Ralf S. Engelschall wrote:
> And now I ask me why _isn't_ this better? I don't understand it, Ben. IMHO
> this non-assertion way _is_ better, because it prevents the system from being
> dropped down (kind of DoS) by a local attacker....

I'm happy to admit that it is a marginal improvement wrt a local
attacker, but I can't see that it makes a significant difference to your
defences against a local attacker, for the following reasons:

1. You should be using a UNIX domain socket. With appropriate
permissions, this cannot be exploited as described.

2. The local attacker can DoS you trivially simply by overloading the
HTTP/HTTPS port.

3. On most OSes a local attacker can kill you anyway in many other ways.

4. No secure server should have local attackers.

The downside is that, in the event of a remote attack that makes Apache
behave incorrectly, you will continue to run. Whether it is worth
defending against a local attacker (given that if you even have one,
you've got a serious problem) rather than against the (rather more
likely) remote attacker is a difficult question. So, on balance, I can't
answer the question "is it better?". All I can say is that it is
different, and addresses a different threat model. My threat model says
that if I've got a local attacker, I've already lost, so that makes my
solution better. I don't know what your threat model is, so I can't tell
what your evaluation will be (except I can guess it won't favour me).

The bottom line is that neither of our solutions should ever be
exercised, so the relative merit is largely academic.

BTW, I'm not claiming that I can defend every piece of code I've ever
written. If I've got it wrong, I'm keen to hear about it, especially if
accompanied by patches. Where I draw the line is with statements like
"assertions are inherently bad".

I'll also admit that my coding style is more biased towards defending
against programmer error than attackers, but it is programmer errors
that attackers exploit, of course.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
