[28815] in bugtraq
RE: Observation on randomization/rebiasing...
daemon@ATHENA.MIT.EDU (Michael Wojcik)
Thu Feb 6 15:13:48 2003
Message-ID: <75C025AE395F374B81F6416B1D4BDEFBEEBBB0@mtv-corpmail.microfocus.com>
From: Michael Wojcik <Michael.Wojcik@microfocus.com>
To: BugTraq <bugtraq@securityfocus.com>
Date: Thu, 6 Feb 2003 00:43:29 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
> From: Jason Coombs [mailto:jasonc@science.org]
> Sent: Wednesday, February 05, 2003 5:08 PM
> A properly security-hardened binary DOES NOT require support
> for arbitrary relocations, arbitrary dynamic library injection,
> arbitrary code injection resulting in new execute paths defined at
> run-time, and the type of programmability required by software
> developers. Once code has been compiled and linked, even when that
> code makes use of dynamic libraries, there is no longer any unknown.
There are plenty of examples of programs and libraries that by design load
and execute independently-developed code: browser plugins, ISAPI, and so
forth. Leaving aside for the moment the question of whether this is a Good
Thing, or whether it fits someone's definition of "a properly
security-hardened binary", it's certainly a popular approach. The security
community has not to date had much luck convincing users and programmers to
adopt even its uncontroversial recommendations; I doubt you'll get any
traction with this one.
Michael Wojcik
Principal Software Systems Developer, Micro Focus
