Bob Rogers wrote: > Heterogeneity increases survivability of the *species*, but does little > to protect the individual . . . > >I don't think that stands up, at least not for digital species. I can >run Apache on Linux/x86, for which tons of shellcode is available, or I >can run the same version of Apache on Linux/sparc, for which much less >is available, and exists within a smaller and more specialized >community.... > > . . . At most, you could say that running the most common system > makes you somewhat more vulnerable to attack, and you should take > that into consideration when planning your security. > These statements seem to agree. Is there a point? >Yes; and it would be interesting (though probably difficult) to quantify >that. > It is difficult to quantify just about any security benefit. > So heterogeneity is really just security by obscurity, dressed up to > sound pretty . . . > >Seems to me that obscurity is the *only* defence against exploits for >unpublished/unpatched vulnerabilities that are spreading in the cracker >community; if you can avoid being a target, by whatever means, then you >are ahead of the game. > Now that is just not true. All of the technologies in the previous thread (StackGuard, PointGuard, ProPolice, PaX, W^X, etc.) have some capacity to resist attacks based on unpublished/unpatched vulnerabilities. That is their entire purpose. Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 10:09:01 PDT