KHB: Failure-oblivious computing
Posted Jul 4, 2006 9:29 UTC (Tue) by walterh
In reply to: KHB: Failure-oblivious computing
Parent article: KHB: Failure-oblivious computing
> Might be; then do think a bit harder to come with a reasonable example
> proving it; the ones you suggested are absolutely irrelevant.
Just to show you how relevant these examples are, think about the ACL example again: Say a server has a block list which is consists of a dynamic part supplied by the IDS and a static part supplied by the administrator. Joe Hacker has been put on the static part by the administrator. To get around the block, he injects forged packets into the IDS to grow the dynamic block list to the point where the buffer for the combined block list overruns. Now, as the buffer contains just IP addresses this would result in a program crash enabling a denial of service attack. But, when the buffer just gets clipped so that the static part of the block list is gone, Joe Hacker can get access.
Or, another example: A PHP app checks user+password combinations with the following SQL command:
SELECT * FROM users WHERE user='%s' AND password='%s';
Of course, it will escape and special characters like ' in input. Now Joe Hacker supplies
as username. The ' at the end gets escaped to \'. Assume that due to some buffer magic the last character is clipped. Now the string is
or 1=1 limit 1;
for the password the SQL command now becomes
SELECT * FROM users WHERE user='looooo....ongname\' AND password=' or 1=1 limit 1;';
which will let Joe hacker in.
So you can see that is is easy to come up with examples where the technique advertised in the article creates gaping security holes.
To be honest, I think it is very worrying how some people here defend a broken idea. If those are the ones writing critical applications, then there is plenty or reason to be afraid.
to post comments)