"TrustedBSD" addons

Kevin Lyons kevin_lyons at ofdengineering.com
Tue Jun 29 13:30:37 PDT 2004


Paul Robinson wrote:

> On Tue, Jun 29, 2004 at 01:40:35PM -0500, Kevin Lyons wrote:
> 
> 
>>Well, point being that more layers/lines of code added, the more
>>potential vulnerabilities. 
> 
> 
> Myth. Which is more vulnerable to attack - the kernel that gets compiled 
> when you build GENERIC, or a few lines that strcpy's some input received 
> over a socket running as root?
> 
> LOC is about as effective a measure of potential vulnerabilities as it is a 
> measure of how productive a developer is or the quality of the design 
> process - i.e. it's useless and the myth has been thrown around for god 
> knows how long by people who really should know better.*
> 
> Well-written code is well-written, no matter how many lines long it is.
> Ditto for badly-written code. I've seen 20-liners that could be broken by a 
> competent 13-year old, and 20,000-liners that were impregnable. I am not 
> alone.

Hmmm, sounds like the exception that proves the rule.  This is a nice 
argument, but with real world large projects, i.e. with all things being 
more-or-less equal, more (normal distribution quality i.e. AVG) code is 
more potential vulnerabilities.  I (and Microsoft no doubt) would love 
to hear of any proof that contradicts this apparent common sense 
construction. Is there an ACM or IEEE article that quantifies this?

> 
>>I don't think we can say the FreeBSD or
>>TrustedBSD developers are any more exploit immune than other folks.
> 
> 
> Based on the number of security announcements over the last 5 years, I could 
> argue very convincingly that the FreeBSD and TrustedBSD developers are far 
> more exploit immune than the Microsoft OS developers.
> 
> Of course, it would be complete bullshit, but that's not the point. :-)
> 
>>Not ranting/trolling.  Thanks for the info, that is good.  As I said, I
>>have not installed/configured it yet.  I have been noticing feaping
>>creaturism in freebsd as of late so I was simply concerned about it.
> 
> 
> "Of late"? You've *JUST* noticed? Wow. :-)

I will rephrase, I noticed enough to finally comment.

> 
> * - yes, I know. I expect this now to explode into a silly thread. People 
> really should know better.
>  

-- 
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons at ofdengineering.com



