Re: We have met the enemy, and the enemy is ... you.

[Chris Anley <chris () ngssoftware com>]

Kyle Quest wrote:
> The main idea behind solid core is API
> scrambling, which is done during the
> "solidification" process at which point
> the system has all of its components
> installed. It modifies library APIs
> (changing system call number or/and
> changing function names, etc) and
> then modifies the programs that use
> those library APIs, so they are calling
> the scrambled library APIs instead
> of the standard ones. The scrambling
> seems to be different on each system
> the "solidification" process is performed.

Sounds like a neat system; I guess anything that makes exploits harder
is good. I wonder if anyone's done any work into whether it's possible
to write generic exploits to bypass most of the popular HIPS in a single
exploit - not that the attacker necessarily needs to. It'd be good to
know which combinations of NIPS/HIPS are most troublesome for exploit
writers, and why.

Anyway, attacks. Maybe you could call the calls to the syscalls, rather
than just calling syscalls? That also has the advantage of possibly
getting around any syscall source detection, where the system is only
letting syscalls happen from specified addresses. Obviously it doesn't
work if they check the whole call stack but there may be ways around
that too.

Or maybe a generic "solidifier", based on the same idea - locate a known
piece of code that makes some syscall you need, see what number that
call has been mapped to, and modify your own code accordingly. Both ways
should work on a non-"solidified" (dribbly?) system too.

Apologies for lack of a fully-researched reply - these are random ideas
rather than proven techniques.

     -chris.