Re: Behavior analysis vs. Integrity analysis [was: Binary Bruteforcing]

From: vkp (vkp@io.com)
Date: 03/29/02


Date: Fri, 29 Mar 2002 02:26:55 -0600 (CST)
From: vkp <vkp@io.com>
To: Lincoln Yeoh <lyeoh@pop.jaring.my>


Systematic generation of "all possible inputs" is needed for and only for
security guys. The attacker side of the world only cares about the impact
and not about the reasons leading to the impact. Since they have all the
time in the world, they can flood with random stuff and wait for whatever
time for things to happen. To counter these types of attacks, the
security side of the world a) does not have enough time b) they need to
check for reasons of the impact in order to do something to mitigate it c)
They certainly need to *systematically* check for each and every input
(which is hard if you go into complex protocols, or at least have the code
only allow good inputs).

On Fri, 29 Mar 2002, Lincoln Yeoh wrote:

> Going through all the input and possible states and all that can be
> impossible, but when so many programs are so fragile you don't have to -
> they blow up at the first bend.
>
> Thing is C is such an unfriendly environment we can say an automated
> program can practically spot 95% of the bugs because 95% of the bugs could
> have been automatically avoided in the first place - either by some special
> program, or by using a different language.
>
> Don't have to exploit those 5% high level bugs when you can be root with
> the 95% right?
>
> That said, many of the web sites out there have the "pass raw cgi
> parameters to the db" problem. Give a programmer a low level tool and
> blahblahblah, give a programmer a high level tool and blahblahblah :).
>
> Cheerio,
> Link.
>
> At 11:42 AM 28-03-2002 -0500, Michal Zalewski wrote:
>
> >To tell how the process is to behave in certain conditions, you have to be
> >able to predict this behavior, or actually run / go thru the program and
> >see what happens. And you have to know it for all possible input
> >parameters. Both approaches, without making significant sacrifices, are
> >not very feasible for a typical real-life project (say, Sendmail), where
>
>
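
The point above (systematically check each and every input, or have the code only allow good inputs) and Lincoln's "pass raw cgi parameters to the db" problem, as an added Python example that is not part of this thread: two constructed validators for a hypothetical CGI username parameter, and an exhaustive check over a small constructed alphabet that proves the allow-list safe on the whole bounded input space while finding the gap in the deny-list.

```python
import itertools
import string

# Constructed example validators for one CGI parameter (a username); neither is
# code from the thread. DANGEROUS holds query metacharacters that must never be
# accepted and spliced raw into a database statement.
DANGEROUS = set("'\";")
ALLOWED = set(string.ascii_lowercase + string.digits + "_")
MAX_LEN = 16


def denylist_accept(value: str) -> bool:
    """Deliberately incomplete deny-list: its author thought of ' and ; only."""
    return 0 < len(value) <= MAX_LEN and "'" not in value and ";" not in value


def allowlist_accept(value: str) -> bool:
    """Allow-list: the code 'only allows good inputs' ([a-z0-9_], bounded length)."""
    return 0 < len(value) <= MAX_LEN and all(c in ALLOWED for c in value)


def input_space_size(alphabet_size: int, max_len: int) -> int:
    """Number of strings of length 0..max_len: why exhaustive checking gets hard
    as soon as the alphabet or the protocol grows."""
    return sum(alphabet_size ** n for n in range(max_len + 1))


def first_unsafe_accepted(accept, alphabet: str, max_len: int):
    """Systematically try every string over `alphabet` up to max_len (shortest
    first) and return the first one the validator accepts although it carries a
    dangerous character, or None if the property holds on the whole bounded space."""
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            if accept(s) and any(c in DANGEROUS for c in s):
                return s
    return None


if __name__ == "__main__":
    alpha = "a'\";"  # constructed: one safe character plus the three metacharacters
    print("strings checked:", input_space_size(len(alpha), 6))
    print("deny-list counterexample:", first_unsafe_accepted(denylist_accept, alpha, 6))
    print("allow-list counterexample:", first_unsafe_accepted(allowlist_accept, alpha, 6))
```

The enumeration is the defender's "each and every input" on a toy domain; the same harness over a real protocol's alphabet and lengths is where input_space_size shows the cost.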


