Re: Preventing exploitation with rebasing

["David Litchfield" <david () ngssoftware com>]

> Dear David !
>
> With all the respect... I think your ideea is a BAD one ! Why ? Well...
> It might be verry efective if one to... mhm... 100 persons would aply
> this technique. That's because hackers/worms wouldn't mind loosing a few
> servers if they got the rest of the world. But if this technique would
> became a standard then the worm-industry (if there is such a thing)
> would also evolve... making it brute-force the addreses.

But often you only get one shot to gain control - if you fail the server
process dies. This happens with the buffer overflow in SQL Server. There is
no exception handling and the process just dies and does not restart.

Assuming the server did stay up, though. You've got to go through 0x7FFFFFFF
addresses looking for your code or something that will get you back to your
code. There'll be maybe 50 addresses with "jmp esp" - or whatever
instruction you're looking for - giving you a 1 in 42949672 chance or so.
Brute forcing is not reliable therefore. With all those attempts - someone's
going to notice something going on - or so one would hope, anyway.

> I admit that
> brute-forcing would slow down the worm/hacker/whatever... but this is no
> way of looking at the security.

This is exactly what security is all about. You put as many hurdles in front
of the attacker as you can - the more hurdles the less likely they are to
break in. Rebasing you're system adds another strong hurdle.

> This is like protecting a house/store by
> putting 15 doors that all could be easily broken...

Easily. Okay, if I rebase my system I'll give you 1000 shots to find a "jmp
esp" instruction. Even 2000 or 3000. You'd have to very lucky. I don't think
this is an "easy door" to break down. Sure, it _can_ be broken down but not
with ease.

> Of course there is a
> chance that a thief trying to break in would get bored breaking door
> after door... but if he's really determined... Well... I guess I made my
> point.

Sure - if someone's _really_ determined they'll eventually get in. No-one's
ever claimed anything different.



> Why was slammer so successfull... Well... Here's my oppinion: Sysadmins
> experienced in windows usually have little firewalling skills. That's
> probably because there is no powerfull firewalling tool like ipfw or
> ipchains on windows. If all the SQL ports would have been firewalled the
> worm would probably wouldn't have caused any harm.

I think you're wrong here. For a start you've mading a very sweeping
statement - and I'm sure all those Windows admins out there that know
exactly how to configure their firewall will take umbrage with this. Added
to this, a large number of boxes hit by slammer were unprotected MSDE
installs. MSDE is installed in many cases without the knowledge of the user.
They've installed something like the .NET frame work and got MSDE too.


> Rebasing might be usefull up to some point. But it contains a "mental"
> vulnerability. If one would apply this technique he would probably think
> he is safe and neglect updating his security.

Again I think you're wrong. Anyone who goes to the length of rebasing their
system "knows" what the threats are - and are not likely to be the kind of
person that relies on one method for security.

> Oh, and one more thing...
> I'm not sure about this since I have little expirience in windows:
> security-patches don't relly on the same "genetic code" as exploits ? If
> one would rebase his entire system would he still be able to properly
> apply security patches ?

You can still patch your system. However, the DLLs will be replaced so you
need to rebase the new DLLs after the patch has been applied.


The idea of rebasing your system is not supposed to be a holistic solution.
It's presented as another method of protecting your system - the more
hurdles the better. I'm not suggesting people rely on this method and
neglect to continue to install patches - the real solution.

Cheers,
David Litchfield