Dailydave mailing list archives
Re: We have met the enemy, and the enemy is ... you.
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 11 Apr 2006 15:05:43 -0400
The major weakness with HIDS is still the extremely tiny market share any of them has managed to get. :>

I would imagine one hard thing with a Determina type solution is any kind of code that doesn't lend itself to modification or static analysis. Python, PHP, .Net or Java code, for example, would be extremely hard to profile looking at basic code blocks.

And the problem with any anomaly based system is that when something goes wrong, you have no real way to describe to the user what went wrong or why. So you end up on the signature treadmill again, taking every basic block and applying little if statements to the end of them to check for particular vulnerabilities - not because you can't protect the machine already, but because you need to tell the user exactly what is going on.

And, of course, checking basic blocks doesn't protect you at all from heap overflows or other techniques when used to change variables themselves - it just prevents you from changing execution path. But execution path and "give me admin" can be two different things.

It's potentially the lack of "completeness" and the manageability issues which are causing the market to say "Let's just wait for MS to fix their own stuff".

Just a few thoughts while everyone spends time debugging the thousand and one IE bugs. :>

-dave

redsand wrote:
Black Security is also currently doing some audits on the Determina Software Suite. Nothing has come of it yet but hopefully some positive results will come out of our testing soon. Any information may/hopefully will make it to our blogs or a formal piece of documentation. In the sales meeting, a Determina rep even claimed that ISS had a hack for it but couldn't prove it.

On Tue, 2006-04-11 at 17:43 +0200, pageexec () freemail hu wrote:

On 10 Apr 2006 at 16:13, Knape, Joe wrote:

My "group" has also been looking at a "suite" of products that includes a "Memory Firewall" and "LiveShield" from a company called Determina. They make some bold claims and I've been testing it in a lab setup but I'd like to hear if anyone has been using it in a real-world environment?

Determina's product is based on the research done at MIT under the DynamoRIO project. google for "program shepherding" (and the misspelled "sheperding" version) to find all you wanted to know. in my opinion, program shepherding is the only other technology that measures up to PaX, and for now it does even more in fact (deterministic ret2libc attack prevention). unfortunately source code has never been published, so some claims of security cannot be verified (e.g., their research paper mentions then unresolved issues with multithreaded apps).
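Dave's point that basic-block checking stops a changed execution path but not a changed variable, shown as an added C example that is not from this thread and not Determina's or DynamoRIO's code: a constructed session record whose privilege flag follows the name buffer, an unchecked copy that sets the flag without touching any return address or function pointer, and the bounds check that refuses the same record. The struct layout, record format and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed session record: the name buffer sits directly before the
 * privilege flag, so an over-long name copy lands on is_admin. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable loader: the length carried in the record is trusted, so a record
 * longer than the name field overwrites is_admin. No code pointer is touched and
 * every branch taken is a legitimate edge, so a control-flow monitor sees nothing. */
int load_session_unchecked(struct session *s, const unsigned char *rec, size_t len)
{
    memset(s, 0, sizeof *s);
    memcpy((unsigned char *)s + offsetof(struct session, name), rec, len);
    return s->is_admin;
}

/* Hardened loader: bound the length by the field before copying.
 * Returns -1 on refusal, otherwise the (still zero) privilege flag. */
int load_session_checked(struct session *s, const unsigned char *rec, size_t len)
{
    memset(s, 0, sizeof *s);
    if (len > sizeof s->name) return -1;
    memcpy(s->name, rec, len);
    return s->is_admin;
}

/* Constructed over-long record: a 16-byte name followed by 0x01 bytes that
 * exactly cover the flag. Returns its length, sizeof(struct session). */
size_t build_long_record(unsigned char *out)
{
    size_t flag_off = offsetof(struct session, is_admin);
    memset(out, 'A', flag_off);
    memset(out + flag_off, 0x01, sizeof(struct session) - flag_off);
    return sizeof(struct session);
}

/* Feeds the over-long record to one loader (hardened != 0 selects the
 * checked one) and returns that loader's result. */
int flag_after(int hardened)
{
    unsigned char rec[sizeof(struct session)];
    struct session s;
    size_t len = build_long_record(rec);
    return hardened ? load_session_checked(&s, rec, len)
                    : load_session_unchecked(&s, rec, len);
}
```

The unchecked path ends with is_admin holding 0x01010101 although control flow never left the program's own edges; the checked path returns -1 and the flag stays zero.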