On Apr 27, 2016, at 5:58 PM, Noel Chiappa <jnc at mercury.lcs.mit.edu> wrote:

> From: Paul Koning
>
> > while Unix is reasonably secure, application writers have managed to
> > create massive numbers of security holes that have nothing to do with
> > defects of the OS, and aren't cured by a better OS.
>
> On a secure system (i.e. OS plus underlying hardware), _nothing_ an
> application does (whether merely buggy, or guidely malevolent) can i) write
> data it's not supposed to have write access to, ii) read such data, iii)
> interfere with any other application, etc, etc.

Sure, all that is obvious. But the problem is that some attacks require only the
application and the data it IS supposed to have access to -- just get the application to
do the wrong thing to the right data. That kind of malfunction can only be cured by
writing correct applications. For example, it isn't much consolation if your banking
app writes only to the correct bank accounts database, if it sends your money to the wrong
account for the wrong reason.
paul