Re: FW: *ICN - A Conspiracy of Inertia?

From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 03/20/02


Date: Tue, 19 Mar 2002 18:21:47 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: o00o_j <o00o_j@yahoo.com>

On Tue, 19 Mar 2002, o00o_j wrote:

> This seems like a good technology - something that would play very well
> with current security products, but not necessarily replace any of
> them.

This "technology" is already known as, for example, strong access control
- any access control mechanism that is operation and object oriented,
bound to a specific application and supports dynamic changes over time
meets the criteria. This way, you can define the behavioral path of your
application. There are many examples, even I coded one on my own (in
Argante OS).

The problem with using it in the real world is that too loose control is
somewhat pointless; script kiddies aren't a real threat to a company that
shows any interest in security; people are more concerned about sensitive
customer data integrity, credit card numbers and other information that is
not stolen by people who perform "obvious" attacks. Very strict control
requires a formal run-time model of the program's functionality - something
that is expensive and time consuming to develop, prone to design flaws
(such as "bypass authentication" vulnerabilities), and - basically - means
rewriting your solution in another high-level control language, and then,
evaluating it carefully. It takes months for medium-size frozen code!
And the model has to be built for each single potential use of given software
and modified and re-evaluated every time you change something. Think about
a desktop system.

This is pretty much the same situation as with anomaly detection network
IDS, just even more complex and less accurate (not that anomaly detection
IDSes are very accurate). It is certainly easier to build a model of
information flow in your network - you know the protocols, can define
needs pretty easily - than to build a very detailed model of, say, MS
Windows possible acceptable execution flow.

> Every company has different things going on in their network and systems
> that could be considered malicious anywhere else.

Exactly. There's no demand for such extremely expensive and "fixed"
solutions, while there is a high demand for fast delivery of flexible
code... and that is why it is insane to brag about "conspiracy".

> is this innovative? most likely.

Nay.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
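The kind of control the message describes (operation- and object-oriented, bound to one application, changing over time as the program moves along its "behavioral path"), shown as an added toy example. This is illustration written for this page, not code from Argante OS or from the message's author; every state, object and operation name in it is made up. It also includes a small static check for the "bypass authentication" design flaw the message warns about: a state that grants access to a sensitive object but is reachable without ever performing the authentication operation.

```python
"""Toy model of application-bound, operation/object-oriented access control
with state that changes over time. Added illustration only; not code from
Argante OS or from the author. All names below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """Allow `operation` on `obj` while the application is in `state`.
    `state == "*"` matches any state; `next_state` moves the application
    along its behavioural path afterwards (None keeps the current state)."""
    state: str
    operation: str
    obj: str
    next_state: Optional[str] = None


class BehaviouralPolicy:
    """The formal run-time model of one application's acceptable behaviour."""

    def __init__(self, rules: List[Rule], initial: str = "start") -> None:
        self.rules = list(rules)
        self.initial = initial
        self._index: Dict[Tuple[str, str, str], Rule] = {
            (r.state, r.operation, r.obj): r for r in rules
        }

    def lookup(self, state: str, operation: str, obj: str) -> Optional[Rule]:
        # A state-specific rule wins over a wildcard ("*") one.
        return (self._index.get((state, operation, obj))
                or self._index.get(("*", operation, obj)))


class Monitor:
    """Reference monitor that follows the application through the policy."""

    def __init__(self, policy: BehaviouralPolicy) -> None:
        self.policy = policy
        self.state = policy.initial
        self.trace: List[Tuple[str, str, str, bool]] = []

    def request(self, operation: str, obj: str) -> bool:
        rule = self.policy.lookup(self.state, operation, obj)
        self.trace.append((self.state, operation, obj, rule is not None))
        if rule is None:
            return False  # outside the behavioural path: deny
        if rule.next_state is not None:
            self.state = rule.next_state  # the model changes over time
        return True


def reachable_without(policy: BehaviouralPolicy, forbidden_op: str) -> Set[str]:
    """States reachable from the initial one without ever using forbidden_op."""
    seen = {policy.initial}
    todo = [policy.initial]
    while todo:
        current = todo.pop()
        for r in policy.rules:
            if (r.state in (current, "*") and r.operation != forbidden_op
                    and r.next_state is not None and r.next_state not in seen):
                seen.add(r.next_state)
                todo.append(r.next_state)
    return seen


def authentication_bypasses(policy: BehaviouralPolicy, auth_op: str,
                            sensitive_obj: str) -> List[str]:
    """Static check for the 'bypass authentication' design flaw: states that
    grant access to sensitive_obj yet are reachable without auth_op."""
    states = reachable_without(policy, auth_op)
    return sorted({r.state for r in policy.rules
                   if r.obj == sensitive_obj
                   and (r.state == "*" or r.state in states)})


# Constructed policy for an imaginary network service (hypothetical names).
GOOD = BehaviouralPolicy([
    Rule("start", "read", "/etc/app.conf", "configured"),
    Rule("configured", "accept", "tcp:443", "serving"),
    Rule("serving", "authenticate", "credentials", "authenticated"),
    Rule("authenticated", "read", "customer_db"),
    Rule("authenticated", "close", "session", "serving"),
    Rule("*", "append", "/var/log/app.log"),
])

# The same policy after a plausible maintenance change: restoring a cached
# session is allowed to move the application straight to "authenticated".
FLAWED = BehaviouralPolicy(GOOD.rules + [
    Rule("serving", "read", "session_cache", "authenticated"),
])


def run_demo(policy: BehaviouralPolicy) -> List[bool]:
    """Drive a monitor through a short constructed request sequence."""
    m = Monitor(policy)
    return [
        m.request("read", "/etc/app.conf"),
        m.request("accept", "tcp:443"),
        m.request("read", "customer_db"),  # denied: not authenticated yet
        m.request("authenticate", "credentials"),
        m.request("read", "customer_db"),  # now on the allowed path
        m.request("append", "/var/log/app.log"),
    ]


if __name__ == "__main__":
    print(run_demo(GOOD))
    print("bypasses in GOOD:", authentication_bypasses(GOOD, "authenticate", "customer_db"))
    print("bypasses in FLAWED:", authentication_bypasses(FLAWED, "authenticate", "customer_db"))
```

The point of the second policy is the one the message makes: the model itself is a piece of software that can be wrong, and a single added transition (here, "read session_cache" promoting the application to "authenticated") silently creates a path to the sensitive object that never passes through the authentication operation. The reachability check is the kind of evaluation that has to be redone every time the model changes.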

