Re: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

From: Crispin Cowan (crispin@private)
Date: Tue Oct 07 2003 - 12:31:41 PDT


    Zot O'Connor wrote:
    
    >On Tue, 2003-10-07 at 09:26, John McHugh wrote:
    >
    >>Among other things, this seeks ways to create large numbers of variants 
    >>of functionally equivalent programs.  Suppose that there were 1000 
    >>different versions of, say, IIS, each requiring a different buffer 
    >>overflow exploit, but appearing identical in function and performance 
    >>to the user.  Now, the developer of a new exploit must develop the 1000 
    >>variations and launch them simultaneously.  In addition, each variant 
    >>will have a 1000 times more difficult task in propagating.
    >
    >I have often wondered about this approach.  It is sort of like the canary
    >from StackGuard (CFIAPM) combined with the "roll your own" philosophy of
    >some Linux folks.  By placing randomness throughout the build process
    >you might mitigate the impact of the overflows, though I am not sure to
    >what extent the randomness would have to be.  While shifting code around
    >would disturb the pattern, it is unlikely to remove the overflow.
    >
    This paper is my general view on the relative effectiveness of 
    randomization for diversity's sake:
    
        "The Cracker Patch Choice: An Analysis of Post Hoc Security
        Techniques".  Crispin Cowan, Heather Hinton, Calton Pu, and Jonathan
        Walpole.  Presented at the National Information Systems Security
        Conference (NISSC) <http://csrc.nist.gov/nissc/>, Baltimore MD,
        October 16-19 2000. PDF
        <http://immunix.com/%7Ecrispin/crackerpatch.pdf>.
    
    Basically, I spent 4 years trying to make the randomization effect work 
    for intrusion prevention, and in every case I found a more adroit hack 
    that worked better. This is where the Immunix tool suite came from.
    
    You can also read about it in this bugtraq thread 
    http://lists.insecure.org/lists/bugtraq/2003/Aug/index.html#329
    
    On the other hand, here is a surprisingly effective instance of address 
    space randomization, presented this week at the SRDS 
    <http://srds2003.cnuce.cnr.it/> conference:
    
        Jun Xu, Zbigniew Kalbarczyk and Ravishankar K. Iyer. Transparent
        Runtime Randomization for Security.
        <http://www.crhc.uiuc.edu/%7Ejunxu/Papers/SRDS2003_final_trr.pdf> To
        appear in /Proc. of 22nd Symposium on Reliable and Distributed
        Systems (SRDS)/, Florence, Italy, October 6-8, 2003.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
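A small model of the diversity argument quoted above, added here as an illustration (it is not code from the thread, from StackGuard or from Immunix). It assumes V build variants, hosts assigned to variants round-robin (a constructed population), a payload that only works on the variant it was built for, and a miss that crashes the target. It shows the two effects discussed: one payload now compromises only 1/V of hosts, and an attacker who carries all V payloads pays (V+1)/2 attempts per host, each miss leaving a crash a defender can detect, while, as Zot notes, the overflow itself is still there.

```python
"""Model of N-variant program diversity against a layout-dependent overflow."""
from dataclasses import dataclass


@dataclass
class Host:
    variant: int            # which of the V build variants this host runs
    compromised: bool = False
    crashes: int = 0        # failed attempts; each one crashes the service


def build_population(n_hosts, n_variants):
    """Constructed population: host i runs variant i mod V (uniform spread)."""
    return [Host(i % n_variants) for i in range(n_hosts)]


def attempt(host, assumed_variant):
    """A payload built for one variant only works on that variant.
    On any other variant the corrupted stack just crashes the process."""
    if host.variant == assumed_variant:
        host.compromised = True
        return True
    host.crashes += 1
    return False


def single_payload_attack(hosts, assumed_variant):
    """Worm-style attack carrying one payload; returns hosts compromised."""
    for h in hosts:
        attempt(h, assumed_variant)
    return sum(h.compromised for h in hosts)


def all_payloads_attack(hosts, n_variants):
    """Attacker carries every variant's payload and tries them in order.
    Returns the total number of attempts (each miss is a visible crash)."""
    total_attempts = 0
    for h in hosts:
        for v in range(n_variants):
            total_attempts += 1
            if attempt(h, v):
                break
    return total_attempts


def crash_count(hosts):
    """Crash events a host-based detector would see across the population."""
    return sum(h.crashes for h in hosts)


if __name__ == "__main__":
    pop = build_population(1000, 10)
    print("one payload, 10 variants:", single_payload_attack(pop, 3), "hosts,",
          crash_count(pop), "crashes")
    pop = build_population(1000, 10)
    print("all payloads, 10 variants:", all_payloads_attack(pop, 10),
          "attempts,", crash_count(pop), "crashes")
```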
    



    This archive was generated by hypermail 2b30 : Tue Oct 07 2003 - 13:09:12 PDT