[56] in WWW Security List Archive
Re: GSS API (as a DLL)...
daemon@ATHENA.MIT.EDU (Alec H. Peterson)
Wed Aug 17 19:39:58 1994
From: "Alec H. Peterson" <chuckie@panix.com>
To: rpa@netcom.com (Ramin Firoozye)
Date: Wed, 17 Aug 1994 16:46:01 -0400 (EDT)
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <199408171803.LAA20899@netcom10.netcom.com> from "Ramin Firoozye" at Aug 17, 94 11:03:29 am
Ramin Firoozye writes:
[...]
>
>The BIG problem specific to security DLLs is that someone bent on breaking
>security can write a "wrapper" DLL around a security DLL, store all the
>stuff it gets from the caller, pass on the result onto the actual DLL and
>store away the replies as well before passing the reply back up to the
>caller. In other words, it becomes much easier to implement a "spoof the
>login" type scheme.
This is one of the reasons why most (if not all) applications that deal with
secure data (like /bin/login and /bin/su) should be statically linked.
Alec
--
Alec Peterson Panix Public Access UNIX and Internet
chuckie@panix.com New York City, NY
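
The static-linking advice above can be audited on ELF systems by checking whether a binary asks for the dynamic loader. The following is an added example, not part of the original message; the names `linkage` and `make_elf64` are hypothetical and the sample headers are constructed inline.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification

def linkage(image: bytes) -> str:
    """Return 'static' or 'dynamic' for an ELF image, judged by its program headers."""
    if image[:4] != b"\x7fELF" or len(image) < 6:
        raise ValueError("not an ELF image")
    is64 = {1: False, 2: True}.get(image[4])   # EI_CLASS
    end = {1: "<", 2: ">"}.get(image[5])       # EI_DATA
    if is64 is None or end is None:
        raise ValueError("bad EI_CLASS or EI_DATA")
    try:
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", image, 32)
            entsize, phnum = struct.unpack_from(end + "HH", image, 54)
        else:
            (phoff,) = struct.unpack_from(end + "I", image, 28)
            entsize, phnum = struct.unpack_from(end + "HH", image, 42)
        # p_type is the first 32-bit field of every program header in both classes.
        types = {struct.unpack_from(end + "I", image, phoff + i * entsize)[0]
                 for i in range(phnum)}
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    # Conservative: static-PIE files also carry PT_DYNAMIC and get flagged for review.
    return "dynamic" if types & {PT_DYNAMIC, PT_INTERP} else "static"

def make_elf64(ptypes):
    """Constructed sample input: ELF64 little-endian header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56,
                         len(ptypes), 0, 0, 0)
    return ident + header + b"".join(
        struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

if __name__ == "__main__":
    print(linkage(make_elf64([1, 1])))       # PT_LOAD only
    print(linkage(make_elf64([1, 3, 2])))    # PT_LOAD, PT_INTERP, PT_DYNAMIC
    for path in ("/bin/login", "/bin/su"):   # the programs named in the message
        try:
            with open(path, "rb") as fh:
                print(path, linkage(fh.read()))
        except (OSError, ValueError) as exc:
            print(path, "skipped:", exc)
```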