Home page logo

basics logo Security Basics mailing list archives

Re: considerations about exploits tricks
From: krymson () gmail com
Date: 5 Nov 2007 21:38:58 -0000

Can we defeat overflows? Well, sure, but one (or both) of three things need to happen. First, you need to teach every 
software programmer and engineer how to properly bound their code. Second, you need to write a program that will 
inspect and intelligently decide whether code in memory needs to be bounded. Good luck with that. Or three, randomize 
memory so much that an attacker can't predict it. 

This last piece is where a lot of progress has been made, but who is to say we even know about all the possible 
overflows that may happen? In 3 years, will some new technique be discovered? Will some new programming or technology 
recover old overflows we thought were fixed?

Let alone everything else about security such as the people as others have already mentioned. We can't win the whole 
battle against attackers, but we can be successful in our defenses and risk management. And the OS dramatically changes 
often, due to economics and human technological progress...which can usher in whole new classes of vulns...

If you want to think otherwise, I will point to teen pregnancy, murder, and drug use as other evils, and ask you why 
we've not "solved" these issues to the point that they are eradicated and the battle won...

<- snip ->

I wonder about security holes which are still present in our OS, which let attackers take over control. I have heard 
about PAX system, ProPolice and other, which in consolidation should well defend system against attacks like buffer 
overflow. Is it not enough? Can't we really win the battle against buffer overflow and heap overflow?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]