Dailydave mailing list archives
Re: We have met the enemy, and the enemy is ... you.
From: Joel Eriksson <je () bitnux com>
Date: Tue, 11 Apr 2006 15:05:33 +0200
Hi Joe & the rest of the list,

I'm curious about that too. Exploit prevention using dynamic binary translation techniques is extremely interesting, although I'm not completely convinced yet. :)

Specifically I don't see how the "program shepherding" technique would protect against overwritten function pointers, when still pointing them into valid functions (e.g. not injected shellcode)?

I also wonder if the Determina implementation protects the code cache memory during all times that application code is executed or if that has been removed for optimization purposes? How large is the slowdown by Determina now btw?

Some reading for those of you that didn't know that Determina is based on techniques that were originally developed using the DynamoRIO framework:

http://www.cag.lcs.mit.edu/dynamorio/
http://www.burningcutlery.com/derek/docs/phd.pdf
http://www.burningcutlery.com/derek/docs/security-usenix.pdf

A question to the Determina people (that I know are present on this list): Is Determina still using DynamoRIO code or has everything been implemented from scratch?

The biggest flaw with this technique is that a kernel bug would circumvent it completely though. Of course, kernel bugs are game over anyway, but since kernel bugs are getting pretty popular and since Determina gives the impression of protecting against pretty much everything it should be pointed out.

As with pretty much any other vulnerability protection technology it also can't protect against logical bugs and other bugs that don't rely on direct execution flow manipulation.

The conclusion, as expected, is that people still need to run software (and operating systems) with an originally secure design and implementation. :)

Very interesting research though and I hope the Determina people here can answer my questions.

Best Regards,
Joel Eriksson

On Mon, Apr 10, 2006 at 04:13:23PM -0500, Knape, Joe wrote:
> My "group" has also been looking at a "suite" of products that includes a "Memory Firewall" and "LiveShield" from a company called Determina. They make some bold claims and I've been testing it in a lab setup but I'd like to hear if anyone has been using it in a real-world environment?
>
> Joe Knape
> EIS - Security Compliance & Configuration Management
> Cingular Wireless
-- 
Best Regards,
Joel Eriksson
-------------------------------------------------
Cellphone: +46-70 228 64 16
Home: +46-18-30 35 55
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x08811B44
DF38 5806 0EFB 196E E4B6 34B5 4C01 73BB 0881 1B44
-------------------------------------------------
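The function-pointer question raised in the message above, illustrated as an added example (constructed for this page; it is not code from the post, from Determina, or from DynamoRIO). The shepherding policy described in the linked papers restricts indirect control transfers to known code, and this toy models that as an explicit table of known function entry points, with the attacker's overwrite simulated by an assignment rather than an actual overflow. The handler names and the `0xBEEF` return value are made up for the illustration. The point it makes concrete: a pointer into injected data is rejected, but a pointer redirected to a different, legitimate function passes the same check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a shepherding-style indirect-call check (constructed example). */

typedef int (*handler_t)(const char *);

/* Two legitimate functions in the "image". Names are assumptions for the example. */
static int length_handler(const char *s) { return (int)strlen(s); }
static int privileged_handler(const char *s) { (void)s; return 0xBEEF; }

/* The policy: an indirect call may only land on a known function entry point.
   Here the "symbol table" is an explicit array. */
static const handler_t known_entries[] = { length_handler, privileged_handler };

int is_valid_entry(handler_t target) {
    for (size_t i = 0; i < sizeof known_entries / sizeof known_entries[0]; i++)
        if (known_entries[i] == target)
            return 1;
    return 0;
}

/* A structure whose function pointer an attacker might clobber via the
   adjacent buffer. The overwrite below is simulated, not performed by an overflow. */
struct request {
    char name[16];
    handler_t handler;
};

/* Shepherded dispatch: refuse the transfer unless the target is a known entry.
   Returns -1 when the transfer is blocked, otherwise the handler's result. */
int dispatch(struct request *r) {
    if (!is_valid_entry(r->handler))
        return -1;
    return r->handler(r->name);
}

/* Scenario 1: untouched request. The check passes and the handler runs. */
int scenario_benign(void) {
    struct request r = { "hello", length_handler };
    return dispatch(&r);                     /* 5 */
}

/* Scenario 2: the pointer is redirected into a data buffer standing in for
   injected shellcode. The target is not a known entry, so the call is blocked. */
int scenario_injected_code(void) {
    static unsigned char fake_shellcode[4] = { 0xcc, 0xcc, 0xcc, 0xcc };
    struct request r = { "hello", length_handler };
    void *p = fake_shellcode;
    /* memcpy avoids a data-to-function pointer cast; assumes equal pointer sizes. */
    memcpy(&r.handler, &p, sizeof r.handler);
    return dispatch(&r);                     /* -1 */
}

/* Scenario 3: the pointer is redirected to a different, legitimate function.
   It is a known entry, so the same check passes and the attacker gets the
   privileged code path without injecting anything. */
int scenario_valid_function(void) {
    struct request r = { "hello", length_handler };
    r.handler = privileged_handler;          /* simulated overwrite */
    return dispatch(&r);                     /* 0xBEEF */
}

int main(void) {
    printf("benign:          %d\n", scenario_benign());
    printf("injected code:   %d\n", scenario_injected_code());
    printf("valid function:  %#x\n", scenario_valid_function());
    return 0;
}
```

The example models only the entry-point restriction; a finer policy (e.g. checking the call site against the set of targets a compiler could have emitted for it) would narrow scenario 3 but still cannot distinguish two targets that are both legitimate for that site.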
Current thread:
- We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 10)
- <Possible follow-ups>
- RE: We have met the enemy, and the enemy is ... you. Kyle Quest (Apr 10)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. TINNES Julien RD-MAPS-ISS (Apr 13)
- Re: We have met the enemy, and the enemy is ... you. Chris Anley (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. Knape, Joe (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Joel Eriksson (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. Dave Aitel (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. toby (Apr 12)
- Re: We have met the enemy, and the enemy is ... you. Ian Melven (Apr 11)
- Re: We have met the enemy, and the enemy is ... you. redsand (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. jnf (Apr 11)
- RE: We have met the enemy, and the enemy is ... you. pageexec (Apr 12)
- Re: We have met the enemy, and the enemy is ... you. Michael Spath (Apr 13)
- Re: We have met the enemy, and the enemy is ... you. Ian Melven (Apr 13)