| version 1.34, 1998/02/24 19:47:15 |
version 1.35, 1998/02/24 21:15:26 |
|
|
| programming errors in code and then only months later discovered that |
programming errors in code and then only months later discovered that |
| the problems were in fact exploitable. In other cases we have been |
the problems were in fact exploitable. In other cases we have been |
| saved from full exploitability of complex step-by-step attacks because |
saved from full exploitability of complex step-by-step attacks because |
| we had fixed one of the steps. An example of where we did this is the |
we had fixed one of the steps. An example of where we managed such a |
| |
success is the |
| <a href=http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html> |
<a href=http://www.secnet.com/sni-advisories/sni-19.bsd.lpd.advisory.html> |
| lpd advisory from |
lpd advisory from Secure Networks.</a><p> |
| Secure Networks.</a><p> |
|
| |
|
| This proactive auditing |
This proactive auditing process has really paid off. Statements like |
| process has really paid off. Statements like ``This problem was fixed |
``This problem was fixed in OpenBSD about 6 months ago'' have become |
| in OpenBSD about 6 months ago'' have become commonplace in security |
commonplace in security forums like <a |
| forums like <a href=http://www.geek-girl.com/bugtraq/index.html>BUGTRAQ</a>.<p> |
href=http://www.geek-girl.com/bugtraq/index.html>BUGTRAQ</a>.<p> |
| |
|
| |
Most of our security auditing happened immediately before the OpenBSD |
| |
2.0 release and during the 2.0->2.1 transition. Thousands of security |
| |
issues were fixed rapidly over almost a year, like the standard buffer |
| |
overflows, protocol implementation weaknesses, and filesystem races. |
| |
In the time since then, the types of security problems we find and fix |
| |
have tended to be more obscure or complicated. Still we will persist |
| |
for a number of reasons: |
| |
<ul> |
| |
<li>Occasionally we find a simple one we missed before. |
| |
<li>Security is like an arms race; the best attackers will continue |
| |
to search for more complicated exploits, so we should too. |
| |
</ul> |
| |
|
| The auditing process is not over yet, and as you can see we continue |
The auditing process is not over yet, and as you can see we continue |
| to find and fix new security flaws.<p> |
to find and fix new security flaws.<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to security.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www