Firewall Wizards mailing list archives

Re: Extreme Hacking


From: Crispin Cowan <crispin () cse ogi edu>
Date: Mon, 12 Jul 1999 14:25:45 -0700

"Marcus J. Ranum" wrote:

> Ge' Weijers wrote:
> > On the other hand: those who need to develop security-related code,
> > protocols etc. do need to have an awareness of common exploits.
>
> Yes, and no. They need to know classes of bugs to avoid, and
> categories of common mistakes. For example, if you're developing
> security critical code you need to know what buffer overruns are
> and how to prevent them -- you do not need an exploit script that
> tickles a bug in the latest version of BIND.

I do.  Consider StackGuard:  I claim that StackGuard-protected programs
are impervious to stack smashing buffer overflows, and I have some
lovely viewgraphs that explain why this is so, but why should anyone
believe me?  To prove my claim, we went out and got a bunch of live
exploits and vulnerable programs, demonstrated that the exploits
actually do give you root shells.  Then we recompile the vulnerable
programs with StackGuard, and try the attacks again.  Result:
StackGuard intrusion attempt warnings.

Live exploits were a vital part of this experiment.  In particular, live
exploits for vulnerabilities announced AFTER we built StackGuard prove
the point that StackGuard can stop future, unknown attacks.

I understand how much nicer the world would be for defenders if exploits
did not find their way into the hands of script kiddies.  But there
really are fully legitimate uses for current attack programs in building
defensive systems.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/




