[28748] in bugtraq
Re: Preventing exploitation with rebasing
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Torbj=F6rn_Hovmark?)
Tue Feb 4 14:53:13 2003
Message-ID: <010401c2cc55$bf9e1510$fe87a8c0@fujitsu>
From: =?iso-8859-1?Q?Torbj=F6rn_Hovmark?= <torbjorn.hovmark@abtrusion.com>
To: "David Litchfield" <david@ngssoftware.com>, <bugtraq@securityfocus.com>
Date: Tue, 4 Feb 2003 15:00:17 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Hi David,
> [...] Eventually I've rebased all of the DLLs used by SQL Server mutating
> it's "genetic code", making it considerably different to any other SQL
> Server install on the planet. In fact if I rebase every DLL on my system
and
> every executable then I can make my box almost invulnerable to a given
> exploit, past, present or future.
The idea is very elegant (in fact we have planned to include a variation of
it in an upcoming product), but unfortunately it will not work very well
with system DLLs. Many Windows system DLLs can't be safely rebased. Although
they include relocation information, they make assumptions about where in
memory they (or other system DLLs) will be loaded. Essentially, if you
rebase some of the system DLLs, your system will become unstable or will
fail to start. Also, many exes do not include relocation information at all
(since exes are loaded first they are not supposed to be relocated in normal
operation). You will not be able to rebase them either.
Best regards,
Torbjörn Hovmark
______________________________________
Abtrusion Security AB
- next generation intrusion protection
http://www.abtrusion.com
