Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS D. J. Bernstein University of Illinois at Chicago http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. 2007: “Some thoughts on security http://cr.yp.to after ten years of qmail 1.0.” /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. 2007: “Some thoughts on security http://cr.yp.to after ten years of qmail 1.0.” /talks.html#2009.03.02

/talks.html#2009.03.03 > 1000000 of the Internet’s /talks.html#2009.03.04 SMTP servers are running qmail.

> 4000000 of the Internet’s second-level *.com names are published by djbdns. Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. 2007: “Some thoughts on security http://cr.yp.to after ten years of qmail 1.0.” /talks.html#2009.03.02

/talks.html#2009.03.03 > 1000000 of the Internet’s /talks.html#2009.03.04 SMTP servers are running qmail.

> 4000000 of the Internet’s second-level *.com names are published by djbdns.

No emergency upgrades, ever. Attacks on DNS 1996: qmail 0.70. Some DNS buffer overflows 1997: qmail 1.00. Cryptography in DNS “CVE-2008-2469: Heap-based buffer 1998: qmail 1.03. overflow in the SPF dns resolv lookup Secure design and coding for DNS function in Spf dns resolv.c in libspf2 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to D. J. Bernstein 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS TXT record with a modified length field.” University of Illinois at Chicago 2001: djbdns 1.05. “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security overflow in the split redraw function in http://cr.yp.to after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked /talks.html#2009.03.02 with the -p (aka –split) option, allows remote attackers to execute arbitrary > 1000000 of the Internet’s /talks.html#2009.03.03 code via a crafted DNS PTR record.” /talks.html#2009.03.04 SMTP servers are running qmail. “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s Cisco Unified IP Phone 7940, 7940G, second-level *.com names 7960, and 7960G running SCCP and SIP are published by djbdns. firmware might allow remote attackers to execute arbitrary code via a crafted DNS No emergency upgrades, ever. response.” Attacks on DNS 1996: qmail 0.70. Some DNS buffer overflows 1997: qmail 1.00. Cryptography in DNS “CVE-2008-2469: Heap-based buffer 1998: qmail 1.03. overflow in the SPF dns resolv lookup Secure design and coding for DNS function in Spf dns resolv.c in libspf2 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to D. J. Bernstein 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS TXT record with a modified length field.” University of Illinois at Chicago 2001: djbdns 1.05. “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security overflow in the split redraw function in http://cr.yp.to after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked /talks.html#2009.03.02 with the -p (aka –split) option, allows remote attackers to execute arbitrary > 1000000 of the Internet’s /talks.html#2009.03.03 code via a crafted DNS PTR record.” /talks.html#2009.03.04 SMTP servers are running qmail. “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s Cisco Unified IP Phone 7940, 7940G, second-level *.com names 7960, and 7960G running SCCP and SIP are published by djbdns. firmware might allow remote attackers to execute arbitrary code via a crafted DNS No emergency upgrades, ever. response.” Attacks on DNS 1996: qmail 0.70. Some DNS buffer overflows 1997: qmail 1.00. Cryptography in DNS “CVE-2008-2469: Heap-based buffer 1998: qmail 1.03. overflow in the SPF dns resolv lookup Secure design and coding for DNS function in Spf dns resolv.c in libspf2 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to D. J. Bernstein 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS TXT record with a modified length field.” University of Illinois at Chicago 2001: djbdns 1.05. “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security overflow in the split redraw function in http://cr.yp.to after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked /talks.html#2009.03.02 with the -p (aka –split) option, allows remote attackers to execute arbitrary > 1000000 of the Internet’s /talks.html#2009.03.03 code via a crafted DNS PTR record.” /talks.html#2009.03.04 SMTP servers are running qmail. “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s Cisco Unified IP Phone 7940, 7940G, second-level *.com names 7960, and 7960G running SCCP and SIP are published by djbdns. firmware might allow remote attackers to execute arbitrary code via a crafted DNS No emergency upgrades, ever. response.” 1996: qmail 0.70. Some DNS buffer overflows 1997: qmail 1.00. “CVE-2008-2469: Heap-based buffer 1998: qmail 1.03. overflow in the SPF dns resolv lookup function in Spf dns resolv.c in libspf2 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS 2001: djbdns 1.05. TXT record with a modified length field.” “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security overflow in the split redraw function in after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked with the -p (aka –split) option, allows remote attackers to execute arbitrary > 1000000 of the Internet’s code via a crafted DNS PTR record.” SMTP servers are running qmail. “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s Cisco Unified IP Phone 7940, 7940G, second-level *.com names 7960, and 7960G running SCCP and SIP are published by djbdns. firmware might allow remote attackers to execute arbitrary code via a crafted DNS No emergency upgrades, ever. response.” 1996: qmail 0.70. Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the 1997: qmail 1.00. inet network function in libbind in ISC “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in 1998: qmail 1.03. overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, function in Spf dns resolv.c in libspf2 allows context-dependent attackers to 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to cause a denial of service (crash) and 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS possibly execute arbitrary code via crafted 2001: djbdns 1.05. TXT record with a modified length field.” input that triggers memory corruption.” “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial with the -p (aka –split) option, allows of service (application crash) or execute remote attackers to execute arbitrary > 1000000 of the Internet’s arbitrary code via a malformed DNS code via a crafted DNS PTR record.” SMTP servers are running qmail. query.” “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, second-level *.com names overflows in MyDNS 1.1.0 allow remote 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service are published by djbdns. firmware might allow remote attackers to (daemon crash) and possibly execute execute arbitrary code via a crafted DNS arbitrary code via a certain update, which No emergency upgrades, ever. response.” triggers a heap-based buffer overflow 1996: qmail 0.70. Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the 1997: qmail 1.00. inet network function in libbind in ISC “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in 1998: qmail 1.03. overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, function in Spf dns resolv.c in libspf2 allows context-dependent attackers to 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to cause a denial of service (crash) and 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS possibly execute arbitrary code via crafted 2001: djbdns 1.05. TXT record with a modified length field.” input that triggers memory corruption.” “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial with the -p (aka –split) option, allows of service (application crash) or execute remote attackers to execute arbitrary > 1000000 of the Internet’s arbitrary code via a malformed DNS code via a crafted DNS PTR record.” SMTP servers are running qmail. query.” “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, second-level *.com names overflows in MyDNS 1.1.0 allow remote 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service are published by djbdns. firmware might allow remote attackers to (daemon crash) and possibly execute execute arbitrary code via a crafted DNS arbitrary code via a certain update, which No emergency upgrades, ever. response.” triggers a heap-based buffer overflow 1996: qmail 0.70. Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the 1997: qmail 1.00. inet network function in libbind in ISC “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in 1998: qmail 1.03. overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, function in Spf dns resolv.c in libspf2 allows context-dependent attackers to 1999: djbdns (dnscache) 0.60. before 1.2.8 allows remote attackers to cause a denial of service (crash) and 2000: djbdns (dnscache) 1.00. execute arbitrary code via a long DNS possibly execute arbitrary code via crafted 2001: djbdns 1.05. TXT record with a modified length field.” input that triggers memory corruption.” “CVE-2008-2357: Stack-based buffer 2007: “Some thoughts on security “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 after ten years of qmail 1.0.” split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial with the -p (aka –split) option, allows of service (application crash) or execute remote attackers to execute arbitrary > 1000000 of the Internet’s arbitrary code via a malformed DNS code via a crafted DNS PTR record.” SMTP servers are running qmail. query.” “CVE-2008-0530: Buffer overflow in > 4000000 of the Internet’s “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, second-level *.com names overflows in MyDNS 1.1.0 allow remote 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service are published by djbdns. firmware might allow remote attackers to (daemon crash) and possibly execute execute arbitrary code via a crafted DNS arbitrary code via a certain update, which No emergency upgrades, ever. response.” triggers a heap-based buffer overflow Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the inet network function in libbind in ISC “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, function in Spf dns resolv.c in libspf2 allows context-dependent attackers to before 1.2.8 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long DNS possibly execute arbitrary code via crafted TXT record with a modified length field.” input that triggers memory corruption.” “CVE-2008-2357: Stack-based buffer “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial with the -p (aka –split) option, allows of service (application crash) or execute remote attackers to execute arbitrary arbitrary code via a malformed DNS code via a crafted DNS PTR record.” query.”

“CVE-2008-0530: Buffer overflow in “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, overflows in MyDNS 1.1.0 allow remote 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service firmware might allow remote attackers to (daemon crash) and possibly execute execute arbitrary code via a crafted DNS arbitrary code via a certain update, which response.” triggers a heap-based buffer overflow Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of inet network function in libbind in ISC service (daemon crash) via unspecified “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” function in Spf dns resolv.c in libspf2 allows context-dependent attackers to before 1.2.8 allows remote attackers to “CVE-2007-2187: Stack-based buffer cause a denial of service (crash) and execute arbitrary code via a long DNS possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier TXT record with a modified length field.” input that triggers memory corruption.” allows remote attackers to execute arbitrary code via a long DNS response.” “CVE-2008-2357: Stack-based buffer “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial overflow in the dns decode reverse name with the -p (aka –split) option, allows of service (application crash) or execute function in dns decode.c in dproxy-nexgen remote attackers to execute arbitrary allows remote attackers to execute arbitrary code via a malformed DNS code via a crafted DNS PTR record.” query.” arbitrary code by sending a crafted packet to port 53/udp.” “CVE-2008-0530: Buffer overflow in “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service overflow in the RPC interface in the firmware might allow remote attackers to (daemon crash) and possibly execute Domain Name System (DNS) Server execute arbitrary code via a crafted DNS arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server response.” triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of inet network function in libbind in ISC service (daemon crash) via unspecified “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” function in Spf dns resolv.c in libspf2 allows context-dependent attackers to before 1.2.8 allows remote attackers to “CVE-2007-2187: Stack-based buffer cause a denial of service (crash) and execute arbitrary code via a long DNS possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier TXT record with a modified length field.” input that triggers memory corruption.” allows remote attackers to execute arbitrary code via a long DNS response.” “CVE-2008-2357: Stack-based buffer “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial overflow in the dns decode reverse name with the -p (aka –split) option, allows of service (application crash) or execute function in dns decode.c in dproxy-nexgen remote attackers to execute arbitrary allows remote attackers to execute arbitrary code via a malformed DNS code via a crafted DNS PTR record.” query.” arbitrary code by sending a crafted packet to port 53/udp.” “CVE-2008-0530: Buffer overflow in “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service overflow in the RPC interface in the firmware might allow remote attackers to (daemon crash) and possibly execute Domain Name System (DNS) Server execute arbitrary code via a crafted DNS arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server response.” triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 Some DNS buffer overflows “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of inet network function in libbind in ISC service (daemon crash) via unspecified “CVE-2008-2469: Heap-based buffer BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- overflow in the SPF dns resolv lookup FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” function in Spf dns resolv.c in libspf2 allows context-dependent attackers to before 1.2.8 allows remote attackers to “CVE-2007-2187: Stack-based buffer cause a denial of service (crash) and execute arbitrary code via a long DNS possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier TXT record with a modified length field.” input that triggers memory corruption.” allows remote attackers to execute arbitrary code via a long DNS response.” “CVE-2008-2357: Stack-based buffer “CVE-2007-2434: Buffer overflow in overflow in the split redraw function in asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer split.c in mtr before 0.73, when invoked allows remote attackers to cause a denial overflow in the dns decode reverse name with the -p (aka –split) option, allows of service (application crash) or execute function in dns decode.c in dproxy-nexgen remote attackers to execute arbitrary allows remote attackers to execute arbitrary code via a malformed DNS code via a crafted DNS PTR record.” query.” arbitrary code by sending a crafted packet to port 53/udp.” “CVE-2008-0530: Buffer overflow in “CVE-2007-2362: Multiple buffer Cisco Unified IP Phone 7940, 7940G, overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer 7960, and 7960G running SCCP and SIP attackers to (1) cause a denial of service overflow in the RPC interface in the firmware might allow remote attackers to (daemon crash) and possibly execute Domain Name System (DNS) Server execute arbitrary code via a crafted DNS arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server response.” triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of inet network function in libbind in ISC service (daemon crash) via unspecified BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” allows context-dependent attackers to “CVE-2007-2187: Stack-based buffer cause a denial of service (crash) and possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier input that triggers memory corruption.” allows remote attackers to execute arbitrary code via a long DNS response.” “CVE-2007-2434: Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer allows remote attackers to cause a denial overflow in the dns decode reverse name of service (application crash) or execute function in dns decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code via a malformed DNS query.” arbitrary code by sending a crafted packet to port 53/udp.” “CVE-2007-2362: Multiple buffer overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer attackers to (1) cause a denial of service overflow in the RPC interface in the (daemon crash) and possibly execute Domain Name System (DNS) Server arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute inet network function in libbind in ISC service (daemon crash) via unspecified arbitrary code via a long zone name BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- containing character constants represented FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” by escape sequences.” allows context-dependent attackers to “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer cause a denial of service (crash) and possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 input that triggers memory corruption.” allows remote attackers to execute through 0.5 allows remote attackers to arbitrary code via a long DNS response.” execute arbitrary code via a long DNS “CVE-2007-2434: Buffer overflow in query packet to UDP port 53.” asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer allows remote attackers to cause a denial overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer of service (application crash) or execute function in dns decode.c in dproxy-nexgen overflow in the handshake function in allows remote attackers to execute iodine 0.3.2 allows remote attackers to arbitrary code via a malformed DNS query.” arbitrary code by sending a crafted execute arbitrary code via a crafted DNS packet to port 53/udp.” response.” “CVE-2007-2362: Multiple buffer overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in attackers to (1) cause a denial of service overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier (daemon crash) and possibly execute Domain Name System (DNS) Server might allow remote attackers to execute arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute inet network function in libbind in ISC service (daemon crash) via unspecified arbitrary code via a long zone name BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- containing character constants represented FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” by escape sequences.” allows context-dependent attackers to “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer cause a denial of service (crash) and possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 input that triggers memory corruption.” allows remote attackers to execute through 0.5 allows remote attackers to arbitrary code via a long DNS response.” execute arbitrary code via a long DNS “CVE-2007-2434: Buffer overflow in query packet to UDP port 53.” asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer allows remote attackers to cause a denial overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer of service (application crash) or execute function in dns decode.c in dproxy-nexgen overflow in the handshake function in allows remote attackers to execute iodine 0.3.2 allows remote attackers to arbitrary code via a malformed DNS query.” arbitrary code by sending a crafted execute arbitrary code via a crafted DNS packet to port 53/udp.” response.” “CVE-2007-2362: Multiple buffer overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in attackers to (1) cause a denial of service overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier (daemon crash) and possibly execute Domain Name System (DNS) Server might allow remote attackers to execute arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from “CVE-2008-0122: Off-by-one error in the in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute inet network function in libbind in ISC service (daemon crash) via unspecified arbitrary code via a long zone name BIND 9.4.2 and earlier, as used in libc in vectors that trigger an off-by-one stack- containing character constants represented FreeBSD 6.2 through 7.0-PRERELEASE, based buffer overflow in update.c.” by escape sequences.” allows context-dependent attackers to “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer cause a denial of service (crash) and possibly execute arbitrary code via crafted overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 input that triggers memory corruption.” allows remote attackers to execute through 0.5 allows remote attackers to arbitrary code via a long DNS response.” execute arbitrary code via a long DNS “CVE-2007-2434: Buffer overflow in query packet to UDP port 53.” asnsp.dll in Aventail Connect 4.1.2.13 “CVE-2007-1866: Stack-based buffer allows remote attackers to cause a denial overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer of service (application crash) or execute function in dns decode.c in dproxy-nexgen overflow in the handshake function in allows remote attackers to execute iodine 0.3.2 allows remote attackers to arbitrary code via a malformed DNS query.” arbitrary code by sending a crafted execute arbitrary code via a crafted DNS packet to port 53/udp.” response.” “CVE-2007-2362: Multiple buffer overflows in MyDNS 1.1.0 allow remote “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in attackers to (1) cause a denial of service overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier (daemon crash) and possibly execute Domain Name System (DNS) Server might allow remote attackers to execute arbitrary code via a certain update, which Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP triggers a heap-based buffer overflow SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute service (daemon crash) via unspecified arbitrary code via a long zone name vectors that trigger an off-by-one stack- containing character constants represented based buffer overflow in update.c.” by escape sequences.” “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 allows remote attackers to execute through 0.5 allows remote attackers to arbitrary code via a long DNS response.” execute arbitrary code via a long DNS query packet to UDP port 53.” “CVE-2007-1866: Stack-based buffer overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer function in dns decode.c in dproxy-nexgen overflow in the handshake function in allows remote attackers to execute iodine 0.3.2 allows remote attackers to arbitrary code by sending a crafted execute arbitrary code via a crafted DNS packet to port 53/udp.” response.” “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier Domain Name System (DNS) Server might allow remote attackers to execute Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute properly calculating the TCP DNS query service (daemon crash) via unspecified arbitrary code via a long zone name length.” vectors that trigger an off-by-one stack- containing character constants represented based buffer overflow in update.c.” by escape sequences.” “CVE-2006-3441: Buffer overflow in the DNS Client service in Microsoft Windows “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to allows remote attackers to execute through 0.5 allows remote attackers to execute arbitrary code via a crafted arbitrary code via a long DNS response.” execute arbitrary code via a long DNS record response. NOTE: while MS06-041 query packet to UDP port 53.” implies that there is a single issue, there “CVE-2007-1866: Stack-based buffer are multiple vectors, and likely multiple overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- function in dns decode.c in dproxy-nexgen overflow in the handshake function in based buffer overflow in a DNS server allows remote attackers to execute iodine 0.3.2 allows remote attackers to response to the client, (2) a DNS server arbitrary code by sending a crafted execute arbitrary code via a crafted DNS response with malformed ATMA records, packet to port 53/udp.” response.” and (3) a length miscalculation in TXT, “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in Domain Name System (DNS) Server might allow remote attackers to execute Domain Name Relay Daemon (DNRD) Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from execute arbitrary code via a large number in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute properly calculating the TCP DNS query service (daemon crash) via unspecified arbitrary code via a long zone name length.” vectors that trigger an off-by-one stack- containing character constants represented based buffer overflow in update.c.” by escape sequences.” “CVE-2006-3441: Buffer overflow in the DNS Client service in Microsoft Windows “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to allows remote attackers to execute through 0.5 allows remote attackers to execute arbitrary code via a crafted arbitrary code via a long DNS response.” execute arbitrary code via a long DNS record response. NOTE: while MS06-041 query packet to UDP port 53.” implies that there is a single issue, there “CVE-2007-1866: Stack-based buffer are multiple vectors, and likely multiple overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- function in dns decode.c in dproxy-nexgen overflow in the handshake function in based buffer overflow in a DNS server allows remote attackers to execute iodine 0.3.2 allows remote attackers to response to the client, (2) a DNS server arbitrary code by sending a crafted execute arbitrary code via a crafted DNS response with malformed ATMA records, packet to port 53/udp.” response.” and (3) a length miscalculation in TXT, “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in Domain Name System (DNS) Server might allow remote attackers to execute Domain Name Relay Daemon (DNRD) Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from execute arbitrary code via a large number in update.c; and (2) cause a denial of SP 2 allows remote attackers to execute properly calculating the TCP DNS query service (daemon crash) via unspecified arbitrary code via a long zone name length.” vectors that trigger an off-by-one stack- containing character constants represented based buffer overflow in update.c.” by escape sequences.” “CVE-2006-3441: Buffer overflow in the DNS Client service in Microsoft Windows “CVE-2007-2187: Stack-based buffer “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server overflow in eXtremail 2.1.1 and earlier overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to allows remote attackers to execute through 0.5 allows remote attackers to execute arbitrary code via a crafted arbitrary code via a long DNS response.” execute arbitrary code via a long DNS record response. NOTE: while MS06-041 query packet to UDP port 53.” implies that there is a single issue, there “CVE-2007-1866: Stack-based buffer are multiple vectors, and likely multiple overflow in the dns decode reverse name “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- function in dns decode.c in dproxy-nexgen overflow in the handshake function in based buffer overflow in a DNS server allows remote attackers to execute iodine 0.3.2 allows remote attackers to response to the client, (2) a DNS server arbitrary code by sending a crafted execute arbitrary code via a crafted DNS response with malformed ATMA records, packet to port 53/udp.” response.” and (3) a length miscalculation in TXT, “CVE-2007-1748: Stack-based buffer “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” overflow in the RPC interface in the PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in Domain Name System (DNS) Server might allow remote attackers to execute Domain Name Relay Daemon (DNRD) Service in Microsoft Windows 2000 Server arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to SP 4, Server 2003 SP 1, and Server 2003 DNS query that prevents Recursor from execute arbitrary code via a large number SP 2 allows remote attackers to execute properly calculating the TCP DNS query arbitrary code via a long zone name length.” containing character constants represented by escape sequences.” “CVE-2006-3441: Buffer overflow in the DNS Client service in Microsoft Windows “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to through 0.5 allows remote attackers to execute arbitrary code via a crafted execute arbitrary code via a long DNS record response. NOTE: while MS06-041 query packet to UDP port 53.” implies that there is a single issue, there are multiple vectors, and likely multiple “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- overflow in the handshake function in based buffer overflow in a DNS server iodine 0.3.2 allows remote attackers to response to the client, (2) a DNS server execute arbitrary code via a crafted DNS response with malformed ATMA records, response.” and (3) a length miscalculation in TXT, “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in might allow remote attackers to execute Domain Name Relay Daemon (DNRD) arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to DNS query that prevents Recursor from execute arbitrary code via a large number SP 2 allows remote attackers to execute properly calculating the TCP DNS query of large DNS packets with the Z and QR arbitrary code via a long zone name length.” flags cleared.” containing character constants represented by escape sequences.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to attackers to cause a denial of service through 0.5 allows remote attackers to execute arbitrary code via a crafted (crash) via queries that trigger the execute arbitrary code via a long DNS record response. NOTE: while MS06-041 overflow in the q usedns array that tracks query packet to UDP port 53.” implies that there is a single issue, there nameservers and addresses.” are multiple vectors, and likely multiple “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the overflow in the handshake function in based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows iodine 0.3.2 allows remote attackers to remote malicious DNS servers to execute response to the client, (2) a DNS server execute arbitrary code via a crafted DNS response with malformed ATMA records, arbitrary code via a large DNS response response.” and (3) a length miscalculation in TXT, that is handled by the gethostbyname function.” “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer might allow remote attackers to execute Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to Windows 1.1, when running with the DNS query that prevents Recursor from execute arbitrary code via a large number -e option, allows remote attackers to SP 2 allows remote attackers to execute properly calculating the TCP DNS query of large DNS packets with the Z and QR arbitrary code via a long zone name length.” flags cleared.” containing character constants represented by escape sequences.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to attackers to cause a denial of service through 0.5 allows remote attackers to execute arbitrary code via a crafted (crash) via queries that trigger the execute arbitrary code via a long DNS record response. NOTE: while MS06-041 overflow in the q usedns array that tracks query packet to UDP port 53.” implies that there is a single issue, there nameservers and addresses.” are multiple vectors, and likely multiple “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the overflow in the handshake function in based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows iodine 0.3.2 allows remote attackers to remote malicious DNS servers to execute response to the client, (2) a DNS server execute arbitrary code via a crafted DNS response with malformed ATMA records, arbitrary code via a large DNS response response.” and (3) a length miscalculation in TXT, that is handled by the gethostbyname function.” “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer might allow remote attackers to execute Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to Windows 1.1, when running with the DNS query that prevents Recursor from execute arbitrary code via a large number -e option, allows remote attackers to SP 2 allows remote attackers to execute properly calculating the TCP DNS query of large DNS packets with the Z and QR arbitrary code via a long zone name length.” flags cleared.” containing character constants represented by escape sequences.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in “CVE-2007-1465: Stack-based buffer 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote overflow in dproxy.c for dproxy 0.1 2003 SP1 allows remote attackers to attackers to cause a denial of service through 0.5 allows remote attackers to execute arbitrary code via a crafted (crash) via queries that trigger the execute arbitrary code via a long DNS record response. NOTE: while MS06-041 overflow in the q usedns array that tracks query packet to UDP port 53.” implies that there is a single issue, there nameservers and addresses.” are multiple vectors, and likely multiple “CVE-2006-5781: Stack-based buffer vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the overflow in the handshake function in based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows iodine 0.3.2 allows remote attackers to remote malicious DNS servers to execute response to the client, (2) a DNS server execute arbitrary code via a crafted DNS response with malformed ATMA records, arbitrary code via a large DNS response response.” and (3) a length miscalculation in TXT, that is handled by the gethostbyname function.” “CVE-2006-4251: Buffer overflow in HINFO, X25, and ISDN records.” PowerDNS Recursor 3.1.3 and earlier “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer might allow remote attackers to execute Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for arbitrary code via a malformed TCP before 2.19.1 allows remote attackers to Windows 1.1, when running with the DNS query that prevents Recursor from execute arbitrary code via a large number -e option, allows remote attackers to properly calculating the TCP DNS query of large DNS packets with the Z and QR length.” flags cleared.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote 2003 SP1 allows remote attackers to attackers to cause a denial of service execute arbitrary code via a crafted (crash) via queries that trigger the record response. NOTE: while MS06-041 overflow in the q usedns array that tracks implies that there is a single issue, there nameservers and addresses.” are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows remote malicious DNS servers to execute response to the client, (2) a DNS server response with malformed ATMA records, arbitrary code via a large DNS response and (3) a length miscalculation in TXT, that is handled by the gethostbyname HINFO, X25, and ISDN records.” function.” “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for before 2.19.1 allows remote attackers to Windows 1.1, when running with the execute arbitrary code via a large number -e option, allows remote attackers to properly calculating the TCP DNS query of large DNS packets with the Z and QR execute arbitrary code via a long DNS length.” flags cleared.” command.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in mysql real connect function in MySQL 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, 2003 SP1 allows remote attackers to attackers to cause a denial of service allows remote DNS servers to cause a execute arbitrary code via a crafted (crash) via queries that trigger the denial of service and possibly execute record response. NOTE: while MS06-041 overflow in the q usedns array that tracks arbitrary code via a DNS response with a implies that there is a single issue, there nameservers and addresses.” large address length (h length).” are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, response to the client, (2) a DNS server response with malformed ATMA records, arbitrary code via a large DNS response allows remote attackers to execute and (3) a length miscalculation in TXT, that is handled by the gethostbyname arbitrary code via an IPv6 address that HINFO, X25, and ISDN records.” function.” is obtained using DNS.” “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC before 2.19.1 allows remote attackers to Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows execute arbitrary code via a large number -e option, allows remote attackers to properly calculating the TCP DNS query of large DNS packets with the Z and QR execute arbitrary code via a long DNS length.” flags cleared.” command.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in mysql real connect function in MySQL 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, 2003 SP1 allows remote attackers to attackers to cause a denial of service allows remote DNS servers to cause a execute arbitrary code via a crafted (crash) via queries that trigger the denial of service and possibly execute record response. NOTE: while MS06-041 overflow in the q usedns array that tracks arbitrary code via a DNS response with a implies that there is a single issue, there nameservers and addresses.” large address length (h length).” are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, response to the client, (2) a DNS server response with malformed ATMA records, arbitrary code via a large DNS response allows remote attackers to execute and (3) a length miscalculation in TXT, that is handled by the gethostbyname arbitrary code via an IPv6 address that HINFO, X25, and ISDN records.” function.” is obtained using DNS.” “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC before 2.19.1 allows remote attackers to Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows execute arbitrary code via a large number -e option, allows remote attackers to properly calculating the TCP DNS query of large DNS packets with the Z and QR execute arbitrary code via a long DNS length.” flags cleared.” command.” “CVE-2006-3441: Buffer overflow in the “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the DNS Client service in Microsoft Windows code for recursion and glue fetching in mysql real connect function in MySQL 2000 SP4, XP SP1 and SP2, and Server BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, 2003 SP1 allows remote attackers to attackers to cause a denial of service allows remote DNS servers to cause a execute arbitrary code via a crafted (crash) via queries that trigger the denial of service and possibly execute record response. NOTE: while MS06-041 overflow in the q usedns array that tracks arbitrary code via a DNS response with a implies that there is a single issue, there nameservers and addresses.” large address length (h length).” are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap- “CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the based buffer overflow in a DNS server TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, response to the client, (2) a DNS server response with malformed ATMA records, arbitrary code via a large DNS response allows remote attackers to execute and (3) a length miscalculation in TXT, that is handled by the gethostbyname arbitrary code via an IPv6 address that HINFO, X25, and ISDN records.” function.” is obtained using DNS.” “CVE-2005-2315: Buffer overflow in “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in Domain Name Relay Daemon (DNRD) overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC before 2.19.1 allows remote attackers to Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows execute arbitrary code via a large number -e option, allows remote attackers to of large DNS packets with the Z and QR execute arbitrary code via a long DNS flags cleared.” command.” “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the code for recursion and glue fetching in mysql real connect function in MySQL BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, attackers to cause a denial of service allows remote DNS servers to cause a (crash) via queries that trigger the denial of service and possibly execute overflow in the q usedns array that tracks arbitrary code via a DNS response with a nameservers and addresses.” large address length (h length).”

“CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, arbitrary code via a large DNS response allows remote attackers to execute that is handled by the gethostbyname arbitrary code via an IPv6 address that function.” is obtained using DNS.” “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows -e option, allows remote attackers to of large DNS packets with the Z and QR execute arbitrary code via a long DNS remote attackers to execute arbitrary flags cleared.” command.” code via a client with a long hostname.” “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in code for recursion and glue fetching in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, attackers to cause a denial of service allows remote DNS servers to cause a allows remote attackers to execute (crash) via queries that trigger the denial of service and possibly execute arbitrary code via a certain DNS server overflow in the q usedns array that tracks arbitrary code via a DNS response with a response containing SIG resource records nameservers and addresses.” large address length (h length).” (RR).”

“CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via arbitrary code via a large DNS response allows remote attackers to execute a long FQDN reply, as observed in the that is handled by the gethostbyname arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) function.” is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query -e option, allows remote attackers to TXT records, allows remote attackers of large DNS packets with the Z and QR execute arbitrary code via a long DNS remote attackers to execute arbitrary flags cleared.” command.” code via a client with a long hostname.” “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in code for recursion and glue fetching in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, attackers to cause a denial of service allows remote DNS servers to cause a allows remote attackers to execute (crash) via queries that trigger the denial of service and possibly execute arbitrary code via a certain DNS server overflow in the q usedns array that tracks arbitrary code via a DNS response with a response containing SIG resource records nameservers and addresses.” large address length (h length).” (RR).”

“CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via arbitrary code via a large DNS response allows remote attackers to execute a long FQDN reply, as observed in the that is handled by the gethostbyname arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) function.” is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query -e option, allows remote attackers to TXT records, allows remote attackers of large DNS packets with the Z and QR execute arbitrary code via a long DNS remote attackers to execute arbitrary flags cleared.” command.” code via a client with a long hostname.” “CVE-2005-0033 Buffer overflow in the “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in code for recursion and glue fetching in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and BIND 8.4.4 and 8.4.5 allows remote 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, attackers to cause a denial of service allows remote DNS servers to cause a allows remote attackers to execute (crash) via queries that trigger the denial of service and possibly execute arbitrary code via a certain DNS server overflow in the q usedns array that tracks arbitrary code via a DNS response with a response containing SIG resource records nameservers and addresses.” large address length (h length).” (RR).”

“CVE-2004-1485: Buffer overflow in the “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in TFTP client in InetUtils 1.4.2 allows getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote remote malicious DNS servers to execute 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via arbitrary code via a large DNS response allows remote attackers to execute a long FQDN reply, as observed in the that is handled by the gethostbyname arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) function.” is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” “CVE-2004-1317: Stack-based buffer “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in overflow in doexec.c in Netcat for the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured Windows 1.1, when running with the Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query -e option, allows remote attackers to TXT records, allows remote attackers execute arbitrary code via a long DNS remote attackers to execute arbitrary command.” code via a client with a long hostname.” “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, allows remote DNS servers to cause a allows remote attackers to execute denial of service and possibly execute arbitrary code via a certain DNS server arbitrary code via a DNS response with a response containing SIG resource records large address length (h length).” (RR).”

“CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via allows remote attackers to execute a long FQDN reply, as observed in the arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query TXT records, allows remote attackers execute arbitrary code via a long DNS remote attackers to execute arbitrary to cause a denial of service and possibly command.” code via a client with a long hostname.” execute arbitrary code via a malicious DNS server.” “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote DNS servers to cause a allows remote attackers to execute nss ldap-198 allows remote attackers to denial of service and possibly execute arbitrary code via a certain DNS server cause a denial of service and possibly arbitrary code via a DNS response with a response containing SIG resource records execute arbitrary code.” large address length (h length).” (RR).” “CVE-2002-0698: Buffer overflow in “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via remote attackers to execute arbitrary allows remote attackers to execute a long FQDN reply, as observed in the code via an EHLO request from a system arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the overflow in IMC’s hello response.” “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query resolver functions that perform lookup of TXT records, allows remote attackers network names and addresses, as used execute arbitrary code via a long DNS remote attackers to execute arbitrary to cause a denial of service and possibly command.” code via a client with a long hostname.” execute arbitrary code via a malicious DNS server.” “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote DNS servers to cause a allows remote attackers to execute nss ldap-198 allows remote attackers to denial of service and possibly execute arbitrary code via a certain DNS server cause a denial of service and possibly arbitrary code via a DNS response with a response containing SIG resource records execute arbitrary code.” large address length (h length).” (RR).” “CVE-2002-0698: Buffer overflow in “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via remote attackers to execute arbitrary allows remote attackers to execute a long FQDN reply, as observed in the code via an EHLO request from a system arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the overflow in IMC’s hello response.” “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query resolver functions that perform lookup of TXT records, allows remote attackers network names and addresses, as used execute arbitrary code via a long DNS remote attackers to execute arbitrary to cause a denial of service and possibly command.” code via a client with a long hostname.” execute arbitrary code via a malicious DNS server.” “CVE-2004-0836: Buffer overflow in the “CVE-2002-1219: Buffer overflow in mysql real connect function in MySQL named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in 4.x before 4.0.21, and 3.x before 3.23.49, earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote DNS servers to cause a allows remote attackers to execute nss ldap-198 allows remote attackers to denial of service and possibly execute arbitrary code via a certain DNS server cause a denial of service and possibly arbitrary code via a DNS response with a response containing SIG resource records execute arbitrary code.” large address length (h length).” (RR).” “CVE-2002-0698: Buffer overflow in “CVE-2004-0150: Buffer overflow in the “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for getaddrinfo function in Python 2.2 before netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows 2.2.2, when IPv6 support is disabled, DNS servers to execute arbitrary code via remote attackers to execute arbitrary allows remote attackers to execute a long FQDN reply, as observed in the code via an EHLO request from a system arbitrary code via an IPv6 address that utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a is obtained using DNS.” tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the overflow in IMC’s hello response.” “CVE-2003-1377: Buffer overflow in “CVE-2002-0906: Buffer overflow in the reverse DNS lookup of Smart IRC Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS Daemon (SIRCD) 0.4.0 and 0.4.4 allows to use a custom DNS map to query resolver functions that perform lookup of TXT records, allows remote attackers network names and addresses, as used remote attackers to execute arbitrary to cause a denial of service and possibly code via a client with a long hostname.” execute arbitrary code via a malicious DNS server.” “CVE-2002-1219: Buffer overflow in named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote attackers to execute nss ldap-198 allows remote attackers to arbitrary code via a certain DNS server cause a denial of service and possibly response containing SIG resource records execute arbitrary code.” (RR).” “CVE-2002-0698: Buffer overflow in “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows DNS servers to execute arbitrary code via remote attackers to execute arbitrary a long FQDN reply, as observed in the code via an EHLO request from a system utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the overflow in IMC’s hello response.” “CVE-2002-0906: Buffer overflow in Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS to use a custom DNS map to query resolver functions that perform lookup of TXT records, allows remote attackers network names and addresses, as used remote attackers to execute arbitrary to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 code via a client with a long hostname.” execute arbitrary code via a malicious and earlier, allows remote malicious DNS DNS server.” servers to execute arbitrary code through “CVE-2002-1219: Buffer overflow in a subroutine used by functions such as named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote attackers to execute nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the arbitrary code via a certain DNS server cause a denial of service and possibly DNS resolver code used in libc, glibc, response containing SIG resource records execute arbitrary code.” and libbind, as derived from ISC BIND, (RR).” allows remote malicious DNS servers to “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for execute arbitrary code via the stub netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows resolvers.” DNS servers to execute arbitrary code via remote attackers to execute arbitrary a long FQDN reply, as observed in the code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a efingerd 1.5 and earlier, and possibly up tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0906: Buffer overflow in arbitrary code via a finger request from Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that to use a custom DNS map to query resolver functions that perform lookup of is obtained via a reverse DNS lookup.” TXT records, allows remote attackers network names and addresses, as used remote attackers to execute arbitrary to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 code via a client with a long hostname.” execute arbitrary code via a malicious and earlier, allows remote malicious DNS DNS server.” servers to execute arbitrary code through “CVE-2002-1219: Buffer overflow in a subroutine used by functions such as named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote attackers to execute nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the arbitrary code via a certain DNS server cause a denial of service and possibly DNS resolver code used in libc, glibc, response containing SIG resource records execute arbitrary code.” and libbind, as derived from ISC BIND, (RR).” allows remote malicious DNS servers to “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for execute arbitrary code via the stub netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows resolvers.” DNS servers to execute arbitrary code via remote attackers to execute arbitrary a long FQDN reply, as observed in the code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a efingerd 1.5 and earlier, and possibly up tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0906: Buffer overflow in arbitrary code via a finger request from Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that to use a custom DNS map to query resolver functions that perform lookup of is obtained via a reverse DNS lookup.” TXT records, allows remote attackers network names and addresses, as used remote attackers to execute arbitrary to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 code via a client with a long hostname.” execute arbitrary code via a malicious and earlier, allows remote malicious DNS DNS server.” servers to execute arbitrary code through “CVE-2002-1219: Buffer overflow in a subroutine used by functions such as named in BIND 4 versions 4.9.10 and “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” earlier, and 8 versions 8.3.3 and earlier, the DNS SRV code for nss ldap before allows remote attackers to execute nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the arbitrary code via a certain DNS server cause a denial of service and possibly DNS resolver code used in libc, glibc, response containing SIG resource records execute arbitrary code.” and libbind, as derived from ISC BIND, (RR).” allows remote malicious DNS servers to “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly “CVE-2002-0910: Buffer overflows in Internet Mail Connector (IMC) for execute arbitrary code via the stub netstd 3.07-17 package allows remote Microsoft Exchange Server 5.5 allows resolvers.” DNS servers to execute arbitrary code via remote attackers to execute arbitrary a long FQDN reply, as observed in the code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in utilities (1) linux-ftpd, (2) pcnfsd, (3) with a long name as obtained through a efingerd 1.5 and earlier, and possibly up tftp, (4) traceroute, or (5) from/to.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0906: Buffer overflow in arbitrary code via a finger request from Sendmail before 8.12.5, when configured “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that to use a custom DNS map to query resolver functions that perform lookup of is obtained via a reverse DNS lookup.” TXT records, allows remote attackers network names and addresses, as used to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 execute arbitrary code via a malicious and earlier, allows remote malicious DNS DNS server.” servers to execute arbitrary code through a subroutine used by functions such as “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” the DNS SRV code for nss ldap before nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the cause a denial of service and possibly DNS resolver code used in libc, glibc, execute arbitrary code.” and libbind, as derived from ISC BIND, allows remote malicious DNS servers to “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly Internet Mail Connector (IMC) for execute arbitrary code via the stub Microsoft Exchange Server 5.5 allows resolvers.” remote attackers to execute arbitrary code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in with a long name as obtained through a efingerd 1.5 and earlier, and possibly up reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute arbitrary code via a finger request from “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that resolver functions that perform lookup of is obtained via a reverse DNS lookup.” network names and addresses, as used to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in execute arbitrary code via a malicious and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x DNS server.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS SRV code for nss ldap before reverse DNS lookups, (2) a long AUTH nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell cause a denial of service and possibly DNS resolver code used in libc, glibc, request.” execute arbitrary code.” and libbind, as derived from ISC BIND, allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly Webalizer 2.01-06, when configured to Internet Mail Connector (IMC) for execute arbitrary code via the stub use reverse DNS lookups, allows remote Microsoft Exchange Server 5.5 allows resolvers.” attackers to execute arbitrary code by remote attackers to execute arbitrary connecting to the monitored web server code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a with a long name as obtained through a efingerd 1.5 and earlier, and possibly up long hostname.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that and Squid 2.5 and 2.6 until March resolver functions that perform lookup of is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote network names and addresses, as used attackers to cause a denial of service, to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in execute arbitrary code via a malicious and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x DNS server.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS SRV code for nss ldap before reverse DNS lookups, (2) a long AUTH nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell cause a denial of service and possibly DNS resolver code used in libc, glibc, request.” execute arbitrary code.” and libbind, as derived from ISC BIND, allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly Webalizer 2.01-06, when configured to Internet Mail Connector (IMC) for execute arbitrary code via the stub use reverse DNS lookups, allows remote Microsoft Exchange Server 5.5 allows resolvers.” attackers to execute arbitrary code by remote attackers to execute arbitrary connecting to the monitored web server code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a with a long name as obtained through a efingerd 1.5 and earlier, and possibly up long hostname.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that and Squid 2.5 and 2.6 until March resolver functions that perform lookup of is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote network names and addresses, as used attackers to cause a denial of service, to cause a denial of service and possibly in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in execute arbitrary code via a malicious and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x DNS server.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0825: Buffer overflow in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS SRV code for nss ldap before reverse DNS lookups, (2) a long AUTH nss ldap-198 allows remote attackers to “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell cause a denial of service and possibly DNS resolver code used in libc, glibc, request.” execute arbitrary code.” and libbind, as derived from ISC BIND, allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in “CVE-2002-0698: Buffer overflow in cause a denial of service and possibly Webalizer 2.01-06, when configured to Internet Mail Connector (IMC) for execute arbitrary code via the stub use reverse DNS lookups, allows remote Microsoft Exchange Server 5.5 allows resolvers.” attackers to execute arbitrary code by remote attackers to execute arbitrary connecting to the monitored web server code via an EHLO request from a system “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a with a long name as obtained through a efingerd 1.5 and earlier, and possibly up long hostname.” reverse DNS lookup, which triggers the to 1.61, allows remote attackers to cause overflow in IMC’s hello response.” a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, “CVE-2002-0684: Buffer overflow in DNS an IP address with a long hostname that and Squid 2.5 and 2.6 until March resolver functions that perform lookup of is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote network names and addresses, as used attackers to cause a denial of service, in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long getnetbyname and getnetbyaddr.” DNS hostname that is determined using reverse DNS lookups, (2) a long AUTH “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell DNS resolver code used in libc, glibc, request.” and libbind, as derived from ISC BIND, allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in cause a denial of service and possibly Webalizer 2.01-06, when configured to execute arbitrary code via the stub use reverse DNS lookups, allows remote resolvers.” attackers to execute arbitrary code by connecting to the monitored web server “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a efingerd 1.5 and earlier, and possibly up long hostname.” to 1.61, allows remote attackers to cause a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, an IP address with a long hostname that and Squid 2.5 and 2.6 until March is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote attackers to cause a denial of service, in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other reverse DNS lookups, (2) a long AUTH “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell derived libraries such as BSD libc and DNS resolver code used in libc, glibc, request.” GNU glibc, allow remote attackers to and libbind, as derived from ISC BIND, execute arbitrary code via DNS server allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the cause a denial of service and possibly Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr execute arbitrary code via the stub use reverse DNS lookups, allows remote functions.” resolvers.” attackers to execute arbitrary code by “CVE-2001-0207: Buffer overflow connecting to the monitored web server “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a in bing allows remote attackers to efingerd 1.5 and earlier, and possibly up long hostname.” execute arbitrary commands via a long to 1.61, allows remote attackers to cause hostname, which is copied to a small a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” an IP address with a long hostname that and Squid 2.5 and 2.6 until March is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in attackers to cause a denial of service, BitchX IRC client allows remote attackers in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other reverse DNS lookups, (2) a long AUTH “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell derived libraries such as BSD libc and DNS resolver code used in libc, glibc, request.” GNU glibc, allow remote attackers to and libbind, as derived from ISC BIND, execute arbitrary code via DNS server allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the cause a denial of service and possibly Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr execute arbitrary code via the stub use reverse DNS lookups, allows remote functions.” resolvers.” attackers to execute arbitrary code by “CVE-2001-0207: Buffer overflow connecting to the monitored web server “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a in bing allows remote attackers to efingerd 1.5 and earlier, and possibly up long hostname.” execute arbitrary commands via a long to 1.61, allows remote attackers to cause hostname, which is copied to a small a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” an IP address with a long hostname that and Squid 2.5 and 2.6 until March is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in attackers to cause a denial of service, BitchX IRC client allows remote attackers in BIND 4.9.8 and ported to glibc 2.2.5 “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via and earlier, allows remote malicious DNS xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” servers to execute arbitrary code through before 2.7, allows remote attackers to a subroutine used by functions such as execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in getnetbyname and getnetbyaddr.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other reverse DNS lookups, (2) a long AUTH “CVE-2002-0651: Buffer overflow in the string, or (3) certain data in the xtell derived libraries such as BSD libc and DNS resolver code used in libc, glibc, request.” GNU glibc, allow remote attackers to and libbind, as derived from ISC BIND, execute arbitrary code via DNS server allows remote malicious DNS servers to “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the cause a denial of service and possibly Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr execute arbitrary code via the stub use reverse DNS lookups, allows remote functions.” resolvers.” attackers to execute arbitrary code by “CVE-2001-0207: Buffer overflow connecting to the monitored web server “CVE-2002-0423: Buffer overflow in from an IP address that resolves to a in bing allows remote attackers to efingerd 1.5 and earlier, and possibly up long hostname.” execute arbitrary commands via a long to 1.61, allows remote attackers to cause hostname, which is copied to a small a denial of service and possibly execute “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using arbitrary code via a finger request from overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” an IP address with a long hostname that and Squid 2.5 and 2.6 until March is obtained via a reverse DNS lookup.” 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in attackers to cause a denial of service, BitchX IRC client allows remote attackers “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” before 2.7, allows remote attackers to execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell derived libraries such as BSD libc and request.” GNU glibc, allow remote attackers to execute arbitrary code via DNS server “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr use reverse DNS lookups, allows remote functions.” attackers to execute arbitrary code by “CVE-2001-0207: Buffer overflow connecting to the monitored web server from an IP address that resolves to a in bing allows remote attackers to long hostname.” execute arbitrary commands via a long hostname, which is copied to a small “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” and Squid 2.5 and 2.6 until March 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in attackers to cause a denial of service, BitchX IRC client allows remote attackers “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via to cause a denial of service and possibly xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” execute arbitrary commands via an IP before 2.7, allows remote attackers to address that resolves to a long DNS execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in hostname or domain name.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly request.” GNU glibc, allow remote attackers to other versions) allows remote attackers execute arbitrary code via DNS server to execute arbitrary commands via a long “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the host or domain name that is obtained Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” use reverse DNS lookups, allows remote functions.” attackers to execute arbitrary code by “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND connecting to the monitored web server from an IP address that resolves to a in bing allows remote attackers to 4 allows remote attackers to gain root long hostname.” execute arbitrary commands via a long privileges.” hostname, which is copied to a small “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” transaction signature (TSIG) handling and Squid 2.5 and 2.6 until March code in BIND 8 allows remote attackers 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in to gain root privileges.” attackers to cause a denial of service, BitchX IRC client allows remote attackers “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via to cause a denial of service and possibly xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” execute arbitrary commands via an IP before 2.7, allows remote attackers to address that resolves to a long DNS execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in hostname or domain name.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly request.” GNU glibc, allow remote attackers to other versions) allows remote attackers execute arbitrary code via DNS server to execute arbitrary commands via a long “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the host or domain name that is obtained Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” use reverse DNS lookups, allows remote functions.” attackers to execute arbitrary code by “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND connecting to the monitored web server from an IP address that resolves to a in bing allows remote attackers to 4 allows remote attackers to gain root long hostname.” execute arbitrary commands via a long privileges.” hostname, which is copied to a small “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” transaction signature (TSIG) handling and Squid 2.5 and 2.6 until March code in BIND 8 allows remote attackers 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in to gain root privileges.” attackers to cause a denial of service, BitchX IRC client allows remote attackers “CVE-2002-0332: Buffer overflows in and possibly execute arbitrary code, via to cause a denial of service and possibly xtell (xtelld) 1.91.1 and earlier, and 2.x compressed DNS responses.” execute arbitrary commands via an IP before 2.7, allows remote attackers to address that resolves to a long DNS execute arbitrary code via (1) a long “CVE-2002-0029: Buffer overflows in hostname or domain name.” DNS hostname that is determined using the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly request.” GNU glibc, allow remote attackers to other versions) allows remote attackers execute arbitrary code via DNS server to execute arbitrary commands via a long “CVE-2002-0180: Buffer overflow in responses that trigger the overflow in the host or domain name that is obtained Webalizer 2.01-06, when configured to (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” use reverse DNS lookups, allows remote functions.” attackers to execute arbitrary code by “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND connecting to the monitored web server from an IP address that resolves to a in bing allows remote attackers to 4 allows remote attackers to gain root long hostname.” execute arbitrary commands via a long privileges.” hostname, which is copied to a small “CVE-2002-0163: Heap-based buffer buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in overflow in Squid before 2.4 STABLE4, the gethostbyaddr function.” transaction signature (TSIG) handling and Squid 2.5 and 2.6 until March code in BIND 8 allows remote attackers 12, 2002 distributions, allows remote “CVE-2001-0050: Buffer overflow in to gain root privileges.” attackers to cause a denial of service, BitchX IRC client allows remote attackers and possibly execute arbitrary code, via to cause a denial of service and possibly compressed DNS responses.” execute arbitrary commands via an IP address that resolves to a long DNS “CVE-2002-0029: Buffer overflows in hostname or domain name.” the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly GNU glibc, allow remote attackers to other versions) allows remote attackers execute arbitrary code via DNS server to execute arbitrary commands via a long responses that trigger the overflow in the host or domain name that is obtained (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” functions.” “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND in bing allows remote attackers to 4 allows remote attackers to gain root execute arbitrary commands via a long privileges.” hostname, which is copied to a small buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in the gethostbyaddr function.” transaction signature (TSIG) handling code in BIND 8 allows remote attackers “CVE-2001-0050: Buffer overflow in to gain root privileges.” BitchX IRC client allows remote attackers and possibly execute arbitrary code, via to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in compressed DNS responses.” execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers address that resolves to a long DNS to execute arbitrary commands via a “CVE-2002-0029: Buffer overflows in hostname or domain name.” malformed DNS response packet.” the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled GNU glibc, allow remote attackers to other versions) allows remote attackers could allow remote attackers to cause execute arbitrary code via DNS server to execute arbitrary commands via a long a denial of service or execute arbitrary responses that trigger the overflow in the host or domain name that is obtained commands via a long DNS hostname that (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” is not properly handled during TGT ticket functions.” passing.” “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in in bing allows remote attackers to 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows execute arbitrary commands via a long privileges.” remote attackers to cause a denial of hostname, which is copied to a small service and possibly execute arbitrary buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 the gethostbyaddr function.” transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers “CVE-2001-0050: Buffer overflow in to gain root privileges.” “CVE-1999-0833: Buffer overflow in BitchX IRC client allows remote attackers BIND 8.2 via NXT records.” and possibly execute arbitrary code, via to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in compressed DNS responses.” execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers address that resolves to a long DNS to execute arbitrary commands via a “CVE-2002-0029: Buffer overflows in hostname or domain name.” malformed DNS response packet.” the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled GNU glibc, allow remote attackers to other versions) allows remote attackers could allow remote attackers to cause execute arbitrary code via DNS server to execute arbitrary commands via a long a denial of service or execute arbitrary responses that trigger the overflow in the host or domain name that is obtained commands via a long DNS hostname that (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” is not properly handled during TGT ticket functions.” passing.” “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in in bing allows remote attackers to 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows execute arbitrary commands via a long privileges.” remote attackers to cause a denial of hostname, which is copied to a small service and possibly execute arbitrary buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 the gethostbyaddr function.” transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers “CVE-2001-0050: Buffer overflow in to gain root privileges.” “CVE-1999-0833: Buffer overflow in BitchX IRC client allows remote attackers BIND 8.2 via NXT records.” and possibly execute arbitrary code, via to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in compressed DNS responses.” execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers address that resolves to a long DNS to execute arbitrary commands via a “CVE-2002-0029: Buffer overflows in hostname or domain name.” malformed DNS response packet.” the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh derived libraries such as BSD libc and WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled GNU glibc, allow remote attackers to other versions) allows remote attackers could allow remote attackers to cause execute arbitrary code via DNS server to execute arbitrary commands via a long a denial of service or execute arbitrary responses that trigger the overflow in the host or domain name that is obtained commands via a long DNS hostname that (1) getnetbyname, or (2) getnetbyaddr from a reverse DNS lookup.” is not properly handled during TGT ticket functions.” passing.” “CVE-2001-0011: Buffer overflow in “CVE-2001-0207: Buffer overflow nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in in bing allows remote attackers to 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows execute arbitrary commands via a long privileges.” remote attackers to cause a denial of hostname, which is copied to a small service and possibly execute arbitrary buffer after a reverse DNS lookup using “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 the gethostbyaddr function.” transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers “CVE-2001-0050: Buffer overflow in to gain root privileges.” “CVE-1999-0833: Buffer overflow in BitchX IRC client allows remote attackers BIND 8.2 via NXT records.” to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers address that resolves to a long DNS to execute arbitrary commands via a hostname or domain name.” malformed DNS response packet.” “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled other versions) allows remote attackers could allow remote attackers to cause to execute arbitrary commands via a long a denial of service or execute arbitrary host or domain name that is obtained commands via a long DNS hostname that from a reverse DNS lookup.” is not properly handled during TGT ticket passing.” “CVE-2001-0011: Buffer overflow in nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows privileges.” remote attackers to cause a denial of service and possibly execute arbitrary “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers to gain root privileges.” “CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS address that resolves to a long DNS to execute arbitrary commands via a hostnames.” hostname or domain name.” malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS other versions) allows remote attackers could allow remote attackers to cause host names.” to execute arbitrary commands via a long a denial of service or execute arbitrary host or domain name that is obtained commands via a long DNS hostname that “CVE-1999-0009: Inverse query buffer from a reverse DNS lookup.” is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” “CVE-2001-0011: Buffer overflow in nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows privileges.” remote attackers to cause a denial of service and possibly execute arbitrary “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers to gain root privileges.” “CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS address that resolves to a long DNS to execute arbitrary commands via a hostnames.” hostname or domain name.” malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS other versions) allows remote attackers could allow remote attackers to cause host names.” to execute arbitrary commands via a long a denial of service or execute arbitrary host or domain name that is obtained commands via a long DNS hostname that “CVE-1999-0009: Inverse query buffer from a reverse DNS lookup.” is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” “CVE-2001-0011: Buffer overflow in nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows privileges.” remote attackers to cause a denial of service and possibly execute arbitrary “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers to gain root privileges.” “CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” to cause a denial of service and possibly “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow execute arbitrary commands via an IP L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS address that resolves to a long DNS to execute arbitrary commands via a hostnames.” hostname or domain name.” malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX “CVE-2001-0029: Buffer overflow in oops “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call WWW proxy server 1.4.6 (and possibly 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS other versions) allows remote attackers could allow remote attackers to cause host names.” to execute arbitrary commands via a long a denial of service or execute arbitrary host or domain name that is obtained commands via a long DNS hostname that “CVE-1999-0009: Inverse query buffer from a reverse DNS lookup.” is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” “CVE-2001-0011: Buffer overflow in nslookupComplain function in BIND “CVE-1999-1060: Buffer overflow in 4 allows remote attackers to gain root Tetrix TetriNet daemon 1.13.16 allows privileges.” remote attackers to cause a denial of service and possibly execute arbitrary “CVE-2001-0010: Buffer overflow in commands by connecting to port 31457 transaction signature (TSIG) handling from a host with a long DNS hostname.” code in BIND 8 allows remote attackers to gain root privileges.” “CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS to execute arbitrary commands via a hostnames.” malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS could allow remote attackers to cause host names.” a denial of service or execute arbitrary commands via a long DNS hostname that “CVE-1999-0009: Inverse query buffer is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” “CVE-1999-1060: Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.”

“CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow More security problems L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS to execute arbitrary commands via a hostnames.” What we’ve learned so far: malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS through packet forgery, could allow remote attackers to cause host names.” thanks to bad protocol. a denial of service or execute arbitrary “CVE-1999-0009: Inverse query buffer commands via a long DNS hostname that Or through buffer overflows, is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” thanks to bad software. “CVE-1999-1060: Buffer overflow in But wait, there’s more! Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.”

“CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow More security problems L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS to execute arbitrary commands via a hostnames.” What we’ve learned so far: malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS through packet forgery, could allow remote attackers to cause host names.” thanks to bad protocol. a denial of service or execute arbitrary “CVE-1999-0009: Inverse query buffer commands via a long DNS hostname that Or through buffer overflows, is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” thanks to bad software. “CVE-1999-1060: Buffer overflow in But wait, there’s more! Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.”

“CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” “CVE-2000-0405: Buffer overflow in “CVE-1999-0299: Buffer overflow More security problems L0pht AntiSniff allows remote attackers in FreeBSD lpd through long DNS to execute arbitrary commands via a hostnames.” What we’ve learned so far: malformed DNS response packet.” “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS “CVE-1999-1321: Buffer overflow in ssh and Solaris ”gethostbyname” library call 1.2.26 client with Kerberos V enabled allows root access through corrupt DNS through packet forgery, could allow remote attackers to cause host names.” thanks to bad protocol. a denial of service or execute arbitrary “CVE-1999-0009: Inverse query buffer commands via a long DNS hostname that Or through buffer overflows, is not properly handled during TGT ticket overflow in BIND 4.9 and BIND 8 passing.” Releases.” thanks to bad software. “CVE-1999-1060: Buffer overflow in But wait, there’s more! Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.”

“CVE-1999-0833: Buffer overflow in BIND 8.2 via NXT records.” “CVE-1999-0299: Buffer overflow More security problems in FreeBSD lpd through long DNS hostnames.” What we’ve learned so far:

“CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS and Solaris ”gethostbyname” library call allows root access through corrupt DNS through packet forgery, host names.” thanks to bad protocol. “CVE-1999-0009: Inverse query buffer overflow in BIND 4.9 and BIND 8 Or through buffer overflows, Releases.” thanks to bad software. But wait, there’s more! “CVE-1999-0299: Buffer overflow More security problems “CVE-2008-5077: OpenSSL 0.9.8i and in FreeBSD lpd through long DNS earlier does not properly check the return hostnames.” What we’ve learned so far: value from the EVP VerifyFinal function, which allows remote attackers to bypass “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS validation of the certificate chain via a and Solaris ”gethostbyname” library call through packet forgery, malformed SSL/TLS signature for DSA allows root access through corrupt DNS and ECDSA keys.” host names.” thanks to bad protocol. “CVE-1999-0009: Inverse query buffer This bug (announced 2009.01) Or through buffer overflows, overflow in BIND 4.9 and BIND 8 allowed trivial forgery of Releases.” thanks to bad software. DNSSEC DSA signatures. But wait, there’s more! “CVE-1999-0299: Buffer overflow More security problems “CVE-2008-5077: OpenSSL 0.9.8i and in FreeBSD lpd through long DNS earlier does not properly check the return hostnames.” What we’ve learned so far: value from the EVP VerifyFinal function, which allows remote attackers to bypass “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS validation of the certificate chain via a and Solaris ”gethostbyname” library call through packet forgery, malformed SSL/TLS signature for DSA allows root access through corrupt DNS and ECDSA keys.” host names.” thanks to bad protocol. “CVE-1999-0009: Inverse query buffer This bug (announced 2009.01) Or through buffer overflows, overflow in BIND 4.9 and BIND 8 allowed trivial forgery of Releases.” thanks to bad software. DNSSEC DSA signatures. But wait, there’s more! “CVE-1999-0299: Buffer overflow More security problems “CVE-2008-5077: OpenSSL 0.9.8i and in FreeBSD lpd through long DNS earlier does not properly check the return hostnames.” What we’ve learned so far: value from the EVP VerifyFinal function, which allows remote attackers to bypass “CVE-1999-0101: Buffer overflow in AIX Attacker easily breaks DNS validation of the certificate chain via a and Solaris ”gethostbyname” library call through packet forgery, malformed SSL/TLS signature for DSA allows root access through corrupt DNS and ECDSA keys.” host names.” thanks to bad protocol. “CVE-1999-0009: Inverse query buffer This bug (announced 2009.01) Or through buffer overflows, overflow in BIND 4.9 and BIND 8 allowed trivial forgery of Releases.” thanks to bad software. DNSSEC DSA signatures. But wait, there’s more! More security problems “CVE-2008-5077: OpenSSL 0.9.8i and earlier does not properly check the return What we’ve learned so far: value from the EVP VerifyFinal function, which allows remote attackers to bypass Attacker easily breaks DNS validation of the certificate chain via a through packet forgery, malformed SSL/TLS signature for DSA and ECDSA keys.” thanks to bad protocol. This bug (announced 2009.01) Or through buffer overflows, allowed trivial forgery of thanks to bad software. DNSSEC DSA signatures. But wait, there’s more! More security problems “CVE-2008-5077: OpenSSL 0.9.8i and earlier does not properly check the return What we’ve learned so far: value from the EVP VerifyFinal function, which allows remote attackers to bypass Attacker easily breaks DNS validation of the certificate chain via a through packet forgery, malformed SSL/TLS signature for DSA and ECDSA keys.” thanks to bad protocol. This bug (announced 2009.01) Or through buffer overflows, allowed trivial forgery of thanks to bad software. DNSSEC DSA signatures.

But wait, there’s more!

: : : which was a big deal for the 20 people on Earth who use DNSSEC DSA signatures. More security problems “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, What we’ve learned so far: value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do which allows remote attackers to bypass not set the allow-recursion and allow- Attacker easily breaks DNS validation of the certificate chain via a query-cache ACLs, which allows remote through packet forgery, malformed SSL/TLS signature for DSA attackers to make recursive queries and and ECDSA keys.” query the cache.” thanks to bad protocol. This bug (announced 2009.01) Documentation said that Or through buffer overflows, allowed trivial forgery of cache was (by default) thanks to bad software. DNSSEC DSA signatures. usable only by local network.

But wait, there’s more!

: : : which was a big deal for This bug hurt confidentiality: the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. More security problems “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, What we’ve learned so far: value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do which allows remote attackers to bypass not set the allow-recursion and allow- Attacker easily breaks DNS validation of the certificate chain via a query-cache ACLs, which allows remote through packet forgery, malformed SSL/TLS signature for DSA attackers to make recursive queries and and ECDSA keys.” query the cache.” thanks to bad protocol. This bug (announced 2009.01) Documentation said that Or through buffer overflows, allowed trivial forgery of cache was (by default) thanks to bad software. DNSSEC DSA signatures. usable only by local network.

But wait, there’s more!

: : : which was a big deal for This bug hurt confidentiality: the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. More security problems “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, What we’ve learned so far: value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do which allows remote attackers to bypass not set the allow-recursion and allow- Attacker easily breaks DNS validation of the certificate chain via a query-cache ACLs, which allows remote through packet forgery, malformed SSL/TLS signature for DSA attackers to make recursive queries and and ECDSA keys.” query the cache.” thanks to bad protocol. This bug (announced 2009.01) Documentation said that Or through buffer overflows, allowed trivial forgery of cache was (by default) thanks to bad software. DNSSEC DSA signatures. usable only by local network.

But wait, there’s more!

: : : which was a big deal for This bug hurt confidentiality: the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do which allows remote attackers to bypass not set the allow-recursion and allow- validation of the certificate chain via a query-cache ACLs, which allows remote malformed SSL/TLS signature for DSA attackers to make recursive queries and and ECDSA keys.” query the cache.”

This bug (announced 2009.01) Documentation said that allowed trivial forgery of cache was (by default)

DNSSEC DSA signatures. usable only by local network.

: : : which was a big deal for This bug hurt confidentiality: the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that which allows remote attackers to bypass not set the allow-recursion and allow- the data returned from a remote DNS validation of the certificate chain via a query-cache ACLs, which allows remote server contains related information about malformed SSL/TLS signature for DSA attackers to make recursive queries and the requested records. An attacker could and ECDSA keys.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic This bug (announced 2009.01) Documentation said that to inappropriate hosts. Man-in-the-middle allowed trivial forgery of cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” DNSSEC DSA signatures. usable only by local network.

Nobody had told Symantec

: : : which was a big deal for This bug hurt confidentiality: about the bailiwick fix. the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that which allows remote attackers to bypass not set the allow-recursion and allow- the data returned from a remote DNS validation of the certificate chain via a query-cache ACLs, which allows remote server contains related information about malformed SSL/TLS signature for DSA attackers to make recursive queries and the requested records. An attacker could and ECDSA keys.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic This bug (announced 2009.01) Documentation said that to inappropriate hosts. Man-in-the-middle allowed trivial forgery of cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” DNSSEC DSA signatures. usable only by local network.

Nobody had told Symantec

: : : which was a big deal for This bug hurt confidentiality: about the bailiwick fix. the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2008-5077: OpenSSL 0.9.8i and “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall earlier does not properly check the return control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning value from the EVP VerifyFinal function, 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that which allows remote attackers to bypass not set the allow-recursion and allow- the data returned from a remote DNS validation of the certificate chain via a query-cache ACLs, which allows remote server contains related information about malformed SSL/TLS signature for DSA attackers to make recursive queries and the requested records. An attacker could and ECDSA keys.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic This bug (announced 2009.01) Documentation said that to inappropriate hosts. Man-in-the-middle allowed trivial forgery of cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” DNSSEC DSA signatures. usable only by local network.

