Dailydave mailing list archives

Re: Check Point Invented (R)(TM) the great sand-boxing and now protects you against "Day0"!


From: Chris Anley <chris () ngssoftware com>
Date: Fri, 08 Jul 2005 09:16:14 +0100

Assumption:

<quote>
1. All network-based malicious overflow attacks must contain executable
code in machine language.
</quote>

...surely means that return-to-libc style exploits and non-shellcode overflow exploits (e.g. Solaris TTYPROMPT) inherently bypass this?

Also, reference was made to a three-phase detection process; first, find executable code (tricky since there's not much redundancy in most instruction sets) then simulate execution, then, within the set of executable code, find "malicious" code.

So it'd be fun to find out what the definition of "malicious" is in this case. Fair enough, code that calls WinExec, execve, CreateProcessA or whatever is probably malicious. Is code that unprotects, changes, then re-protects another portion of code malicious? Is code that changes data malicious?

Is code that doesn't halt malicious? :o)

That said, for all our pointing and hooting, research into these generic protection mechanisms has got to be a worthwhile thing, absurd patent issues aside. If it protects people, it's a good thing, right?

     -chris.

(btw, Fnord is an excellent name)
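The three-phase scheme discussed in this post (find executable code, simulate it, then classify it by what it does) can be sketched end to end on a constructed toy instruction set. The following is an added example, not code from the post, the list, or any vendor product; the stack-machine ISA, the "routine 7 is dangerous" rule and all sample byte strings are assumptions made up for illustration. It shows the two caveats raised above: a payload that carries no machine code produces no candidates in phase 1 at all, and code that loops forever exhausts the simulator's step budget, so phase 3 has to return a verdict with incomplete information.

```python
"""Toy three-phase detector over a constructed stack-machine ISA (not x86).

Phase 1: find offsets that decode cleanly as code.
Phase 2: simulate each candidate with a step budget.
Phase 3: classify by the library routines the simulated code calls.
"""
from dataclasses import dataclass, field

# Constructed toy ISA: opcode -> (mnemonic, number of operand bytes).
# Only 6 of 256 byte values are valid opcodes here, so undecodable bytes
# stop phase 1 quickly; real ISAs such as x86 have far less redundancy
# (almost any byte starts some valid instruction), which is why phase 1
# is the hard part in practice.
OPS = {
    0x00: ("HALT", 0),
    0x01: ("PUSH", 1),   # push imm8
    0x02: ("JMP", 1),    # pc += signed imm8 (relative to next instruction)
    0x03: ("CALL", 1),   # call library routine number imm8
    0x04: ("ADD", 0),    # pop two, push their sum mod 256
    0x05: ("JNZ", 1),    # pop; jump if the popped value is non-zero
}
DANGEROUS_CALLS = {7}    # hypothetical: routine 7 spawns a process


def signed8(v: int) -> int:
    return v - 256 if v > 127 else v


def decode_linear(blob: bytes, start: int):
    """Phase 1 helper: decode straight-line from start until HALT.
    Returns the instruction list, or None on an invalid opcode / truncation."""
    insns, pc = [], start
    while pc < len(blob):
        op = blob[pc]
        if op not in OPS:
            return None
        mnemonic, nargs = OPS[op]
        if pc + nargs >= len(blob):
            return None                      # operand would run off the end
        operand = blob[pc + 1] if nargs else None
        insns.append((pc, mnemonic, operand))
        pc += 1 + nargs
        if mnemonic == "HALT":
            return insns
    return None                              # ran off the end without HALT


def find_code(blob: bytes) -> list:
    """Phase 1: every offset from which the bytes decode cleanly to HALT."""
    return [s for s in range(len(blob)) if decode_linear(blob, s) is not None]


@dataclass
class Trace:
    status: str                              # "halted", "fault" or "budget"
    steps: int = 0
    calls: list = field(default_factory=list)


def simulate(blob: bytes, start: int, budget: int = 1000) -> Trace:
    """Phase 2: run the toy machine from start for at most `budget` steps."""
    stack, calls, pc, steps = [], [], start, 0
    while steps < budget:
        if not (0 <= pc < len(blob)) or blob[pc] not in OPS:
            return Trace("fault", steps, calls)   # jumped into non-code
        mnemonic, nargs = OPS[blob[pc]]
        if nargs and pc + 1 >= len(blob):
            return Trace("fault", steps, calls)
        operand = blob[pc + 1] if nargs else None
        pc += 1 + nargs
        steps += 1
        if mnemonic == "HALT":
            return Trace("halted", steps, calls)
        if mnemonic == "PUSH":
            stack.append(operand)
        elif mnemonic == "ADD":
            b = stack.pop() if stack else 0
            a = stack.pop() if stack else 0
            stack.append((a + b) & 0xFF)
        elif mnemonic == "CALL":
            calls.append(operand)
        elif mnemonic == "JMP":
            pc += signed8(operand)
        elif mnemonic == "JNZ":
            if (stack.pop() if stack else 0):
                pc += signed8(operand)
    return Trace("budget", steps, calls)     # did not halt within budget


def classify(blob: bytes, budget: int = 1000) -> str:
    """Phase 3: aggregate the simulated behaviour of every candidate."""
    starts = find_code(blob)
    if not starts:
        return "no code found"
    statuses = set()
    for s in starts:
        trace = simulate(blob, s, budget)
        if DANGEROUS_CALLS & set(trace.calls):
            return "malicious"               # reached a dangerous routine
        statuses.add(trace.status)
    return "undecided" if "budget" in statuses else "benign"


# Constructed samples (all made up for this example).
BENIGN = bytes([0x01, 0x02, 0x01, 0x03, 0x04, 0x00])   # push 2; push 3; add; halt
MALICIOUS = bytes([0x03, 0x07, 0x00])                   # call 7; halt
LOOP = bytes([0x01, 0x01, 0x05, 0xFC, 0x00])            # push 1; jnz -4; halt (never reached)
NO_CODE = bytes([0xF0, 0xFF, 0xBF, 0x08] * 3)           # address-like bytes, no valid opcode

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("malicious", MALICIOUS),
                       ("loop", LOOP), ("no_code", NO_CODE)]:
        print(f"{name:10s} candidates={find_code(blob)} verdict={classify(blob)}")
```

The LOOP sample is the "code that doesn't halt" case: the simulator returns `budget` instead of a trace, so the classifier can only say "undecided", and a deployment has to decide whether that counts as a block or a pass. NO_CODE is the other caveat: an input made only of address-like bytes never enters phase 2, so an opcode-based phase 1 is blind to it regardless of how good the later phases are.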
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave