Security Innovation's Microsoft/Linux web server security study
Posted Mar 23, 2005 17:37 UTC (Wed) by
iabervon (subscriber, #722)
Parent article:
Security Innovation's Microsoft/Linux web server security study
The fundamental flaw in this study is that it does not include any determination of whether the vulnerabilities actually apply at all to the configuration they are theoretically testing. While they do address some more serious flaws in other studies, this still makes their results worthless.
Early in the paper, they mention a vulnerability as an example (issues with libpng); this would generally not matter to a web server, unless someone using the machine would display images from untrusted sites. It is unclear whether this is included in the study, but it probably should not be, at least not without extensive explanation, since the theoretical administrator of this system could work around the issue in the period of risk by avoiding the behavior which triggers the bug.
They give one example of an included vulnerability. This vulnerability is inapplicable for many reasons: it requires an attacker to connect to the database, which is not accepting connections from potential attackers; it requires the attacker to provide a special DNS response, which may be impossible; it requires a library the program is using to behave differently from the one actually used. One might reasonably guess that the reason Red Hat was so slow to fix this flaw was that it did not actually permit an exploit.
In order to give an actual value for days of risk, it is necessary to test, for the configuration which would have been current on each day, whether proof-of-concept exploits can be made to violate the security model. (Or, more strictly, if a set of exploits could be used to cause damage; *nix generically has a two-tiered security model, such that some flaws will violate the security model while not individually being sufficient to cause damage, so a complementary set of vulnerabilities would be required to be known and open at the same time.) As has been pointed out many times, there are vulnerabilities in Linux which may only be exploited in situations where the security model has already been violated, and where Windows behaving as designed would permit the action classified on Linux as a vulnerability.
Furthermore, if the study is using only vulnerabilities documented as known to the general public during a period, it does not make sense to include multiple unfixed vulnerabilities for the same day. The main reason to count different vectors is that an attacker may only know some of the potential attacks; but using the periods where the flaws are publicly reported makes this nonsensical. (Another reason is if you want to study a range of configurations, where an attack may only apply to some of them.) A more sensible model is to assume that an attacker will attempt all of the known attacks until one works, and measure the number of days on which some attack would succeed.
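The two ways of counting described in the comment above, as an added example that is not part of the original post or of the study it discusses: the summed "days of risk" metric, versus counting the days on which at least one applicable, publicly known, unfixed flaw (or a complementary pair of flaws, to model the two-tiered point) would actually let an attacker cause damage. The vulnerability records, their dates and the three-tier classification (`full`, `entry`, `escalation`) are constructed for illustration and are assumptions of this example, not data from the study.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    name: str
    disclosed: date   # first day the flaw was public knowledge
    fixed: date       # first day a fix was available (exclusive end of exposure)
    applicable: bool  # does the flaw reach the configuration under test at all?
    # "full": violates the security model and causes damage on its own
    # "entry": remote foothold only (e.g. an unprivileged account)
    # "escalation": only usable once a foothold already exists
    tier: str


def is_open(v: Vuln, day: date) -> bool:
    """A flaw counts on a day only if it applies to the configuration,
    is already public and is not yet fixed."""
    return v.applicable and v.disclosed <= day < v.fixed


def summed_days_of_risk(vulns: list[Vuln]) -> int:
    """The criticised metric: every unfixed flaw contributes its own span of
    days, regardless of overlap with other flaws or of applicability."""
    return sum((v.fixed - v.disclosed).days for v in vulns)


def damage_possible(vulns: list[Vuln], day: date) -> bool:
    """Attacker tries every known open attack: damage is possible if a
    'full' flaw is open, or an 'entry' and an 'escalation' flaw are open
    together (the complementary-pair case of a two-tiered model)."""
    open_tiers = {v.tier for v in vulns if is_open(v, day)}
    return "full" in open_tiers or {"entry", "escalation"} <= open_tiers


def exposed_days(vulns: list[Vuln], start: date, end: date) -> int:
    """Number of days in [start, end] on which some combination of known,
    unfixed, applicable flaws would succeed; overlapping flaws count once."""
    span = (end - start).days + 1
    return sum(1 for i in range(span) if damage_possible(vulns, start + timedelta(days=i)))


# Constructed sample (hypothetical flaws and dates, not from the study).
SAMPLE = [
    # client-side image bug: does not reach a headless web server
    Vuln("image-decoder", date(2005, 1, 1), date(2005, 1, 31), False, "full"),
    # database bug needing a connection the server does not accept
    Vuln("db-resolver", date(2005, 1, 15), date(2005, 2, 15), False, "full"),
    # remote flaw yielding only an unprivileged foothold
    Vuln("cgi-foothold", date(2005, 2, 1), date(2005, 2, 20), True, "entry"),
    # local privilege escalation, useless without a foothold
    Vuln("setuid-escalation", date(2005, 2, 10), date(2005, 3, 5), True, "escalation"),
    # remote flaw that is damaging on its own
    Vuln("httpd-remote", date(2005, 3, 1), date(2005, 3, 8), True, "full"),
]

if __name__ == "__main__":
    start, end = date(2005, 1, 1), date(2005, 3, 31)
    print("summed days of risk:", summed_days_of_risk(SAMPLE))
    print("days on which an attack would succeed:", exposed_days(SAMPLE, start, end))
```

On the constructed sample the summed metric reports 110 days, while only 17 days in the quarter have an applicable attack that could actually cause damage: the ten days on which the foothold and escalation flaws were both open, plus the seven days of the stand-alone remote flaw. The inapplicable client-side and database flaws contribute nothing under the second model.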