RE: *ICN - A Conspiracy of Inertia?
From: robert_david_graham (robert_david_graham@yahoo.com) Date: 03/19/02
- Previous message: o00o_j: "Re: FW: *ICN - A Conspiracy of Inertia?"
- In reply to: Benjamin Tomhave: "FW: *ICN - A Conspiracy of Inertia?"
- Next in thread: Marcus J. Ranum: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Marcus J. Ranum: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Benninghoff, John: "RE: *ICN - A Conspiracy of Inertia?"
- Reply: Dragos Ruiu: "Re: *ICN - A Conspiracy of Inertia?"
From: robert_david_graham <robert_david_graham@yahoo.com> To: falcon@cybersecret.com, focus-ids@securityfocus.com Date: Tue, 19 Mar 2002 16:53:08 -0500
You could solve more than 50% of UNIX exploits if you simply hooked
exec("/bin/sh") in the kernel. Likewise, detecting changes to
/etc/inetd.conf would solve another large percentage of UNIX exploits.
The problem is that it suffers from the backwards spline problem. Without
too much problem, you could find some sort of equation that predicts the
past behavior of the stock market such that it looks like a sure bet to
predict the future: only it doesn't. The same thing applies to exploits.
RedHat could easily ship a version of Linux such that /bin/sh checks to see
if <stdin>/<stdout> are socket handles, but if they did that, then exploit
writers would simply choose another technique.
On the other hand, I do feel guilty sometimes for being a purist about it.
E.g. BlackICE never had generic NOP sled detection because I was too much of
a purist; it is so easily evadable I'm still surprised why people haven't
done something like replace 0x90 with 0x43 (inc ebx): the first thing most
shell code does is overwrite ebx anyway. It really is a conspiracy of inertia
that we reject the simplest solutions while hunting for the more complex
"pure" solutions.
> -----Original Message-----
> From: Benjamin Tomhave [mailto:falcon@cybersecret.com]
> Sent: Tuesday, March 19, 2002 1:36 AM
> To: focus-ids@securityfocus.com
> Subject: FW: *ICN - A Conspiracy of Inertia?
>
>
> Has anybody else heard about this? It seems to uphold a principle that I've
> tried to consistently apply throughout my security career -- working with
> known quantities whenever possible and configuring systems to only accept
> those known quantities. Even if the software is fictitious, it represents
> the possibility for a paradigm shift from the perspective of IDS, among
> other things. Thoughts?
>
> ----- Original Message -----
> Sent: Monday, March 18, 2002 12:17 PM
> Subject: FW: *ICN - A Conspiracy of Inertia?
>
>
> > This guy simply has no idea how big and stupid the world is.
> >
> > -----Original Message-----
> > From: internetcrimenews [mailto:internetcrimenews@infowar.com]
> > Sent: Monday, March 18, 2002 9:47 AM
> > To: icnlist@infowar.com
> > Subject: *ICN - A Conspiracy of Inertia?
> >
> >
> >
> >
> > By Sarah Scalet
> > An academic-turned-entrepreneur says he's found the key to security
> > problems - and the security community doesn't want it.
> >
> > I'm deeply suspicious of anyone who claims to have created a new paradigm
> > in security. In fact, I usually hit the delete button faster than you can
> > say "snake oil." But this week, allow me to entertain one such vendor claim
> > that relates to how the entire security community approaches insecurity.
> > It involves a man named John Munson, who has spent the last 30 years
> > thinking about software reliability - and we're talking about serious
> > software like the stuff that powers the Space Shuttle and the Cassini
> > spacecraft that's currently hurtling toward Saturn. Dr. Munson, a
> > University of Idaho professor and NASA contractor turned entrepreneur, is
> > not a man you want to find out is a kook. Yet he's skittering on the edge
> > of a conspiracy theory that, if it turns out to be true, could turn the
> > security community on its head and empty out its pockets.
> >
> > His premise? That the security community doesn't want to solve security
> > problems once and for all, because the whole business relies on the very
> > existence of computer crime and malicious code.