Nobody had told Symantec

: : : which was a big deal for This bug hurt confidentiality: about the bailiwick fix. the 20 people on Earth who use attackers easily see which DNSSEC DSA signatures. names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that not set the allow-recursion and allow- the data returned from a remote DNS query-cache ACLs, which allows remote server contains related information about attackers to make recursive queries and the requested records. An attacker could query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic Documentation said that to inappropriate hosts. Man-in-the-middle cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” usable only by local network. Nobody had told Symantec This bug hurt confidentiality: about the bailiwick fix. attackers easily see which names have been looked up. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that remote attackers to poison the cache not set the allow-recursion and allow- the data returned from a remote DNS via a malicious name server that returns query-cache ACLs, which allows remote server contains related information about negative responses with a large TTL attackers to make recursive queries and the requested records. An attacker could (time-to-live) value.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic Cache wouldn’t allow Documentation said that to inappropriate hosts. Man-in-the-middle microsoft.com servers cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” to declare an address usable only by local network. for www.google.com, Nobody had told Symantec This bug hurt confidentiality: but would allow about the bailiwick fix. attackers easily see which microsoft.com servers names have been looked up. to declare nonexistence of www.google.com. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that remote attackers to poison the cache not set the allow-recursion and allow- the data returned from a remote DNS via a malicious name server that returns query-cache ACLs, which allows remote server contains related information about negative responses with a large TTL attackers to make recursive queries and the requested records. An attacker could (time-to-live) value.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic Cache wouldn’t allow Documentation said that to inappropriate hosts. Man-in-the-middle microsoft.com servers cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” to declare an address usable only by local network. for www.google.com, Nobody had told Symantec This bug hurt confidentiality: but would allow about the bailiwick fix. attackers easily see which microsoft.com servers names have been looked up. to declare nonexistence of www.google.com. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “CVE-2007-2925: The default access “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before control lists (ACL) in ISC BIND 9.4.0, DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 9.4.1, and 9.5.0a1 through 9.5.0a5 do Vulnerability: Dnsd does not ensure that remote attackers to poison the cache not set the allow-recursion and allow- the data returned from a remote DNS via a malicious name server that returns query-cache ACLs, which allows remote server contains related information about negative responses with a large TTL attackers to make recursive queries and the requested records. An attacker could (time-to-live) value.” query the cache.” exploit this vulnerability to deny service to legitimate users by redirecting traffic Cache wouldn’t allow Documentation said that to inappropriate hosts. Man-in-the-middle microsoft.com servers cache was (by default) attacks, impersonation of sites, and other attacks may be possible.” to declare an address usable only by local network. for www.google.com, Nobody had told Symantec This bug hurt confidentiality: but would allow about the bailiwick fix. attackers easily see which microsoft.com servers names have been looked up. to declare nonexistence of www.google.com. Also hurt availability: e.g., attackers easily use cache as DDoS amplifier. “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows Vulnerability: Dnsd does not ensure that remote attackers to poison the cache the data returned from a remote DNS via a malicious name server that returns server contains related information about negative responses with a large TTL the requested records. An attacker could (time-to-live) value.” exploit this vulnerability to deny service to legitimate users by redirecting traffic Cache wouldn’t allow to inappropriate hosts. Man-in-the-middle microsoft.com servers attacks, impersonation of sites, and other attacks may be possible.” to declare an address for www.google.com, Nobody had told Symantec but would allow about the bailiwick fix. microsoft.com servers to declare nonexistence of www.google.com. “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen Vulnerability: Dnsd does not ensure that remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure the data returned from a remote DNS via a malicious name server that returns permissions for a HMAC-MD5 shared server contains related information about negative responses with a large TTL secret key file used for DNS Transactional the requested records. An attacker could (time-to-live) value.” Signatures (TSIG), which allows attackers exploit this vulnerability to deny service to obtain the keys and perform dynamic to legitimate users by redirecting traffic Cache wouldn’t allow DNS updates.” to inappropriate hosts. Man-in-the-middle microsoft.com servers attacks, impersonation of sites, and other “Perform dynamic DNS updates” to declare an address attacks may be possible.” = “change all your DNS data.” for www.google.com, Nobody had told Symantec Lack of confidentiality of keys but would allow about the bailiwick fix. compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen Vulnerability: Dnsd does not ensure that remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure the data returned from a remote DNS via a malicious name server that returns permissions for a HMAC-MD5 shared server contains related information about negative responses with a large TTL secret key file used for DNS Transactional the requested records. An attacker could (time-to-live) value.” Signatures (TSIG), which allows attackers exploit this vulnerability to deny service to obtain the keys and perform dynamic to legitimate users by redirecting traffic Cache wouldn’t allow DNS updates.” to inappropriate hosts. Man-in-the-middle microsoft.com servers attacks, impersonation of sites, and other “Perform dynamic DNS updates” to declare an address attacks may be possible.” = “change all your DNS data.” for www.google.com, Nobody had told Symantec Lack of confidentiality of keys but would allow about the bailiwick fix. compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “2004 Symantec Enterprise Firewall “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND DNSD DNS Cache Poisoning 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen Vulnerability: Dnsd does not ensure that remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure the data returned from a remote DNS via a malicious name server that returns permissions for a HMAC-MD5 shared server contains related information about negative responses with a large TTL secret key file used for DNS Transactional the requested records. An attacker could (time-to-live) value.” Signatures (TSIG), which allows attackers exploit this vulnerability to deny service to obtain the keys and perform dynamic to legitimate users by redirecting traffic Cache wouldn’t allow DNS updates.” to inappropriate hosts. Man-in-the-middle microsoft.com servers attacks, impersonation of sites, and other “Perform dynamic DNS updates” to declare an address attacks may be possible.” = “change all your DNS data.” for www.google.com, Nobody had told Symantec Lack of confidentiality of keys but would allow about the bailiwick fix. compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure via a malicious name server that returns permissions for a HMAC-MD5 shared negative responses with a large TTL secret key file used for DNS Transactional (time-to-live) value.” Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic Cache wouldn’t allow DNS updates.” microsoft.com servers “Perform dynamic DNS updates” to declare an address = “change all your DNS data.” for www.google.com, Lack of confidentiality of keys but would allow compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure Public goal of via a malicious name server that returns permissions for a HMAC-MD5 shared computer-security research: negative responses with a large TTL secret key file used for DNS Transactional (time-to-live) value.” Signatures (TSIG), which allows attackers Protection of to obtain the keys and perform dynamic the average home computer; Cache wouldn’t allow DNS updates.” critical-infrastructure computers; microsoft.com servers “Perform dynamic DNS updates” and everything in between. to declare an address = “change all your DNS data.” for www.google.com, Lack of confidentiality of keys but would allow compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure Public goal of via a malicious name server that returns permissions for a HMAC-MD5 shared computer-security research: negative responses with a large TTL secret key file used for DNS Transactional (time-to-live) value.” Signatures (TSIG), which allows attackers Protection of to obtain the keys and perform dynamic the average home computer; Cache wouldn’t allow DNS updates.” critical-infrastructure computers; microsoft.com servers “Perform dynamic DNS updates” and everything in between. to declare an address = “change all your DNS data.” for www.google.com, Lack of confidentiality of keys but would allow compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “CVE-2003-0914: ISC BIND 8.3.x before “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? 8.3.7, and 8.4.x before 8.4.3, allows 8.2.4 and earlier, and dnssec-keygen remote attackers to poison the cache in BIND 9.1.2 and earlier, set insecure Public goal of via a malicious name server that returns permissions for a HMAC-MD5 shared computer-security research: negative responses with a large TTL secret key file used for DNS Transactional (time-to-live) value.” Signatures (TSIG), which allows attackers Protection of to obtain the keys and perform dynamic the average home computer; Cache wouldn’t allow DNS updates.” critical-infrastructure computers; microsoft.com servers “Perform dynamic DNS updates” and everything in between. to declare an address = “change all your DNS data.” for www.google.com, Lack of confidentiality of keys but would allow compromises integrity of data. microsoft.com servers to declare nonexistence Exploitable on multiuser of www.google.com. machines, and on machines where another server has been taken over by an attacker. “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure Public goal of permissions for a HMAC-MD5 shared computer-security research: secret key file used for DNS Transactional Signatures (TSIG), which allows attackers Protection of to obtain the keys and perform dynamic the average home computer; DNS updates.” critical-infrastructure computers; “Perform dynamic DNS updates” and everything in between. = “change all your DNS data.” Lack of confidentiality of keys compromises integrity of data.

Exploitable on multiuser machines, and on machines where another server has been taken over by an attacker. “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure Public goal of permissions for a HMAC-MD5 shared computer-security research: secret key file used for DNS Transactional Signatures (TSIG), which allows attackers Protection of to obtain the keys and perform dynamic the average home computer; DNS updates.” critical-infrastructure computers; “Perform dynamic DNS updates” and everything in between. = “change all your DNS data.” Secret goal of Lack of confidentiality of keys computer-security research: compromises integrity of data. Lifetime employment Exploitable on multiuser for computer-security researchers. machines, and on machines where another server has been taken over by an attacker. “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? ECRYPT is a consortium of 8.2.4 and earlier, and dnssec-keygen European crypto researchers. in BIND 9.1.2 and earlier, set insecure Public goal of permissions for a HMAC-MD5 shared computer-security research: eSTREAM is the “ECRYPT secret key file used for DNS Transactional Signatures (TSIG), which allows attackers Protection of Stream Cipher Project.” to obtain the keys and perform dynamic the average home computer; DNS updates.” 2004.11: eSTREAM calls for critical-infrastructure computers; submissions of stream ciphers. “Perform dynamic DNS updates” and everything in between. Receives 34 submissions from 97 = “change all your DNS data.” Secret goal of cryptographers around the world. Lack of confidentiality of keys computer-security research: compromises integrity of data. 2008.04: After two hundred Lifetime employment papers and several conferences, Exploitable on multiuser for computer-security researchers. eSTREAM selects portfolio of machines, and on machines 4 SW ciphers and 4 HW ciphers. where another server has been taken over by an attacker. 2008.09: 4 SW, 3 HW. “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? ECRYPT is a consortium of 8.2.4 and earlier, and dnssec-keygen European crypto researchers. in BIND 9.1.2 and earlier, set insecure Public goal of permissions for a HMAC-MD5 shared computer-security research: eSTREAM is the “ECRYPT secret key file used for DNS Transactional Signatures (TSIG), which allows attackers Protection of Stream Cipher Project.” to obtain the keys and perform dynamic the average home computer; DNS updates.” 2004.11: eSTREAM calls for critical-infrastructure computers; submissions of stream ciphers. “Perform dynamic DNS updates” and everything in between. Receives 34 submissions from 97 = “change all your DNS data.” Secret goal of cryptographers around the world. Lack of confidentiality of keys computer-security research: compromises integrity of data. 2008.04: After two hundred Lifetime employment papers and several conferences, Exploitable on multiuser for computer-security researchers. eSTREAM selects portfolio of machines, and on machines 4 SW ciphers and 4 HW ciphers. where another server has been taken over by an attacker. 2008.09: 4 SW, 3 HW. “CVE-2001-0497: dnskeygen in BIND Isn’t this embarrassing? ECRYPT is a consortium of 8.2.4 and earlier, and dnssec-keygen European crypto researchers. in BIND 9.1.2 and earlier, set insecure Public goal of permissions for a HMAC-MD5 shared computer-security research: eSTREAM is the “ECRYPT secret key file used for DNS Transactional Signatures (TSIG), which allows attackers Protection of Stream Cipher Project.” to obtain the keys and perform dynamic the average home computer; DNS updates.” 2004.11: eSTREAM calls for critical-infrastructure computers; submissions of stream ciphers. “Perform dynamic DNS updates” and everything in between. Receives 34 submissions from 97 = “change all your DNS data.” Secret goal of cryptographers around the world. Lack of confidentiality of keys computer-security research: compromises integrity of data. 2008.04: After two hundred Lifetime employment papers and several conferences, Exploitable on multiuser for computer-security researchers. eSTREAM selects portfolio of machines, and on machines 4 SW ciphers and 4 HW ciphers. where another server has been taken over by an attacker. 2008.09: 4 SW, 3 HW. Isn’t this embarrassing? ECRYPT is a consortium of European crypto researchers. Public goal of computer-security research: eSTREAM is the “ECRYPT Protection of Stream Cipher Project.” the average home computer; 2004.11: eSTREAM calls for critical-infrastructure computers; submissions of stream ciphers. and everything in between. Receives 34 submissions from 97 Secret goal of cryptographers around the world. computer-security research: 2008.04: After two hundred Lifetime employment papers and several conferences, for computer-security researchers. eSTREAM selects portfolio of 4 SW ciphers and 4 HW ciphers.

2008.09: 4 SW, 3 HW. Isn’t this embarrassing? ECRYPT is a consortium of eSTREAM says: The HW ciphers European crypto researchers. are aimed at “deployment on Public goal of passive RFID tags or low-cost computer-security research: eSTREAM is the “ECRYPT devices such as might be used Protection of Stream Cipher Project.” in sensor networks. Such devices the average home computer; 2004.11: eSTREAM calls for are exceptionally constrained

critical-infrastructure computers;

: : submissions of stream ciphers. in computing potential : and everything in between. Receives 34 submissions from 97 [Keys are] 80 bits which we Secret goal of cryptographers around the world. believe to be adequate for the computer-security research: 2008.04: After two hundred lower-security applications where Lifetime employment papers and several conferences, such devices might be used.” for computer-security researchers. eSTREAM selects portfolio of Obviously these ciphers 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. Isn’t this embarrassing? ECRYPT is a consortium of eSTREAM says: The HW ciphers European crypto researchers. are aimed at “deployment on Public goal of passive RFID tags or low-cost computer-security research: eSTREAM is the “ECRYPT devices such as might be used Protection of Stream Cipher Project.” in sensor networks. Such devices the average home computer; 2004.11: eSTREAM calls for are exceptionally constrained

critical-infrastructure computers;

: : submissions of stream ciphers. in computing potential : and everything in between. Receives 34 submissions from 97 [Keys are] 80 bits which we Secret goal of cryptographers around the world. believe to be adequate for the computer-security research: 2008.04: After two hundred lower-security applications where Lifetime employment papers and several conferences, such devices might be used.” for computer-security researchers. eSTREAM selects portfolio of Obviously these ciphers 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. Isn’t this embarrassing? ECRYPT is a consortium of eSTREAM says: The HW ciphers European crypto researchers. are aimed at “deployment on Public goal of passive RFID tags or low-cost computer-security research: eSTREAM is the “ECRYPT devices such as might be used Protection of Stream Cipher Project.” in sensor networks. Such devices the average home computer; 2004.11: eSTREAM calls for are exceptionally constrained

critical-infrastructure computers;

: : submissions of stream ciphers. in computing potential : and everything in between. Receives 34 submissions from 97 [Keys are] 80 bits which we Secret goal of cryptographers around the world. believe to be adequate for the computer-security research: 2008.04: After two hundred lower-security applications where Lifetime employment papers and several conferences, such devices might be used.” for computer-security researchers. eSTREAM selects portfolio of Obviously these ciphers 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. ECRYPT is a consortium of eSTREAM says: The HW ciphers European crypto researchers. are aimed at “deployment on passive RFID tags or low-cost eSTREAM is the “ECRYPT devices such as might be used Stream Cipher Project.” in sensor networks. Such devices

2004.11: eSTREAM calls for are exceptionally constrained

: : submissions of stream ciphers. in computing potential : Receives 34 submissions from 97 [Keys are] 80 bits which we cryptographers around the world. believe to be adequate for the 2008.04: After two hundred lower-security applications where papers and several conferences, such devices might be used.” eSTREAM selects portfolio of Obviously these ciphers 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. ECRYPT is a consortium of eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, European crypto researchers. are aimed at “deployment on “Assessing the security passive RFID tags or low-cost of key length,” 2007: eSTREAM is the “ECRYPT devices such as might be used Buy FPGAs for $3 million; Stream Cipher Project.” in sensor networks. Such devices break 80-bit keys in 1 year.

2004.11: eSTREAM calls for are exceptionally constrained Or: $165 million; 1 week.

: : submissions of stream ciphers. in computing potential : Cost will continue to drop. Receives 34 submissions from 97 [Keys are] 80 bits which we Will come within reach cryptographers around the world. believe to be adequate for the of more and more attackers. 2008.04: After two hundred lower-security applications where Same story in public-key crypto. papers and several conferences, such devices might be used.” 1024-bit RSA will be broken. eSTREAM selects portfolio of Obviously these ciphers 160-bit ECC will be broken. 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. ECRYPT is a consortium of eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, European crypto researchers. are aimed at “deployment on “Assessing the security passive RFID tags or low-cost of key length,” 2007: eSTREAM is the “ECRYPT devices such as might be used Buy FPGAs for $3 million; Stream Cipher Project.” in sensor networks. Such devices break 80-bit keys in 1 year.

2004.11: eSTREAM calls for are exceptionally constrained Or: $165 million; 1 week.

: : submissions of stream ciphers. in computing potential : Cost will continue to drop. Receives 34 submissions from 97 [Keys are] 80 bits which we Will come within reach cryptographers around the world. believe to be adequate for the of more and more attackers. 2008.04: After two hundred lower-security applications where Same story in public-key crypto. papers and several conferences, such devices might be used.” 1024-bit RSA will be broken. eSTREAM selects portfolio of Obviously these ciphers 160-bit ECC will be broken. 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. ECRYPT is a consortium of eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, European crypto researchers. are aimed at “deployment on “Assessing the security passive RFID tags or low-cost of key length,” 2007: eSTREAM is the “ECRYPT devices such as might be used Buy FPGAs for $3 million; Stream Cipher Project.” in sensor networks. Such devices break 80-bit keys in 1 year.

2004.11: eSTREAM calls for are exceptionally constrained Or: $165 million; 1 week.

: : submissions of stream ciphers. in computing potential : Cost will continue to drop. Receives 34 submissions from 97 [Keys are] 80 bits which we Will come within reach cryptographers around the world. believe to be adequate for the of more and more attackers. 2008.04: After two hundred lower-security applications where Same story in public-key crypto. papers and several conferences, such devices might be used.” 1024-bit RSA will be broken. eSTREAM selects portfolio of Obviously these ciphers 160-bit ECC will be broken. 4 SW ciphers and 4 HW ciphers. will be built into many chips 2008.09: 4 SW, 3 HW. over the next 5 or 10 years. eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, are aimed at “deployment on “Assessing the security passive RFID tags or low-cost of key length,” 2007: devices such as might be used Buy FPGAs for $3 million; in sensor networks. Such devices break 80-bit keys in 1 year.

are exceptionally constrained Or: $165 million; 1 week.

: : in computing potential : Cost will continue to drop. [Keys are] 80 bits which we Will come within reach believe to be adequate for the of more and more attackers. lower-security applications where such devices might be used.” Same story in public-key crypto. 1024-bit RSA will be broken. Obviously these ciphers 160-bit ECC will be broken. will be built into many chips over the next 5 or 10 years. eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, So users will pay us for are aimed at “deployment on “Assessing the security 96-bit ciphers and 192-bit ECC. passive RFID tags or low-cost of key length,” 2007: And then those will be broken. devices such as might be used Buy FPGAs for $3 million; Continue for decades. in sensor networks. Such devices break 80-bit keys in 1 year.

are exceptionally constrained Or: $165 million; 1 week.

: : in computing potential : Cost will continue to drop. [Keys are] 80 bits which we Will come within reach believe to be adequate for the of more and more attackers. lower-security applications where such devices might be used.” Same story in public-key crypto. 1024-bit RSA will be broken. Obviously these ciphers 160-bit ECC will be broken. will be built into many chips over the next 5 or 10 years. eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, So users will pay us for are aimed at “deployment on “Assessing the security 96-bit ciphers and 192-bit ECC. passive RFID tags or low-cost of key length,” 2007: And then those will be broken. devices such as might be used Buy FPGAs for $3 million; Continue for decades. in sensor networks. Such devices break 80-bit keys in 1 year.

are exceptionally constrained Or: $165 million; 1 week.

: : in computing potential : Cost will continue to drop. [Keys are] 80 bits which we Will come within reach believe to be adequate for the of more and more attackers. lower-security applications where such devices might be used.” Same story in public-key crypto. 1024-bit RSA will be broken. Obviously these ciphers 160-bit ECC will be broken. will be built into many chips over the next 5 or 10 years. eSTREAM says: The HW ciphers Iain Devlin, Alan Purvis, So users will pay us for are aimed at “deployment on “Assessing the security 96-bit ciphers and 192-bit ECC. passive RFID tags or low-cost of key length,” 2007: And then those will be broken. devices such as might be used Buy FPGAs for $3 million; Continue for decades. in sensor networks. Such devices break 80-bit keys in 1 year.

are exceptionally constrained Or: $165 million; 1 week.

: : in computing potential : Cost will continue to drop. [Keys are] 80 bits which we Will come within reach believe to be adequate for the of more and more attackers. lower-security applications where such devices might be used.” Same story in public-key crypto. 1024-bit RSA will be broken. Obviously these ciphers 160-bit ECC will be broken. will be built into many chips over the next 5 or 10 years. Iain Devlin, Alan Purvis, So users will pay us for “Assessing the security 96-bit ciphers and 192-bit ECC. of key length,” 2007: And then those will be broken. Buy FPGAs for $3 million; Continue for decades. break 80-bit keys in 1 year. Or: $165 million; 1 week.

Cost will continue to drop. Will come within reach of more and more attackers.

