Dailydave mailing list archives
RE: We have met the enemy, and the enemy is ... you.
From: "Knape, Joe" <joe.knape () cingular com>
Date: Mon, 10 Apr 2006 16:13:23 -0500
My "group" has also been looking at a "suite" of products that includes a "Memory Firewall" and "LiveShield" from a company called Determina. They make some bold claims and I've been testing it in a lab setup, but I'd like to hear if anyone has been using it in a real-world environment?

Joe Knape
EIS - Security Compliance & Configuration Management
Cingular Wireless

-----Original Message-----
From: Kyle Quest [mailto:Kyle.Quest () networkengines com]
Sent: Monday, April 10, 2006 11:14 AM
To: dailydave
Subject: RE: [Dailydave] We have met the enemy, and the enemy is ... you.

Speaking of HIDS systems... Has anybody looked at SolidCore? It's not for end users. It's more for appliances that have everything installed during manufacturing. ISS recently decided to use it for their security appliances...

The main idea behind SolidCore is API scrambling, which is done during the "solidification" process, at which point the system has all of its components installed. It modifies library APIs (changing system call numbers and/or changing function names, etc.) and then modifies the programs that use those library APIs, so they are calling the scrambled library APIs instead of the standard ones. The scrambling seems to be different on each system the "solidification" process is performed on. This whole API scrambling is supposed to prevent shellcode from running because it uses the original standard API calls, which would make it fail.

I found a couple of cases where this protection mechanism could be bypassed and one way when shellcode would still execute even with those scrambled function names/numbers. Has anybody else looked into this HIDS and found ways to bypass its protection?

K
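To make the "API scrambling" idea concrete, here is a small Python model of the solidification step described in the quoted message. It is an added illustration, not SolidCore's code or anything from the thread: the syscall names and numbers, the seed-derived mapping and the dispatcher are all constructed assumptions. It shows why rewritten programs keep working while code that assumes the standard numbers is refused, and why the scrambled numbers must not overlap the standard ones.

```python
import random

# Constructed "standard" ABI that a program (or foreign code) would assume.
STANDARD_TABLE = {"read": 3, "write": 4, "open": 5, "execve": 11}


def solidify(table, seed):
    """Build a per-system scrambled table from a seed (in the real product this
    happens once, at manufacturing time). The new numbers are drawn from a
    range disjoint from the standard ones: a plain permutation of the original
    numbers could leave fixed points, and a standard number would then still
    resolve to a valid, if different, call instead of being refused."""
    rng = random.Random(seed)
    numbers = rng.sample(range(1000, 65536), k=len(table))
    return dict(zip(table.keys(), numbers))


def rewrite_program(program, scrambled):
    """Patch every call site of a program, given as (name, number) pairs,
    to use the scrambled number. Any site missed here would break at runtime,
    which is why solidification is done once everything is installed."""
    return [(name, scrambled[name]) for name, _ in program]


class Kernel:
    """Dispatcher that only knows the scrambled numbers; anything else is
    recorded as a foreign caller rather than executed."""

    def __init__(self, scrambled):
        self.by_number = {num: name for name, num in scrambled.items()}
        self.alerts = []

    def dispatch(self, number):
        name = self.by_number.get(number)
        if name is None:
            self.alerts.append(f"unknown syscall number {number}: refused")
        return name


def run(kernel, calls):
    """Dispatch each (name, number) call; None marks a refused call."""
    return [kernel.dispatch(num) for _, num in calls]


if __name__ == "__main__":
    scrambled = solidify(STANDARD_TABLE, seed=7)
    kernel = Kernel(scrambled)
    solidified = rewrite_program([("open", 5), ("read", 3)], scrambled)
    print(run(kernel, solidified))        # rewritten program works
    print(run(kernel, [("execve", 11)]))  # standard-ABI caller is refused
    print(kernel.alerts)
```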
Current thread:
- We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 10)
- <Possible follow-ups>
- RE: We have met the enemy, and the enemy is ... you. Kyle Quest (Apr 10)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. TINNES Julien RD-MAPS-ISS (Apr 13)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. Knape, Joe (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Joel Eriksson (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. toby (Apr 12)
- Re: We have met the enemy, and the enemy is ... you. Ian Melven (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. jnf (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 12)
- Re: We have met the enemy, and the enemy is ... you. Michael Spath (Apr 13)