> >
> > The technical details of the research that led Munson to this conclusion
> > are far beyond the scope of this column, but here's the 250-word version.
> >
> > Munson's life work involves researching and monitoring how software
> > responds, and sometimes breaks, because of what a user does to the
> > software. Software doesn't wear out like hardware; it crashes because of
> > user input. Astronauts can only hit so many buttons in the Space Shuttle,
> > and Munson used to make sure that none of those combinations would cause
> > the systems to break.
> >
> > Then, about three years ago, he decided that this research could be
> > applied to computer security. By monitoring the kernel of an operating
> > system, he set out to find nuances of behavior change when a system was
> > under attack from a hacker or computer virus. "It turns out there were no
> > such nuances," explains Munson, at work at Software Systems International,
> > the second obscure company (the first one went bankrupt) attempting to
> > profit from these principles. "Assaults were astonishingly obvious. In
> > fact, we have yet to observe a malicious activity that is not wearing a
> > Day-Glo orange shirt."
> >
> > If an attack on a computer system were so easy to identify, he asked
> > himself, then why not build in controls that identify and allow normal
> > behavior and stop abnormal behavior? There'd be no need for patches to fix
> > specific vulnerabilities, and no need for antivirus software to fight
> > malicious code.
> >
> > Munson says he has a few Linux servers up and running that are protected
> > by an early version of these operating system controls, which are
> > calibrated based on how the server normally operates. He says the controls
> > could eventually be built into a computer's hardware.
> >
> > Needless to say, his work has been met with considerable skepticism.
> >
> > "The reaction is, we don't believe you," Munson says. "But this is not an
> > act of faith. All the research I have done is reproducible to scientific
> > standards."
> >
> > Munson suspects more than skepticism. "They (security vendors) thrive on
> > your misery. It's a conspiracy of inertia. I don't think there's
> > collusion. I don't think McAfee is sitting there kicking viruses out the
> > back door. I do believe that they're making money at it and would like to
> > keep making money at it. But they're working on the wrong problem."
> >
> > Whether Munson (or anyone) can actually deliver a product that avoids
> > security problems altogether - and whether hackers and coders couldn't
> > then launch attacks designed to look "normal" - I cannot say. But his
> > logic is tempting. The way things are done today is terribly inefficient
> > and ineffective, and a lot of people are profiting from it.
> >
> > Suppose, just for a moment, that there is a solution to the security woes
> > plaguing corporate America - the endless cycle of installing patches
> > against new vulnerabilities, of stopping viruses and security breaches, of
> > fixing damage done. I'm not talking about a magical elixir but a so-called
> > disruptive technology that comes from an outsider whose ideas could make
> > columns like this obsolete. CIOs would be ready to hear it. But what about
> > the rest of us?
> >
> > What do you think? E-mail Sarah D. Scalet, security editor and senior
> > writer, at sscalet@cio.com.
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Cybercrime Reports: http://www.infowar.com/ccr/ccr1.shtml
> > CCR@infowar.com
> > Internet Crime Watch: http://www.infowar.com/iwatch/iwatch.shtml
> > ICN@infowar.com
> >
> > Internet Crime News (ICN) is brought to you by Infowar.Com Ltd.
> > Please feel free to pass this on as long as all information and header
> > remains intact.
> > Please forward your comments or posts to ICN@infowar.com.
> > Subscribe and Remove instructions appear at the end of this email.
> >
> > Infowar.Com Ltd. 3030 N. Rocky Point Drive West. Suite 275. Tampa, FL 33607
> > 813-288-1955 Voice 813-288-1985 FAX
> > Need Further Info? Write betty@infowar.com
> > Visit the Security Store @ Infowar.com
> > http://estore.infowar.com
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > ----------------------------------------------
> > To unsubscribe send an email to icnlist@infowar.com
> > with unsubscribe as the first line of the message in PLAIN TEXT.
> >
> > To receive a digest of 15 messages per email
> > send an email to icnlist@infowar.com with
> > mode_digest as the first line of the message.
> > Note that control messages must be sent as PLAIN TEXT.
>