Same story in public-key crypto. 1024-bit RSA will be broken. 160-bit ECC will be broken. Iain Devlin, Alan Purvis, So users will pay us for “Assessing the security 96-bit ciphers and 192-bit ECC. of key length,” 2007: And then those will be broken. Buy FPGAs for $3 million; Continue for decades. break 80-bit keys in 1 year. Success: Lifetime employment! Or: $165 million; 1 week. This is not a new pattern. Cost will continue to drop. Consider, e.g., 56-bit DES, Will come within reach or 48-bit Mifare CRYPTO1, of more and more attackers. or MD5, or Keeloq. Same story in public-key crypto. All breakable by brute force, 1024-bit RSA will be broken. and often by faster methods. 160-bit ECC will be broken. Iain Devlin, Alan Purvis, So users will pay us for Naive conclusion “Assessing the security 96-bit ciphers and 192-bit ECC. from all these attacks: of key length,” 2007: And then those will be broken. “There is no such thing as Buy FPGAs for $3 million; Continue for decades. 100% secure cryptography! break 80-bit keys in 1 year. Crypto breaks are inevitable!” Success: Lifetime employment! Or: $165 million; 1 week. This is not a new pattern. Cost will continue to drop. Consider, e.g., 56-bit DES, Will come within reach or 48-bit Mifare CRYPTO1, of more and more attackers. or MD5, or Keeloq. Same story in public-key crypto. All breakable by brute force, 1024-bit RSA will be broken. and often by faster methods. 160-bit ECC will be broken. Iain Devlin, Alan Purvis, So users will pay us for Naive conclusion “Assessing the security 96-bit ciphers and 192-bit ECC. from all these attacks: of key length,” 2007: And then those will be broken. “There is no such thing as Buy FPGAs for $3 million; Continue for decades. 100% secure cryptography! break 80-bit keys in 1 year. Crypto breaks are inevitable!” Success: Lifetime employment! Or: $165 million; 1 week. This is not a new pattern. Cost will continue to drop. Consider, e.g., 56-bit DES, Will come within reach or 48-bit Mifare CRYPTO1, of more and more attackers. or MD5, or Keeloq. Same story in public-key crypto. All breakable by brute force, 1024-bit RSA will be broken. and often by faster methods. 160-bit ECC will be broken. Iain Devlin, Alan Purvis, So users will pay us for Naive conclusion “Assessing the security 96-bit ciphers and 192-bit ECC. from all these attacks: of key length,” 2007: And then those will be broken. “There is no such thing as Buy FPGAs for $3 million; Continue for decades. 100% secure cryptography! break 80-bit keys in 1 year. Crypto breaks are inevitable!” Success: Lifetime employment! Or: $165 million; 1 week. This is not a new pattern. Cost will continue to drop. Consider, e.g., 56-bit DES, Will come within reach or 48-bit Mifare CRYPTO1, of more and more attackers. or MD5, or Keeloq. Same story in public-key crypto. All breakable by brute force, 1024-bit RSA will be broken. and often by faster methods. 160-bit ECC will be broken. So users will pay us for Naive conclusion 96-bit ciphers and 192-bit ECC. from all these attacks: And then those will be broken. “There is no such thing as Continue for decades. 100% secure cryptography! Crypto breaks are inevitable!” Success: Lifetime employment! This is not a new pattern. Consider, e.g., 56-bit DES, or 48-bit Mifare CRYPTO1, or MD5, or Keeloq. All breakable by brute force, and often by faster methods. So users will pay us for Naive conclusion 96-bit ciphers and 192-bit ECC. from all these attacks: And then those will be broken. “There is no such thing as Continue for decades. 100% secure cryptography! Crypto breaks are inevitable!” Success: Lifetime employment! This conclusion is unjustified This is not a new pattern. and almost certainly wrong. Consider, e.g., 56-bit DES, or 48-bit Mifare CRYPTO1, Nobody has found patterns or MD5, or Keeloq. in output of 256-bit AES. All breakable by brute force, Most cryptographers think and often by faster methods. that nobody ever will. So users will pay us for Naive conclusion “AES software leaks keys 96-bit ciphers and 192-bit ECC. from all these attacks: to cache-timing attacks!” And then those will be broken. “There is no such thing as True, but we know how Continue for decades. 100% secure cryptography! to eliminate this problem Crypto breaks are inevitable!” Success: Lifetime employment! by (for example) bitslicing. This conclusion is unjustified This is not a new pattern. and almost certainly wrong. Consider, e.g., 56-bit DES, or 48-bit Mifare CRYPTO1, Nobody has found patterns or MD5, or Keeloq. in output of 256-bit AES. All breakable by brute force, Most cryptographers think and often by faster methods. that nobody ever will. So users will pay us for Naive conclusion “AES software leaks keys 96-bit ciphers and 192-bit ECC. from all these attacks: to cache-timing attacks!” And then those will be broken. “There is no such thing as True, but we know how Continue for decades. 100% secure cryptography! to eliminate this problem Crypto breaks are inevitable!” Success: Lifetime employment! by (for example) bitslicing. This conclusion is unjustified This is not a new pattern. and almost certainly wrong. Consider, e.g., 56-bit DES, or 48-bit Mifare CRYPTO1, Nobody has found patterns or MD5, or Keeloq. in output of 256-bit AES. All breakable by brute force, Most cryptographers think and often by faster methods. that nobody ever will. So users will pay us for Naive conclusion “AES software leaks keys 96-bit ciphers and 192-bit ECC. from all these attacks: to cache-timing attacks!” And then those will be broken. “There is no such thing as True, but we know how Continue for decades. 100% secure cryptography! to eliminate this problem Crypto breaks are inevitable!” Success: Lifetime employment! by (for example) bitslicing. This conclusion is unjustified This is not a new pattern. and almost certainly wrong. Consider, e.g., 56-bit DES, or 48-bit Mifare CRYPTO1, Nobody has found patterns or MD5, or Keeloq. in output of 256-bit AES. All breakable by brute force, Most cryptographers think and often by faster methods. that nobody ever will. Naive conclusion “AES software leaks keys from all these attacks: to cache-timing attacks!” “There is no such thing as True, but we know how 100% secure cryptography! to eliminate this problem Crypto breaks are inevitable!” by (for example) bitslicing. This conclusion is unjustified and almost certainly wrong. Nobody has found patterns in output of 256-bit AES. Most cryptographers think that nobody ever will. Naive conclusion “AES software leaks keys from all these attacks: to cache-timing attacks!” “There is no such thing as True, but we know how 100% secure cryptography! to eliminate this problem Crypto breaks are inevitable!” by (for example) bitslicing. This conclusion is unjustified “Maybe secret-key crypto is okay, and almost certainly wrong. but large quantum computers will Nobody has found patterns kill public-key cryptography!” in output of 256-bit AES. If large quantum computers are Most cryptographers think built, they’ll break RSA and ECC, that nobody ever will. but we have replacements. See PQCrypto workshops. Naive conclusion “AES software leaks keys Enough crypto for this talk. from all these attacks: to cache-timing attacks!” How about all the rest “There is no such thing as of computer security? True, but we know how 100% secure cryptography! to eliminate this problem Flood of successful attacks, Crypto breaks are inevitable!” by (for example) bitslicing. even more than in crypto. This conclusion is unjustified “Maybe secret-key crypto is okay, Conventional wisdom: and almost certainly wrong. but large quantum computers will We’ll never stop the flood. Nobody has found patterns kill public-key cryptography!” Viega and McGraw: “Because in output of 256-bit AES. If large quantum computers are there is no such thing as 100% Most cryptographers think built, they’ll break RSA and ECC, security, attacks will happen.” that nobody ever will. but we have replacements. Schneier: “Software bugs See PQCrypto workshops. (and therefore security flaws) are inevitable.” Naive conclusion “AES software leaks keys Enough crypto for this talk. from all these attacks: to cache-timing attacks!” How about all the rest “There is no such thing as of computer security? True, but we know how 100% secure cryptography! to eliminate this problem Flood of successful attacks, Crypto breaks are inevitable!” by (for example) bitslicing. even more than in crypto. This conclusion is unjustified “Maybe secret-key crypto is okay, Conventional wisdom: and almost certainly wrong. but large quantum computers will We’ll never stop the flood. Nobody has found patterns kill public-key cryptography!” Viega and McGraw: “Because in output of 256-bit AES. If large quantum computers are there is no such thing as 100% Most cryptographers think built, they’ll break RSA and ECC, security, attacks will happen.” that nobody ever will. but we have replacements. Schneier: “Software bugs See PQCrypto workshops. (and therefore security flaws) are inevitable.” Naive conclusion “AES software leaks keys Enough crypto for this talk. from all these attacks: to cache-timing attacks!” How about all the rest “There is no such thing as of computer security? True, but we know how 100% secure cryptography! to eliminate this problem Flood of successful attacks, Crypto breaks are inevitable!” by (for example) bitslicing. even more than in crypto. This conclusion is unjustified “Maybe secret-key crypto is okay, Conventional wisdom: and almost certainly wrong. but large quantum computers will We’ll never stop the flood. Nobody has found patterns kill public-key cryptography!” Viega and McGraw: “Because in output of 256-bit AES. If large quantum computers are there is no such thing as 100% Most cryptographers think built, they’ll break RSA and ECC, security, attacks will happen.” that nobody ever will. but we have replacements. Schneier: “Software bugs See PQCrypto workshops. (and therefore security flaws) are inevitable.” “AES software leaks keys Enough crypto for this talk. to cache-timing attacks!” How about all the rest of computer security? True, but we know how to eliminate this problem Flood of successful attacks, by (for example) bitslicing. even more than in crypto. “Maybe secret-key crypto is okay, Conventional wisdom: but large quantum computers will We’ll never stop the flood. kill public-key cryptography!” Viega and McGraw: “Because If large quantum computers are there is no such thing as 100% built, they’ll break RSA and ECC, security, attacks will happen.” but we have replacements. Schneier: “Software bugs See PQCrypto workshops. (and therefore security flaws) are inevitable.” “AES software leaks keys Enough crypto for this talk. Analogy: to cache-timing attacks!” How about all the rest “We’ll never build a tunnel of computer security? from England to France.” True, but we know how to eliminate this problem Flood of successful attacks, Why not? “It’s impossible.” by (for example) bitslicing. even more than in crypto. Or: “Maybe it’s possible, but it’s much too expensive.” “Maybe secret-key crypto is okay, Conventional wisdom: but large quantum computers will We’ll never stop the flood. Engineer’s reaction: kill public-key cryptography!” How expensive is it? Viega and McGraw: “Because How big a tunnel can we build? If large quantum computers are there is no such thing as 100% How can we reduce the costs? built, they’ll break RSA and ECC, security, attacks will happen.” but we have replacements. Eventually a tunnel was built Schneier: “Software bugs See PQCrypto workshops. from England to France. (and therefore security flaws) are inevitable.” “AES software leaks keys Enough crypto for this talk. Analogy: to cache-timing attacks!” How about all the rest “We’ll never build a tunnel of computer security? from England to France.” True, but we know how to eliminate this problem Flood of successful attacks, Why not? “It’s impossible.” by (for example) bitslicing. even more than in crypto. Or: “Maybe it’s possible, but it’s much too expensive.” “Maybe secret-key crypto is okay, Conventional wisdom: but large quantum computers will We’ll never stop the flood. Engineer’s reaction: kill public-key cryptography!” How expensive is it? Viega and McGraw: “Because How big a tunnel can we build? If large quantum computers are there is no such thing as 100% How can we reduce the costs? built, they’ll break RSA and ECC, security, attacks will happen.” but we have replacements. Eventually a tunnel was built Schneier: “Software bugs See PQCrypto workshops. from England to France. (and therefore security flaws) are inevitable.” “AES software leaks keys Enough crypto for this talk. Analogy: to cache-timing attacks!” How about all the rest “We’ll never build a tunnel of computer security? from England to France.” True, but we know how to eliminate this problem Flood of successful attacks, Why not? “It’s impossible.” by (for example) bitslicing. even more than in crypto. Or: “Maybe it’s possible, but it’s much too expensive.” “Maybe secret-key crypto is okay, Conventional wisdom: but large quantum computers will We’ll never stop the flood. Engineer’s reaction: kill public-key cryptography!” How expensive is it? Viega and McGraw: “Because How big a tunnel can we build? If large quantum computers are there is no such thing as 100% How can we reduce the costs? built, they’ll break RSA and ECC, security, attacks will happen.” but we have replacements. Eventually a tunnel was built Schneier: “Software bugs See PQCrypto workshops. from England to France. (and therefore security flaws) are inevitable.” Enough crypto for this talk. Analogy: How about all the rest “We’ll never build a tunnel of computer security? from England to France.”

Flood of successful attacks, Why not? “It’s impossible.” even more than in crypto. Or: “Maybe it’s possible, but it’s much too expensive.” Conventional wisdom: We’ll never stop the flood. Engineer’s reaction: How expensive is it? Viega and McGraw: “Because How big a tunnel can we build? there is no such thing as 100% How can we reduce the costs? security, attacks will happen.” Eventually a tunnel was built Schneier: “Software bugs from England to France. (and therefore security flaws) are inevitable.” Enough crypto for this talk. Analogy: Here’s what I think: How about all the rest “We’ll never build a tunnel Invulnerable software systems of computer security? from England to France.” can and will be built, Flood of successful attacks, Why not? “It’s impossible.” and will become standard. even more than in crypto. Or: “Maybe it’s possible, Most “security” research today but it’s much too expensive.” Conventional wisdom: doesn’t aim for invulnerability, We’ll never stop the flood. Engineer’s reaction: doesn’t contribute to it, How expensive is it? and will be discarded once Viega and McGraw: “Because How big a tunnel can we build? we have invulnerable software. there is no such thing as 100% How can we reduce the costs? security, attacks will happen.” Eventually a tunnel was built Schneier: “Software bugs from England to France. (and therefore security flaws) are inevitable.” Enough crypto for this talk. Analogy: Here’s what I think: How about all the rest “We’ll never build a tunnel Invulnerable software systems of computer security? from England to France.” can and will be built, Flood of successful attacks, Why not? “It’s impossible.” and will become standard. even more than in crypto. Or: “Maybe it’s possible, Most “security” research today but it’s much too expensive.” Conventional wisdom: doesn’t aim for invulnerability, We’ll never stop the flood. Engineer’s reaction: doesn’t contribute to it, How expensive is it? and will be discarded once Viega and McGraw: “Because How big a tunnel can we build? we have invulnerable software. there is no such thing as 100% How can we reduce the costs? security, attacks will happen.” Eventually a tunnel was built Schneier: “Software bugs from England to France. (and therefore security flaws) are inevitable.” Enough crypto for this talk. Analogy: Here’s what I think: How about all the rest “We’ll never build a tunnel Invulnerable software systems of computer security? from England to France.” can and will be built, Flood of successful attacks, Why not? “It’s impossible.” and will become standard. even more than in crypto. Or: “Maybe it’s possible, Most “security” research today but it’s much too expensive.” Conventional wisdom: doesn’t aim for invulnerability, We’ll never stop the flood. Engineer’s reaction: doesn’t contribute to it, How expensive is it? and will be discarded once Viega and McGraw: “Because How big a tunnel can we build? we have invulnerable software. there is no such thing as 100% How can we reduce the costs? security, attacks will happen.” Eventually a tunnel was built Schneier: “Software bugs from England to France. (and therefore security flaws) are inevitable.” Analogy: Here’s what I think: “We’ll never build a tunnel Invulnerable software systems from England to France.” can and will be built, Why not? “It’s impossible.” and will become standard. Or: “Maybe it’s possible, Most “security” research today but it’s much too expensive.” doesn’t aim for invulnerability, Engineer’s reaction: doesn’t contribute to it, How expensive is it? and will be discarded once How big a tunnel can we build? we have invulnerable software. How can we reduce the costs? Eventually a tunnel was built from England to France. Analogy: Here’s what I think: Eliminating bugs “We’ll never build a tunnel Invulnerable software systems Bug: Software feature from England to France.” can and will be built, that violates the user’s Why not? “It’s impossible.” and will become standard. requirements. Or: “Maybe it’s possible, Most “security” research today Security hole: Software feature but it’s much too expensive.” doesn’t aim for invulnerability, that violates the user’s Engineer’s reaction: doesn’t contribute to it, security requirements. How expensive is it? and will be discarded once How big a tunnel can we build? we have invulnerable software. How can we reduce the costs? Eventually a tunnel was built from England to France. Analogy: Here’s what I think: Eliminating bugs “We’ll never build a tunnel Invulnerable software systems Bug: Software feature from England to France.” can and will be built, that violates the user’s Why not? “It’s impossible.” and will become standard. requirements. Or: “Maybe it’s possible, Most “security” research today Security hole: Software feature but it’s much too expensive.” doesn’t aim for invulnerability, that violates the user’s Engineer’s reaction: doesn’t contribute to it, security requirements. How expensive is it? and will be discarded once How big a tunnel can we build? we have invulnerable software. How can we reduce the costs? Eventually a tunnel was built from England to France. Analogy: Here’s what I think: Eliminating bugs “We’ll never build a tunnel Invulnerable software systems Bug: Software feature from England to France.” can and will be built, that violates the user’s Why not? “It’s impossible.” and will become standard. requirements. Or: “Maybe it’s possible, Most “security” research today Security hole: Software feature but it’s much too expensive.” doesn’t aim for invulnerability, that violates the user’s Engineer’s reaction: doesn’t contribute to it, security requirements. How expensive is it? and will be discarded once How big a tunnel can we build? we have invulnerable software. How can we reduce the costs? Eventually a tunnel was built from England to France. Here’s what I think: Eliminating bugs Invulnerable software systems Bug: Software feature can and will be built, that violates the user’s and will become standard. requirements.

Most “security” research today Security hole: Software feature doesn’t aim for invulnerability, that violates the user’s doesn’t contribute to it, security requirements. and will be discarded once we have invulnerable software. Here’s what I think: Eliminating bugs Invulnerable software systems Bug: Software feature can and will be built, that violates the user’s and will become standard. requirements.

Most “security” research today Security hole: Software feature doesn’t aim for invulnerability, that violates the user’s doesn’t contribute to it, security requirements. and will be discarded once Every security hole is a bug. we have invulnerable software. Is every bug a security hole? No. Many user requirements are not security requirements. Here’s what I think: Eliminating bugs Everyone agrees that we can eliminate all bugs Invulnerable software systems Bug: Software feature (and therefore eliminate can and will be built, that violates the user’s all security holes) and will become standard. requirements. in extremely small programs. Most “security” research today Security hole: Software feature What about larger programs? doesn’t aim for invulnerability, that violates the user’s doesn’t contribute to it, security requirements. Space-shuttle software: and will be discarded once “The last three versions of the Every security hole is a bug. we have invulnerable software. program—each 420000 lines Is every bug a security hole? long—had just one error each. No. Many user requirements The last 11 versions of this are not security requirements. software had a total of 17 errors.” Here’s what I think: Eliminating bugs Everyone agrees that we can eliminate all bugs Invulnerable software systems Bug: Software feature (and therefore eliminate can and will be built, that violates the user’s all security holes) and will become standard. requirements. in extremely small programs. Most “security” research today Security hole: Software feature What about larger programs? doesn’t aim for invulnerability, that violates the user’s doesn’t contribute to it, security requirements. Space-shuttle software: and will be discarded once “The last three versions of the Every security hole is a bug. we have invulnerable software. program—each 420000 lines Is every bug a security hole? long—had just one error each. No. Many user requirements The last 11 versions of this are not security requirements. software had a total of 17 errors.” Here’s what I think: Eliminating bugs Everyone agrees that we can eliminate all bugs Invulnerable software systems Bug: Software feature (and therefore eliminate can and will be built, that violates the user’s all security holes) and will become standard. requirements. in extremely small programs. Most “security” research today Security hole: Software feature What about larger programs? doesn’t aim for invulnerability, that violates the user’s doesn’t contribute to it, security requirements. Space-shuttle software: and will be discarded once “The last three versions of the Every security hole is a bug. we have invulnerable software. program—each 420000 lines Is every bug a security hole? long—had just one error each. No. Many user requirements The last 11 versions of this are not security requirements. software had a total of 17 errors.” Eliminating bugs Everyone agrees that we can eliminate all bugs Bug: Software feature (and therefore eliminate that violates the user’s all security holes) requirements. in extremely small programs. Security hole: Software feature What about larger programs? that violates the user’s security requirements. Space-shuttle software: “The last three versions of the Every security hole is a bug. program—each 420000 lines Is every bug a security hole? long—had just one error each. No. Many user requirements The last 11 versions of this are not security requirements. software had a total of 17 errors.” Eliminating bugs Everyone agrees that Estimate bug rate of we can eliminate all bugs software-engineering processes Bug: Software feature (and therefore eliminate by carefully reviewing code. that violates the user’s all security holes) (Estimate is reliable enough; requirements. in extremely small programs. “all bugs are shallow.”) Security hole: Software feature What about larger programs? Meta-engineer processes that violates the user’s that have lower bug rates. security requirements. Space-shuttle software: Note: progress is quantified. “The last three versions of the Every security hole is a bug. program—each 420000 lines Well-known example: Is every bug a security hole? long—had just one error each. Drastically reduce bug rate No. Many user requirements The last 11 versions of this of typical engineering process are not security requirements. software had a total of 17 errors.” by adding coverage tests. Eliminating bugs Everyone agrees that Estimate bug rate of we can eliminate all bugs software-engineering processes Bug: Software feature (and therefore eliminate by carefully reviewing code. that violates the user’s all security holes) (Estimate is reliable enough; requirements. in extremely small programs. “all bugs are shallow.”) Security hole: Software feature What about larger programs? Meta-engineer processes that violates the user’s that have lower bug rates. security requirements. Space-shuttle software: Note: progress is quantified. “The last three versions of the Every security hole is a bug. program—each 420000 lines Well-known example: Is every bug a security hole? long—had just one error each. Drastically reduce bug rate No. Many user requirements The last 11 versions of this of typical engineering process are not security requirements. software had a total of 17 errors.” by adding coverage tests. Eliminating bugs Everyone agrees that Estimate bug rate of we can eliminate all bugs software-engineering processes Bug: Software feature (and therefore eliminate by carefully reviewing code. that violates the user’s all security holes) (Estimate is reliable enough; requirements. in extremely small programs. “all bugs are shallow.”) Security hole: Software feature What about larger programs? Meta-engineer processes that violates the user’s that have lower bug rates. security requirements. Space-shuttle software: Note: progress is quantified. “The last three versions of the Every security hole is a bug. program—each 420000 lines Well-known example: Is every bug a security hole? long—had just one error each. Drastically reduce bug rate No. Many user requirements The last 11 versions of this of typical engineering process are not security requirements. software had a total of 17 errors.” by adding coverage tests. Everyone agrees that Estimate bug rate of we can eliminate all bugs software-engineering processes (and therefore eliminate by carefully reviewing code. all security holes) (Estimate is reliable enough; in extremely small programs. “all bugs are shallow.”)

