Date: Thu, 2 Sep 2010 13:15:12 -0700
From: coderman <coderman@...il.com>
To: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL hijacking with Autorun on a USB drive

On Thu, Sep 2, 2010 at 11:47 AM, Pavel Kankovsky
<peak@...o.troja.mff.cuni.cz> wrote:
> ...
> If your OS's security model "understands" programs and data belong in
> different security domains then every instruction of code on your computer
> is trusted to enforce that policy. Your line of defence goes through every
> program and any bug can breach it. The failure is inevitable. [1]
>
> [1] ... "The Inevitability of Failure: The Flawed
> Assumption of Security in Modern Computing Environments"

there are some useful mitigations around these inevitable failures,
  http://qubes-os.org/Architecture.html is an example of isolation
rather than correctness i've liked since NetTop wrapped RSBAC policy
around vmware guest isolation...

defense in depth loves company, so application correctness, in
addition to NX / other hw protections on guest/host, in addition to
virtual machine isolation, in addition to RSBAC constraints, in
addition to ... are all useful and can be combined in many ways to fit
various threat models and usability requirements.

this is "hard" to design, implement, and maintain compared to the
cheap and slutty coding and configuration pervasively deployed in our
current reality, however.  don't hold your breath; just stay ahead of
all the other low hanging fruit running un-patched, un-managed Windows
installs.
