Dailydave mailing list archives
Re: Staying on the treadmill.
From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Tue, 14 Jul 2009 16:07:21 +0200
dave wrote:
People (this means you) like to think hard about game changing events in the world of hacking. But just staying on the treadmill of exploit after exploit can be a game changing event. For example, today you may have noticed that Intevydis (http://www.intevydis.com/vulndisco.shtml) released as part of their latest exploit pack, some exploits for all the major access point/mini-router firmwares. Not CSRF "exploits" or XSS "exploits". I mean "Here's a shell, now you get to install new programs and muck with the router's configuration" exploits. For a lot of people (not you) it's hard to care about such things. The inevitable ennui sets in: "oh, not another one", "that one is similar to one I found in 1992AD", "well, if you had good patch management that's the best you can do!", etc. etc. The magic is in finding each one of these things unique and special and worthy of attention.
... or, instead of being an exploit fetishist, one might try to design their network in such a way that a compromise of your network devices is not fatal. Same for PDF viewers, browsers, etc. and how you design your computer system.

Sure, it's cool to write exploits -- that always impresses people. We also do that at ITL. E.g. we will be showing a couple of VM escape exploits during our upcoming virtualization training (and we really are excited about those exploits!), but the whole point is to illustrate how a good design (in that particular case of your hypervisor) and new technologies (e.g. VT-d or TXT) can mitigate a problem of exploits, even if we cannot find and patch them all.

I think one should not forget that an exploit, no matter how cool, is only an illustration of a problem. The actual solutions often have nothing to do with how exploits are written. Do you really think VT-d designers were heap-overflow ninjas? I doubt.

joanna.