Dailydave mailing list archives

Re: Fwd: RE: We have the enemy, and the enemy is... you


From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 13 Apr 2006 19:31:22 -0700

Olef Anderson wrote:
Stop with that please! So you are telling me that your 10
person team (an optimistic estimate) will do a better job in hooking
vulnerable functions at runtime in order to prevent exploitation and will
do a safer and better job than a MS hotfix (which is backed by probably
the world's biggest QA department)?

Yes.

Microsoft patches usually break 3rd party apps because they disable insecure
functionality or add other security enhancements, like tightening permissions or
introducing extra authentication checks.

Of course if a HIPS vendor does the same, they will face the exact same issues
as Microsoft. The difference is that a HIPS vendor can limit the scope of a
hotpatch to a single vulnerable function and check for a clearly defined failure
condition. For example, if you have a strcpy into a buffer on the stack, a
simple strlen check before the strcpy will stop the vulnerability with no
compatibility issues.

The bad reputation of runtime hooking and patching is mostly a result of poor
implementations that are not thread safe, don't interoperate with other hookers,
or even leave the entire process space RWX after hooking. These issues can be
addressed during the design and development of the hooking engine. The limited
QA time on Patch Tuesdays afterwards affects only the hotpatches (which are
safe because of their very limited scope), not the entire engine (where most of
the problems are found).

Disclaimer: I work for a HIPS vendor, so feel free to disregard anything I say.

Alex
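
The narrowly scoped hotpatch Alex describes (a strlen check in front of a strcpy into a stack buffer), shown as an added example that is not code from the thread or from any HIPS vendor. The function names, the 32-byte buffer and the sample inputs are all constructed for illustration; a real hooking engine rewrites the target function's entry to jump to the patched version in-process, whereas here that detour is simulated with a function pointer so the example compiles and runs anywhere.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* constructed fixed-size stack buffer */

/* Number of calls the hotpatch refused; exported so a test can read it. */
int blocked_count = 0;

/* Original, unpatched handler: constructed instance of the bug class in the
 * message (strcpy into a fixed stack buffer, no length check). It is never
 * reached with oversized input once the hotpatch is installed. */
static int handle_name_original(const char *input)
{
    char name[NAME_BUF];
    strcpy(name, input);               /* overflows when strlen(input) >= NAME_BUF */
    return (int)strlen(name);
}

/* The single, clearly defined failure condition the hotpatch tests:
 * the copy (plus its terminating NUL) would not fit in the buffer. */
int name_would_overflow(const char *input)
{
    return strlen(input) >= NAME_BUF;
}

/* The hotpatch: same signature as the original, checks the failure condition
 * first, and only falls through to the untouched original when the copy is
 * safe. Nothing else about the function's behaviour changes. */
int handle_name_hotpatched(const char *input)
{
    if (name_would_overflow(input)) {
        blocked_count++;
        fprintf(stderr, "hotpatch: refused %zu-byte name (limit %d)\n",
                strlen(input), NAME_BUF - 1);
        return -1;                     /* report and refuse instead of overflowing */
    }
    return handle_name_original(input);
}

/* Stand-in for the hook engine's detour (simulated with a function pointer). */
typedef int (*name_handler_fn)(const char *);
static name_handler_fn handle_name = handle_name_original;

void install_hotpatch(void) { handle_name = handle_name_hotpatched; }
void remove_hotpatch(void)  { handle_name = handle_name_original; }

/* Application entry point that calls whatever handler is currently installed. */
int process_name(const char *input) { return handle_name(input); }

/* Constructed sample inputs: well under, exactly at, one over, and far over the limit. */
const char SAMPLE_SHORT[] = "alice";
const char SAMPLE_EDGE[]  = "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "B";           /* 31 bytes: fits */
const char SAMPLE_FULL[]  = "CCCCCCCCCC" "CCCCCCCCCC" "CCCCCCCCCC" "CC";          /* 32 bytes: blocked */
const char SAMPLE_LONG[]  = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAA"; /* 48 bytes: blocked */

/* Installs the patch, runs the samples through the patched path, and returns
 * how many were refused. */
int run_samples(void)
{
    const char *samples[] = { SAMPLE_SHORT, SAMPLE_EDGE, SAMPLE_FULL, SAMPLE_LONG };
    size_t i;

    blocked_count = 0;
    install_hotpatch();
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("process_name(%zu bytes) -> %d\n", strlen(samples[i]), process_name(samples[i]));
    remove_hotpatch();
    return blocked_count;
}

int main(void)
{
    printf("blocked %d of 4 sample inputs\n", run_samples());
    return 0;
}
```

The patched function touches nothing but its own argument check, which is why it carries none of the compatibility risk of a fix that disables functionality or tightens permissions; the thread safety and interoperability concerns the message raises belong to the engine that installs the detour, not to this per-vulnerability check.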
