Dailydave mailing list archives

Re: Media Excitement!


From: Cody Hatch <bytejump () gmail com>
Date: Fri, 22 Apr 2005 12:25:39 -0600

On 4/21/05, Ben Nagy <ben () iagu net> wrote:

> Well, they are, a bit. Anti-exploitation features ship standard in latest
> windows (better heap management, PEB randomisation, stackguard wah wah wah).
> You can build gentoo with grsecurity enabled with zero extra effort - and so
> on. They have all been bypassed, but they raise the bar. It will get better.
> Patience.

PIE isn't enabled by default in SP2 or 2003 as far as I know, and
that's a big deal, though I understand why. Which apps would break if
PIE was enabled?


> It's hard. And when I say hard I mean hard to sell, as well as hard to
> write. It's very difficult to explain the subtle differences between
> products using this kind of tech to anybody but very, very deep technical
> folks. It's virtually _impossible_ to explain the basics of what they _do_
> to pointy-hair people. CSA, Sana, eEye [1], Entercept, Prevx and probably
> others have solutions that try and mess with exploitation once it is
> occurring - whether in kernel or userland function hooking or a combo of
> both. Trouble is that once someone is running code you are doomed to a nasty
> little game of splo1t-skillZ leapfrog which history tells us favours the
> attacker.

Right - the old "you can't polish a turd" problem. These seem to be
the most effective measures, however (not necessarily the most secure
or invulnerable, but it's much easier to get executive buy-in and
manage them in an enterprise environment). I'd like to see greater
inter-play with RBAC capability.


> That's when you start to talk about blocking the same attacks at the network
> layer, which moves you into the world of marketingweasel talk about
> "non-signature based IPS [1] which blocks known and unknown attacks". And
> yeah, that can kind of work as well - and I see that Dave even plugs that
> kind of approach in some of his presentations. But again, it's brittle. You
> probably want many kinds of protection in additive layers with each one
> having a 0<p<1 probability of stopping a given "attack".

IPS and any other network-based approach seems to me to be doomed to
failure from the start. They can't see encrypted sessions unless you
hack your network or reduce the security (SSL proxy, for example,
would be a goldmine for an attacker so he can see unencrypted
sessions), both of which seem unacceptable to me. Not to mention such
attacks as packet insertion, TTL evasion, etc. that could still be
theoretically possible against many of these products. Combine all of
that with the fact that an IPS has really no way of knowing whether an
attack would be successful against a destination point and "brittle"
is being charitable.

I'm not advocating the removal of IPS or IDS products, but host-based
protections seem to offer much more promise to me. Probably the most
significant hurdle that quality host-based products face is the
proliferation of crappy software out there. Too many developers write
code with such things as executable stack space in mind that, once you
remove that crutch, their app dies. Unfortunately the security product
receives the blame from the developer and the pointy-haired folks, and
this seems to be an almost insurmountable hurdle. Things like CSA are
a great compromise in the interim, but something more permanent and
solid needs to be sought.

The question is, how do we strengthen the OS while we wait for lazy
developers to get in the boat? Is RBAC the only effective answer
currently?

Later,
Cody
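Cody's point about applications that die once the executable-stack crutch is removed is something a defender can actually inventory before rolling out a host protection: on Linux, a binary declares whether it wants an executable stack through the PT_GNU_STACK program header, and a missing header has historically been treated by the loader as "executable". The following is an added example, not code from the list post or from any product named above; it parses ELF64 program headers directly and classifies the stack policy. The sample images are constructed in memory for parsing only (they are not loadable programs), and the constants used (PT_GNU_STACK = 0x6474e551, PF_X/PF_W/PF_R) are the standard ELF values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551      # GNU extension: requested stack permissions
PF_X, PF_W, PF_R = 1, 2, 4     # program-header permission bits

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 file header, little-endian (64 bytes)
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header (56 bytes)


def iter_program_headers(data: bytes):
    """Yield (p_type, p_flags) for every program header in an ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("this example only handles ELF64")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        yield p_type, p_flags


def stack_policy(data: bytes) -> str:
    """Classify what the binary asks the loader to do with its stack.

    'executable'      -> PT_GNU_STACK present with PF_X set
    'non-executable'  -> PT_GNU_STACK present without PF_X
    'absent'          -> no PT_GNU_STACK; Linux has historically treated this
                         as a request for an executable stack (legacy default)
    """
    for p_type, p_flags in iter_program_headers(data):
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "absent"


def needs_attention(policy: str) -> bool:
    """True for binaries likely to break once a non-exec stack is enforced."""
    return policy in ("executable", "absent")


def build_sample_elf(stack_flags):
    """Construct a minimal ELF64 image (header + program headers) for parsing.

    stack_flags: PF_* bits for a PT_GNU_STACK entry, or None to omit it.
    The image contains no code and is not loadable; it is constructed here
    purely so the example runs offline.
    """
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, e_ident,
                       2,          # e_type: ET_EXEC
                       62,         # e_machine: x86-64
                       1, 0x400000,
                       64,         # e_phoff: program headers follow the ELF header
                       0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def audit(images: dict) -> dict:
    """Map each image name to its stack policy; the kind of inventory you
    would run over a fleet before enforcing non-executable stacks."""
    return {name: stack_policy(data) for name, data in images.items()}


if __name__ == "__main__":
    samples = {
        "legacy_jit.bin": build_sample_elf(PF_R | PF_W | PF_X),  # constructed
        "hardened.bin":   build_sample_elf(PF_R | PF_W),          # constructed
        "ancient.bin":    build_sample_elf(None),                 # constructed
    }
    for name, policy in audit(samples).items():
        flag = "CHECK" if needs_attention(policy) else "ok"
        print(f"{name:16s} stack={policy:15s} {flag}")
```

On a real system the same answer comes from `readelf -lW <binary> | grep GNU_STACK` (the `RWE` flags mark an executable-stack request); the parser above just makes the mechanism visible. Flagging both "executable" and "absent" is deliberate: the absent case is the one that surprises people, because the developer never asked for anything and the loader still hands them an executable stack.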
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave