[7588] in bugtraq
Re: A way to prevent buffer overflow exploits? (was: "Any user can
daemon@ATHENA.MIT.EDU (Jim Hebert)
Mon Aug 10 11:33:30 1998
Date: Sat, 8 Aug 1998 00:08:59 -0400
Reply-To: Jim Hebert <jhebert@COMPU-AID.COM>
From: Jim Hebert <jhebert@COMPU-AID.COM>
X-To: "Anil B. Somayaji" <soma@CS.UNM.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <ut23eb82x04.fsf@atropos.cs.unm.edu>
On Fri, 7 Aug 1998, Anil B. Somayaji wrote:
[much snipped]
> The main purpose of that paper was to discuss the fact that computer
> systems today are amazingly homogeneous at a binary level, and this
> lack of diversity leads to many of the security problems that we see.
> One cracker writing a script to break in to one machine is generally
> not a big deal; one cracker spreading a script on the net that can
> break into thousands of machines _is_ a problem.
With all due respect, because I really do believe you to be an intelligent
person, I have to disagree in part.
First off: Things that I can do on my machine to stop script kiddies, slow
them down, or even make it easy for me to catch klutzy script kiddies (e.g.
tripwire) are good. OTOH, the goal is not simply to stop script kiddies.
> We can avoid this by making computer systems unique - the trick is to
> do this while providing a uniform interface to users. We discussed
> several approaches in:
This stops the script kiddies, and O(zero) more, where O(zero) really is
my attempt to sum up the advantages of security through obscurity.
Saying "we need to make all these computers a little different from one
another" is really just saying "we need to obscure various details about
this computer that, when known, will make the attack possible again."
Again, yes, it's good if it stops script kiddies. Some people run domains
that are so low-on-the-totem-pole that any 31337 4@|<3|~ who's looking to
really land the big fish will bother. But both proprietary and open source
offerings are trying to win spots in "bet your business on this" lists,
and military contractors, nuclear research centers, and naval warships
to name 3 will regard things which "make it annoying to build the same
exploit that runs everywhere" (my rather rude characterization :-) as
being on the order of zero. Then again, maybe not, since the above named
things also think obscurity is a great security tool. =(
jim