Fir> Date: Thu, 20 Feb 1997 10:24:49 -0500 (EST)
Fir> From: "Fir E. Walls" <walls @ com>
Fir> Subject: Re: A Comment on Content
Fir> A Question 4 U:
Fir> For all these firewall products being offered by vendors,
Fir> what proof if any, to the customer, does the vendor
Fir> provide to guarantee correct bounds checking has been done in
Fir> their source code so the stack cannot be mangled by buffer
Fir> overflows (and hence compromised)?
In effect, you have very little proof. Neither the NSA/CSE (Canada)
AL-1 evaluation nor the NCSA seal say much at all.
I would look at "depth in security" (I saw this in TIS literature, but
also in other places): assume that the buffer *DOES* get overflowed. It
*WILL* happen, in *SOME* way.
What occurs at that point? Is the firewall still protected? More
importantly, is the network still protected? The SideWinder people
have some good ideas at times, but their track record in the past
for protecting the network rather than the firewall isn't good.
Ask the vendor to see their implementation of snprintf(). They
shouldn't have a problem showing that small piece of code to you. The
fact that they can find it, and know what it means should be taken as
an indication that they understand the problem. There are still lots
of OSes that do not ship snprintf() as part of libc.
Ask to see their coding practice document.
Ask to see their test case summary.
] Temporarily located in balmy Helsinki, Finland | one quark [
] Michael Richardson, Sandelman Software Works, Ottawa, ON | two quark [
] mcr @ ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
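The snprintf() point above, as an added example that is not part of the original thread: the unbounded sprintf() pattern the question is about, next to the bounded form, including the truncation check that a vendor who "understands the problem" should also be able to point to. Function names, the 64-byte line size and the oversized hostname are constructed for illustration.

```c
/* Added example, not code from the original post. Names and sizes are
 * illustrative; the long hostname is constructed test input. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX 64

/* "Before": classic unbounded formatting. A hostname longer than the
 * space left in line[] (here about 40 bytes) overruns the buffer and
 * corrupts whatever follows it on the stack. Kept only as the
 * vulnerable pattern; never call it with untrusted input. */
void log_connect_unsafe(char *line, const char *host, int port)
{
    sprintf(line, "connect from %s port %d", host, port);
}

/* "After": bounded formatting plus the check most code forgets.
 * snprintf(3) returns the length the full string *would* have had, so a
 * result >= outsz means the output was silently cut short. For an audit
 * record that should be an error, not accepted as a complete line.
 * Returns 0 on success, -1 on truncation or formatting error. */
int log_connect_safe(char *out, size_t outsz, const char *host, int port)
{
    int n = snprintf(out, outsz, "connect from %s port %d", host, port);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Builds a constructed oversized hostname (all 'A's) for testing.
 * Returns the number of non-NUL bytes written. */
size_t make_long_host(char *buf, size_t bufsz)
{
    memset(buf, 'A', bufsz - 1);
    buf[bufsz - 1] = '\0';
    return bufsz - 1;
}

int main(void)
{
    char line[LINE_MAX];
    char host[200];

    make_long_host(host, sizeof host);
    if (log_connect_safe(line, sizeof line, host, 23) == -1)
        printf("truncated, rejected: \"%s\"\n", line);
    if (log_connect_safe(line, sizeof line, "gw.example.net", 23) == 0)
        printf("ok: %s\n", line);
    return 0;
}
```

The difference worth asking a vendor about is not only that the second version uses snprintf(), but that it inspects the return value: on systems whose libc lacks snprintf(), a vendor's private implementation has to get both the bound and that return value right, which is exactly why looking at that small piece of code is informative.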