lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 18 Aug 2003 09:09:45 +1000
From: Shaun Clowes <shaun@...urereality.com.au>
To: Crispin Cowan <crispin@...unix.com>
Cc: "BUGTRAQ@...URITYFOCUS.COM" <BUGTRAQ@...URITYFOCUS.COM>
Subject: Re: Buffer overflow prevention


On Fri, Aug 15, 2003 at 11:48:14AM -0700, Crispin Cowan wrote:
> Shaun Clowes wrote:
> 
> >Perhaps I'm the only one who feels this way, but I believe that the vast
> >majority of the exploitation of systems is being performed by people
> >with no knowledge of how to write an exploit and that the vast majority
> >of exploits are fragile. Doing anything that makes you different from
> >every other installation of Linux/HPUX/Solaris/InsertOSHere will
> >drastically decrease the changes of any point and click exploit working
> >against you.
> >
> >Could a determined (and knowledgable) attacker still get through? Sure.
> >But if we're talking protections that take very little effort to
> >implement, have a minor performance impact and will save your
> >skin some of the time, it's obvious that it's worth deploying them. As
> >long as you're not kidding yourself that you're then totally secure.
> >
> Exactly: trivial changes will protect you from script kiddies. 
> Non-bypassability is required to protect you from determined attackers. 
> It depends on your threat model: how much will a penetration event cost 
> you? What is it worth to someone to hack you?

Well, you've immediately eliminated 90% or more of the threat, so it's a
good start. In any case, if we are talking about the famous determined
attacker it's reasonable to assume that they are going to get you no
matter what you do and that you need to carefully consider methods of
reducing the damage from intrusion (rather than betting on stopping the
intrusion all together).

> >Its kind of reminiscent of that old joke about the two guys running away
> >from the lion. You don't have to beat the lion, just the other person. 
> >
> But if you taste better (you are a bank and he is a basement RH box) 
> then the lion may choose to chase you anyway.

If I'm the bank I'm probably running Solaris, HP-UX, AIX, Irix etc, in
which case I don't even have the option of PaX etc. I would deploy any
kind of protection technology I could find (including non-executable
stack, moved library images etc). 

There is no such thing as a perfect protection, and most of the
protection technologies that have been discussed in this thread are
worth considering. It would seem most pragmatic to deploy whatever you
can in your environment.

I think it's generally accepted that homogenity breeds insecurity, in
which case it makes sense to try to be as different from everyone else
as possible even if that doesn't make it impossible for someone to break
you.

Cheers,
Shaun

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