Full Disclosure mailing list archives
Re: Gates: 'You don't need perfect code' for good security
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 03 Nov 2003 12:23:06 +1300
"Matthew Murphy" <mattmurphy () kc rr com> wrote: <<humungous snip>>
Really simple change MS could do that would instantly make ALL their software more secure (not secure but more secure than it is). Have it install to random paths. So instead of everyone knowing right where the directories are, each program would install to a random named directorylike/program files/program88475 where the number is random. Now things like codered would have failed along with dozens of other exploits that rely on knowing the path. So simple yet this thought has escaped MS thus far..Code Red wouldn't have failed -- possibly Nimda, but not Code Red. In addition, this kind of thing inhibits the ability to quickly reproduce changes on multiple machines -- essential for patching. And, if one was to install in such a manner, the information about the paths would have to be kept *somewhere* in order to locate the program again. Once again, the system is exploitable.
True, but it is not being suggested as a panacea or fix-all. It is yet another simple way to raise the bar. Don't install the OS into (C:)\WINDOWS (or \WINNT or other "too obvious" things like WIN2000, WIN2K, WINXP, etc, etc, etc) and relocate "critical" install directories such as "Program Files and so on. Yes, that information has to be stored in the registry and thus can (and must) be returned by all manner of APIs available to all manner of code, BUT it still beats lots of exploits "abstracted" from those APIs. For example, an awful lot of IE vulns can only be easily (and thus "usefully") leveraged because it is (well, was -- this is a Win9x example) easy to assume that any kind of program code that could be dropped into c:\windows\start menu\programs\startup would be run next startup. Finding the actual location of the startup folder was beyond the exploit because it was running in an environment that could not query the registry or other system APIs that would reveal the location. In short, it's about hardening against exploitation rather than about making a machine exploit proof as the latter is an ideal rather than a realistic goal. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Gates: 'You don't need perfect code' for good security, (continued)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Matthew Murphy (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Geoincidents (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Valdis . Kletnieks (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Dave Howe (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security George Capehart (Nov 04)
- Re: Gates: 'You don't need perfect code' for good security Nick FitzGerald (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Valdis . Kletnieks (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Frank Knobbe (Nov 02)
- Re: Gates: 'You don't need perfect code' forgood security Lan Guy (Nov 03)
- Re: Gates: 'You don't need perfect code' for good security Nick FitzGerald (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Darren Reed (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Cedric Blancher (Nov 02)
- Re: Gates: 'You don't need perfect code' for good security Valdis . Kletnieks (Nov 03)
- Re: Re: Gates: 'You don't need perfect code' for good security Gary E. Miller (Oct 31)