[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer overflow prevention

To: Shaun Clowes <shaun@securereality.com.au>
Subject: Re: Buffer overflow prevention
From: Crispin Cowan <crispin@immunix.com>
Date: Sun, 17 Aug 2003 15:42:07 -0700

Shaun Clowes wrote:

>I think it's generally accepted that homogenity breeds insecurity, in
>which case it makes sense to try to be as different from everyone else
>as possible even if that doesn't make it impossible for someone to break
>you.
>
That is a commonly held view, but I would not say it is widely accepted. 
I certainly don't accept it.

Heterogeneity increases survivability of the *species*, but does little 
to protect the individual. A site manager seeking to protect their own 
servers cares little if an attack that takes them down doesn't take down 
their competitors. In fact, it's kind of bad if heterogeneity means that 
you go down and your competitors don't. At most, you could say that 
running the most common system makes you somewhat more vulnerable to 
attack, and you should take that into consideration when planning your 
security.

So heterogeneity is really just security by obscurity, dressed up to 
sound pretty. It also comes at a cost: in direct proportion to the 
security benefits of running an obscure system is elevated operational 
costs due to incompatibilities induced by your diversity. Exactly what 
those incompatibility costs are varies according to the ways in which 
you diverge from others. For that matter, so do the security benefits 
vary according to what aspects of your system you diversified.

So before spending a bucket of $ on contrived diversity, consider 
spending that $ on actual security mechanisms: you will get a much more 
predictable ROI.

Caveat: there is a gray spectrum between natural diversity (Windows vs. 
Linux vs. BSD) and synthetic diversity (PAX/ASLR, PointGuard). The 
former are diverse, but the ways in which they are divers are rigidly 
fixed aspects of system architecture, and cannot be changed. The latter 
use cryptographically secure random numbers (to the extent possible) to 
provide per-instance diversity that is readily changed, much like crypto 
session keys. Cryptography itself is just a form of obscurity, albeit 
with some very important properties surrounding key management.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/

Follow-Ups:
- Re: Buffer overflow prevention
  - From: Mark Handley <M.Handley@cs.ucl.ac.uk>
- Heterogeneity as a form of obscurity, and its usefulness
  - From: Bob Rogers <rogers-bt2@rgrjr.dyndns.org>

References:
- Re: Buffer overflow prevention
  - From: Mariusz Woloszyn <emsi@ipartners.pl>
- Re: Buffer overflow prevention
  - From: Shaun Clowes <shaun@securereality.com.au>
- Re: Buffer overflow prevention
  - From: Crispin Cowan <crispin@immunix.com>
- Re: Buffer overflow prevention
  - From: Shaun Clowes <shaun@securereality.com.au>

Prev by Date: Re: Buffer overflow prevention
Next by Date: OpenSLP initscript symlink vulnerability
Prev by thread: Re: Buffer overflow prevention
Next by thread: Re: Buffer overflow prevention
Index(es):
- Date
- Thread