This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Is there someone offering cygwin paid support?

On Thu, 20 Sep 2007, Christopher Faylor wrote:

> On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
> >Will Parsons wrote:
> >>why would cygwin be less secure?
> >
> >The more moving parts, the more things there are to break.
> >
> >Postulate that you have a program that's been audited to the point that
> >you're absolutely certain it's 100% secure when run on Linux.
> >
> >Then you port it to Cygwin.  Is it secure?  The answer cannot be "Yes"
> >until you have also audited Cygwin itself to the same level of
> >assurance.
> >
> >Just one way it could fail is if there is a buffer overflow in the
> >implementation of one of Cygwin's interfaces, and your "100% secure"
> >program calls it.  It's then only a matter of time for a skilled hacker
> >to turn that buffer overflow into an arbitrary code execution
> >vulnerability.  At minimum, the hacker will then have the privileges of
> >the program.  Once the hacker has local access, chances are good that
> >he can parlay that into a privilege escalation attack, and it's Game
> >Over for you.
> >
> >Security is hard.
> I don't think I've given out a gold star for a clear explanation in a
> long time but can we get one over here?

Certainly: <>.
P.S. I also owe quite a few to folks on the cygwin-apps list...
      |\      _,,,---,,_ |
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Belief can be manipulated.  Only knowledge is dangerous.  -- Frank Herbert

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]