Bugtraq mailing list archives
RE: Observation on randomization/rebiasing...
From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Thu, 6 Feb 2003 00:43:29 -0800
From: Jason Coombs [mailto:jasonc () science org] Sent: Wednesday, February 05, 2003 5:08 PM
A properly security-hardened binary DOES NOT require support for arbitrary relocations, arbitrary dynamic library injection, arbitrary code injection resulting in new execute paths defined at run-time, and the type of programmability required by software developers. Once code has been compiled and linked, even when that code makes use of dynamic libraries, there is no longer any unknown.
There are plenty of examples of programs and libraries that by design load and execute independently-developed code: browser plugins, ISAPI, and so forth. Leaving aside for the moment the question of whether this is a Good Thing, or whether it fits someone's definition of "a properly security-hardened binary", it's certainly a popular approach. The security community has not to date had much luck convincing users and programmers to adopt even its uncontroversial recommendations; I doubt you'll get any traction with this one. Michael Wojcik Principal Software Systems Developer, Micro Focus
Current thread:
- RE: Observation on randomization/rebiasing... Michael Wojcik (Feb 06)
- RE: Observation on randomization/rebiasing... Jason Coombs (Feb 06)