Date: Mon, 17 Nov 2014 07:54:54 -0800 From: Michal Zalewski <lcamtuf@...edump.cx> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less > I know that this sounds awfully impractical (at least for the time > being, because the landscape here is changing pretty rapidly), but > some would say that the best advice they can give to "average users" > now is to watch "untrusted" movies with web browsers which are > employing well-reviewed and tested sandboxing technologies and their > media decoders are well tested (also: fuzzed). I guess "regular" media > players will follow with this approach in some time. Well, but that's a tough argument. First, as you note, the primary way that things like ffmpeg have improved is fuzzing. In fact, if anything, ffmpeg has been *exceptionally* bad before that, would definitely fail the "designed for security" test, and by that criteria, should not have been used in any browser to begin with. So, it's probably not a very good argument against fuzzing bad software =) Secondly - as most people on this list know, sandboxing is a tricky beast. Firefox doesn't have it. Safari and Opera don't have it (that I know of). MSIE has a fairly limited one. Chrome has a good sandbox on most platforms, but today, it is certainly far from being a silver bullet - an RCE in a sandboxed renderer still gives access to many of your online assets (doubly so if you advise people to conduct their business in browser-accessible VMs, cloud services, or so). They are working on something better, but the difficulty of making that happen for a fairly specific use case certainly emphasizes how tricky sandboxing can be with today's monolithic, multi-purpose apps. People have been talking about lightweight, dynamic compartmentalization-on-the-fly for other tools for a very long time, but not much has gained widespread acceptance so far. Most OSes ship with a dizzying array of containment mechanisms, most of which are completely unused spare for a handful binaries built by teams passionate about infosec. I'm not sure if we have the power to change that. /mz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.