|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Heterogeneity as a form of obscurity, and its usefulness
From: Crispin Cowan (crispin
immunix.com)
Date: Thu Aug 21 2003 - 22:56:51 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bob Rogers wrote:
> Heterogeneity increases survivability of the *species*, but does little
> to protect the individual . . .
>
>I don't think that stands up, at least not for digital species. I can
>run Apache on Linux/x86, for which tons of shellcode is available, or I
>can run the same version of Apache on Linux/sparc, for which much less
>is available, and exists within a smaller and more specialized
>community....
>
> . . . At most, you could say that running the most common system
> makes you somewhat more vulnerable to attack, and you should take
> that into consideration when planning your security.
>
These statements seem to agree. Is there a point?
>Yes; and it would be interesting (though probably difficult) to quantify
>that.
>
It is difficult to quantify just about any security benefit.
> So heterogeneity is really just security by obscurity, dressed up to
> sound pretty . . .
>
>Seems to me that obscurity is the *only* defence against exploits for
>unpublished/unpatched vulnerabilities that are spreading in the cracker
>community; if you can avoid being a target, by whatever means, then you
>are ahead of the game.
>
Now that is just not true. All of the technologies in the previous
thread (StackGuard, PointGuard, ProPolice, PaX, W^X, etc.) have some
capacity to resist attacks based on unpublished/unpatched
vulnerabilities. That is their entire purpose.
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]