Security Basics mailing list archives
Re: considerations about exploits tricks
From: krymson () gmail com
Date: 5 Nov 2007 21:38:58 -0000
Can we defeat overflows? Well, sure, but one (or both) of three things need to happen. First, you need to teach every software programmer and engineer how to properly bound their code. Second, you need to write a program that will inspect and intelligently decide whether code in memory needs to be bounded. Good luck with that. Or three, randomize memory so much that an attacker can't predict it. This last piece is where a lot of progress has been made, but who is to say we even know about all the possible overflows that may happen? In 3 years, will some new technique be discovered? Will some new programming or technology recover old overflows we thought were fixed?

Let alone everything else about security such as the people as others have already mentioned. We can't win the whole battle against attackers, but we can be successful in our defenses and risk management. And the OS dramatically changes often, due to economics and human technological progress...which can usher in whole new classes of vulns...

If you want to think otherwise, I will point to teen pregnancy, murder, and drug use as other evils, and ask you why we've not "solved" these issues to the point that they are eradicated and the battle won...

<- snip ->

Hello,

I wonder about security holes which are still present in our OS, which let attackers take over control. I have heard about PAX system, ProPolice and other, which in consolidation should well defend system against attacks like buffer overflow. Is it not enough? Can't we really win the battle against buffer overflow and heap overflow?

opexoc