Re: [ISN] How To Save The Internet

To: jericho@xxxxxxxxxxxxx
Subject: Re: [ISN] How To Save The Internet
From: Jason Coombs <jasonc@xxxxxxxxxxx>
Date: Tue, 22 Mar 2005 10:24:53 +1200
Cc: isn@xxxxxxx, sberinato@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.44.0503180128570.9539-100000@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.44.0503180128570.9539-100000@xxxxxxxxxxxxxxxxxx>
Reply-to: jasonc@xxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

InfoSec News wrote:

Forwarded from: security curmudgeon <jericho@xxxxxxxxxxxxx>
Cc: sberinato@xxxxxxx
... Big load of crap ...
: http://www.cio.com/archive/031505/security.html
: BY SCOTT BERINATO
: serial numbers and control their distribution. James Whittaker says: programmable PCs are dangerous, so why not treat them like guns?


jericho@xxxxxxxxxxxxx wrote:

In 2001, 2002, 2003 and 2004, how many deaths were attributed tocomputers?

Programmable PCs *are* dangerous, but only to themselves and otherprogrammable PCs that aren't operated by skilled people who know how todefend against the execution of unwanted machine code.

The problem with programmable PCs is that they execute machine codewithout considering whether any of the instructions are desired by theowner of the CPU. A no execute (NX) stack and heap [1] is a step in theright direction, but everyone in the computer industry who has giventhis any thought already knows that the core problem with computersecurity is that our CPUs make no effort to restrict the execution ofmachine code to that very small subset of all possible machine codewhich constitutes the code that the owner of the CPU desires it to run.

Until this security defect is solved, we will still have problems causedby rampant technical bugs in our programmable PCs. Insecure softwarewould not be a threat except in rare circumstances if there were only away for our CPUs to be configured to execute *only* the insecuresoftware that we desire, and block anything else that is added to ourboxes by buffers, bullies, or buffoons.

If anyone really cared about solving this core security problem withcomputing today, it would be solved in just a few months. We would thenbe left with all of the wonderful array of security problems that arecaused by human behavior (theft, misuse, physical intrusion,eavesdropping, scam artists, etc) and these are problems we can all livewith in relative harmony [7].

The marketplace is not demanding this solution, and it appears from thenoise of the media and marketing and PR machines of our revered industryleaders that nobody is even trying to build awareness of the problemmuch less devise and deliver solutions.

Programmable CPUs are not suitable for use in data communicationsdevices without hardware defenses that restrict the machine codeinstruction sequences that the CPU will accept. Programmable CPUs arebarely suitable for anything without this simple security addition.


We're all so busy pushing bits around urgently we've forgotten to care.

CIO should be ashamed to be perpetuating the pointless and fraudulentbusiness ideas of an industry addicted to extracting profit from victimsby causing them unnecessary problems and then selling inadequate fixes.


Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx


[1] MSDN Security Developer Center: Execution Protection
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx

[7] Why Was Intel a No-Show on No Execute?
http://www.eweek.com/article2/0,1759,1599193,00.asp

Follow-Ups:
- RE: [ISN] How To Save The Internet
  - From: David Gillett

Prev by Date: SecurityForest Exploitation Framework Beta has been released!
Next by Date: Re: Thoughts and a possible solution on homograph attacks
Previous by thread: SecurityForest Exploitation Framework Beta has been released!
Next by thread: RE: [ISN] How To Save The Internet
Index(es):
- Date
- Thread