30C3 video: "X Security: it's worse than it looks"
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Dec 31 10:11:29 PST 2013
Ilja van Sprundel, the security researcher who reported the pile of
client side security bugs that led to our big advisory in May, has
given another talk on X security, this time at last week's
30th Chaos Communication Congress (30C3) in Hamburg, Germany.
The video has been posted to
http://media.ccc.de/browse/congress/2013/30C3_-_5499_-_en_-_saal_1_-_201312291830_-_x_security_-_ilja_van_sprundel.html
The first half covers those client-side issues, as well as those higher
in the stack in the toolkits. The second half talks about what he's
been looking at on the server side since then. (Key quotes: "GLX is
a horrible demotivator! 80,000 lines of sheer terror." and "In the past
couple of months I've found 120 bugs there, and I'm not close to done." )
I think it's mostly accurate (there's a couple minor details to quibble
with, and there's a bit about 10-15 minutes in everyone can fast forward
through). His point about today's world being much different than when
X was created, and nearly 30 year old hand written binary protocol parsing
code not being the best idea, is much like the rationale for xcb's creation,
but we've not been effective at getting transitioned to it. (We keep
talking about using XCB to generate server-side protocol handling & byte
swapping, but never have, and haven't made it possible for all the clients
to move to XCB, since there's still a couple missing pieces.)
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel
mailing list