Subject: Re: IPD: A Moment of Clarity
From: Jon Gary (fireball at SKYLAB.ORG)
Date: Fri Jun 09 2000 - 13:00:35 CDT
- Next message: Neale: "2009 errors fill the system log"
- Previous message: Russ: "Alert: Outlook 98/2000 Email Security Update now available"
- Maybe in reply to: Greg Hoglund: "IPD: A Moment of Clarity"
- Maybe reply: Jon Gary: "Re: IPD: A Moment of Clarity"
Yes, it does do something. However, I'd have to agree with Greg on this
one. A driver is only one way to get code into ring 0. Greg mentions
several of these methods in his post, so I won't go into them, but the point
here really is that fixing one small part of a larger problem only confuses
the issue. It gives the illusion of security, when the only thing the IPD
does is protect against drivers that load at least 20 minutes after boot.
This is useful, to be sure, but it's really turning the problem into a game
of whack-a-mole. What next? Release a driver that doesn't allow access to
certain system calls that might be used to run code at ring 0? Then make
sure you write a driver that protects the important registry keys. After
that, you need to write one that keeps someone from patching memory... The
game continues. Greg is right, the correct solution is to get in at boot
time. If you can't verify the integrity of NTOSKRNL.EXE and every file it
loads at boot, you cannot be sure that your files are correct.

The fundamental problem here is the approach that if we fix it so that
'exploit A' doesn't work anymore, we've fixed a security hole. This
sometimes gets ridiculous. The problem is not that the NT rootkit DLL can
be loaded into memory, the problem is that once the box is rooted, the
hacker/cracker can run malicious code at ring 0. The confusion comes from
the fact that most NT rootkits to date use a loadable driver, therefore the
problem is seen as being a driver problem. The IPD addresses this
sub-problem, but it doesn't fix the larger problem. It's much like building
a large fence with barbed wire, dogs, and guards on one side of a four-sided
building, while saying, "most people in the past have gone in this entrance,
so this will add security."
-Jon Gary
http://www.rootkit.com