Vulnerability Development mailing list archives

Re: ScriptGuard

From: ztang () WEBER LCS MIT EDU (Chon-Chon Tang)
Date: Tue, 16 May 2000 11:11:42 -0400

As you say, scripts can be written that appear obscured, and then
de-cloak themselves as they run.  The documentation on the
http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs
to have it's claims softened.  In particular, someone should explain
Alan Turing's Halting Problem to them :-)


Just to be pedantic, their claims aren't necessarily off.  In fact, they
claim to warn about any potentially "dangerous" code.  Certainly the
halting problem can be solved for the set of scripts that have no loops
(for example).  They can just warn for the set of scripts that do have
loops.

If their static analysis was sufficiently comprehensive, it should
definitely be a powerful tool.... probably overly conservative (rejecting
safe scripts, obviously)... but powerful.

I do question the part about it not being needed to be "updated".  What,
does it do a combination of natural language parsing of comments and
psycho-analysis to figure out that someone wrote a malicious script, even
if it's attempting to do something Script Guard has never seen?

Current thread:

Re: New worm?, (continued)
- Re: New worm? mick chang (May 04)
- Re: New worm? Rich Corbett (May 04)
- Re: New worm? Edwin Concepcion (May 04)
- Re: New worm? Todd C. Campbell (May 10)
- Re: New worm? Dan Schrader (May 11)
  - Re: New worm? Dimitry Andric (May 12)
    - Re: New worm? Thierry Zoller (Apr 13)
    - ScriptGuard Crispin Cowan (May 16)
    - Re: ScriptGuard Thierry Zoller (Mar 16)
    - Re: ScriptGuard Tim Wort (May 16)
    - Re: ScriptGuard Chon-Chon Tang (May 16)
    - warftpd exploit? Martin Ixter (May 16)
  - Re: New worm? Bernie Cosell (May 12)
  - ALERT: Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator (fwd) Bluefish (May 13)