What about larger programs? Meta-engineer processes that have lower bug rates. Space-shuttle software: Note: progress is quantified. “The last three versions of the program—each 420000 lines Well-known example: long—had just one error each. Drastically reduce bug rate The last 11 versions of this of typical engineering process software had a total of 17 errors.” by adding coverage tests. Everyone agrees that Estimate bug rate of Example where djbdns did well: we can eliminate all bugs software-engineering processes “Don’t parse.” (and therefore eliminate by carefully reviewing code. Typical user interfaces all security holes) (Estimate is reliable enough; copy “normal” inputs and in extremely small programs. “all bugs are shallow.”) quote “abnormal” inputs. What about larger programs? Meta-engineer processes Inherently bug-prone: that have lower bug rates. simpler copying is wrong Space-shuttle software: Note: progress is quantified. but passes “normal” tests. “The last three versions of the Example (1996 Bernstein): program—each 420000 lines Well-known example: format-string danger in logger. long—had just one error each. Drastically reduce bug rate The last 11 versions of this of typical engineering process djbdns’s internal file structures software had a total of 17 errors.” by adding coverage tests. and program-level interfaces don’t have exceptional cases. Simplest code is correct code. Everyone agrees that Estimate bug rate of Example where djbdns did well: we can eliminate all bugs software-engineering processes “Don’t parse.” (and therefore eliminate by carefully reviewing code. Typical user interfaces all security holes) (Estimate is reliable enough; copy “normal” inputs and in extremely small programs. “all bugs are shallow.”) quote “abnormal” inputs. What about larger programs? Meta-engineer processes Inherently bug-prone: that have lower bug rates. simpler copying is wrong Space-shuttle software: Note: progress is quantified. but passes “normal” tests. “The last three versions of the Example (1996 Bernstein): program—each 420000 lines Well-known example: format-string danger in logger. long—had just one error each. Drastically reduce bug rate The last 11 versions of this of typical engineering process djbdns’s internal file structures software had a total of 17 errors.” by adding coverage tests. and program-level interfaces don’t have exceptional cases. Simplest code is correct code. Everyone agrees that Estimate bug rate of Example where djbdns did well: we can eliminate all bugs software-engineering processes “Don’t parse.” (and therefore eliminate by carefully reviewing code. Typical user interfaces all security holes) (Estimate is reliable enough; copy “normal” inputs and in extremely small programs. “all bugs are shallow.”) quote “abnormal” inputs. What about larger programs? Meta-engineer processes Inherently bug-prone: that have lower bug rates. simpler copying is wrong Space-shuttle software: Note: progress is quantified. but passes “normal” tests. “The last three versions of the Example (1996 Bernstein): program—each 420000 lines Well-known example: format-string danger in logger. long—had just one error each. Drastically reduce bug rate The last 11 versions of this of typical engineering process djbdns’s internal file structures software had a total of 17 errors.” by adding coverage tests. and program-level interfaces don’t have exceptional cases. Simplest code is correct code. Estimate bug rate of Example where djbdns did well: software-engineering processes “Don’t parse.” by carefully reviewing code. Typical user interfaces (Estimate is reliable enough; copy “normal” inputs and “all bugs are shallow.”) quote “abnormal” inputs. Meta-engineer processes Inherently bug-prone: that have lower bug rates. simpler copying is wrong Note: progress is quantified. but passes “normal” tests. Example (1996 Bernstein): Well-known example: format-string danger in logger. Drastically reduce bug rate of typical engineering process djbdns’s internal file structures by adding coverage tests. and program-level interfaces don’t have exceptional cases. Simplest code is correct code. Estimate bug rate of Example where djbdns did well: Example where djbdns did badly: software-engineering processes “Don’t parse.” integer arithmetic. by carefully reviewing code. Typical user interfaces In C et al., a+b usually means (Estimate is reliable enough; copy “normal” inputs and exactly what it says, “all bugs are shallow.”) quote “abnormal” inputs. but occasionally doesn’t. Meta-engineer processes Inherently bug-prone: To detect these occasions, that have lower bug rates. simpler copying is wrong need to check for overflows. Note: progress is quantified. but passes “normal” tests. Extra work for programmer. Example (1996 Bernstein): Well-known example: format-string danger in logger. To guarantee sane semantics, Drastically reduce bug rate extending integer range and of typical engineering process djbdns’s internal file structures failing only if out of memory, by adding coverage tests. and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Estimate bug rate of Example where djbdns did well: Example where djbdns did badly: software-engineering processes “Don’t parse.” integer arithmetic. by carefully reviewing code. Typical user interfaces In C et al., a+b usually means (Estimate is reliable enough; copy “normal” inputs and exactly what it says, “all bugs are shallow.”) quote “abnormal” inputs. but occasionally doesn’t. Meta-engineer processes Inherently bug-prone: To detect these occasions, that have lower bug rates. simpler copying is wrong need to check for overflows. Note: progress is quantified. but passes “normal” tests. Extra work for programmer. Example (1996 Bernstein): Well-known example: format-string danger in logger. To guarantee sane semantics, Drastically reduce bug rate extending integer range and of typical engineering process djbdns’s internal file structures failing only if out of memory, by adding coverage tests. and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Estimate bug rate of Example where djbdns did well: Example where djbdns did badly: software-engineering processes “Don’t parse.” integer arithmetic. by carefully reviewing code. Typical user interfaces In C et al., a+b usually means (Estimate is reliable enough; copy “normal” inputs and exactly what it says, “all bugs are shallow.”) quote “abnormal” inputs. but occasionally doesn’t. Meta-engineer processes Inherently bug-prone: To detect these occasions, that have lower bug rates. simpler copying is wrong need to check for overflows. Note: progress is quantified. but passes “normal” tests. Extra work for programmer. Example (1996 Bernstein): Well-known example: format-string danger in logger. To guarantee sane semantics, Drastically reduce bug rate extending integer range and of typical engineering process djbdns’s internal file structures failing only if out of memory, by adding coverage tests. and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Example where djbdns did well: Example where djbdns did badly: “Don’t parse.” integer arithmetic. Typical user interfaces In C et al., a+b usually means copy “normal” inputs and exactly what it says, quote “abnormal” inputs. but occasionally doesn’t. Inherently bug-prone: To detect these occasions, simpler copying is wrong need to check for overflows. but passes “normal” tests. Extra work for programmer. Example (1996 Bernstein): format-string danger in logger. To guarantee sane semantics, extending integer range and djbdns’s internal file structures failing only if out of memory, and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Example where djbdns did well: Example where djbdns did badly: The closest that qmail “Don’t parse.” integer arithmetic. has come to a security hole (Guninski): potential overflow Typical user interfaces In C et al., a+b usually means of an unchecked counter. copy “normal” inputs and exactly what it says, quote “abnormal” inputs. but occasionally doesn’t. Fortunately, counter growth Inherently bug-prone: was limited by memory To detect these occasions, simpler copying is wrong and thus by configuration, need to check for overflows. but passes “normal” tests. but this was pure luck. Extra work for programmer. Example (1996 Bernstein): Anti-bug meta-engineering: format-string danger in logger. To guarantee sane semantics, Use language where a+b extending integer range and djbdns’s internal file structures means exactly what it says. failing only if out of memory, and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Example where djbdns did well: Example where djbdns did badly: The closest that qmail “Don’t parse.” integer arithmetic. has come to a security hole (Guninski): potential overflow Typical user interfaces In C et al., a+b usually means of an unchecked counter. copy “normal” inputs and exactly what it says, quote “abnormal” inputs. but occasionally doesn’t. Fortunately, counter growth Inherently bug-prone: was limited by memory To detect these occasions, simpler copying is wrong and thus by configuration, need to check for overflows. but passes “normal” tests. but this was pure luck. Extra work for programmer. Example (1996 Bernstein): Anti-bug meta-engineering: format-string danger in logger. To guarantee sane semantics, Use language where a+b extending integer range and djbdns’s internal file structures means exactly what it says. failing only if out of memory, and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Example where djbdns did well: Example where djbdns did badly: The closest that qmail “Don’t parse.” integer arithmetic. has come to a security hole (Guninski): potential overflow Typical user interfaces In C et al., a+b usually means of an unchecked counter. copy “normal” inputs and exactly what it says, quote “abnormal” inputs. but occasionally doesn’t. Fortunately, counter growth Inherently bug-prone: was limited by memory To detect these occasions, simpler copying is wrong and thus by configuration, need to check for overflows. but passes “normal” tests. but this was pure luck. Extra work for programmer. Example (1996 Bernstein): Anti-bug meta-engineering: format-string danger in logger. To guarantee sane semantics, Use language where a+b extending integer range and djbdns’s internal file structures means exactly what it says. failing only if out of memory, and program-level interfaces need to use large-integer library. don’t have exceptional cases. Extra work for programmer. Simplest code is correct code. Example where djbdns did badly: The closest that qmail integer arithmetic. has come to a security hole (Guninski): potential overflow In C et al., a+b usually means of an unchecked counter. exactly what it says, but occasionally doesn’t. Fortunately, counter growth was limited by memory To detect these occasions, and thus by configuration, need to check for overflows. but this was pure luck. Extra work for programmer. Anti-bug meta-engineering: To guarantee sane semantics, Use language where a+b extending integer range and means exactly what it says. failing only if out of memory, need to use large-integer library. Extra work for programmer. Example where djbdns did badly: The closest that qmail Security hole in djbdns integer arithmetic. has come to a security hole (2009.02.25 Dempsky): overflow (Guninski): potential overflow of an unchecked counter In C et al., a+b usually means of an unchecked counter. copied into compressed packets. exactly what it says, but occasionally doesn’t. Fortunately, counter growth Decompressing those packets was limited by memory produces incorrect results. To detect these occasions, and thus by configuration, Problem for packets that mix need to check for overflows. but this was pure luck. data from different sources. Extra work for programmer. Anti-bug meta-engineering: Impact: If administrator of To guarantee sane semantics, Use language where a+b lsec.be copies foo.lsec.be extending integer range and means exactly what it says. from an untrusted third party, failing only if out of memory, the third party can control need to use large-integer library. cache entries for lsec.be, Extra work for programmer. not just foo.lsec.be. Example where djbdns did badly: The closest that qmail Security hole in djbdns integer arithmetic. has come to a security hole (2009.02.25 Dempsky): overflow (Guninski): potential overflow of an unchecked counter In C et al., a+b usually means of an unchecked counter. copied into compressed packets. exactly what it says, but occasionally doesn’t. Fortunately, counter growth Decompressing those packets was limited by memory produces incorrect results. To detect these occasions, and thus by configuration, Problem for packets that mix need to check for overflows. but this was pure luck. data from different sources. Extra work for programmer. Anti-bug meta-engineering: Impact: If administrator of To guarantee sane semantics, Use language where a+b lsec.be copies foo.lsec.be extending integer range and means exactly what it says. from an untrusted third party, failing only if out of memory, the third party can control need to use large-integer library. cache entries for lsec.be, Extra work for programmer. not just foo.lsec.be. Example where djbdns did badly: The closest that qmail Security hole in djbdns integer arithmetic. has come to a security hole (2009.02.25 Dempsky): overflow (Guninski): potential overflow of an unchecked counter In C et al., a+b usually means of an unchecked counter. copied into compressed packets. exactly what it says, but occasionally doesn’t. Fortunately, counter growth Decompressing those packets was limited by memory produces incorrect results. To detect these occasions, and thus by configuration, Problem for packets that mix need to check for overflows. but this was pure luck. data from different sources. Extra work for programmer. Anti-bug meta-engineering: Impact: If administrator of To guarantee sane semantics, Use language where a+b lsec.be copies foo.lsec.be extending integer range and means exactly what it says. from an untrusted third party, failing only if out of memory, the third party can control need to use large-integer library. cache entries for lsec.be, Extra work for programmer. not just foo.lsec.be. The closest that qmail Security hole in djbdns has come to a security hole (2009.02.25 Dempsky): overflow (Guninski): potential overflow of an unchecked counter of an unchecked counter. copied into compressed packets.

Fortunately, counter growth Decompressing those packets was limited by memory produces incorrect results. and thus by configuration, Problem for packets that mix but this was pure luck. data from different sources.

Anti-bug meta-engineering: Impact: If administrator of Use language where a+b lsec.be copies foo.lsec.be means exactly what it says. from an untrusted third party, the third party can control cache entries for lsec.be, not just foo.lsec.be. The closest that qmail Security hole in djbdns “Large-integer libraries are slow!” has come to a security hole (2009.02.25 Dempsky): overflow That’s a silly objection. (Guninski): potential overflow of an unchecked counter We need invulnerable systems, of an unchecked counter. copied into compressed packets. and we need them today,

Fortunately, counter growth Decompressing those packets even if they are 10¢ slower was limited by memory produces incorrect results. than our current systems. and thus by configuration, Problem for packets that mix Tomorrow we’ll make them faster. but this was pure luck. data from different sources. Most CPU time is consumed Anti-bug meta-engineering: Impact: If administrator of by a very small portion Use language where a+b lsec.be copies foo.lsec.be of all the system’s code. means exactly what it says. from an untrusted third party, Most large-integer overheads the third party can control are removed by smart compilers. cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. The closest that qmail Security hole in djbdns “Large-integer libraries are slow!” has come to a security hole (2009.02.25 Dempsky): overflow That’s a silly objection. (Guninski): potential overflow of an unchecked counter We need invulnerable systems, of an unchecked counter. copied into compressed packets. and we need them today,

Fortunately, counter growth Decompressing those packets even if they are 10¢ slower was limited by memory produces incorrect results. than our current systems. and thus by configuration, Problem for packets that mix Tomorrow we’ll make them faster. but this was pure luck. data from different sources. Most CPU time is consumed Anti-bug meta-engineering: Impact: If administrator of by a very small portion Use language where a+b lsec.be copies foo.lsec.be of all the system’s code. means exactly what it says. from an untrusted third party, Most large-integer overheads the third party can control are removed by smart compilers. cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. The closest that qmail Security hole in djbdns “Large-integer libraries are slow!” has come to a security hole (2009.02.25 Dempsky): overflow That’s a silly objection. (Guninski): potential overflow of an unchecked counter We need invulnerable systems, of an unchecked counter. copied into compressed packets. and we need them today,

Fortunately, counter growth Decompressing those packets even if they are 10¢ slower was limited by memory produces incorrect results. than our current systems. and thus by configuration, Problem for packets that mix Tomorrow we’ll make them faster. but this was pure luck. data from different sources. Most CPU time is consumed Anti-bug meta-engineering: Impact: If administrator of by a very small portion Use language where a+b lsec.be copies foo.lsec.be of all the system’s code. means exactly what it says. from an untrusted third party, Most large-integer overheads the third party can control are removed by smart compilers. cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. Security hole in djbdns “Large-integer libraries are slow!” (2009.02.25 Dempsky): overflow That’s a silly objection. of an unchecked counter We need invulnerable systems, copied into compressed packets. and we need them today,

Decompressing those packets even if they are 10¢ slower produces incorrect results. than our current systems. Problem for packets that mix Tomorrow we’ll make them faster. data from different sources. Most CPU time is consumed Impact: If administrator of by a very small portion lsec.be copies foo.lsec.be of all the system’s code. from an untrusted third party, Most large-integer overheads the third party can control are removed by smart compilers. cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. Security hole in djbdns “Large-integer libraries are slow!” More anti-bug meta-engineering (2009.02.25 Dempsky): overflow examples in my qmail paper: That’s a silly objection. of an unchecked counter automatic array extensions; We need invulnerable systems, copied into compressed packets. partitioning variables and we need them today, to make data flow visible;

Decompressing those packets even if they are 10¢ slower automatic updates of produces incorrect results. than our current systems. “summary” variables; Problem for packets that mix Tomorrow we’ll make them faster. abstraction for testability. data from different sources. Most CPU time is consumed “Okay, we can achieve Impact: If administrator of by a very small portion much smaller bug rates. lsec.be copies foo.lsec.be of all the system’s code. But in a large system from an untrusted third party, Most large-integer overheads we’ll still have many bugs, the third party can control are removed by smart compilers. including many security holes!” cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. Security hole in djbdns “Large-integer libraries are slow!” More anti-bug meta-engineering (2009.02.25 Dempsky): overflow examples in my qmail paper: That’s a silly objection. of an unchecked counter automatic array extensions; We need invulnerable systems, copied into compressed packets. partitioning variables and we need them today, to make data flow visible;

Decompressing those packets even if they are 10¢ slower automatic updates of produces incorrect results. than our current systems. “summary” variables; Problem for packets that mix Tomorrow we’ll make them faster. abstraction for testability. data from different sources. Most CPU time is consumed “Okay, we can achieve Impact: If administrator of by a very small portion much smaller bug rates. lsec.be copies foo.lsec.be of all the system’s code. But in a large system from an untrusted third party, Most large-integer overheads we’ll still have many bugs, the third party can control are removed by smart compilers. including many security holes!” cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. Security hole in djbdns “Large-integer libraries are slow!” More anti-bug meta-engineering (2009.02.25 Dempsky): overflow examples in my qmail paper: That’s a silly objection. of an unchecked counter automatic array extensions; We need invulnerable systems, copied into compressed packets. partitioning variables and we need them today, to make data flow visible;

Decompressing those packets even if they are 10¢ slower automatic updates of produces incorrect results. than our current systems. “summary” variables; Problem for packets that mix Tomorrow we’ll make them faster. abstraction for testability. data from different sources. Most CPU time is consumed “Okay, we can achieve Impact: If administrator of by a very small portion much smaller bug rates. lsec.be copies foo.lsec.be of all the system’s code. But in a large system from an untrusted third party, Most large-integer overheads we’ll still have many bugs, the third party can control are removed by smart compilers. including many security holes!” cache entries for lsec.be, Occasional exceptions can be not just foo.lsec.be. handled manually at low cost. “Large-integer libraries are slow!” More anti-bug meta-engineering examples in my qmail paper: That’s a silly objection. automatic array extensions; We need invulnerable systems, partitioning variables and we need them today, to make data flow visible; even if they are 10¢ slower automatic updates of than our current systems. “summary” variables; Tomorrow we’ll make them faster. abstraction for testability. Most CPU time is consumed “Okay, we can achieve by a very small portion much smaller bug rates. of all the system’s code. But in a large system Most large-integer overheads we’ll still have many bugs, are removed by smart compilers. including many security holes!” Occasional exceptions can be handled manually at low cost. “Large-integer libraries are slow!” More anti-bug meta-engineering Eliminating code examples in my qmail paper: That’s a silly objection. Measure code rate of automatic array extensions; We need invulnerable systems, software-engineering processes. partitioning variables and we need them today, to make data flow visible; Meta-engineer processes even if they are 10¢ slower automatic updates of that spend less code than our current systems. “summary” variables; to get the same job done. Tomorrow we’ll make them faster. abstraction for testability. Note: progress is quantified. Most CPU time is consumed “Okay, we can achieve This is another classic topic by a very small portion much smaller bug rates. of software-engineering research. of all the system’s code. But in a large system Combines reasonably well Most large-integer overheads we’ll still have many bugs, with reducing bug rate. are removed by smart compilers. including many security holes!” Occasional exceptions can be handled manually at low cost. “Large-integer libraries are slow!” More anti-bug meta-engineering Eliminating code examples in my qmail paper: That’s a silly objection. Measure code rate of automatic array extensions; We need invulnerable systems, software-engineering processes. partitioning variables and we need them today, to make data flow visible; Meta-engineer processes even if they are 10¢ slower automatic updates of that spend less code than our current systems. “summary” variables; to get the same job done. Tomorrow we’ll make them faster. abstraction for testability. Note: progress is quantified. Most CPU time is consumed “Okay, we can achieve This is another classic topic by a very small portion much smaller bug rates. of software-engineering research. of all the system’s code. But in a large system Combines reasonably well Most large-integer overheads we’ll still have many bugs, with reducing bug rate. are removed by smart compilers. including many security holes!” Occasional exceptions can be handled manually at low cost. “Large-integer libraries are slow!” More anti-bug meta-engineering Eliminating code examples in my qmail paper: That’s a silly objection. Measure code rate of automatic array extensions; We need invulnerable systems, software-engineering processes. partitioning variables and we need them today, to make data flow visible; Meta-engineer processes even if they are 10¢ slower automatic updates of that spend less code than our current systems. “summary” variables; to get the same job done. Tomorrow we’ll make them faster. abstraction for testability. Note: progress is quantified. Most CPU time is consumed “Okay, we can achieve This is another classic topic by a very small portion much smaller bug rates. of software-engineering research. of all the system’s code. But in a large system Combines reasonably well Most large-integer overheads we’ll still have many bugs, with reducing bug rate. are removed by smart compilers. including many security holes!” Occasional exceptions can be handled manually at low cost. More anti-bug meta-engineering Eliminating code examples in my qmail paper: Measure code rate of automatic array extensions; software-engineering processes. partitioning variables to make data flow visible; Meta-engineer processes automatic updates of that spend less code “summary” variables; to get the same job done. abstraction for testability. Note: progress is quantified. “Okay, we can achieve This is another classic topic much smaller bug rates. of software-engineering research. But in a large system Combines reasonably well we’ll still have many bugs, with reducing bug rate. including many security holes!” More anti-bug meta-engineering Eliminating code Example where qmail did well: examples in my qmail paper: reusing access-control code. Measure code rate of automatic array extensions; software-engineering processes. A story from twenty years ago: partitioning variables My .forward ran a program to make data flow visible; Meta-engineer processes creating a new file in /tmp. automatic updates of that spend less code Surprise: the program was “summary” variables; to get the same job done. sometimes run under another uid! abstraction for testability. Note: progress is quantified. How Sendmail handles .forward: “Okay, we can achieve This is another classic topic Check whether user can read it. much smaller bug rates. of software-engineering research. (Prohibit symlinks to secrets!) But in a large system Combines reasonably well Extract delivery instructions. we’ll still have many bugs, with reducing bug rate. Keep track (often via queue file) including many security holes!” of instructions and user.

Many disastrous bugs here. More anti-bug meta-engineering Eliminating code Example where qmail did well: examples in my qmail paper: reusing access-control code. Measure code rate of automatic array extensions; software-engineering processes. A story from twenty years ago: partitioning variables My .forward ran a program to make data flow visible; Meta-engineer processes creating a new file in /tmp. automatic updates of that spend less code Surprise: the program was “summary” variables; to get the same job done. sometimes run under another uid! abstraction for testability. Note: progress is quantified. How Sendmail handles .forward: “Okay, we can achieve This is another classic topic Check whether user can read it. much smaller bug rates. of software-engineering research. (Prohibit symlinks to secrets!) But in a large system Combines reasonably well Extract delivery instructions. we’ll still have many bugs, with reducing bug rate. Keep track (often via queue file) including many security holes!” of instructions and user.

Many disastrous bugs here. More anti-bug meta-engineering Eliminating code Example where qmail did well: examples in my qmail paper: reusing access-control code. Measure code rate of automatic array extensions; software-engineering processes. A story from twenty years ago: partitioning variables My .forward ran a program to make data flow visible; Meta-engineer processes creating a new file in /tmp. automatic updates of that spend less code Surprise: the program was “summary” variables; to get the same job done. sometimes run under another uid! abstraction for testability. Note: progress is quantified. How Sendmail handles .forward: “Okay, we can achieve This is another classic topic Check whether user can read it. much smaller bug rates. of software-engineering research. (Prohibit symlinks to secrets!) But in a large system Combines reasonably well Extract delivery instructions. we’ll still have many bugs, with reducing bug rate. Keep track (often via queue file) including many security holes!” of instructions and user.

Many disastrous bugs here. Eliminating code Example where qmail did well: reusing access-control code. Measure code rate of software-engineering processes. A story from twenty years ago: My .forward ran a program Meta-engineer processes creating a new file in /tmp. that spend less code Surprise: the program was to get the same job done. sometimes run under another uid! Note: progress is quantified. How Sendmail handles .forward: This is another classic topic Check whether user can read it. of software-engineering research. (Prohibit symlinks to secrets!) Combines reasonably well Extract delivery instructions. with reducing bug rate. Keep track (often via queue file) of instructions and user.

Many disastrous bugs here. Eliminating code Example where qmail did well: Kernel already tracks users. reusing access-control code. Kernel already checks readability. Measure code rate of Why not reuse this code? software-engineering processes. A story from twenty years ago: My .forward ran a program How qmail delivers to a user: Meta-engineer processes creating a new file in /tmp. Start qmail-local that spend less code Surprise: the program was under the right uid. to get the same job done. sometimes run under another uid! Note: progress is quantified. When qmail-local reads How Sendmail handles .forward: the user’s delivery instructions, This is another classic topic Check whether user can read it. the kernel checks readability. of software-engineering research. (Prohibit symlinks to secrets!) When qmail-local runs a Combines reasonably well Extract delivery instructions. program, the kernel assigns with reducing bug rate. Keep track (often via queue file) the same uid to that program. of instructions and user. No extra code required!

Many disastrous bugs here. Eliminating code Example where qmail did well: Kernel already tracks users. reusing access-control code. Kernel already checks readability. Measure code rate of Why not reuse this code? software-engineering processes. A story from twenty years ago: My .forward ran a program How qmail delivers to a user: Meta-engineer processes creating a new file in /tmp. Start qmail-local that spend less code Surprise: the program was under the right uid. to get the same job done. sometimes run under another uid! Note: progress is quantified. When qmail-local reads How Sendmail handles .forward: the user’s delivery instructions, This is another classic topic Check whether user can read it. the kernel checks readability. of software-engineering research. (Prohibit symlinks to secrets!) When qmail-local runs a Combines reasonably well Extract delivery instructions. program, the kernel assigns with reducing bug rate. Keep track (often via queue file) the same uid to that program. of instructions and user. No extra code required!

Many disastrous bugs here. Eliminating code Example where qmail did well: Kernel already tracks users. reusing access-control code. Kernel already checks readability. Measure code rate of Why not reuse this code? software-engineering processes. A story from twenty years ago: My .forward ran a program How qmail delivers to a user: Meta-engineer processes creating a new file in /tmp. Start qmail-local that spend less code Surprise: the program was under the right uid. to get the same job done. sometimes run under another uid! Note: progress is quantified. When qmail-local reads How Sendmail handles .forward: the user’s delivery instructions, This is another classic topic Check whether user can read it. the kernel checks readability. of software-engineering research. (Prohibit symlinks to secrets!) When qmail-local runs a Combines reasonably well Extract delivery instructions. program, the kernel assigns with reducing bug rate. Keep track (often via queue file) the same uid to that program. of instructions and user. No extra code required!

Many disastrous bugs here. Example where qmail did well: Kernel already tracks users. reusing access-control code. Kernel already checks readability. Why not reuse this code? A story from twenty years ago: My .forward ran a program How qmail delivers to a user: creating a new file in /tmp. Start qmail-local Surprise: the program was under the right uid. sometimes run under another uid! When qmail-local reads How Sendmail handles .forward: the user’s delivery instructions, Check whether user can read it. the kernel checks readability. (Prohibit symlinks to secrets!) When qmail-local runs a Extract delivery instructions. program, the kernel assigns Keep track (often via queue file) the same uid to that program. of instructions and user. No extra code required!

Many disastrous bugs here. Example where qmail did well: Kernel already tracks users. Example where qmail and djbdns reusing access-control code. Kernel already checks readability. did badly: exception handling. Why not reuse this code? A story from twenty years ago: djbdns has thousands My .forward ran a program How qmail delivers to a user: of conditional branches. creating a new file in /tmp. Start qmail-local About half are simply Surprise: the program was under the right uid. checking for temporary errors. sometimes run under another uid! When qmail-local reads Same for qmail. How Sendmail handles .forward: the user’s delivery instructions, Easy to get wrong: e.g., Check whether user can read it. the kernel checks readability. “if ipme init() returned -1, (Prohibit symlinks to secrets!) When qmail-local runs a qmail-remote would continue” Extract delivery instructions. program, the kernel assigns (fixed in qmail 0.92). Keep track (often via queue file) the same uid to that program. Easily fixed by better language. of instructions and user. No extra code required!

Many disastrous bugs here. Example where qmail did well: Kernel already tracks users. Example where qmail and djbdns reusing access-control code. Kernel already checks readability. did badly: exception handling. Why not reuse this code? A story from twenty years ago: djbdns has thousands My .forward ran a program How qmail delivers to a user: of conditional branches. creating a new file in /tmp. Start qmail-local About half are simply Surprise: the program was under the right uid. checking for temporary errors. sometimes run under another uid! When qmail-local reads Same for qmail. How Sendmail handles .forward: the user’s delivery instructions, Easy to get wrong: e.g., Check whether user can read it. the kernel checks readability. “if ipme init() returned -1, (Prohibit symlinks to secrets!) When qmail-local runs a qmail-remote would continue” Extract delivery instructions. program, the kernel assigns (fixed in qmail 0.92). Keep track (often via queue file) the same uid to that program. Easily fixed by better language. of instructions and user. No extra code required!

Many disastrous bugs here. Example where qmail did well: Kernel already tracks users. Example where qmail and djbdns reusing access-control code. Kernel already checks readability. did badly: exception handling. Why not reuse this code? A story from twenty years ago: djbdns has thousands My .forward ran a program How qmail delivers to a user: of conditional branches. creating a new file in /tmp. Start qmail-local About half are simply Surprise: the program was under the right uid. checking for temporary errors. sometimes run under another uid! When qmail-local reads Same for qmail. How Sendmail handles .forward: the user’s delivery instructions, Easy to get wrong: e.g., Check whether user can read it. the kernel checks readability. “if ipme init() returned -1, (Prohibit symlinks to secrets!) When qmail-local runs a qmail-remote would continue” Extract delivery instructions. program, the kernel assigns (fixed in qmail 0.92). Keep track (often via queue file) the same uid to that program. Easily fixed by better language. of instructions and user. No extra code required!

Many disastrous bugs here. Kernel already tracks users. Example where qmail and djbdns Kernel already checks readability. did badly: exception handling. Why not reuse this code? djbdns has thousands How qmail delivers to a user: of conditional branches. Start qmail-local About half are simply under the right uid. checking for temporary errors. When qmail-local reads Same for qmail. the user’s delivery instructions, Easy to get wrong: e.g., the kernel checks readability. “if ipme init() returned -1, When qmail-local runs a qmail-remote would continue” program, the kernel assigns (fixed in qmail 0.92). the same uid to that program. Easily fixed by better language. No extra code required! Kernel already tracks users. Example where qmail and djbdns More small-code meta-engineering Kernel already checks readability. did badly: exception handling. examples in my qmail paper: Why not reuse this code? identifying common functions; djbdns has thousands reusing network tools; How qmail delivers to a user: of conditional branches. reusing the filesystem. Start qmail-local About half are simply under the right uid. checking for temporary errors. “Okay, we can build a system with less code, When qmail-local reads Same for qmail. and write code with fewer bugs. the user’s delivery instructions, Easy to get wrong: e.g., But in a large system the kernel checks readability. “if ipme init() returned -1, we’ll still have bugs, When qmail-local runs a qmail-remote would continue” including security holes!” program, the kernel assigns (fixed in qmail 0.92). the same uid to that program. Easily fixed by better language. No extra code required! Kernel already tracks users. Example where qmail and djbdns More small-code meta-engineering Kernel already checks readability. did badly: exception handling. examples in my qmail paper: Why not reuse this code? identifying common functions; djbdns has thousands reusing network tools; How qmail delivers to a user: of conditional branches. reusing the filesystem. Start qmail-local About half are simply under the right uid. checking for temporary errors. “Okay, we can build a system with less code, When qmail-local reads Same for qmail. and write code with fewer bugs. the user’s delivery instructions, Easy to get wrong: e.g., But in a large system the kernel checks readability. “if ipme init() returned -1, we’ll still have bugs, When qmail-local runs a qmail-remote would continue” including security holes!” program, the kernel assigns (fixed in qmail 0.92). the same uid to that program. Easily fixed by better language. No extra code required! Kernel already tracks users. Example where qmail and djbdns More small-code meta-engineering Kernel already checks readability. did badly: exception handling. examples in my qmail paper: Why not reuse this code? identifying common functions; djbdns has thousands reusing network tools; How qmail delivers to a user: of conditional branches. reusing the filesystem. Start qmail-local About half are simply under the right uid. checking for temporary errors. “Okay, we can build a system with less code, When qmail-local reads Same for qmail. and write code with fewer bugs. the user’s delivery instructions, Easy to get wrong: e.g., But in a large system the kernel checks readability. “if ipme init() returned -1, we’ll still have bugs, When qmail-local runs a qmail-remote would continue” including security holes!” program, the kernel assigns (fixed in qmail 0.92). the same uid to that program. Easily fixed by better language. No extra code required! Example where qmail and djbdns More small-code meta-engineering did badly: exception handling. examples in my qmail paper: identifying common functions; djbdns has thousands reusing network tools; of conditional branches. reusing the filesystem. About half are simply checking for temporary errors. “Okay, we can build a system with less code, Same for qmail. and write code with fewer bugs. Easy to get wrong: e.g., But in a large system “if ipme init() returned -1, we’ll still have bugs, qmail-remote would continue” including security holes!” (fixed in qmail 0.92). Easily fixed by better language. Example where qmail and djbdns More small-code meta-engineering Eliminating trusted code did badly: exception handling. examples in my qmail paper: Can architect computer systems identifying common functions; djbdns has thousands to place most of the code reusing network tools; of conditional branches. into untrusted prisons. reusing the filesystem. About half are simply Definition of “untrusted”: checking for temporary errors. “Okay, we can no matter what the code does, build a system with less code, Same for qmail. no matter how badly it behaves, and write code with fewer bugs. Easy to get wrong: e.g., no matter how many bugs it has, But in a large system “if ipme init() returned -1, it cannot violate the we’ll still have bugs, qmail-remote would continue” user’s security requirements. including security holes!” (fixed in qmail 0.92). Measure trusted code volume, Easily fixed by better language. and meta-engineer processes that reduce this volume. Note: progress is quantified. Example where qmail and djbdns More small-code meta-engineering Eliminating trusted code did badly: exception handling. examples in my qmail paper: Can architect computer systems identifying common functions; djbdns has thousands to place most of the code reusing network tools; of conditional branches. into untrusted prisons. reusing the filesystem. About half are simply Definition of “untrusted”: checking for temporary errors. “Okay, we can no matter what the code does, build a system with less code, Same for qmail. no matter how badly it behaves, and write code with fewer bugs. Easy to get wrong: e.g., no matter how many bugs it has, But in a large system “if ipme init() returned -1, it cannot violate the we’ll still have bugs, qmail-remote would continue” user’s security requirements. including security holes!” (fixed in qmail 0.92). Measure trusted code volume, Easily fixed by better language. and meta-engineer processes that reduce this volume. Note: progress is quantified. Example where qmail and djbdns More small-code meta-engineering Eliminating trusted code did badly: exception handling. examples in my qmail paper: Can architect computer systems identifying common functions; djbdns has thousands to place most of the code reusing network tools; of conditional branches. into untrusted prisons. reusing the filesystem. About half are simply Definition of “untrusted”: checking for temporary errors. “Okay, we can no matter what the code does, build a system with less code, Same for qmail. no matter how badly it behaves, and write code with fewer bugs. Easy to get wrong: e.g., no matter how many bugs it has, But in a large system “if ipme init() returned -1, it cannot violate the we’ll still have bugs, qmail-remote would continue” user’s security requirements. including security holes!” (fixed in qmail 0.92). Measure trusted code volume, Easily fixed by better language. and meta-engineer processes that reduce this volume. Note: progress is quantified. More small-code meta-engineering Eliminating trusted code examples in my qmail paper: Can architect computer systems identifying common functions; to place most of the code reusing network tools; into untrusted prisons. reusing the filesystem. Definition of “untrusted”: “Okay, we can no matter what the code does, build a system with less code, no matter how badly it behaves, and write code with fewer bugs. no matter how many bugs it has, But in a large system it cannot violate the we’ll still have bugs, user’s security requirements. including security holes!” Measure trusted code volume, and meta-engineer processes that reduce this volume. Note: progress is quantified. More small-code meta-engineering Eliminating trusted code Warning: “Minimizing privilege” examples in my qmail paper: rarely eliminates trusted code. Can architect computer systems identifying common functions; to place most of the code Every security mechanism, reusing network tools; into untrusted prisons. no matter how pointless, reusing the filesystem. says it’s “minimizing privilege.” Definition of “untrusted”: “Okay, we can This is not a useful concept. no matter what the code does, build a system with less code, no matter how badly it behaves, qmail and djbdns did very badly and write code with fewer bugs. no matter how many bugs it has, here: almost all code is trusted. But in a large system it cannot violate the I spent considerable effort we’ll still have bugs, user’s security requirements. “minimizing privilege”; stupid! including security holes!” This distracted me from Measure trusted code volume, eliminating trusted code. and meta-engineer processes that reduce this volume. Note: progress is quantified. More small-code meta-engineering Eliminating trusted code Warning: “Minimizing privilege” examples in my qmail paper: rarely eliminates trusted code. Can architect computer systems identifying common functions; to place most of the code Every security mechanism, reusing network tools; into untrusted prisons. no matter how pointless, reusing the filesystem. says it’s “minimizing privilege.” Definition of “untrusted”: “Okay, we can This is not a useful concept. no matter what the code does, build a system with less code, no matter how badly it behaves, qmail and djbdns did very badly and write code with fewer bugs. no matter how many bugs it has, here: almost all code is trusted. But in a large system it cannot violate the I spent considerable effort we’ll still have bugs, user’s security requirements. “minimizing privilege”; stupid! including security holes!” This distracted me from Measure trusted code volume, eliminating trusted code. and meta-engineer processes that reduce this volume. Note: progress is quantified. More small-code meta-engineering Eliminating trusted code Warning: “Minimizing privilege” examples in my qmail paper: rarely eliminates trusted code. Can architect computer systems identifying common functions; to place most of the code Every security mechanism, reusing network tools; into untrusted prisons. no matter how pointless, reusing the filesystem. says it’s “minimizing privilege.” Definition of “untrusted”: “Okay, we can This is not a useful concept. no matter what the code does, build a system with less code, no matter how badly it behaves, qmail and djbdns did very badly and write code with fewer bugs. no matter how many bugs it has, here: almost all code is trusted. But in a large system it cannot violate the I spent considerable effort we’ll still have bugs, user’s security requirements. “minimizing privilege”; stupid! including security holes!” This distracted me from Measure trusted code volume, eliminating trusted code. and meta-engineer processes that reduce this volume. Note: progress is quantified. Eliminating trusted code Warning: “Minimizing privilege” rarely eliminates trusted code. Can architect computer systems to place most of the code Every security mechanism, into untrusted prisons. no matter how pointless, says it’s “minimizing privilege.” Definition of “untrusted”: This is not a useful concept. no matter what the code does, no matter how badly it behaves, qmail and djbdns did very badly no matter how many bugs it has, here: almost all code is trusted. it cannot violate the I spent considerable effort user’s security requirements. “minimizing privilege”; stupid! This distracted me from Measure trusted code volume, eliminating trusted code. and meta-engineer processes that reduce this volume. Note: progress is quantified. Eliminating trusted code Warning: “Minimizing privilege” What are the user’s rarely eliminates trusted code. security requirements? Can architect computer systems to place most of the code Every security mechanism, My fundamental requirement: into untrusted prisons. no matter how pointless, The system keeps track says it’s “minimizing privilege.” of sources of data. Definition of “untrusted”: This is not a useful concept. no matter what the code does, When the system is asked

no matter how badly it behaves, qmail and djbdns did very badly for data from source X , no matter how many bugs it has, here: almost all code is trusted. it does not allow

it cannot violate the I spent considerable effort data from source Y user’s security requirements. “minimizing privilege”; stupid! to influence the result. This distracted me from Measure trusted code volume, Example: When I view an eliminating trusted code. and meta-engineer processes account statement from my bank, that reduce this volume. I am not seeing data from other Note: progress is quantified. web pages or email messages. Eliminating trusted code Warning: “Minimizing privilege” What are the user’s rarely eliminates trusted code. security requirements? Can architect computer systems to place most of the code Every security mechanism, My fundamental requirement: into untrusted prisons. no matter how pointless, The system keeps track says it’s “minimizing privilege.” of sources of data. Definition of “untrusted”: This is not a useful concept. no matter what the code does, When the system is asked

no matter how badly it behaves, qmail and djbdns did very badly for data from source X , no matter how many bugs it has, here: almost all code is trusted. it does not allow

it cannot violate the I spent considerable effort data from source Y user’s security requirements. “minimizing privilege”; stupid! to influence the result. This distracted me from Measure trusted code volume, Example: When I view an eliminating trusted code. and meta-engineer processes account statement from my bank, that reduce this volume. I am not seeing data from other Note: progress is quantified. web pages or email messages. Eliminating trusted code Warning: “Minimizing privilege” What are the user’s rarely eliminates trusted code. security requirements? Can architect computer systems to place most of the code Every security mechanism, My fundamental requirement: into untrusted prisons. no matter how pointless, The system keeps track says it’s “minimizing privilege.” of sources of data. Definition of “untrusted”: This is not a useful concept. no matter what the code does, When the system is asked

no matter how badly it behaves, qmail and djbdns did very badly for data from source X , no matter how many bugs it has, here: almost all code is trusted. it does not allow

it cannot violate the I spent considerable effort data from source Y user’s security requirements. “minimizing privilege”; stupid! to influence the result. This distracted me from Measure trusted code volume, Example: When I view an eliminating trusted code. and meta-engineer processes account statement from my bank, that reduce this volume. I am not seeing data from other Note: progress is quantified. web pages or email messages. Warning: “Minimizing privilege” What are the user’s rarely eliminates trusted code. security requirements? Every security mechanism, My fundamental requirement: no matter how pointless, The system keeps track says it’s “minimizing privilege.” of sources of data. This is not a useful concept. When the system is asked

qmail and djbdns did very badly for data from source X , here: almost all code is trusted. it does not allow

I spent considerable effort data from source Y “minimizing privilege”; stupid! to influence the result. This distracted me from Example: When I view an eliminating trusted code. account statement from my bank, I am not seeing data from other web pages or email messages. Warning: “Minimizing privilege” What are the user’s There is no obstacle to rarely eliminates trusted code. security requirements? centralization and minimization of source-tracking code. Every security mechanism, My fundamental requirement: Can and should be small enough no matter how pointless, The system keeps track to eliminate all bugs. says it’s “minimizing privilege.” of sources of data. This is not a useful concept. Classic military TCBs When the system is asked used very few lines of code qmail and djbdns did very badly for data from source X , to track (e.g.) Top Secret data. here: almost all code is trusted. it does not allow VAX VMM Security Kernel

I spent considerable effort data from source Y

had < 50000 lines of code. “minimizing privilege”; stupid! to influence the result. This distracted me from Minor programming problem to Example: When I view an eliminating trusted code. support arbitrary source labels account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. Warning: “Minimizing privilege” What are the user’s There is no obstacle to rarely eliminates trusted code. security requirements? centralization and minimization of source-tracking code. Every security mechanism, My fundamental requirement: Can and should be small enough no matter how pointless, The system keeps track to eliminate all bugs. says it’s “minimizing privilege.” of sources of data. This is not a useful concept. Classic military TCBs When the system is asked used very few lines of code qmail and djbdns did very badly for data from source X , to track (e.g.) Top Secret data. here: almost all code is trusted. it does not allow VAX VMM Security Kernel

I spent considerable effort data from source Y

had < 50000 lines of code. “minimizing privilege”; stupid! to influence the result. This distracted me from Minor programming problem to Example: When I view an eliminating trusted code. support arbitrary source labels account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. Warning: “Minimizing privilege” What are the user’s There is no obstacle to rarely eliminates trusted code. security requirements? centralization and minimization of source-tracking code. Every security mechanism, My fundamental requirement: Can and should be small enough no matter how pointless, The system keeps track to eliminate all bugs. says it’s “minimizing privilege.” of sources of data. This is not a useful concept. Classic military TCBs When the system is asked used very few lines of code qmail and djbdns did very badly for data from source X , to track (e.g.) Top Secret data. here: almost all code is trusted. it does not allow VAX VMM Security Kernel

