Date: Mon, 09 Jan 2012 14:57:37 +0100 From: Ludwig Nussel <ludwig.nussel@...e.de> To: oss-security@...ts.openwall.com Subject: Re: Malicious devices & vulnerabilties Alistair Crooks wrote: > On Mon, Jan 09, 2012 at 03:48:20AM +0800, Eugene Teo wrote: >> On 01/08/2012 07:19 PM, Florian Weimer wrote: >>>> I am wondering where to draw the line. Should such device drivers >>>> be considered vulnerable or not? Thanks. >>> >>> I think they should be considered vulnerable. Some applications need >>> some robustness to attacks even from the local console (e.g., student >>> computer rooms). >>> >>> USB is also a popular transport in many air-gapped environments. >> >> I would consider them vulnerable with low security impacts. If you are >> fixing such issues, do post them to the list. > > One very interesting datapoint here is Antti Kantee's rump subsystem > in NetBSD > > http://www.netbsd.org/docs/rump/ > http://blog.netbsd.org/tnf/entry/runnable_userspace_meta_programs_in > > which allows for userspace-mounting of devices and filesystems > thereon. Unknown provenance USB sticks are one of the use cases > mentioned. Nice. Using fuse for mounting hot plugged devices where performance isn't a priority anyways is what I dream about sometimes too :-) I wonder how hard it would be to create some glue code and re-use the existing kernel fs drivers 1:1. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