lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 21 Aug 2003 20:56:51 -0700
From: Crispin Cowan <crispin@...unix.com>
To: Bob Rogers <rogers-bt2@...jr.dyndns.org>
Cc: "BUGTRAQ@...URITYFOCUS.COM" <BUGTRAQ@...URITYFOCUS.COM>
Subject: Re: Heterogeneity as a form of obscurity, and its usefulness


Bob Rogers wrote:

>   Heterogeneity increases survivability of the *species*, but does little 
>   to protect the individual . . .
>
>I don't think that stands up, at least not for digital species.  I can
>run Apache on Linux/x86, for which tons of shellcode is available, or I
>can run the same version of Apache on Linux/sparc, for which much less
>is available, and exists within a smaller and more specialized
>community....
>
>   . . . At most, you could say that running the most common system
>   makes you somewhat more vulnerable to attack, and you should take
>   that into consideration when planning your security.
>
These statements seem to agree. Is there a point?

>Yes; and it would be interesting (though probably difficult) to quantify
>that.
>
It is difficult to quantify just about any security benefit.

>   So heterogeneity is really just security by obscurity, dressed up to
>   sound pretty . . .
>
>Seems to me that obscurity is the *only* defence against exploits for
>unpublished/unpatched vulnerabilities that are spreading in the cracker
>community; if you can avoid being a target, by whatever means, then you
>are ahead of the game.
>
Now that is just not true. All of the technologies in the previous 
thread (StackGuard, PointGuard, ProPolice, PaX, W^X, etc.) have some 
capacity to resist attacks based on unpublished/unpatched 
vulnerabilities. That is their entire purpose.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