Dailydave mailing list archives
Re: Fwd: RE: We have the enemy, and the enemy is... you
From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 13 Apr 2006 19:31:22 -0700
Olef Anderson wrote:
> Stop with that please! So you are telling me that your 10 person team (an optimistic estimate) will do a better job in hooking vulnerable functions at runtime in order to prevent exploitation, and will do a safer and better job than an MS hotfix (which is backed by probably the world's biggest QA department)?
Yes. Microsoft patches usually break 3rd party apps because they disable insecure functionality or add other security enhancements, like tightening permissions or introducing extra authentication checks. Of course if a HIPS vendor does the same, they will face the exact same issues as Microsoft. The difference is that a HIPS vendor can limit the scope of a hotpatch to a single vulnerable function and check for a clearly defined failure condition. For example, if you have a strcpy into a buffer on the stack, a simple strlen check before the strcpy will stop the vulnerability with no compatibility issues.

The bad reputation of runtime hooking and patching is mostly a result of poor implementations that are not thread safe, don't interoperate with other hookers, or even leave the entire process space RWX after hooking. These issues can be addressed during the design and development of the hooking engine. The limited QA time on Patch Tuesdays afterwards affects only the hotpatches (which are safe because of their very limited scope), not the entire engine (where most of the problems are found).

Disclaimer: I work for a HIPS vendor, so feel free to disregard anything I say.

Alex
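The strcpy/strlen case from the reply above, as an added illustration that is not code from the original thread or from any vendor's engine: a constructed stand-in for a vulnerable function, and a narrow-scope hook that checks one precise precondition before forwarding to it. The names (`copy_name_original`, `copy_name_hooked`, `probe_copy`), the 32-byte buffer size and the function-pointer redirection are all hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define NAME_BUF 32          /* hypothetical fixed stack buffer size */

/* Constructed stand-in for the vulnerable function: a fixed stack buffer
 * filled with strcpy, the exact pattern the message describes.  It must
 * only ever be reached through the hook below; calling it directly with an
 * oversized src is undefined behaviour (the bug being contained). */
static int copy_name_original(const char *src, char *out) {
    char buf[NAME_BUF];
    strcpy(buf, src);                 /* no bound: overflows if src is long */
    memcpy(out, buf, NAME_BUF);       /* hand the result back to the caller */
    return 0;
}

/* The hotpatch: one precondition check, then forward to the original.
 * The failure condition is precise (src plus its NUL does not fit in
 * NAME_BUF), so every input the original handled safely still reaches it
 * unchanged, which is why such a patch carries no compatibility cost. */
static int copy_name_hooked(const char *src, char *out) {
    if (src == NULL || strlen(src) >= NAME_BUF) {
        return -1;                    /* block only the exploitable condition */
    }
    return copy_name_original(src, out);
}

/* Mimics a hooking engine redirecting callers through the guard: callers
 * keep using the original signature and never see the indirection. */
typedef int (*copy_name_fn)(const char *, char *);
static copy_name_fn copy_name = copy_name_hooked;

/* Driver for testing the boundary: builds a constructed input of srclen
 * 'A' bytes, runs it through the hooked entry point and returns the
 * result (0 = copied, -1 = blocked).  A srclen of 0 with null_src set
 * exercises the NULL-pointer branch. */
int probe_copy(size_t srclen, int null_src) {
    static char src[256];
    char out[NAME_BUF];
    if (null_src) {
        return copy_name(NULL, out);
    }
    if (srclen > sizeof(src) - 1) {
        srclen = sizeof(src) - 1;     /* keep the constructed input in range */
    }
    memset(src, 'A', srclen);
    src[srclen] = '\0';
    return copy_name(src, out);
}
```

Inputs of up to 31 characters pass through to the original untouched; a 32-character input (which would write its terminator one byte past the buffer) and anything longer are refused before strcpy runs.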