Dailydave mailing list archives
Re: more flotsam and jetsam
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 24 Aug 2004 15:31:41 -0400
(sometimes I have to force things public so people don't write software patents faster than I can write code, sorry)

On Tue, 2004-08-24 at 14:51, Someone Who May Remain anonymous wrote:
<stuff cut>
> The big problem that the HIPS guys don't handle is that code with security issues is written poorly to begin with. If you block an API that has a signature or hits an ACL, you may stop an intrusion, but if the application does not recover from the failed API call, it may go into la-la land.

I'm strictly host-based, network IPS is silly. Modeling is bad. It's like playing chess against someone who can only see their pieces. It works in theory, but it's a bad mindset to be in. (All of you who write NIPS for a living can feel free to rag on me for this. :>)

I agree you don't want to leave the API all nutty, but a MOSDEF-IPS signature can do rewriting as well, for example, truncating any string to a given length in a given C structure passed to an arbitrary function. (The C structures are parsed by the Python at signature installation time - this part is working already.) And even though MOSDEF-IPS is written in Python (and hence can be managed and updated over XML-RPC), the checks get compiled to assembly and run at normal speed. :> (So you'll pay O(N) for a strlen() check, but at C speeds and within the process, plus the complexity cost for an API hook, which is not completely trivial, but handle-able.)

The advantage of having MOSDEF do it is that you'll sometimes want to have a fairly complex class structure parsed and validated, and this becomes difficult to manage without a special purpose language that can compile down to shellcode. The other great thing is that you're not passing little binary patches all over the place. This is one thing that I liked about NASL checks - they can be peer reviewed to not be malicious. The downside is of course "It's not C" but someone could always get MOSDEF's LGPL cparse.py to a better place and fix that (actually, you can't work around the non-context freeness of C until Immunity ports lex.py and yacc.py to work in a non-academic setting, but that'll be soon).

-dave (one hammer, many nails)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
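An added example, not MOSDEF code and not from the original post, of the rewrite-rather-than-block idea in C: a hook wrapping a hypothetical API applies an installed rule that truncates a string field at a given byte offset of a C structure before forwarding the call, so the application receives a shortened string instead of a failed call it might not recover from. The names `struct request`, `rewrite_rule`, `real_process` and `hooked_process` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical structure the hooked function receives (constructed for this example). */
struct request {
    int   id;
    char  name[64];   /* the field a signature constrains */
    char *payload;    /* pointer field, not covered by this rule */
};

/* A rewrite rule as a signature would install it: where the string lives inside
 * the structure and how long it may be. Offsets would come from the parsed C
 * declaration at installation time; here offsetof() stands in for that step. */
struct rewrite_rule {
    size_t offset;   /* byte offset of the char array inside the struct */
    size_t max_len;  /* longest string (excluding NUL) the callee may see */
};

/* Truncate in place instead of failing the call. The scan is bounded by
 * max_len + 1 bytes, i.e. the O(N) strlen()-style cost paid at native speed.
 * Returns 1 if the rule fired (string was shortened), 0 otherwise. */
int hips_truncate_field(void *obj, const struct rewrite_rule *r) {
    char *s = (char *)obj + r->offset;
    size_t n = 0;
    while (n <= r->max_len && s[n] != '\0')
        n++;
    if (n <= r->max_len)      /* already within bounds, nothing rewritten */
        return 0;
    s[r->max_len] = '\0';     /* cut the string so the real function sees max_len bytes */
    return 1;
}

/* Stand-in for the arbitrary library function the hook wraps. */
static size_t real_process(struct request *req) { return strlen(req->name); }

/* Hooked entry point: apply the installed rule, then forward to the real function. */
size_t hooked_process(struct request *req) {
    static const struct rewrite_rule name_rule = { offsetof(struct request, name), 8 };
    hips_truncate_field(req, &name_rule);
    return real_process(req);
}

int main(void) {
    /* constructed input: a name longer than the 8 bytes the rule allows */
    struct request req = { 1, "a-very-long-name-from-the-network", NULL };
    printf("callee saw %zu bytes: %s\n", hooked_process(&req), req.name);
    return 0;
}
```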