Re: [DotGNU]Microsoft's security blind spot

[Bill Lance]

--- Rhys Weatherley <address@hidden> wrote:
>> 
> There really is no "magic bullet" that makes a
> system
> secure/private.  It requires severe attention to
> detail in
> the code and protocols.  

That's absolutly true.  From the VRS architecute page,

"This is not a single system layer but the total
effect of a number of design priorities, trade-offs, a
specific techniques in a variety of places. Some of
these have been identified so far, but much thought
needs to be done here yet."



>Cross-checking each other,
> and performing code reviews would help.
> 
> It's rarely a good idea to design a system that will
> be
> secure/private when it's all put together.  It's
> even
> worse to rely upon some "shell" to provide security.
> 
> It's better to design the pieces to be "mutually
> distrustful", so that if one fails, it doesn't
> compromise
> everything else.  i.e. every component is
> responsible
> for its own defence.
> 

This is a good strategy.

>There are guidelines for writing secure code, but
they
>are very generic: check all buffer boundaries, never
>trust the caller to get parameters right, don't leak
>unnecessary information, et

And this all helps against certain classes of attacks.

These are the kinds of items we need to add to a
security and privacy checklist.  As you observe, there
is no "magic bullet".  The issue must be in our minds
with everything we do.

On top of all this, though, we also have to be able to
test for and detect unintended consequences as
components interact.  Of course, this is the classic
source of 'bugs'.  But we still haven't solved the
problem, so we got to keep finding 'n stomping the
little bastards.

And things get so much more complicated when we start
pushing the scope of what dotGNU is ment to cover.



__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com