Dailydave mailing list archives

Re: stop the presses, security is solved!


From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 10 Jan 2007 17:33:25 -0000

On 10 January 2007 06:05, Arun Koshy wrote:

I'm seeing this post with fascination. Are we really this starved for
contrived humor or personal potshots that lead nowhere?

Very very few things in this world are original and elegant. 

  Which is why when somebody makes extraordinary claims to have achieved
fundamental breakthroughs, it is legitimate to point out that they are full of
humbug.  It's not just that their claims are smothered in marketing hype, it's
that once you've removed the hype they are either false or meaningless.  Or
both.  Take these claims:

" Not an ineffective behavior-based approach "

"Innervue is based on such internal activity as disk writes, page faults,
network access, internal exceptions and much more."

  That /is/ behaviour.

"this is all done without file scanning or overhead"

  Of course it involves overhead.  To claim that it doesn't is as garbage as
claiming to have invented a perpetual motion machine.

  When you read in depth, 

"The answer is to take a positive approach. At any one time the software on a
computer is fixed and is from well-known suppliers. Further, newly installed
software comes at predictable times and is under the user's control. It is a
much smaller and easier task to approve current and new valid software than to
identify all attacker software now and in the future. Greencastle takes this
positive approach."

you see that all they have done is reinvented some combination of whitelisting
and tripwire.

" New software is identified well before it even starts to run and then is
watched closely after it begins executing. "

  If they aren't using syscall hooking to do this, they aren't doing it
effectively, and if they are, their claims of stability and low overhead are
bogus.

"Greencastle is the first technology that goes to the level beneath which
attacks simply cannot go "

  If that's not syscall hooking, it's not the "level beneath which attacks
simply cannot go".  Actually, if that's not a hypervisor, it's not "the level
beneath which attacks simply cannot go".  And since attacks (currently only
POCs, AFAIK, but that's not the point) already have been demonstrated at the
syscall, hypervisor, ACPI and BIOS levels, there really is no such level.  So
either attacks can go beneath it, or it's not the first at whatever level it's
actually at.

  I'm also curious how all this "we prevent new executables from even being
launched" would help prevent a buffer overflow or other redirection of control
of an already-running thread in a white-listed application.

  At least if you read their own descriptions, there is nothing new or
original about any of it.  I'm sure it could stop idiots double-clicking
executables they've been emailed, and prevent malicious websites from forcing
an executable download via the browser, but that's nothing new.

  I remain to be proven wrong, but extraordinary claims require extraordinary
proof, and all we've seen here is very ordinary marketing.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
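To make the "whitelisting plus tripwire" reading of the Greencastle text concrete, here is an added example (not code from the list post or from the vendor): a hash allowlist of the software present at baseline, re-audited later to flag new, altered or missing files. The directory and file contents are constructed sample data. As the post notes, a check like this says nothing about control-flow hijacking inside a process that is already on the allowlist.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Whitelisting step: record every file currently under root (the
    'fixed, from well-known suppliers' set) keyed by relative path."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def audit(root: str, baseline: Dict[str, str]) -> Dict[str, Set[str]]:
    """Tripwire step: diff the current tree against the approved baseline."""
    current = build_baseline(root)
    return {
        "new": set(current) - set(baseline),
        "modified": {p for p in current if p in baseline and current[p] != baseline[p]},
        "missing": set(baseline) - set(current),
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: approve an install, then drop one unapproved
    binary and alter one approved library before re-auditing."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"approved program")
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"approved library")
        baseline = build_baseline(root)
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"unapproved program")
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"altered library")
        return audit(root, baseline)
```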

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave