Dailydave mailing list archives
RE: Media Excitement!
From: "Ben Nagy" <ben () iagu net>
Date: Fri, 22 Apr 2005 03:11:00 +0200
See Vendor Disclaimer [1]
-----Original Message----- From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Cody Hatch
> [...]
> I've lurked long enough and need to participate rather than be a leech. <exasperation> Where do we go from here, though? Why aren't solutions such as PaX, grsecurity, systrace, etc. finding their way into commercial operating systems?

Well, they are, a bit. Anti exploitation features ship standard in latest windows (better heap management, PEB randomisation, stackguard wah wah wah). You can build gentoo with grsecurity enabled with zero extra effort - and so on. They have all been bypassed, but they raise the bar. It will get better. Patience.

> Cobbling together a solution that includes these things can be done, but finds itself on thin ice in an enterprise environment needing executive buy-off and enterprise-level manageability.

Oh, so true.

> RedHat has ExecShield, which is at least an attempt, but why are we moving in such a slow fashion? Where is everyone else? Cisco Security Agent makes an attempt, but isn't enough. What's the hold-up?

It's hard. And when I say hard I mean hard to sell, as well as hard to write. It's very difficult to explain the subtle differences between products using this kind of tech to anybody but very, very deep technical folks. It's virtually _impossible_ to explain the basics of what they _do_ to pointy-hair people.

CSA, Sana, eEye [1], Entercept, Prevx and probably others have solutions that try and mess with exploitation once it is occurring - whether in kernel or userland function hooking or a combo of both. Trouble is that once someone is running code you are doomed to a nasty little game of splo1t-skillZ leapfrog which history tells us favours the attacker. Oh, and remember that the defensive and offensive approaches are com-fricking-pletely different at the lowest levels for wintel to unix to linux, but some people want one product which runs on everything. The thing is that apart from having the same name and same management console they probably all offer a totally different security profile.

That's when you start to talk about blocking the same attacks at the network layer, which moves you into the world of marketingweasel talk about "non-signature based IPS [1] which blocks known and unknown attacks". And yeah, that can kind of work as well - and I see that Dave even plugs that kind of approach in some of his presentations. But again, it's brittle. You probably want many kinds of protection in additive layers with each one having a 0<p<1 probability of stopping a given "attack".

So, the short answer to "what's the hold up" is "It's hard, the products are only barely ready and the market is a long time behind the curve in terms of the way they think about strategy". I remain, however, patiently optimistic. :)

ben

[1] I work for eEye. We have a product that does "this kind of stuff", so apply grains of salt as required.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
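The "additive layers, each with 0<p<1" arithmetic from the post above, worked through as an added example (this is not code from the post or from any product it names). The per-layer probabilities are constructed for illustration, and the contrast between independent and fully correlated layers goes a step beyond the post: two controls that are really the same mechanism under different names do not stack.

```python
"""Combined stopping probability of layered anti-exploitation controls.

All layer values below are constructed illustrations, not measurements
of any real product.
"""
from math import prod


def combined_independent(ps):
    """At least one of the layers stops the attack, assuming each layer
    fails independently of the others: 1 - product(1 - p_i)."""
    for p in ps:
        if not 0 < p < 1:
            raise ValueError(f"each layer needs 0 < p < 1, got {p}")
    return 1 - prod(1 - p for p in ps)


def combined_fully_correlated(ps):
    """Worst case: whatever bypasses the strongest layer also bypasses every
    weaker one (e.g. two products that hook the same thing), so no layer
    adds anything beyond the best single one."""
    for p in ps:
        if not 0 < p < 1:
            raise ValueError(f"each layer needs 0 < p < 1, got {p}")
    return max(ps)


def layers_needed(p, target):
    """Smallest number of independent layers, each stopping an attack with
    probability p, whose combination reaches `target`. Illustrates the
    diminishing return of stacking more of the same kind of control."""
    if not 0 < p < 1 or not 0 < target < 1:
        raise ValueError("p and target must both lie strictly in (0, 1)")
    n, miss = 0, 1.0  # miss = probability every layer so far was bypassed
    while 1 - miss < target:
        miss *= 1 - p
        n += 1
    return n


if __name__ == "__main__":
    layers = [0.6, 0.5, 0.3]  # constructed: e.g. heap, stack, network IPS
    print("independent  :", round(combined_independent(layers), 3))
    print("correlated   :", combined_fully_correlated(layers))
    print("0.5 layers to hit 0.99:", layers_needed(0.5, 0.99))
```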