[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: outside evil vs. the user (was: Please read if you use x86 -current)
On Thu Nov 13 2008 at 14:43:42 -0500, Greg A. Woods; Planix, Inc. wrote:
> On 13-Nov-2008, at 8:44 AM, Antti Kantee wrote:
> >Second, I am more concerned about outside evil, not so much the user
> >trying to exploit his own machine. Of course multiuser machines are
> >another thing, but as I already said in the previous paragraph, I do
> >not agree with your concern there either.
> When people talk about security vulnerabilities and use phrases like
> "the user" they mean a process acting at the privilege level of the
> average user.
> However it may not be a process the human user intended to run, or it
> may not be doing something the human user intended it to do.
> I.e. these concerns are part of a security threat model involving
> "outside evil" as you say. Users are not always in as direct a
> control over what they do on their own machines as you seem to suggest/
> hope they might be.
> Think phishing attacks, worms, viruses, buffer overflows, etc., etc.,
> etc. The vector is irrelevant beyond the fact that it causes code to
> run as the user which the user did not intend to run. These are all
> examples of "the user" doing something to (try to) compromise security
> of their own machine, whether they realize it or not.
"outside evil" in this case is an evil file system image very much likened
to a phishing attack, worm, virus, ... - something that compromises the
system's security in an unexpected way for the user e.g. when mounting it.
We agree on this one.
By "the user *trying* to exploit" I meant the user consciously trying
to break the system, not accidentally.
Main Index |
Thread Index |