[Fwd: FW: We have met the enemy, and the enemy is ... you.]

[Dave Aitel <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mailman dropped this one too.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEPl6fB8JNm+PA+iURAt0WAJ9aMHUJjjFjZVuSNlQWULKm5n4QSgCgqB+2
d76ccCKywYpNXWmfcoSYBGw=
=QSGs
-----END PGP SIGNATURE-----

> --- Begin Message ---
>
>
> From: "Murat Korkmaz" <m.korkmaz () determina com>
>
> Date: Wed, 12 Apr 2006 12:42:54 -0700
>
> FYI ..
>
> -----Original Message-----
> From: Murat Korkmaz 
> Sent: Wednesday, April 12, 2006 12:21 AM
> To: 'toby'; dailydave
> Subject: RE: [Dailydave] We have met the enemy, and the enemy is ...
> you.
>
> This is a very good point, indeed.
>
> That is why our product gives the complete snapshot of the CPU registers
> and the affected, should I say offended, memory at the time the attack
> and/or the anomalous behavior is detected, when one turns on the
> forensics flag in protection settings.
>
> Hope this answer your question.
>
> Murat Korkmaz
> Sr. Security Product Manager
>
> -----Original Message-----
> From: toby [mailto:toby00 () gmail com] 
> Sent: Tuesday, April 11, 2006 7:22 PM
> To: dailydave
> Subject: Re: [Dailydave] We have met the enemy, and the enemy is ...
> you.
>
> I can't tell you the number of times I've had to explain that
> "anomalous" != bad.
> Even for very well developed/tuned systems where it actually does, the
> worst thing I've run into with these products is that they really give
> horrible log data.
> With a NIDS you can at least get a complete packet trace. I'd love
> just once to see a HIDS/HIPS product that gave me something resembling
> a complete stack and execution trace along with all the various data
> bits (variables, arguments, file names, etc...) I need to properly
> figure out what it saw and whether it was right or not.
> Oh, they also seem to have a nasty tendency of not actually telling
> you what application requested some function from any of the core OS
> libraries or services. Which means that a rediculous amount of the
> time, you see a log entry that says svchost or explorer or csrss or
> rundll32, etc...
>
> <sigh> all you vendors out there, don't pay any attention to this, I
> only have a 150,000+ client environment that I have to use solutions
> like this for. It's not like there would be any real business ROI for
> you to listen and do something about these issues.
>
> t
>
> On 4/11/06, Dave Aitel <dave () immunityinc com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The major weakness with HIDS is still the extremely tiny market share
> > any of them has managed to get.  :>
> >
> > I would imagine one hard thing with a Determina type solution is any
> > kind of code that doesn't lend itself to modification or static
> > analysis. Python, PHP, .Net or Java code, for example, would be
> > extremely hard to profile looking at basic code blocks. And the
> > problem with any anomoly based system is that when something goes
> > wrong, you have no real way to describe to the user what went wrong or
> > why. So you end up on the signature treadmill again, taking every
> > basic block and applying little if statements to the end of them to
> > check for particular vulnerabilities - not because you can't protect
> > the machine already, but because you need to tell the user exactly
> > what is going on. And, of course, checking basic blocks doesn't
> > protect you at all from heap overflows or other techniques when used
> > to change variables themselves - it just prevents you from changing
> > execution path. But execution path and "give me admin" can be two
> > different things.
> >
> > It's potentially the lack of "completeness" and the managability
> > issues which are causing the market to say "Let's just wait for MS to
> > fix their own stuff".
> >
> > Just a few thoughts while everyone spends time debugging the thousand
> > and one IE bugs. :>
> >
> > - -dave
> >
> >
> > redsand wrote:
> >
> > > Black Security is also currently doing some audits on the Determina
> > > Software Suite. Nothing has come of it yet but hopefully some
> > > positive results will come out of our testing soon. Any
> > > information may/hopefully will make it to our blogs or a formal
> > > piece of documentation.
> > >
> > > In the sales meeting, a Determina rep even claimed that ISS had a
> > > hack for it but couldn't prove it.
> > >
> > > On Tue, 2006-04-11 at 17:43 +0200, pageexec () freemail hu wrote:
> > >
> > > > On 10 Apr 2006 at 16:13, Knape, Joe wrote:
> > > >
> > > > > My "group" has also been looking at a "suite" of products that
> > > > > includes a "Memory Firewall" and "LiveShield" from a company
> > > > > called Determina. They make some bold claims and I've been
> > > > > testing it in a lab setup but I'd like to hear if anyone has
> > > > > been using it in a real-world environment?
> > > >
> > > > Determina's product is based on the research done at MIT under
> > > > the DynamoRIO project. google for "program shepherding" (and the
> > > > mispelled "sheperding" version) to find all you wanted to know.
> > > > in my opinion, program shepherding is the only other technology
> > > > that measures up to PaX, and for now it does even more in fact
> > > > (deterministic ret2libc attack prevention).
> > > >
> > > > unfortunately source code has never been published, so some
> > > > claims of security cannot be verified (e.g., their research paper
> > > > mentions then unresolved issues with multithreaded apps).
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.1 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> >
> > iD8DBQFEO/4HB8JNm+PA+iURAjvEAKDQC4AeDTajGTRvGxG9U6c9YLLtrACfUQjk
> > DvcX/LaU2jBdhKfbD0UTmNE=
> > =QVro
> > -----END PGP SIGNATURE-----
>
> --- End Message ---