Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: What could have been done differently?

  • From: Michael.Dillon
  • Date: Wed Jan 29 08:36:15 2003

> His main thesis was basically that every
> OS in common use today, from Windows to UNIX variants, has a fundamental
> flaw in the way privileges and permissions are handled - the concept of
> superuser/administrator. He argued instead that OSes should be 
redesigned to
> implement the principle of least privilege from the ground up, down to 
the
> architecture they run on. OpenSSH's PrivSep (now making its way into 
other
> daemons in the OpenBSD tree) is a step in the right direction.

Capability-based systems like EROS-OS are a way of addressing this issue. 
Have a look at http://www.eros-os.org/
If you only read one article then pick this summary from IEEE Software 
magazine http://www.eros-os.org/papers/IEEE-Software-Jan-2002.pdf

The slammer worm made its way into some very unexpected places. It seems 
that in many organizations, once the UDP packet made its way to one MS-SQL 
server through one hole, it then acquired all the privileges of the IP 
address that supposedly belonged to a database server. Since traffic from 
the database server was considered to be trustworthy, it was able to 
easily reach and infect many more internal MS-SQL servers that were on 
internal networks unconnected to the Internet. In other words, there were 
MS-SQL servers acting as Application Layer Gateways to transport the worm 
into protected networks. 

The random nature of the addresses chosen by the worm virtually guaranteed 
that every single network path in the world containing MS-SQL servers 
would be infected.

--Michael Dillon





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.