Penetration Testing mailing list archives
Re: Exploiting code: The Future
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Sat, 24 Jun 2006 15:13:04 +0200
Salut,

On Fri, 2006-06-23 at 13:13 +0800, Mike Gilligan wrote:
> Stack and heap based overflows were the traditional methods of exploiting
> C/C++ code. Then the previously unknown Format string attacks were brought
> to the community's attention around 2000. Is it likely that in 5 years time
> or sooner we will be talking about an as-yet unknown form of exploitation
> or have we exhausted all methods of attacking C/C++ based code/apps?

There is in fact already a variety of different attack vectors, such as input validation issues, insufficient authentication verification (Hello, DTAG), signal handler vulnerabilities (Ok, those are related to double free attacks most of the time), etc.

Alan Turing taught us that there is no limit to what can be done with a "Turing complete" programming language. Consequently, the amount of things that can be done wrong is probably infinite.

Tonnerre
--
SyGroup GmbH                  Tonnerre Lombard
Loesungen mit System          Tel:+41 61 333 80 33
Roeschenzerstrasse 9          Fax:+41 61 383 14 67
4153 Reinach                  Web:www.sygroup.ch
tonnerre.lombard () sygroup ch