[31329] in bugtraq
Re: Heterogeneity as a form of obscurity, and its usefulness
daemon@ATHENA.MIT.EDU (Nicholas Weaver)
Fri Aug 22 13:56:13 2003
Date: Fri, 22 Aug 2003 11:21:31 -0700
From: Nicholas Weaver <nweaver@CS.berkeley.edu>
To: Crispin Cowan <crispin@immunix.com>
Cc: Bob Rogers <rogers-bt2@rgrjr.dyndns.org>,
"BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@securityfocus.com>
Message-ID: <20030822112131.B17815@ring.CS.Berkeley.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3F459483.301@immunix.com>; from crispin@immunix.com on Thu, Aug 21, 2003 at 08:56:51PM -0700
On Thu, Aug 21, 2003 at 08:56:51PM -0700, Crispin Cowan composed:
> >Seems to me that obscurity is the *only* defence against exploits for
> >unpublished/unpatched vulnerabilities that are spreading in the cracker
> >community; if you can avoid being a target, by whatever means, then you
> >are ahead of the game.
> >
> Now that is just not true. All of the technologies in the previous
> thread (StackGuard, PointGuard, ProPolice, PaX, W^X, etc.) have some
> capacity to resist attacks based on unpublished/unpatched
> vulnerabilities. That is their entire purpose.
Likewise, the worm research has been focusing on how to automatically
detect, analyze, and respond to a new worm or similar threat. For
some classes (eg, Scanning worms like Slammer, blaster, code red,
etc), this appears quite doable.
So the likely viable worm defenses ideally should deal with 0 day
worms, which means stopping a new vulnerability contained in a new
worm.
--
Nicholas C. Weaver nweaver@cs.berkeley.edu
