Bugtraq mailing list archives

Re: Preventing exploitation with rebasing

From: Carolyn Meinel <cmeinel () techbroker com>
Date: Thu, 6 Feb 2003 15:29:47 -0800

On Wednesday 05 February 2003 16:07, Seth Breidbart wrote:

Even under the assumption that locations aren't re-used, it's
provably impossible (Turing-complete) to determine whether the
contents of a location can be used as an address by a program.


Would that be more accurately not impossible, but "intractable"? With a 
small enough and simple enough program it is possible to analyze 
whether its implementation on a Turing Machine will reach a halting 
point. What the Turing Machine Halting Problem proves is that for an 
arbitrary tape, calculation of the upper bound on the number of moves 
the read-write head must make to determine whether there is a halting 
state is an "intractable" problem.

What this rebasing discussion comes down to is: to what extent may one 
simplify operation of a program by limiting inputs by obfuscating ports 
(as defined in finite state machine theory, a subset of the Turing 
Machine) that could accept input of exploits?

Better yet, how about eliminating buffer overflow-generated ports by 
using a programming language that doesn't automagically lend itself to 
buffer overflows? There are, after all, languages other than C and 
Fortran, and memory is no longer ferrite cores strung together with 
copper wires by Taiwanese ladies and leased, not sold, by IBM. So we 
don't really need the extreme and bug-prone measures of yesteryear to 
save on RAM use.

Using more modern languages can also reduce the temptation to reuse 
crufty code:)

Two excellent books relevant to this discussion are "Building Secure 
Software" by Viega and McGraw, and "Computers and Intractability" by 
Garey and Johnson.

-- 
"I see in the near future a crisis approaching that unnerves me and 
causes me to tremble for the safety of my country. As a result of the 
war, corporations have been enthroned and an era of corruption in high 
places will follow, and the money power of the country will endeavor to 
prolong its reign by working on the prejudices of the people until all 
wealth is aggregated in a few hands, and the Republic is destroyed."
-- Abraham Lincoln in a letter to William F. Elkins, Nov 21st, 1864

505-281-9675
http://techbroker.com
http://happyhacker.org

Gravity. It's not just a good idea. It's the law.

Current thread:

Re: Preventing exploitation with rebasing, (continued)
- - - Re: Preventing exploitation with rebasing Deus, Attonbitus (Feb 06)
  - RE: Preventing exploitation with rebasing Riley Hassell (Feb 05)
  - Re: [VulnDiscuss] Preventing exploitation with rebasing Michal Zalewski (Feb 05)
- Re: Preventing exploitation with rebasing David Litchfield (Feb 05)
  - Re: Preventing exploitation with rebasing Bugtraq User (Feb 05)
  - Re: Preventing exploitation with rebasing D.C. van Moolenbroek (Feb 05)
  - Re: Preventing exploitation with rebasing Michal Zalewski (Feb 05)
  - Re: Preventing exploitation with rebasing Todd Sabin (Feb 05)
    - Re: Preventing exploitation with rebasing Seth Breidbart (Feb 06)
    - Re: Preventing exploitation with rebasing Richard Moore (Feb 06)
    - Re: Preventing exploitation with rebasing Carolyn Meinel (Feb 07)
- Re: Preventing exploitation with rebasing Dave Aitel (Feb 05)
- Preventing exploitation with rebasing Fred Cohen (Feb 06)
  - RE: Preventing exploitation with rebasing Jason Coombs (Feb 07)
- RE: Preventing exploitation with rebasing Ilya Dubinsky (Feb 07)