I'm giving up on seccomp

Eric S. Raymond esr at thyrsus.com
Thu Sep 3 00:35:38 UTC 2020


Gary E. Miller via devel <devel at ntpsec.org>:
> Buffer overruns are just one way a program might make unexpected system
> calls.  Even if you can guarantee that a Go program could never be
> maliciously corrupted externally, you can never guarantee that the
> Go program can not be trojaned.

Everything is cost gradients.

Yes, a Go program could be Trojaned, but (a) that is far less likely
than a buffer overrun is in C, and (b) there are reasonably efficient
auditing methods to detect Trojanning, good enough that even static
analyzers like Coverity and LGTM can usually catch them by looking
for shellouts.  Syscall blocking is not really the best-fit tool for
defense against this kind of attack.

Daniel knows more about this sort of thing than I do and might correct
me, but it's my impression that syscall blocking is *specifically* a
best-fit defence against object-code weird machines produced by
buffer-overrun and stack-corruption attacks, and its utility drops off
sharply for other kinds of attacks that are better foiled in different
ways.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
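
The shellout audit mentioned in the message above, as an added example that is not part of the original post or of NTPsec's code: a Go scanner, standard library only, that reports calls into process-launching or raw-syscall packages even when the import is aliased. The `risky` list, the `FindShellouts` name and the sample source are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// risky: import paths that allow process launch or raw syscalls (assumed list).
var risky = map[string]bool{"os/exec": true, "syscall": true, "golang.org/x/sys/unix": true}

// sample is constructed input: a helper with a process launch behind an alias.
const sample = "package clock\n\nimport (\n\t\"fmt\"\n\trun \"os/exec\"\n)\n\n" +
	"func Stamp() string {\n\trun.Command(\"/bin/true\").Run()\n\treturn fmt.Sprint(1)\n}\n"

// FindShellouts parses Go source and returns one "line: path.Func" entry per
// reference into a risky package. It may over-report on shadowed names.
func FindShellouts(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "audit.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local package name -> risky import path
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, "\"`")
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name // alias, e.g. run "os/exec"
		}
		if risky[path] {
			local[name] = path
		}
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] != "" {
				line := fset.Position(sel.Pos()).Line
				hits = append(hits, fmt.Sprintf("%d: %s.%s", line, local[id.Name], sel.Sel.Name))
			}
		}
		return true
	})
	return hits, nil
}

func main() { fmt.Println(FindShellouts(sample)) }
```
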

