Security is Inconvenient, Deal With It!

Monday, December 17, 2012

Keith Mendoza


ZDNet had an article entitled "Kernel vulnerability places Samsung devices at risk" and I thought "so, what's new" until I followed the link to the forum post on xda-developers. Then I just lost it, because I'm certain that this is a result of plain and simple laziness.

Here are my arguments for why I think it's laziness: First, this is Samsung we're talking about here. This error should have been caught in code review or QA. Second, according to the first post the primary users of /dev/exynos-mem are

graphic usage like camera, graphic memory allocation, hdmi. By activating pid display in kmsg, surfaceflinger does mmap on the device (via one of the three shared libraries above?? I have not seen a reference in the binary to these libraries).

Third, the documentation clearly states that "This maps the platform's RAM, and typically maps all platform RAM in a 1:1 relationship." Therefore, I would say that allowing global read-write access to /dev/exynos-mem was a design decision, and the decision was probably made by someone with enough clout in the company to effectively silence anyone who pointed out the obvious error in taking this route.
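As an added example (not code from the original post, nor anything from Samsung or the xda thread), here is the kind of small POSIX shell audit that would have flagged a world-readable, world-writable device node in code review or QA before it shipped. The directory it walks is a constructed stand-in for /dev (mknod needs root, so plain files carrying the relevant mode bits play the part of device nodes), and the allowlist argument is my own addition: nodes such as /dev/null are legitimately world-writable, so the check needs a way to separate expected exceptions from a node that maps all physical RAM.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits entries of a
# directory for world read/write access. The "exynos-mem" file created in
# the demo is a constructed stand-in for the real device node.

# Print the "other" permission triplet of a path (e.g. "rw-"), or "???" if
# the path does not exist. Characters 8-10 of `ls -l` output are the world
# bits on every POSIX ls, so no GNU-specific stat flags are needed.
world_perms() {
    if [ -e "$1" ]; then
        ls -ld "$1" | cut -c8-10
    else
        echo "???"
    fi
}

# Classify world access to a path through the exit status:
#   0 = no world access, 1 = world-readable, 2 = world-writable, 3 = both
world_access() {
    p=$(world_perms "$1")
    rc=0
    case "$p" in *r*) rc=1 ;; esac
    case "$p" in *w*) rc=$((rc + 2)) ;; esac
    return $rc
}

# Walk one directory (non-recursive) and print every entry that is
# world-writable as "<world bits> <path>". The optional second argument is a
# space-separated list of basenames that are expected to be world-writable
# (e.g. "null zero tty") and are skipped. Returns the number of findings.
audit_world_writable() {
    dir="$1"
    allow=" ${2:-} "
    found=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        case "$allow" in *" ${entry##*/} "*) continue ;; esac
        rc=0; world_access "$entry" || rc=$?
        [ "$rc" -ge 2 ] || continue        # readable-only or private: not reported
        printf '%s %s\n' "$(world_perms "$entry")" "$entry"
        found=$((found + 1))
    done
    return $found
}

# Demo on a constructed /dev-like directory. Only the permission bits matter
# here; the names mirror what a phone's /dev might contain.
demo_dir=$(mktemp -d)
: > "$demo_dir/exynos-mem"; chmod 666 "$demo_dir/exynos-mem"   # world rw: the bad default
: > "$demo_dir/mem";        chmod 640 "$demo_dir/mem"          # group-restricted, as it should be
: > "$demo_dir/null";       chmod 666 "$demo_dir/null"         # world rw but legitimately so
audit_world_writable "$demo_dir" "null zero" || echo "world-writable entries outside allowlist: $?"
rm -rf "$demo_dir"
```

The verdict is only a starting point: the script cannot tell what a node exposes, so every hit still needs the question the post raises, namely whether unprivileged read-write access was ever a defensible design for that particular device.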

Well guess what, security is inconvenient. It gets in the way of getting things done quickly. It'll slow your application down. It'll add to the development effort. It's hard to get it completely right. However, getting inconvenienced beats looking like a dumb idiot.

Cross-posted on Home+Power

Alex Brook How many Samsung consumers are going to care though? Security is inconvenient, you are obviously right there but are you Samsung aren't dealing with it through intentional ignorance?
Simon Moffatt Unfortunately, security is inconvenient at lots of levels. The SDLC sees it as slowing down time to delivery, users see it as being restrictive. Unless security is implicitly embedded, the inconvenience case is a hard one to overcome.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
