Dailydave mailing list archives

RE: We have met the enemy, and the enemy is ... you.


From: jnf <jnf () nosec net>
Date: Tue, 11 Apr 2006 18:28:43 -0700 (PDT)

What I've never understood is why functionality available on the platform
itself is not used as a means of preventing common vulnerabilities?

For instance on the x86 platform you have the bound and into instructions
that determine if a pointer is still within bounds and if an int overflow
has occurred respectively.

A while back Theo made a big deal about int overflows and how they were
undetectable to the program; however, that's only at the level of the
source. At the assembly level they are detectable and preventable.

Surely it would impact performance to some degree, but at least in some
arenas high security is valued over high performance.

What's interesting about this approach is that it could be accomplished at
the layer of abstraction where the problem itself exists and be
transparent to the user of the API. (For instance, when a new variable is
allocated we would allocate the bounds data structure and then wrap every
write to the region with the bounds instruction.)

This could be implemented at a compiler level and significantly affect the
overall security. Thoughts?

--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?


On Tue, 11 Apr 2006 pageexec () freemail hu wrote:

Date: Tue, 11 Apr 2006 17:43:58 +0200
From: pageexec () freemail hu
To: dailydave <dailydave () lists immunitysec com>,
    "Knape, Joe" <joe.knape () cingular com>
Subject: RE: [Dailydave] We have met the enemy, and the enemy is ... you.

On 10 Apr 2006 at 16:13, Knape, Joe wrote:
My "group" has also been looking at a "suite" of products that includes
a "Memory Firewall" and "LiveShield" from a company called Determina.
They make some bold claims and I've been testing it in a lab setup but
I'd like to hear if anyone has been using it in a real-world
environment?

Determina's product is based on the research done at MIT under
the DynamoRIO project. google for "program shepherding" (and
the misspelled "sheperding" version) to find all you wanted to
know. in my opinion, program shepherding is the only other
technology that measures up to PaX, and for now it does even
more in fact (deterministic ret2libc attack prevention).

unfortunately source code has never been published, so some
claims of security cannot be verified (e.g., their research
paper mentions then unresolved issues with multithreaded apps).
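jnf's proposal above, compiler-inserted checks in the spirit of x86 BOUND and INTO, as an added C example that is not from this thread or from any product it names; the bounds descriptor and the `bounded_store`, `checked_add`, `fill_range` and `demo` names are constructed here. Because BOUND and INTO are not encodable in 64-bit mode, the overflow check uses the compiler builtin that tests the same overflow flag INTO would trap on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-allocation bounds descriptor, the analogue of the [lower, upper]
 * limit pair that BOUND reads from memory (constructed for this example). */
typedef struct {
    int32_t *base;
    size_t   count;   /* elements the region holds */
} bounded_region;

/* A store wrapped in a bounds check, as the compiler would wrap it with
 * BOUND: an out-of-range index is refused instead of corrupting a neighbour. */
bool bounded_store(bounded_region *r, size_t idx, int32_t value) {
    if (idx >= r->count)          /* BOUND would raise #BR here */
        return false;
    r->base[idx] = value;
    return true;
}

/* The INTO analogue: the builtin emits the add plus a test of the overflow
 * flag the CPU sets anyway, so the wrap is caught in the arithmetic itself. */
bool checked_add(int32_t a, int32_t b, int32_t *out) {
    return !__builtin_add_overflow(a, b, out);
}

/* Write `value` to indices [start, start+len). Returns the number of
 * elements written, -1 on a bad or overflowed length, -2 on a bad write. */
int fill_range(bounded_region *r, int32_t start, int32_t len, int32_t value) {
    int32_t end;
    if (start < 0 || len < 0 || !checked_add(start, len, &end))
        return -1;                /* INTO-style trap on the wrapped length */
    for (int32_t i = start; i < end; i++)
        if (!bounded_store(r, (size_t)i, value))
            return -2;            /* BOUND-style trap on the first bad write */
    return len;
}

/* Four-element constructed buffer so the checks can be exercised directly. */
int demo(int32_t start, int32_t len) {
    static int32_t buf[4];
    bounded_region r = { buf, 4 };
    return fill_range(&r, start, len, 0x41);
}

int main(void) {
    printf("in bounds:    %d\n", demo(1, 2));           /* 2 */
    printf("past end:     %d\n", demo(2, 5));           /* -2 */
    printf("int overflow: %d\n", demo(INT32_MAX, 1));   /* -1 */
    return 0;
}
```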
