
Re: Which "Codebases" do these candidates really split into?

Spaf wrote:

> >AFFECTED OSes:
> > Digital Unix, FreeBSD, HPUX, AIX, IRIX, Linux, OSF/1, SCO, Solaris
> >
> >QUESTION: is the appropriate codebase "Unix"?  Or do we separate it
> >into BSD and System V?  Or each individual OS?
> 
> Systems that used the old BSD IP stack have this problem.   The Linux
> stack was developed independently, as was (I believe) AIX.   All of
> the others derived from the same underlying IP code.   However, each
> one has undergone quite a bit of change.
> 
> MacOS is also vulnerable in some versions.   I believe VMS and
> NextStep were too.
> 
> So here we have the problem of defining "same."
> 
> My feeling would be to split out each independent OS unless we know
> they use the same underlying code.

The drawback to this approach would seem to be a huge explosion of
vulnerability numbers.  We often won't know, as we don't here (correct me if
I'm wrong), if the code that contains the vulnerability is materially the
same or not in different systems.  Most CERT advisories about Unix
vulnerabilities contain a laundry list of which systems are vulnerable and
which aren't.  If every CERT advisory becomes 10 CVE numbers, that seems a
high price to pay.

Plus it seems insufficient to say that the codebase is "Solaris" vs "Solaris
versions before 2.3, 2.4 without patch foo1, 2.5 without foo2....". 

Finally, would it be really obnoxious of me to point out that the typical
Unix program on the typical Unix system is probably stuffed full of #ifdefs
that may mean a program which is identical per 'diff' will behave
differently, and possibly have different vulnerabilities, on different
systems?  I guess this is mainly a technicality - we can, at least
conceptually, imagine comparing the code after the preprocessor has been over
it.

I don't have a constructive suggestion how to achieve this, but it seems a
desirable property would be that the CVE not split up CERT and similar
advisories into lots of different pieces (unless they were clearly referring
to two different holes to begin with).  "Same advisory, same vulnerability"?

[Note - I'm not taking a position on how to proceed and please don't count
this email as a vote.  I'm just trying to understand the issues.]

Stuart.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart@silicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)


Page Last Updated or Reviewed: May 22, 2007