I spent considerable effort data from source Y

had < 50000 lines of code. “minimizing privilege”; stupid! to influence the result. This distracted me from Minor programming problem to Example: When I view an eliminating trusted code. support arbitrary source labels account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. What are the user’s There is no obstacle to security requirements? centralization and minimization of source-tracking code. My fundamental requirement: Can and should be small enough The system keeps track to eliminate all bugs. of sources of data. Classic military TCBs When the system is asked used very few lines of code for data from source X , to track (e.g.) Top Secret data. it does not allow VAX VMM Security Kernel data from source Y

had < 50000 lines of code. to influence the result. Minor programming problem to Example: When I view an support arbitrary source labels account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. What are the user’s There is no obstacle to “Doesn’t the UNIX/Linux kernel security requirements? centralization and minimization already track sources?” of source-tracking code. My fundamental requirement: If I log into a system, Can and should be small enough The system keeps track the kernel copies my uid to eliminate all bugs. of sources of data. to my login process, Classic military TCBs to other processes I start, When the system is asked used very few lines of code to files I create, etc. for data from source X , to track (e.g.) Top Secret data. it does not allow But if I transfer data VAX VMM Security Kernel data from source Y to another user’s processes—

had < 50000 lines of code. to influence the result. through the network or a file— Minor programming problem to the kernel doesn’t remember Example: When I view an support arbitrary source labels that I’m the source. account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. What are the user’s There is no obstacle to “Doesn’t the UNIX/Linux kernel security requirements? centralization and minimization already track sources?” of source-tracking code. My fundamental requirement: If I log into a system, Can and should be small enough The system keeps track the kernel copies my uid to eliminate all bugs. of sources of data. to my login process, Classic military TCBs to other processes I start, When the system is asked used very few lines of code to files I create, etc. for data from source X , to track (e.g.) Top Secret data. it does not allow But if I transfer data VAX VMM Security Kernel data from source Y to another user’s processes—

had < 50000 lines of code. to influence the result. through the network or a file— Minor programming problem to the kernel doesn’t remember Example: When I view an support arbitrary source labels that I’m the source. account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. What are the user’s There is no obstacle to “Doesn’t the UNIX/Linux kernel security requirements? centralization and minimization already track sources?” of source-tracking code. My fundamental requirement: If I log into a system, Can and should be small enough The system keeps track the kernel copies my uid to eliminate all bugs. of sources of data. to my login process, Classic military TCBs to other processes I start, When the system is asked used very few lines of code to files I create, etc. for data from source X , to track (e.g.) Top Secret data. it does not allow But if I transfer data VAX VMM Security Kernel data from source Y to another user’s processes—

had < 50000 lines of code. to influence the result. through the network or a file— Minor programming problem to the kernel doesn’t remember Example: When I view an support arbitrary source labels that I’m the source. account statement from my bank, instead of Top Secret etc. I am not seeing data from other web pages or email messages. There is no obstacle to “Doesn’t the UNIX/Linux kernel centralization and minimization already track sources?” of source-tracking code. If I log into a system, Can and should be small enough the kernel copies my uid to eliminate all bugs. to my login process, Classic military TCBs to other processes I start, used very few lines of code to files I create, etc. to track (e.g.) Top Secret data. But if I transfer data VAX VMM Security Kernel to another user’s processes— had < 50000 lines of code. through the network or a file— Minor programming problem to the kernel doesn’t remember support arbitrary source labels that I’m the source. instead of Top Secret etc. There is no obstacle to “Doesn’t the UNIX/Linux kernel Source tracking today centralization and minimization already track sources?” is implemented by programmers of source-tracking code. writing web browsers, mail clients, If I log into a system, Can and should be small enough PHP scripts, etc. the kernel copies my uid to eliminate all bugs. to my login process, All of this code is trusted. Classic military TCBs to other processes I start, All other code in these programs used very few lines of code to files I create, etc. is also trusted, thanks to to track (e.g.) Top Secret data. nonexistent internal partitioning. But if I transfer data VAX VMM Security Kernel to another user’s processes— Your laptop has tens of millions had < 50000 lines of code. through the network or a file— of lines of trusted code written by Minor programming problem to the kernel doesn’t remember thousands of novice programmers. support arbitrary source labels that I’m the source. A screwup anywhere in that code instead of Top Secret etc. can violate security requirements. There is no obstacle to “Doesn’t the UNIX/Linux kernel Source tracking today centralization and minimization already track sources?” is implemented by programmers of source-tracking code. writing web browsers, mail clients, If I log into a system, Can and should be small enough PHP scripts, etc. the kernel copies my uid to eliminate all bugs. to my login process, All of this code is trusted. Classic military TCBs to other processes I start, All other code in these programs used very few lines of code to files I create, etc. is also trusted, thanks to to track (e.g.) Top Secret data. nonexistent internal partitioning. But if I transfer data VAX VMM Security Kernel to another user’s processes— Your laptop has tens of millions had < 50000 lines of code. through the network or a file— of lines of trusted code written by Minor programming problem to the kernel doesn’t remember thousands of novice programmers. support arbitrary source labels that I’m the source. A screwup anywhere in that code instead of Top Secret etc. can violate security requirements. There is no obstacle to “Doesn’t the UNIX/Linux kernel Source tracking today centralization and minimization already track sources?” is implemented by programmers of source-tracking code. writing web browsers, mail clients, If I log into a system, Can and should be small enough PHP scripts, etc. the kernel copies my uid to eliminate all bugs. to my login process, All of this code is trusted. Classic military TCBs to other processes I start, All other code in these programs used very few lines of code to files I create, etc. is also trusted, thanks to to track (e.g.) Top Secret data. nonexistent internal partitioning. But if I transfer data VAX VMM Security Kernel to another user’s processes— Your laptop has tens of millions had < 50000 lines of code. through the network or a file— of lines of trusted code written by Minor programming problem to the kernel doesn’t remember thousands of novice programmers. support arbitrary source labels that I’m the source. A screwup anywhere in that code instead of Top Secret etc. can violate security requirements. “Doesn’t the UNIX/Linux kernel Source tracking today already track sources?” is implemented by programmers writing web browsers, mail clients, If I log into a system, PHP scripts, etc. the kernel copies my uid to my login process, All of this code is trusted. to other processes I start, All other code in these programs to files I create, etc. is also trusted, thanks to nonexistent internal partitioning. But if I transfer data to another user’s processes— Your laptop has tens of millions through the network or a file— of lines of trusted code written by the kernel doesn’t remember thousands of novice programmers. that I’m the source. A screwup anywhere in that code can violate security requirements. “Doesn’t the UNIX/Linux kernel Source tracking today “Teach every programmer already track sources?” is implemented by programmers how to write secure code.” writing web browsers, mail clients, If I log into a system, No, no, no! PHP scripts, etc. the kernel copies my uid If every programmer to my login process, All of this code is trusted. is writing trusted code to other processes I start, All other code in these programs then the system has to files I create, etc. is also trusted, thanks to far too much trusted code. nonexistent internal partitioning. But if I transfer data We need new systems to another user’s processes— Your laptop has tens of millions with far less trusted code. through the network or a file— of lines of trusted code written by Enforce security in TCB the kernel doesn’t remember thousands of novice programmers. so that typical programmers that I’m the source. A screwup anywhere in that code don’t have to worry about it. can violate security requirements. “Doesn’t the UNIX/Linux kernel Source tracking today “Teach every programmer already track sources?” is implemented by programmers how to write secure code.” writing web browsers, mail clients, If I log into a system, No, no, no! PHP scripts, etc. the kernel copies my uid If every programmer to my login process, All of this code is trusted. is writing trusted code to other processes I start, All other code in these programs then the system has to files I create, etc. is also trusted, thanks to far too much trusted code. nonexistent internal partitioning. But if I transfer data We need new systems to another user’s processes— Your laptop has tens of millions with far less trusted code. through the network or a file— of lines of trusted code written by Enforce security in TCB the kernel doesn’t remember thousands of novice programmers. so that typical programmers that I’m the source. A screwup anywhere in that code don’t have to worry about it. can violate security requirements. “Doesn’t the UNIX/Linux kernel Source tracking today “Teach every programmer already track sources?” is implemented by programmers how to write secure code.” writing web browsers, mail clients, If I log into a system, No, no, no! PHP scripts, etc. the kernel copies my uid If every programmer to my login process, All of this code is trusted. is writing trusted code to other processes I start, All other code in these programs then the system has to files I create, etc. is also trusted, thanks to far too much trusted code. nonexistent internal partitioning. But if I transfer data We need new systems to another user’s processes— Your laptop has tens of millions with far less trusted code. through the network or a file— of lines of trusted code written by Enforce security in TCB the kernel doesn’t remember thousands of novice programmers. so that typical programmers that I’m the source. A screwup anywhere in that code don’t have to worry about it. can violate security requirements. Source tracking today “Teach every programmer is implemented by programmers how to write secure code.” writing web browsers, mail clients, No, no, no! PHP scripts, etc. If every programmer All of this code is trusted. is writing trusted code All other code in these programs then the system has is also trusted, thanks to far too much trusted code. nonexistent internal partitioning. We need new systems Your laptop has tens of millions with far less trusted code. of lines of trusted code written by Enforce security in TCB thousands of novice programmers. so that typical programmers A screwup anywhere in that code don’t have to worry about it. can violate security requirements. Source tracking today “Teach every programmer Imagine a TCB tracking sources. is implemented by programmers how to write secure code.” Alice’s process reads Bob’s file. writing web browsers, mail clients, No, no, no! TCB automatically labels PHP scripts, etc. If every programmer process as /Alice/Bob. All of this code is trusted. is writing trusted code Process creates a file. All other code in these programs then the system has TCB automatically labels is also trusted, thanks to far too much trusted code. file as /Alice/Bob nonexistent internal partitioning. We need new systems (and refuses to touch a file Your laptop has tens of millions with far less trusted code. labelled only /Alice). of lines of trusted code written by Enforce security in TCB Joe’s process reads the file thousands of novice programmers. so that typical programmers and another file from Charlie. A screwup anywhere in that code don’t have to worry about it. Process then has two labels: can violate security requirements. /Joe/Alice/Bob; /Joe/Charlie. Source tracking today “Teach every programmer Imagine a TCB tracking sources. is implemented by programmers how to write secure code.” Alice’s process reads Bob’s file. writing web browsers, mail clients, No, no, no! TCB automatically labels PHP scripts, etc. If every programmer process as /Alice/Bob. All of this code is trusted. is writing trusted code Process creates a file. All other code in these programs then the system has TCB automatically labels is also trusted, thanks to far too much trusted code. file as /Alice/Bob nonexistent internal partitioning. We need new systems (and refuses to touch a file Your laptop has tens of millions with far less trusted code. labelled only /Alice). of lines of trusted code written by Enforce security in TCB Joe’s process reads the file thousands of novice programmers. so that typical programmers and another file from Charlie. A screwup anywhere in that code don’t have to worry about it. Process then has two labels: can violate security requirements. /Joe/Alice/Bob; /Joe/Charlie. Source tracking today “Teach every programmer Imagine a TCB tracking sources. is implemented by programmers how to write secure code.” Alice’s process reads Bob’s file. writing web browsers, mail clients, No, no, no! TCB automatically labels PHP scripts, etc. If every programmer process as /Alice/Bob. All of this code is trusted. is writing trusted code Process creates a file. All other code in these programs then the system has TCB automatically labels is also trusted, thanks to far too much trusted code. file as /Alice/Bob nonexistent internal partitioning. We need new systems (and refuses to touch a file Your laptop has tens of millions with far less trusted code. labelled only /Alice). of lines of trusted code written by Enforce security in TCB Joe’s process reads the file thousands of novice programmers. so that typical programmers and another file from Charlie. A screwup anywhere in that code don’t have to worry about it. Process then has two labels: can violate security requirements. /Joe/Alice/Bob; /Joe/Charlie. “Teach every programmer Imagine a TCB tracking sources. how to write secure code.” Alice’s process reads Bob’s file. No, no, no! TCB automatically labels If every programmer process as /Alice/Bob. is writing trusted code Process creates a file. then the system has TCB automatically labels far too much trusted code. file as /Alice/Bob We need new systems (and refuses to touch a file with far less trusted code. labelled only /Alice). Enforce security in TCB Joe’s process reads the file so that typical programmers and another file from Charlie. don’t have to worry about it. Process then has two labels: /Joe/Alice/Bob; /Joe/Charlie. “Teach every programmer Imagine a TCB tracking sources. A web-browsing process how to write secure code.” that reads from mbna.com Alice’s process reads Bob’s file. and from nytimes.com No, no, no! TCB automatically labels will have both labels. If every programmer process as /Alice/Bob. TCB won’t allow process is writing trusted code Process creates a file. to write under just one label. then the system has TCB automatically labels far too much trusted code. Solution 1: Rewrite browser file as /Alice/Bob in the classic UNIX style, We need new systems (and refuses to touch a file one process for each page. with far less trusted code. labelled only /Alice). Enforce security in TCB Solution 2: Track sources Joe’s process reads the file so that typical programmers separately for each variable and another file from Charlie. don’t have to worry about it. inside the web-browsing process. Process then has two labels: /Joe/Alice/Bob; /Joe/Charlie. “Teach every programmer Imagine a TCB tracking sources. A web-browsing process how to write secure code.” that reads from mbna.com Alice’s process reads Bob’s file. and from nytimes.com No, no, no! TCB automatically labels will have both labels. If every programmer process as /Alice/Bob. TCB won’t allow process is writing trusted code Process creates a file. to write under just one label. then the system has TCB automatically labels far too much trusted code. Solution 1: Rewrite browser file as /Alice/Bob in the classic UNIX style, We need new systems (and refuses to touch a file one process for each page. with far less trusted code. labelled only /Alice). Enforce security in TCB Solution 2: Track sources Joe’s process reads the file so that typical programmers separately for each variable and another file from Charlie. don’t have to worry about it. inside the web-browsing process. Process then has two labels: /Joe/Alice/Bob; /Joe/Charlie. “Teach every programmer Imagine a TCB tracking sources. A web-browsing process how to write secure code.” that reads from mbna.com Alice’s process reads Bob’s file. and from nytimes.com No, no, no! TCB automatically labels will have both labels. If every programmer process as /Alice/Bob. TCB won’t allow process is writing trusted code Process creates a file. to write under just one label. then the system has TCB automatically labels far too much trusted code. Solution 1: Rewrite browser file as /Alice/Bob in the classic UNIX style, We need new systems (and refuses to touch a file one process for each page. with far less trusted code. labelled only /Alice). Enforce security in TCB Solution 2: Track sources Joe’s process reads the file so that typical programmers separately for each variable and another file from Charlie. don’t have to worry about it. inside the web-browsing process. Process then has two labels: /Joe/Alice/Bob; /Joe/Charlie. Imagine a TCB tracking sources. A web-browsing process that reads from mbna.com Alice’s process reads Bob’s file. and from nytimes.com TCB automatically labels will have both labels. process as /Alice/Bob. TCB won’t allow process Process creates a file. to write under just one label. TCB automatically labels Solution 1: Rewrite browser file as /Alice/Bob in the classic UNIX style, (and refuses to touch a file one process for each page. labelled only /Alice). Solution 2: Track sources Joe’s process reads the file separately for each variable and another file from Charlie. inside the web-browsing process. Process then has two labels: /Joe/Alice/Bob; /Joe/Charlie. Imagine a TCB tracking sources. A web-browsing process Suppose a DNS cache that reads from mbna.com receives a packet from Alice’s process reads Bob’s file. and from nytimes.com the microsoft.com servers TCB automatically labels will have both labels. with www.google.com data. process as /Alice/Bob. TCB won’t allow process Packet is a string. Process creates a file. to write under just one label. TCB attaches to the string TCB automatically labels Solution 1: Rewrite browser a microsoft.com source label. file as /Alice/Bob in the classic UNIX style, (and refuses to touch a file Packet-parsing code one process for each page. labelled only /Alice). extracts www.google.com Solution 2: Track sources information from the packet. Joe’s process reads the file separately for each variable and another file from Charlie. TCB automatically copies inside the web-browsing process. Process then has two labels: the microsoft.com source label /Joe/Alice/Bob; /Joe/Charlie. to derived variables such as the string www.google.com. Imagine a TCB tracking sources. A web-browsing process Suppose a DNS cache that reads from mbna.com receives a packet from Alice’s process reads Bob’s file. and from nytimes.com the microsoft.com servers TCB automatically labels will have both labels. with www.google.com data. process as /Alice/Bob. TCB won’t allow process Packet is a string. Process creates a file. to write under just one label. TCB attaches to the string TCB automatically labels Solution 1: Rewrite browser a microsoft.com source label. file as /Alice/Bob in the classic UNIX style, (and refuses to touch a file Packet-parsing code one process for each page. labelled only /Alice). extracts www.google.com Solution 2: Track sources information from the packet. Joe’s process reads the file separately for each variable and another file from Charlie. TCB automatically copies inside the web-browsing process. Process then has two labels: the microsoft.com source label /Joe/Alice/Bob; /Joe/Charlie. to derived variables such as the string www.google.com. Imagine a TCB tracking sources. A web-browsing process Suppose a DNS cache that reads from mbna.com receives a packet from Alice’s process reads Bob’s file. and from nytimes.com the microsoft.com servers TCB automatically labels will have both labels. with www.google.com data. process as /Alice/Bob. TCB won’t allow process Packet is a string. Process creates a file. to write under just one label. TCB attaches to the string TCB automatically labels Solution 1: Rewrite browser a microsoft.com source label. file as /Alice/Bob in the classic UNIX style, (and refuses to touch a file Packet-parsing code one process for each page. labelled only /Alice). extracts www.google.com Solution 2: Track sources information from the packet. Joe’s process reads the file separately for each variable and another file from Charlie. TCB automatically copies inside the web-browsing process. Process then has two labels: the microsoft.com source label /Joe/Alice/Bob; /Joe/Charlie. to derived variables such as the string www.google.com. A web-browsing process Suppose a DNS cache that reads from mbna.com receives a packet from and from nytimes.com the microsoft.com servers will have both labels. with www.google.com data. TCB won’t allow process Packet is a string. to write under just one label. TCB attaches to the string Solution 1: Rewrite browser a microsoft.com source label. in the classic UNIX style, Packet-parsing code one process for each page. extracts www.google.com Solution 2: Track sources information from the packet. separately for each variable TCB automatically copies inside the web-browsing process. the microsoft.com source label to derived variables such as the string www.google.com. A web-browsing process Suppose a DNS cache The cache remembers information that reads from mbna.com receives a packet from in a big associative array. and from nytimes.com the microsoft.com servers Post-packet-parsing code will have both labels. with www.google.com data. tries to store www.google.com TCB won’t allow process Packet is a string. in the associative array. to write under just one label. TCB attaches to the string Cache policy: only root, .com, Solution 1: Rewrite browser a microsoft.com source label. .google.com, .www.google.com in the classic UNIX style, Packet-parsing code are allowed to store one process for each page. extracts www.google.com www.google.com information. Solution 2: Track sources information from the packet. TCB enforces this policy: separately for each variable TCB automatically copies sees microsoft.com label, inside the web-browsing process. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. A web-browsing process Suppose a DNS cache The cache remembers information that reads from mbna.com receives a packet from in a big associative array. and from nytimes.com the microsoft.com servers Post-packet-parsing code will have both labels. with www.google.com data. tries to store www.google.com TCB won’t allow process Packet is a string. in the associative array. to write under just one label. TCB attaches to the string Cache policy: only root, .com, Solution 1: Rewrite browser a microsoft.com source label. .google.com, .www.google.com in the classic UNIX style, Packet-parsing code are allowed to store one process for each page. extracts www.google.com www.google.com information. Solution 2: Track sources information from the packet. TCB enforces this policy: separately for each variable TCB automatically copies sees microsoft.com label, inside the web-browsing process. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. A web-browsing process Suppose a DNS cache The cache remembers information that reads from mbna.com receives a packet from in a big associative array. and from nytimes.com the microsoft.com servers Post-packet-parsing code will have both labels. with www.google.com data. tries to store www.google.com TCB won’t allow process Packet is a string. in the associative array. to write under just one label. TCB attaches to the string Cache policy: only root, .com, Solution 1: Rewrite browser a microsoft.com source label. .google.com, .www.google.com in the classic UNIX style, Packet-parsing code are allowed to store one process for each page. extracts www.google.com www.google.com information. Solution 2: Track sources information from the packet. TCB enforces this policy: separately for each variable TCB automatically copies sees microsoft.com label, inside the web-browsing process. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. Suppose a DNS cache The cache remembers information receives a packet from in a big associative array. the microsoft.com servers Post-packet-parsing code with www.google.com data. tries to store www.google.com Packet is a string. in the associative array. TCB attaches to the string Cache policy: only root, .com, a microsoft.com source label. .google.com, .www.google.com Packet-parsing code are allowed to store extracts www.google.com www.google.com information. information from the packet. TCB enforces this policy: TCB automatically copies sees microsoft.com label, the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. Suppose a DNS cache The cache remembers information How much code is required receives a packet from in a big associative array. for a TCB that enforces the microsoft.com servers source-tracking policy Post-packet-parsing code with www.google.com data. against all other code? tries to store www.google.com Packet is a string. in the associative array. How many bugs do we expect TCB attaches to the string in a TCB of this size? Cache policy: only root, .com, a microsoft.com source label. Note: Can afford expensive .google.com, .www.google.com techniques to reduce bug rate. Packet-parsing code are allowed to store extracts www.google.com www.google.com information. If code volume is small enough, information from the packet. and bug rate is small enough, TCB enforces this policy: then we will be confident TCB automatically copies sees microsoft.com label, that sources are tracked. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. Suppose a DNS cache The cache remembers information How much code is required receives a packet from in a big associative array. for a TCB that enforces the microsoft.com servers source-tracking policy Post-packet-parsing code with www.google.com data. against all other code? tries to store www.google.com Packet is a string. in the associative array. How many bugs do we expect TCB attaches to the string in a TCB of this size? Cache policy: only root, .com, a microsoft.com source label. Note: Can afford expensive .google.com, .www.google.com techniques to reduce bug rate. Packet-parsing code are allowed to store extracts www.google.com www.google.com information. If code volume is small enough, information from the packet. and bug rate is small enough, TCB enforces this policy: then we will be confident TCB automatically copies sees microsoft.com label, that sources are tracked. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. Suppose a DNS cache The cache remembers information How much code is required receives a packet from in a big associative array. for a TCB that enforces the microsoft.com servers source-tracking policy Post-packet-parsing code with www.google.com data. against all other code? tries to store www.google.com Packet is a string. in the associative array. How many bugs do we expect TCB attaches to the string in a TCB of this size? Cache policy: only root, .com, a microsoft.com source label. Note: Can afford expensive .google.com, .www.google.com techniques to reduce bug rate. Packet-parsing code are allowed to store extracts www.google.com www.google.com information. If code volume is small enough, information from the packet. and bug rate is small enough, TCB enforces this policy: then we will be confident TCB automatically copies sees microsoft.com label, that sources are tracked. the microsoft.com source label refuses www.google.com data. to derived variables such as the string www.google.com. The cache remembers information How much code is required in a big associative array. for a TCB that enforces source-tracking policy Post-packet-parsing code against all other code? tries to store www.google.com in the associative array. How many bugs do we expect in a TCB of this size? Cache policy: only root, .com, Note: Can afford expensive .google.com, .www.google.com techniques to reduce bug rate. are allowed to store www.google.com information. If code volume is small enough, and bug rate is small enough, TCB enforces this policy: then we will be confident sees microsoft.com label, that sources are tracked. refuses www.google.com data.