[Owasp-codereview] No input paths still not 100% secure?

Eoin eoinkeary at gmail.com
Tue Jun 24 04:37:24 EDT 2008


Im not sure who said "Input validation is the only security mechanisim" but
anyways I agree with Jeff here.

The purpose of a code review guide reviewer is to perfrom an objective
review of the technical content and suggest any improvements on structure or
content, NOT to suggest theorethical "what if's" and other garbage. I am
tired of the academic approach to subjects such as security and wish to
guide to be pragmatic.


On 23/06/2008, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> I really think this is a ridiculous hypothetical. Nobody cares about hello
> world. And it's such a trivial program that it's unlikely (certainly not
> impossible) that there are exploitable vulnerabilities.
>
> In the first place, human generated input is not the only source of
> attacks.
> It's very easy these days to tunnel attacks through other "trusted"
> systems.
> You need to validate anything that isn't guaranteed to be safe.  By
> "guaranteed" I mean that someone else will compensate you for any loss
> related to an attack in the data.
>
> But more importantly, malicious input is not even close to the only way
> that
> an application can be attacked. An attacker could monitor the running
> application (in memory or swap) and breach confidentiality. They could
> change the underlying platform (keylogging, dll injection, virtualization).
> The attacker might bypass authentication or access controls. They might
> replay They can deny service by exhausting resources or locking. The
> application might not properly handle errors (not input related like out of
> memory, file not found, etc..) and it might disclose implementation details
> or crash. The application might not log properly. It might have concurrency
> problems that intermittently disclose sensitive information. And a million
> others.
>
> The idea that input validation is the only security mechanism is absurd.
>
> --Jeff
>
> -----Original Message-----
> From: owasp-codereview-bounces at lists.owasp.org
> [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Mario de
> Boer
> Sent: Monday, June 23, 2008 9:32 AM
> To: Nam Nguyen
> Cc: Owasp-codereview at lists.owasp.org
> Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
>
> At least, "heIIo world" outputs something. This is interpreted by
> something, in this case a human. The fact that I wrote two capital "i"
> instead of a lowercase "l" indicates that there might be a security
> problem with this program in some applications. You can probably
> conjure up more of these.
> Moreover, the program uses library calls (or an interpreter), for
> example printf. In some hostile environments this may not be secure.
> The only secure program is NOP (though this may be disputed by some).
> Regards, Mario
>
> On 6/23/08, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> > Mark Roxberry, OWASP.ORG wrote:
> > > Hello world is probably not my target.
> > >
> > > For a better example of an apparently input less application, say you
> have a
> > > win32 service for file I/O.
> >
> > Doesn't "file I/O" spell out in full as "file *Input*/Output"?
> >
> > I know, I know. I'm being annoying here...
> >
> > Nam
> >
> > We may need this to give that service higher
> > > privileged authority than direct user access to a file repository as
> part of
> > > a web application.  In this case, I can deny the service access by
> changing
> > > access control to a directory, also by changing the service account to
> run
> > > as another account.  In day to day security configuration settings are
> > > usually not considered as input (at least in my experience).  So if you
> have
> > > a configuration setting for a file location in my previous example, and
> you
> > > can change that, there's a vector that is not technically input.
> > >
> > >
> > > -----Original Message-----
> > > From: owasp-codereview-bounces at lists.owasp.org
> > > [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Nam
> Nguyen
> > > Sent: Monday, June 23, 2008 6:45 AM
> > > To: Eoin
> > > Cc: Owasp-codereview at lists.owasp.org
> > > Subject: Re: [Owasp-codereview] No input paths still not 100% secure?
> > >
> > > Eoin wrote:
> > >> I suppose all systems have some sort of data?
> > >> be it from a user or a B2B system or from a legacy database, or a
> batch
> > > file
> > >> feed?
> > >
> > >> The data has to come from somewhere and such data must be validated
> and
> > > the
> > >> transactions relating to the input of such data must be examined.
> > >
> > > Agreed.
> > >
> > > However, the statement that we are discussing about assumes that such
> > > system does not take in any data at all. In that sense, I could only
> > > imagine "hello world". And how could "hello world" not be 100% secure?
> > >
> > > Maybe I'm missing something here. By "input mechanism", do you only
> > > consider inputs entered by a human, not taken from other systems?
> > >
> > > Cheers
> > > Nam
> > >
> > >
> > >
> > >> On 23/06/2008, Nam Nguyen <namn at bluemoon.com.vn> wrote:
> > >>> Hi
> > >>>
> > >>> I'm reviewing the newly added chapter Transaction Analysis (or is it
> > >>> Transactional Analysis?).
> > >>>
> > >>> This statement caught my eyes and I kept pondering how it could be
> > >>> exemplified.
> > >>>
> > >>> "Would systems lacking an input mechanism be 100% secure? Probably
> not."
> > >>>
> > >>> I mean, "hello world" is not 100% secure?
> > >>>
> > >>> Could someone share with me an example of such vulnerable system
> please?
> > >>>
> > >>> Thanks
> > >>> Nam
> > >
> > > _______________________________________________
> > > Owasp-codereview mailing list
> > > Owasp-codereview at lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-codereview
> > _______________________________________________
> > Owasp-codereview mailing list
> > Owasp-codereview at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-codereview
> >
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-codereview/attachments/20080624/a61be1e2/attachment.html 


More information about the Owasp-codereview mailing list