Dailydave mailing list archives

RE: Media Excitement!


From: "Ben Nagy" <ben () iagu net>
Date: Fri, 22 Apr 2005 03:11:00 +0200

See Vendor Disclaimer [1] 

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Cody Hatch
[...]
I've lurked long enough and need to participate rather than 
be a leech.

<exasperation>
Where do we go from here, though? Why aren't solutions such as PaX,
grsecurity, systrace, etc. finding their way into commercial operating
systems?

Well, they are, a bit. Anti-exploitation features ship standard in the latest
Windows (better heap management, PEB randomisation, stackguard wah wah wah).
You can build gentoo with grsecurity enabled with zero extra effort - and so
on. They have all been bypassed, but they raise the bar. It will get better.
Patience.

Cobbling together a solution that includes these things can be done,
but finds itself on thin ice in an enterprise environment needing
executive buy-off and enterprise-level manageability.

Oh, so true.

RedHat has ExecShield, which is at least an attempt, but why are we
moving in such a slow fashion? Where is everyone else? Cisco Security
Agent makes an attempt, but isn't enough. What's the hold-up?

It's hard. And when I say hard I mean hard to sell, as well as hard to
write. It's very difficult to explain the subtle differences between
products using this kind of tech to anybody but very, very deep technical
folks. It's virtually _impossible_ to explain the basics of what they _do_
to pointy-hair people. CSA, Sana, eEye [1], Entercept, Prevx and probably
others have solutions that try and mess with exploitation once it is
occurring - whether in kernel or userland function hooking or a combo of
both. Trouble is that once someone is running code you are doomed to a nasty
little game of splo1t-skillZ leapfrog which history tells us favours the
attacker.

Oh, and remember that the defensive and offensive approaches are
com-fricking-pletely different at the lowest levels for wintel to unix to
linux, but some people want one product which runs on everything. The thing
is that apart from having the same name and same management console they
probably all offer a totally different security profile.

That's when you start to talk about blocking the same attacks at the network
layer, which moves you into the world of marketingweasel talk about
"non-signature based IPS [1] which blocks known and unknown attacks". And
yeah, that can kind of work as well - and I see that Dave even plugs that
kind of approach in some of his presentations. But again, it's brittle. You
probably want many kinds of protection in additive layers with each one
having a 0<p<1 probability of stopping a given "attack".

So, the short answer to "what's the hold up" is "It's hard, the products are
only barely ready and the market is a long time behind the curve in terms of
the way they think about strategy".

I remain, however, patiently optimistic. :)

ben

[1] I work for eEye. We have a product that does "this kind of stuff", so
apply grains of salt as required.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave