Talking about security is “funny”. Like looking how
people react to security issues
or talking with other
developers in #gnome-hackers, where I recently claimed that
GNOME’s security sucks and got quite a backlash. Since
writing multimedia players like GStreamer or Swfdec made me
think about security (I’m still far from expert
unfortunately), I’d like to elaborate a bit on that.

Let me first mention one important thing: I don’t just
consider crashes to be stuff that shouldn’t happen.
Everything that disrupts the user’s computing experience
should not happen. Taking too many CPU ressources or too
much memory for too long effects other applications
negatively, so it should be avoided.

The biggest problem for me has always been the question of
trust. When interpreting data I have to ask myself if I
trust that data or not. If I have a number that says
“allocate this much memory”, I better trust it to report a
correct size or I’ll get an out-of-memory problem. A worse
problem are pointers: read (or write to) the memory pointed
to by this address. If you can’t trust a pointer you’ll
likely get a segfault. So you better trust every pointer in
your app. Note that this includes modifying pointers (like
array indexing), which should only be done with trusted
values. Stuff like that quickly gets my head spinning about
which values are trusted and which aren’t. Another example:
Do we trust this string to be valid UTF-8?

A lot of data is read from files these days. Now, what files
can application developers trust? Apparently we trust all
the data a user doesn’t have write access to, since I can
make apps crash easily by removing Glade files, icons or
linked-in libraries. But should applications trust stuff in
the user’s home directory?

Currently a lot of applications trust stuff in the user’s
directories unconditionally. Bash and X execute files in
there for example. However epiphany allows you to save files
from the web in there, too. What do you think clueless users
would do when a web site tells them to download a file named
.xinitrc? Probably nothing, since .xinitrc must be
executable in order to get executed, but we’re already very
close to running “rm -rf ~” on login here. And of course we
suddenly have a lot of untrusted files in the user’s home
directory. Nautilus for example knows this, since the
thumbnailing process has brought down Nautilus quite often
in the past. But I bet a lot of other applications don’t
think about that.

And then there’s the fact that it’s apparently dead
easy to find security holes in Free Software
while Windows
products have been exploited
by those issues in the
past.
So I guess when the Linux desktop gets interesting for
crackers, we’ll be in for quite a ride. And by “we”, I’m
talking about every application that reads files.