mailing list archives
Re: considerations about exploits tricks
From: krymson () gmail com
Date: 5 Nov 2007 21:38:58 -0000
Can we defeat overflows? Well, sure, but one (or both) of three things need to happen. First, you need to teach every
software programmer and engineer how to properly bound their code. Second, you need to write a program that will
inspect and intelligently decide whether code in memory needs to be bounded. Good luck with that. Or three, randomize
memory so much that an attacker can't predict it.
This last piece is where a lot of progress has been made, but who is to say we even know about all the possible
overflows that may happen? In 3 years, will some new technique be discovered? Will some new programming or technology
recover old overflows we thought were fixed?
Let alone everything else about security such as the people as others have already mentioned. We can't win the whole
battle against attackers, but we can be successful in our defenses and risk management. And the OS dramatically changes
often, due to economics and human technological progress...which can usher in whole new classes of vulns...
If you want to think otherwise, I will point to teen pregnancy, murder, and drug use as other evils, and ask you why
we've not "solved" these issues to the point that they are eradicated and the battle won...
<- snip ->
I wonder about security holes which are still present in our OS, which let attackers take over control. I have heard
about PAX system, ProPolice and other, which in consolidation should well defend system against attacks like buffer
overflow. Is it not enough? Can't we really win the battle against buffer overflow and heap overflow?