Bugtraq mailing list archives
RE: Preventing exploitation with rebasing
From: "Jason Coombs" <jasonc () science org>
Date: Thu, 6 Feb 2003 10:23:00 -1000
We expect software developers to test their products before shipping them, but we don't require any proof they have done so. If the developer has never executed each potential path through their code, why should we run it as field testers when our desire instead is to be customers who rely on trustworthy products? As customers we should not pay for products that are being tested on us. We should pay for products that have already been tested, and we should be given the results of that testing to use as a tool of security auditing and threat containment. A system of forensic profiling for compiled code would enable numerous countermeasures to the threats that arise today out of the necessity to leave our microprocessors and OS APIs open to arbitrary utilization. These resources can and should be closed to the run-time execution of code that does not have an accompanying forensic profile created by the developer as they carefully tested each logical path through the authentic compiled product. With such a fundamental shift in the way that we receive and use software from developers, rebasing and other techniques to randomize the run-time execution environment would be unnecessary because we would have the tools and the information necessary to reign in our microprocessors and OS APIs. Arbitrary malicious code can cause a CPU to do math, but it can't cause a CPU to do harm unless it is able to communicate with or control a willing victim (such as a device driver). Jason Coombs jasonc () science org
Current thread:
- Re: Preventing exploitation with rebasing, (continued)
- Re: Preventing exploitation with rebasing David Litchfield (Feb 05)
- Re: Preventing exploitation with rebasing Bugtraq User (Feb 05)
- Re: Preventing exploitation with rebasing D.C. van Moolenbroek (Feb 05)
- Re: Preventing exploitation with rebasing Michal Zalewski (Feb 05)
- Re: Preventing exploitation with rebasing Todd Sabin (Feb 05)
- Re: Preventing exploitation with rebasing Seth Breidbart (Feb 06)
- Re: Preventing exploitation with rebasing Richard Moore (Feb 06)
- Re: Preventing exploitation with rebasing Carolyn Meinel (Feb 07)
- Re: Preventing exploitation with rebasing David Litchfield (Feb 05)
- Re: Preventing exploitation with rebasing Dave Aitel (Feb 05)
- Preventing exploitation with rebasing Fred Cohen (Feb 06)
- RE: Preventing exploitation with rebasing Jason Coombs (Feb 07)
- RE: Preventing exploitation with rebasing Ilya Dubinsky (Feb 07)