[Owasp-codereview] No input paths still not 100% secure?

Jeff Williams jeff.williams at owasp.org
Mon Jun 23 11:32:35 EDT 2008


I really think this is a ridiculous hypothetical. Nobody cares about hello
world. And it's such a trivial program that it's unlikely (certainly not
impossible) that there are exploitable vulnerabilities.

In the first place, human generated input is not the only source of attacks.
It's very easy these days to tunnel attacks through other "trusted" systems.
You need to validate anything that isn't guaranteed to be safe.  By
"guaranteed" I mean that someone else will compensate you for any loss
related to an attack in the data.

But more importantly, malicious input is not even close to the only way that
an application can be attacked. An attacker could monitor the running
application (in memory or swap) and breach confidentiality. They could
change the underlying platform (keylogging, dll injection, virtualization).
The attacker might bypass authentication or access controls. They might
replay They can deny service by exhausting resources or locking. The
application might not properly handle errors (not input related like out of
memory, file not found, etc.) and it might disclose implementation details
or crash. The application might not log properly. It might have concurrency
problems that intermittently disclose sensitive information. And a million
others.

The idea that input validation is the only security mechanism is absurd.

--Jeff

-----Original Message-----
From: owasp-codereview-bounces at lists.owasp.org
[mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Mario de Boer
Sent: Monday, June 23, 2008 9:32 AM
To: Nam Nguyen
Cc: Owasp-codereview at lists.owasp.org
Subject: Re: [Owasp-codereview] No input paths still not 100% secure?

At least, "heIIo world" outputs something. This is interpreted by
something, in this case a human. The fact that I wrote two capital "i"
instead of a lowercase "l" indicates that there might be a security
problem with this program in some applications. You can probably
conjure up more of these.
Moreover, the program uses library calls (or an interpreter), for
example printf. In some hostile environments this may not be secure.
The only secure program is NOP (though this may be disputed by some).
Regards, Mario

On 6/23/08, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> Mark Roxberry, OWASP.ORG wrote:
> > Hello world is probably not my target.
> >
> > For a better example of an apparently input less application, say you have a
> > win32 service for file I/O.
>
> Doesn't "file I/O" spell out in full as "file *Input*/Output"?
>
> I know, I know. I'm being annoying here...
>
> Nam
>
> > We may need this to give that service higher
> > privileged authority than direct user access to a file repository as part of
> > a web application.  In this case, I can deny the service access by changing
> > access control to a directory, also by changing the service account to run
> > as another account.  In day to day security configuration settings are
> > usually not considered as input (at least in my experience).  So if you have
> > a configuration setting for a file location in my previous example, and you
> > can change that, there's a vector that is not technically input.
> >
> >
> > -----Original Message-----
> > From: owasp-codereview-bounces at lists.owasp.org
> > [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam Nguyen
> > Sent: Monday, June 23, 2008 6:45 AM
> > To: Eoin
> > Cc: Owasp-codereview at lists.owasp.org
> > Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> >
> > Eoin wrote:
> >> I suppose all systems have some sort of data?
> >> be it from a user or a B2B system or from a legacy database, or a batch file
> >> feed?
> >
> >> The data has to come from somewhere and such data must be validated and the
> >> transactions relating to the input of such data must be examined.
> >
> > Agreed.
> >
> > However, the statement that we are discussing about assumes that such
> > system does not take in any data at all. In that sense, I could only
> > imagine "hello world". And how could "hello world" not be 100% secure?
> >
> > Maybe I'm missing something here. By "input mechanism", do you only
> > consider inputs entered by a human, not taken from other systems?
> >
> > Cheers
> > Nam
> >
> >
> >
> >> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> >>> Hi
> >>>
> >>> I'm reviewing the newly added chapter Transaction Analysis (or is it
> >>> Transactional Analysis?).
> >>>
> >>> This statement caught my eyes and I kept pondering how it could be
> >>> exemplified.
> >>>
> >>> "Would systems lacking an input mechanism be 100% secure? Probably not."
> >>>
> >>> I mean, "hello world" is not 100% secure?
> >>>
> >>> Could someone share with me an example of such vulnerable system please?
> >>>
> >>> Thanks
> >>> Nam
> >
> > _______________________________________________
> > Owasp-codereview mailing list
> > Owasp-codereview at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-codereview