Bugtraq mailing list archives
Re: Preventing exploitation with rebasing
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 04 Feb 2003 17:48:43 -0800
Alan DeKok wrote:
With one other critical factor: Systems that can be *properly* criticized for being "security through obscurity" have the property that the "obscurity" factor is fixed at software release time, or earlier. Thus the attacker need only crack the key once, and then own thousands of copies.Brian Hatch <bugtraq () ifokr org> wrote:People keep saying "but it won't stop everything", and that's true.Exactly. Even DES isn't "perfectly" secure, (i.e. unbreakable). It *obfuscates* the data, but does not *secure* it. The benefit of DES is that it has a provable level of obfuscation. This takes the security versus obscurity argument from the realm of personal opinion to one of quantitative statements. We should have a similar goal for this discussion.
Systematic diversity (as explored by me <http://wirex.com/%7Ecrispin/crackerpatch.pdf>, Forrest et al, proposed in Bugtraq yesterday by Huang, and here in this thread) is qualitatively different in that the "key" (the degree of rebasing offset) can be chosen at runtime. If it is chosen with sufficient entropy, then it is as effective as a similar amount of entropy in your favorite crypto system. More, because with crypto the attacker can grind on your ciphertext off line, but with systematic diversity, the attacker has to grind on your machine, which you tend to notice sooner or later :-)
Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html Just say ".Nyet"
Attachment:
_bin
Description:
Current thread:
- RE: Preventing exploitation with rebasing, (continued)
- RE: Preventing exploitation with rebasing Jason Coombs (Feb 04)
- Re: Preventing exploitation with rebasing Charlie Root (Feb 05)
- Re: Preventing exploitation with rebasing David Litchfield (Feb 05)
- Re: [VulnDiscuss] Re: Preventing exploitation with rebasing Halvar Flake (Feb 05)
- Re: Preventing exploitation with rebasing Brian Hatch (Feb 05)
- Re: Preventing exploitation with rebasing Alan DeKok (Feb 05)
- Re: Can't Preventing exploitation with rebasing bugtraq (Feb 05)
- Re[2]: Can't Preventing exploitation with rebasing dullien (Feb 05)
- Observation on randomization/rebiasing... Nicholas Weaver (Feb 05)
- RE: Observation on randomization/rebiasing... Jason Coombs (Feb 05)
- Re: Preventing exploitation with rebasing Crispin Cowan (Feb 05)
- Re: Preventing exploitation with rebasing David S Goldberg (Feb 05)
- Re: Preventing exploitation with rebasing Alun Jones (Feb 05)
- Re: Preventing exploitation with rebasing Deus, Attonbitus (Feb 06)
- Re: Preventing exploitation with rebasing Bugtraq User (Feb 05)
- Re: Preventing exploitation with rebasing D.C. van Moolenbroek (Feb 05)
- Re: Preventing exploitation with rebasing Michal Zalewski (Feb 05)
- Re: Preventing exploitation with rebasing Todd Sabin (Feb 05)