Dailydave mailing list archives
Re: Media Excitement!
From: Cody Hatch <bytejump () gmail com>
Date: Fri, 22 Apr 2005 12:25:39 -0600
On 4/21/05, Ben Nagy <ben () iagu net> wrote:
> Well, they are, a bit. Anti exploitation features ship standard in latest windows (better heap management, PEB randomisation, stackguard wah wah wah). You can build gentoo with grsecurity enabled with zero extra effort - and so on. They have all been bypassed, but they raise the bar. It will get better. Patience.
PIE isn't enabled by default in SP2 or 2003 as far as I know, and that's a big deal, though I understand why. Which apps would break if PIE was enabled?
> It's hard. And when I say hard I mean hard to sell, as well as hard to write. It's very difficult to explain the subtle differences between products using this kind of tech to anybody but very, very deep technical folks. It's virtually _impossible_ to explain the basics of what they _do_ to pointy-hair people. CSA, Sana, eEye [1], Entercept, Prevx and probably others have solutions that try and mess with exploitation once it is occurring - whether in kernel or userland function hooking or a combo of both. Trouble is that once someone is running code you are doomed to a nasty little game of splo1t-skillZ leapfrog which history tells us favours the attacker.
Right - the old "you can't polish a turd" problem. These seem to be the most effective measures, however (not necessarily the most secure or invulnerable, but it's much easier to get executive buy-in and manage them in an enterprise environment). I'd like to see greater interplay with RBAC capability.
> That's when you start to talk about blocking the same attacks at the network layer, which moves you into the world of marketingweasel talk about "non-signature based IPS [1] which blocks known and unknown attacks". And yeah, that can kind of work as well - and I see that Dave even plugs that kind of approach in some of his presentations. But again, it's brittle. You probably want many kinds of protection in additive layers with each one having a 0<p<1 probability of stopping a given "attack".
IPS and any other network-based approach seems to me to be doomed to failure from the start. They can't see encrypted sessions unless you hack your network or reduce the security (an SSL proxy, for example, would be a goldmine for an attacker so he can see unencrypted sessions), both of which seem unacceptable to me. Not to mention such attacks as packet insertion, TTL evasion, etc. that could still be theoretically possible against many of these products. Combine all of that with the fact that an IPS has really no way of knowing whether an attack would be successful against a destination point and "brittle" is being charitable.

I'm not advocating the removal of IPS or IDS products, but host-based protections seem to offer much more promise to me. Probably the most significant hurdle that quality host-based products face is the proliferation of crappy software out there. Too many developers write code with such things as executable stack space in mind that, once you remove that crutch, their app dies. Unfortunately the security product receives the blame from the developer and the pointy-haired folks, and this seems to be an almost insurmountable hurdle. Things like CSA are a great compromise in the interim, but something more permanent and solid needs to be sought.

The question is, how do we strengthen the OS while we wait for lazy developers to get in the boat? Is RBAC the only effective answer currently?

Later,
Cody

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
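Two of the host-side properties argued over in this message are things you can check for yourself on a Linux box before a hardening feature is switched on: whether a binary is position-independent (ET_DYN, so the loader can relocate it and ASLR actually applies to its image) and whether it asks the kernel for an executable stack via the PT_GNU_STACK program header (GCC sets the execute bit there when, for instance, nested-function trampolines are used, which is exactly the "crutch" that makes an app die under a non-executable stack). The following audit script is an added example written for this page, not code from the thread or from any of the products it names. It parses the ELF64 header and program headers with nothing but the standard library; the two sample images it builds are constructed in-line so the script runs offline. It assumes an ELF64 input and the x86 kernel convention that a missing PT_GNU_STACK means an executable stack.

```python
"""Audit ELF64 binaries for PIE and executable-stack requirements.

Added example for this thread (not code from the post). Assumptions:
ELF64 input, and the x86 Linux convention that a binary with no
PT_GNU_STACK header gets an executable stack by default.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type used for stack flags
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits
ET_EXEC, ET_DYN = 2, 3             # e_type: fixed-address vs position-independent
EM_X86_64 = 62


def audit_elf64(data: bytes) -> dict:
    """Return {'pie', 'has_gnu_stack', 'exec_stack'} for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled by this example")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    # ELF64 header offsets: e_type@16, e_phoff@32, e_phentsize@54, e_phnum@56
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    # Old toolchains emitted no PT_GNU_STACK at all; on x86 the kernel then
    # falls back to an executable stack, so treat "absent" as executable.
    exec_stack = True if stack_flags is None else bool(stack_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "has_gnu_stack": stack_flags is not None,
        "exec_stack": exec_stack,
    }


def build_sample(e_type: int, stack_flags) -> bytes:
    """Constructed minimal ELF64 image: header plus one optional PT_GNU_STACK
    entry. Enough for the parser above; it is not a loadable program."""
    phdrs = b""
    phnum = 0
    if stack_flags is not None:
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr,
        #             p_filesz, p_memsz, p_align
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                            0, 0, 0, 0, 0, 16)
        phnum = 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1
    hdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, EM_X86_64, 1,      # e_type, e_machine, e_version
        0, 64 if phnum else 0, 0,  # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, phnum,          # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    return hdr + phdrs


def audit_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return audit_elf64(fh.read())


def describe(name: str, result: dict) -> str:
    return "%-24s pie=%-5s gnu_stack=%-5s exec_stack=%s" % (
        name, result["pie"], result["has_gnu_stack"], result["exec_stack"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(describe(p, audit_path(p)))
    else:
        # Constructed samples: a modern PIE with RW stack, an old-style
        # fixed-address binary demanding RWX stack, and one with no
        # PT_GNU_STACK at all.
        print(describe("pie, noexec stack", audit_elf64(build_sample(ET_DYN, PF_R | PF_W))))
        print(describe("exec, execstack", audit_elf64(build_sample(ET_EXEC, PF_R | PF_W | PF_X))))
        print(describe("exec, no GNU_STACK", audit_elf64(build_sample(ET_EXEC, None))))
```

Run it as `python3 audit_elf.py /usr/bin/*` to get a one-line verdict per binary; anything reporting `exec_stack=True` is a candidate to break once a non-executable stack is enforced, and anything with `pie=False` will sit at a fixed address no matter what the kernel's randomisation setting says. The fallback for a missing PT_GNU_STACK is deliberately pessimistic, since that is what the x86 loader does.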