Dailydave mailing list archives
Re: We have met the enemy, and the enemy is ... you.
From: Chris Anley <chris () ngssoftware com>
Date: Tue, 11 Apr 2006 10:10:45 +0100
Kyle Quest wrote:
> The main idea behind solid core is API scrambling, which is done during the "solidification" process, at which point the system has all of its components installed. It modifies library APIs (changing system call numbers and/or changing function names, etc.) and then modifies the programs that use those library APIs, so they are calling the scrambled library APIs instead of the standard ones. The scrambling seems to be different on each system on which the "solidification" process is performed.
Sounds like a neat system; I guess anything that makes exploits harder is good. I wonder if anyone's done any work into whether it's possible to write generic exploits to bypass most of the popular HIPS in a single exploit - not that the attacker necessarily needs to. It'd be good to know which combinations of NIPS/HIPS are most troublesome for exploit writers, and why.

Anyway, attacks. Maybe you could call the calls to the syscalls, rather than just calling syscalls? That also has the advantage of possibly getting around any syscall source detection, where the system is only letting syscalls happen from specified addresses. Obviously it doesn't work if they check the whole call stack, but there may be ways around that too.

Or maybe a generic "solidifier", based on the same idea - locate a known piece of code that makes some syscall you need, see what number that call has been mapped to, and modify your own code accordingly.

Both ways should work on a non-"solidified" (dribbly?) system too.

Apologies for lack of a fully-researched reply - these are random ideas rather than proven techniques.

-chris.