15 Apr 2007 company   » (Master)

Talking about security is "funny". Like looking how people react to security issues or talking with other developers in #gnome-hackers, where I recently claimed that GNOME's security sucks and got quite a backlash. Since writing multimedia players like GStreamer or Swfdec made me think about security (I'm still far from expert unfortunately), I'd like to elaborate a bit on that.

Let me first mention one important thing: I don't just consider crashes to be stuff that shouldn't happen. Everything that disrupts the user's computing experience should not happen. Taking too many CPU ressources or too much memory for too long effects other applications negatively, so it should be avoided.

The biggest problem for me has always been the question of trust. When interpreting data I have to ask myself if I trust that data or not. If I have a number that says "allocate this much memory", I better trust it to report a correct size or I'll get an out-of-memory problem. A worse problem are pointers: read (or write to) the memory pointed to by this address. If you can't trust a pointer you'll likely get a segfault. So you better trust every pointer in your app. Note that this includes modifying pointers (like array indexing), which should only be done with trusted values. Stuff like that quickly gets my head spinning about which values are trusted and which aren't. Another example: Do we trust this string to be valid UTF-8?

A lot of data is read from files these days. Now, what files can application developers trust? Apparently we trust all the data a user doesn't have write access to, since I can make apps crash easily by removing Glade files, icons or linked-in libraries. But should applications trust stuff in the user's home directory?

Currently a lot of applications trust stuff in the user's directories unconditionally. Bash and X execute files in there for example. However epiphany allows you to save files from the web in there, too. What do you think clueless users would do when a web site tells them to download a file named .xinitrc? Probably nothing, since .xinitrc must be executable in order to get executed, but we're already very close to running "rm -rf ~" on login here. And of course we suddenly have a lot of untrusted files in the user's home directory. Nautilus for example knows this, since the thumbnailing process has brought down Nautilus quite often in the past. But I bet a lot of other applications don't think about that.

And then there's the fact that it's apparently dead easy to find security holes in Free Software while Windows products have been exploited by those issues in the past.
So I guess when the Linux desktop gets interesting for crackers, we'll be in for quite a ride. And by "we", I'm talking about every application that reads files.

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!