Squeak+Web security [Was: Re: Two small articles]
John M McIntosh
johnmci at smalltalkconsulting.com
Mon Nov 3 17:27:30 UTC 2003
I'll point out we really need to audit the VM primitives and watch the
usage
of strcat/strcpy etc etc. Much of the tcp/ip logic consists of reading
bytes and dumping into
storage areas and we "assume* there are no side effects.
As an example I'll point out the serial primitive read logic right now
will check
the size of the array & start location for valid memory accessing
within the buffer, and set
the success flag to true/false, then INVOKE the serial read
primitive!!! Technically this results
in writing bits anywhere in the address space based on passed in values.
I thought I read over the weekend Microsoft released some security
audit tools. Perhaps
someone can run them against the windows VM source?
On Monday, November 3, 2003, at 02:14 AM, goran.krampe at bluefish.se
wrote:
> Cees de Groot <cg at tric.nl> wrote:
>> On Mon, 2003-11-03 at 10:31, goran.krampe at bluefish.se wrote:
>>> Well, I am not so sure about that. Security consiousness is probably
>>> strongly coupled to how much stuff you have deployed and exposed -
>>> and
>>> the importance of it. :-)
>>>
>> Sadly, yes. And if we continue down this path Squeak will be another
>> one
>> of these products regularly featuring on Bugtraq et al. That's why I'm
>> sounding alarm bells - it's early, the frameworks are overseeable, and
>> the weaknesses easily identifiable. Let's fix it.
========================================================================
===
John M. McIntosh <johnmci at smalltalkconsulting.com> 1-800-477-2659
Corporate Smalltalk Consulting Ltd. http://www.smalltalkconsulting.com
========================================================================
===
More information about the Squeak-dev
mailing list
|