[cap-talk] Dan Bernstein's qmail security lessons paper

James A. Donald jamesd at echeque.com
Sun Dec 16 14:29:12 EST 2007


Bill Frantz wrote:
 > "Some thoughts on security after ten years of qmail
 > 1.0" Daniel J. Bernstein
 >
 > <http://cr.yp.to/qmail/qmailsec-20071101.pdf>
 >
 > "I have become convinced that this “principle of least
 > privilege” is fundamentally wrong. Minimizing
 > privilege might reduce the damage done by some
 > security holes but almost never fixes the holes.
 > Minimizing privilege is not the same as minimizing the
 > amount of trusted code, does not have the same
 > benefits as minimizing the amount of trusted code, and
 > does not move us any closer to a secure computer
 > system."

Obviously minesweeper should not be privileged to read
your mail, record your interactions with bank sites,
mail your passwords to Nigeria, and reformat your hard
drive.  Nor should any random word document that
supposedly comes from your friend in email.

But your company web server does need to be pretty much
privileged to run your business, and if a guy from
Nigeria gets control of it, the principle of least
privilege does not help much.

For things like the webserver, what can help a lot is
writing stuff in a language that is immune from buffer
overflows and the like.  Buffer overflows are a
particular instance of a more general error:  Type
violations - doing things with data that violates type
constraints.  Languages such as Java and Lisp are
incapable of that kind of failure, and Lisp's "macros"
encourage one to create types that embody domain
specific correctness, so that one cannot use data
inappropriately for the domain of the data.

Java has dreadful performance problems: Lisp also has
performance problems, but nowhere near as bad as those
of Java, though still bad enough that businesses using
Lisp usually wind up writing key parts of their
applications in C.  Still, I notice that truly great
Lisp programmers receive markedly lower pay than truly
great C programmers.  Despite the compelling arguments
for using Lisp as an engineering decision, it is an
extremely bad career decision.
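An added illustration, not part of this post, of what the paragraph above calls a type violation: in C a fixed-size buffer carries a size constraint the compiler never enforces, so the fix is to make the buffer and its bound one type whose only write path checks the bound. The names (HOST_MAX, struct host, host_set) and the 64-byte limit are assumptions made for the example.

```c
/* Added example: a fixed-size C buffer is a type constraint that the
   language does not enforce; wrapping it in a type whose only write
   operation checks capacity moves the check into the type itself. */
#include <stddef.h>
#include <string.h>

#define HOST_MAX 64   /* constructed domain limit: longest hostname accepted */

/* The 'before': the unchecked copy. A src longer than HOST_MAX-1 bytes
   overflows name[]. Shown for contrast only; nothing below calls it. */
struct host_raw { char name[HOST_MAX]; };
void host_set_unchecked(struct host_raw *h, const char *src) {
    strcpy(h->name, src);
}

/* The 'after': buffer and length form one type, filled only via host_set(),
   which refuses any input the type cannot hold. */
struct host { char name[HOST_MAX]; size_t len; };

/* Returns 0 on success, -1 if src violates the domain constraint.
   The length scan never reads past HOST_MAX bytes of src. */
int host_set(struct host *h, const char *src) {
    size_t n = 0;
    while (n < HOST_MAX && src[n] != '\0') n++;
    if (n == HOST_MAX) {          /* no terminator within capacity: reject */
        h->name[0] = '\0';
        h->len = 0;
        return -1;
    }
    memcpy(h->name, src, n + 1);  /* n + 1 <= HOST_MAX, terminator included */
    h->len = n;
    return 0;
}

/* Returns 1 if src is representable as a struct host, 0 otherwise. */
int host_accepts(const char *src) {
    struct host h;
    return host_set(&h, src) == 0;
}

/* Demonstration on a constructed 199-byte hostname and a normal one.
   Returns 1 when the oversized input is rejected and the normal one stored. */
int demo(void) {
    char big[200];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    struct host h;
    int rc_big = host_set(&h, big);                 /* -1 */
    int rc_ok  = host_set(&h, "mail.example.com");  /* 0, len 16 */
    return rc_big == -1 && rc_ok == 0 && h.len == 16;
}
```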
