[31223] in bugtraq
Re: Need help. Proof of concept 100% security.
daemon@ATHENA.MIT.EDU (Nicholas Weaver)
Fri Aug 15 15:58:15 2003
Date: Fri, 15 Aug 2003 10:48:12 -0700
From: Nicholas Weaver <nweaver@CS.berkeley.edu>
To: Balwinder Singh <balwinder@gmx.net>
Message-ID: <20030815104812.A2020@ring.CS.Berkeley.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1061220294.1744.59.camel@limit.tm.org>; from balwinder@gmx.net on Mon, Aug 18, 2003 at 08:54:54PM +0530
On Mon, Aug 18, 2003 at 08:54:54PM +0530, Balwinder Singh composed:
> Hi All,
>
> I have developed an application, which I believe can provide 100%
> security against various attacks.I can hear people laughing. Hmm..
> The applications is called Execution Flow Control (EFC).
> Details of software can be found at http://203.197.88.14/efc
You are doing system call monitoring based on a program model, and
killing programs which deviate, assuming I read the documentation
correctly...
A: You have false positives unless you generate this database through
program analysis or some other technique. "Security" procedures which
make systems less reliable are only rarely acceptable.
B: This has been done, based on program analysis, traces, and a whole
host of other techniques. Probably the best example based on program
analysis is
"Intrusion Detection via Static Analysis"
David Wagner and Drew Dean:
http://www.cs.berkeley.edu/~daw/papers/ids-oakland01.ps
This is probably the nicest imply because their model does NOT have
false positives, only false negatives.
C: How to waltz through this "100%" protection:
"Mimicry Attaks on Host-Based Intrusion Detection"
David Wagner and Paolo Soto:
http://www.cs.berkeley.edu/~daw/papers/mimicry.pdf
--
Nicholas C. Weaver nweaver@cs.berkeley.edu
