Dailydave mailing list archives
Re: Check Point Invented (R)(TM) the great sand-boxing and now protects you against "Day0"!
From: Chris Anley <chris () ngssoftware com>
Date: Fri, 08 Jul 2005 09:16:14 +0100
Assumption:

<quote>
1. All network-based malicious overflow attacks must contain executable code in machine language.
</quote>

...surely means that return-to-libc style exploits and non-shellcode overflow exploits (e.g. Solaris TTYPROMPT) inherently bypass this?
Also, reference was made to a three-phase detection process; first, find executable code (tricky since there's not much redundancy in most instruction sets) then simulate execution, then, within the set of executable code, find "malicious" code.
So it'd be fun to find out what the definition of "malicious" is in this case. Fair enough, code that calls WinExec, execve, CreateProcessA or whatever is probably malicious. Is code that unprotects, changes, then re-protects another portion of code malicious? Is code that changes data malicious?
Is code that doesn't halt malicious? :o)

That said, for all our pointing and hooting, research into these generic protection mechanisms has got to be a worthwhile thing, absurd patent issues aside. If it protects people, it's a good thing, right?
-chris.

(btw, Fnord is an excellent name)