Dailydave mailing list archives

RE: We have met the enemy, and the enemy is ... you.


From: "Knape, Joe" <joe.knape () cingular com>
Date: Mon, 10 Apr 2006 16:13:23 -0500

My "group" has also been looking at a "suite" of products that includes
a "Memory Firewall" and "LiveShield" from a company called Determina.
They make some bold claims and I've been testing it in a lab setup but
I'd like to hear if anyone has been using it in a real-world
environment?

Joe Knape
EIS - Security Compliance & Configuration Management
Cingular Wireless

-----Original Message-----
From: Kyle Quest [mailto:Kyle.Quest () networkengines com]
Sent: Monday, April 10, 2006 11:14 AM
To: dailydave
Subject: RE: [Dailydave] We have met the enemy, and the enemy is ... you.

Speaking of HIDS systems... Has anybody looked at SolidCore? It's not for
end users. It's more for appliances that have everything installed during
manufacturing. ISS recently decided to use it for their security
appliances...

The main idea behind SolidCore is API scrambling, which is done during the
"solidification" process, at which point the system has all of its
components installed. It modifies library APIs (changing system call
numbers and/or changing function names, etc.) and then modifies the
programs that use those library APIs, so they are calling the scrambled
library APIs instead of the standard ones. The scrambling seems to be
different on each system the "solidification" process is performed on.

This whole API scrambling is supposed to prevent shellcode from running,
because it uses the original standard API calls, which would make it fail.

I found a couple of cases where this protection mechanism could be
bypassed, and one way where shellcode would still execute even with those
scrambled function names/numbers.

Has anybody else looked into this HIDS and found ways to bypass its
protection?

K
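A toy model of the mechanism Kyle describes, added here as an illustration and not SolidCore's or ISS's code: each system draws its own randomised syscall numbering, a solidification step rewrites the programs present at build time to that numbering, and the dispatcher rejects any call still bound to the standard numbers. The class and function names (SolidifiedSystem, solidify, run, demo), the sample syscall table, the seed-driven renumbering and the two sample programs are all constructed assumptions.

```python
"""Toy model of per-system API scrambling ("solidification").

Added illustration, not SolidCore's code; the syscall table, the seed-driven
renumbering and the rewriting step are all constructed assumptions.
"""
import random
import secrets

# Constructed sample of a "standard" syscall table (numbers loosely x86-64 style).
STANDARD_SYSCALLS = {"read": 0, "write": 1, "open": 2, "execve": 59, "exit": 60}
STANDARD_BY_NUMBER = {num: name for name, num in STANDARD_SYSCALLS.items()}


class SolidifiedSystem:
    """One appliance after solidification: it only answers to its own numbers."""

    def __init__(self, seed=None):
        # Each system draws its own scrambling; the seed stands in for whatever
        # per-device secret a real product would use (assumption).
        self.seed = seed if seed is not None else secrets.token_hex(16)
        rng = random.Random(self.seed)
        # Fresh, unique numbers disjoint from the standard range, so a call that
        # still uses a standard number never lands on a valid entry by accident.
        fresh = rng.sample(range(1000, 10000), k=len(STANDARD_SYSCALLS))
        self.scrambled = dict(zip(STANDARD_SYSCALLS, fresh))  # name -> new number
        self.dispatch = {num: name for name, num in self.scrambled.items()}

    def solidify(self, program):
        """Rewrite a program bound to standard numbers to this system's numbers.

        Only code present at solidification time gets rewritten; anything that
        shows up later keeps the standard numbers and is rejected by run().
        """
        rewritten = []
        for num, args in program:
            name = STANDARD_BY_NUMBER[num]  # KeyError on an unknown standard call
            rewritten.append((self.scrambled[name], args))
        return rewritten

    def run(self, program):
        """Dispatch each call; an unknown number stops execution (ENOSYS-like).

        Returns (completed, trace) where trace lists what was dispatched.
        """
        trace = []
        for num, args in program:
            name = self.dispatch.get(num)
            if name is None:
                trace.append(f"ENOSYS({num})")
                return False, trace
            trace.append(f"{name}({', '.join(repr(a) for a in args)})")
        return True, trace


# Constructed programs, both written against the standard table:
# a legitimate one that is present when the box is solidified ...
HELLO = [(1, ("hello",)), (60, (0,))]
# ... and code that arrives afterwards and still expects the standard numbers.
LATE_ARRIVAL = [(2, ("/some/file",)), (0, (128,))]


def demo():
    """Run the three cases the thread discusses on two separately solidified boxes."""
    box_a = SolidifiedSystem(seed="appliance-a")
    box_b = SolidifiedSystem(seed="appliance-b")
    return {
        "rewritten_on_a": box_a.run(box_a.solidify(HELLO)),  # rewritten code works
        "standard_on_a": box_a.run(HELLO),                   # same code, not rewritten
        "late_on_a": box_a.run(LATE_ARRIVAL),                # arrived after solidification
        "tables_differ": box_a.scrambled != box_b.scrambled,  # per-system scrambling
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the four results, and the point they make is the one already in the thread: code present at solidification time is rewritten and runs, anything arriving later with standard numbers hits ENOSYS on its first call, and two appliances end up with different tables. The model also shows why the scheme suits fixed-function appliances rather than end-user machines: every later addition, legitimate update or not, has to go through the same rewriting step, and the protection rests entirely on the per-system table staying unknown.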

