This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Is there someone offering cygwin paid support?


On Thu, Sep 20, 2007 at 03:08:55AM -0600, Warren Young wrote:
>Will Parsons wrote:
>>why would cygwin be less secure?
>
>The more moving parts, the more things there are to break.
>
>Postulate that you have a program that's been audited to the point that
>you're absolutely certain it's 100% secure when run on Linux.
>
>Then you port it to Cygwin.  Is it secure?  The answer cannot be "Yes"
>until you have also audited Cygwin itself to the same level of
>assurance.
>
>Just one way it could fail is if there is a buffer overflow in the
>implementation of one of Cygwin's interfaces, and your "100% secure"
>program calls it.  It's then only a matter of time for a skilled hacker
>to turn that buffer overflow into an arbitrary code execution
>vulnerability.  At minimum, the hacker will then have the privileges of
>the program.  Once the hacker has local access, chances are good that
>he can parlay that into a privilege escalation attack, and it's Game
>Over for you.
>
>Security is hard.

I don't think I've given out a gold star for a clear explanation in a
long time but can we get one over here?

cgf

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]