG
renderers have been found to have exploitable flaws.

There is really no substitute for limiting the authority of code which
processes potentially hostile input, such as email and web pages, so that
the consequences of flaws are limited.  One way to limit authority in
current systems is to use an operating system that provides a measure of
real security between users, and then have an account which is only used
for email, web surfing, etc.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz at pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA
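The point above, that even 7-bit text is a stream of instructions for a rendering engine, as an added example in C that is not part of Bill's post or the original article: a toy screen engine that treats ASCII control codes as cursor instructions and bounds-checks every one before it touches its buffer, fed a constructed hostile input (cursor underflow via backspaces, a stray escape byte, and a line longer than the screen).

```c
#include <stdio.h>
#include <string.h>

/* Toy screen: every byte of "text" is an instruction to this engine. */
#define ROWS 4
#define COLS 16
typedef struct { char cell[ROWS][COLS]; int row, col; } screen_t;

void screen_init(screen_t *s) { memset(s->cell, ' ', sizeof s->cell); s->row = s->col = 0; }
char cell_at(const screen_t *s, int r, int c) { return s->cell[r][c]; }

/* Advance one line; scroll when already on the last row rather than writing past it. */
static void newline(screen_t *s) {
    s->col = 0;
    if (s->row + 1 < ROWS) { s->row++; return; }
    memmove(s->cell[0], s->cell[1], (ROWS - 1) * COLS);
    memset(s->cell[ROWS - 1], ' ', COLS);
}

/* Interpret an ASCII byte stream. Control codes move the cursor, printable bytes
 * write one cell each; every move is range-checked first because the stream may be
 * hostile (invariant: 0 <= col <= COLS, 0 <= row < ROWS). Returns the number of
 * instructions that were rejected instead of executed. */
int render(screen_t *s, const unsigned char *in, size_t len) {
    int rejected = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '\b') { if (s->col > 0) s->col--; else rejected++; }   /* BS: never below column 0 */
        else if (c == '\t') { s->col = (s->col / 8 + 1) * 8; if (s->col > COLS) s->col = COLS; } /* HT: clamped */
        else if (c == '\r') s->col = 0;
        else if (c == '\n') newline(s);
        else if (c < 0x20 || c > 0x7e) rejected++;                      /* other controls / 8-bit bytes: dropped */
        else {                                                          /* printable: wrap first, then write */
            if (s->col >= COLS) newline(s);
            s->cell[s->row][s->col++] = (char)c;
        }
    }
    return rejected;
}
int render_cstr(screen_t *s, const char *in) { return render(s, (const unsigned char *)in, strlen(in)); }

int main(void) {
    /* Constructed hostile sample: three backspaces at column 0, then an ESC byte. */
    screen_t s; screen_init(&s);
    int bad = render_cstr(&s, "\b\b\bA\x1b[2J\n");
    printf("rejected %d instruction(s); top-left cell '%c'\n", bad, cell_at(&s, 0, 0));
    for (int r = 0; r < ROWS; r++) printf("|%.*s|\n", COLS, s.cell[r]);
    return 0;
}
```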

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com