This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Is there someone offering cygwin paid support?

From: Warren Young <warren at etr-usa dot com>
To: Cygwin-L <cygwin at cygwin dot com>
Date: Thu, 20 Sep 2007 03:08:55 -0600
Subject: Re: Is there someone offering cygwin paid support?
References: <e2712e1d0709140741n37326b85x8e9ef9a573f77a79@mail.gmail.com> <2D9E96311DCA4C48BF185EA6928BC7BB026A1822@asc-mail.int.ascribe.com> <e2712e1d0709170939m61231a41k665ba93e151495bd@mail.gmail.com> <fcmgrl$m5s$1@sea.gmane.org> <e2712e1d0709171249l856e9b1wd20369091011e723@mail.gmail.com> <fcn658$vkl$1@sea.gmane.org> <20070918155829.1648@blackhawk> <20070918151831.GA27067@trixie.casa.cgf.cx> <slrnff0nrp.og.oudeis@isis.thalatta.eme>

Will Parsons wrote:

why would cygwin be less secure?

The more moving parts, the more things there are to break.

Postulate that you have a program that's been audited to the point that you're absolutely certain it's 100% secure when run on Linux.

Then you port it to Cygwin. Is it secure? The answer cannot be "Yes" until you have also audited Cygwin itself to the same level of assurance.

Just one way it could fail is if there is a buffer overflow in the implementation of one of Cygwin's interfaces, and your "100% secure" program calls it. It's then only a matter of time for a skilled hacker to turn that buffer overflow into an arbitrary code execution vulnerability. At minimum, the hacker will then have the privileges of the program. Once the hacker has local access, chances are good that he can parlay that into a privilege escalation attack, and it's Game Over for you.

Security is hard.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- Re: Is there someone offering cygwin paid support?
  - From: Christopher Faylor
- RE: Is there someone offering cygwin paid support?
  - From: Dave Korn

References:
- Is there someone offering cygwin paid support?
  - From: Marko Loparic
- RE: Is there someone offering cygwin paid support?
  - From: Phil Betts
- Re: Is there someone offering cygwin paid support?
  - From: Marko Loparic
- Re: Is there someone offering cygwin paid support?
  - From: Steve Holden
- Re: Is there someone offering cygwin paid support?
  - From: Marko Loparic
- Re: Is there someone offering cygwin paid support?
  - From: Steve Holden
- Re: Is there someone offering cygwin paid support?
  - From: d.henman
- Re: Is there someone offering cygwin paid support?
  - From: Christopher Faylor
- Re: Is there someone offering cygwin paid support?
  - From: Will Parsons

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]