Dailydave mailing list archives

Re: more flotsam and jetsam


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 24 Aug 2004 15:31:41 -0400

(sometimes I have to force things public so people don't write software
patents faster than I can write code, sorry)

On Tue, 2004-08-24 at 14:51, Someone Who May Remain anonymous wrote:
<stuff cut>
> The big problem that the HIPS guys don't handle is
> that code with security issues is written poorly
> to begin with. If you block an API that has a signature
> or hits an ACL, you may stop an intrusion, but if the
> application does not recover from the failed API call,
> it may go into la-la land.

I'm strictly host-based, network IPS is silly. Modeling is bad. It's
like playing chess against someone who can only see their pieces. It
works in theory, but it's a bad mindset to be in. (All of you who write
NIPS for a living can feel free to rag on me for this. :>)

I agree you don't want to leave the API all nutty, but a MOSDEF-IPS
signature can do rewriting as well, for example, truncating any string
to a given length in a given C structure passed to an arbitrary
function. (The C structures are parsed by the Python at signature
installation time - this part is working already).

And even though MOSDEF-IPS is written in Python (and hence can be
managed and updated over XML-RPC), the checks get compiled to assembly
and run at normal speed. :>

(So you'll pay O(N) for a strlen() check, but at C speeds and within the
process, plus the complexity cost for an API hook, which is not
completely trivial, but handle-able).

The advantage of having MOSDEF do it is that you'll sometimes want to
have a fairly complex class structure parsed and validated, and this
becomes difficult to manage without a special purpose language that can
compile down to shellcode. The other great thing is that you're not
passing little binary patches all over the place. This is one thing
that I liked about NASL checks - they can be peer reviewed to not be
malicious. The downside is of course "It's not C" but someone could
always get MOSDEF's LGPL cparse.py to a better place and fix that
(actually, you can't work around the non-context freeness of C until
Immunity ports lex.py and yacc.py to work in a non-academic setting, but
that'll be soon).

-dave
(one hammer, many nails)
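As an added illustration of the rewriting signature described in the post (this is not MOSDEF code and not from the original message), here is a C sketch of an in-process API hook that bounds a string field inside a C struct and then lets the real call proceed, so the application never sees a failed API call. The struct layout, the length limit and all function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record type: the C structure the signature parses. */
struct user_record {
    int  id;
    char name[64];     /* the string field the signature bounds */
    int  flags;
};

/* Policy for this example: name may carry at most 15 characters. */
#define NAME_MAX_LEN 15

/* Bounded length scan: never reads past cap, so an unterminated
 * field is reported as cap rather than running off the struct. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Stand-in for the API being hooked: returns the length it processed. */
static size_t original_register_user(struct user_record *rec)
{
    return bounded_len(rec->name, sizeof rec->name);
}

/* Callers reach the API through this pointer; hooking swaps the target. */
static size_t (*register_user_target)(struct user_record *) = original_register_user;
static unsigned long rewrites = 0;   /* how often the signature fired (for logging/alerting) */

/* Rewriting hook: O(N) check in-process, truncate in place, then forward. */
static size_t hooked_register_user(struct user_record *rec)
{
    if (bounded_len(rec->name, sizeof rec->name) > NAME_MAX_LEN) {
        rec->name[NAME_MAX_LEN] = '\0';   /* also terminates an unterminated field */
        rewrites++;
    }
    return original_register_user(rec);
}

/* Entry point the application calls. */
size_t register_user(struct user_record *rec) { return register_user_target(rec); }

void install_signature(void) { register_user_target = hooked_register_user; }
void remove_signature(void)  { register_user_target = original_register_user; }
unsigned long rewrite_count(void) { return rewrites; }

/* Constructed input: a name field filled with no terminator at all. */
void fill_unterminated(struct user_record *rec)
{
    memset(rec, 0, sizeof *rec);
    memset(rec->name, 'A', sizeof rec->name);
}
```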


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave