[Dailydave] The sky's downward trajectory
Dave Aitel
dave.aitel at gmail.com
Sun Feb 18 08:41:32 EST 2007
I always recommend customers use the "AlwaysOn" DEP - which affects
everything if you set it in your boot.ini. The default, "OptIn", only does
some system components, but more and more organizations use "OptOut" which
is comprehensive unless told otherwise. Of course, there's an API to turn
this off while inside a program, which is the standard technique and is
automated by Immunity Debugger. It's not the only technique, of course, but
the others are harder to automate by a binary analysis tool.
In any case, DEP has defeated the zero-day exploits you've been able to get
ahold of. I'm sure there's better stuff in the wild, just not used as
widely.
-dave
On 2/18/07, George Ou <george_ou at lanarchitect.net> wrote:
>
> DEP is normally only activated for critical system components and left
> off for all applications including MS Office and Internet Explorer. From
> what I understand from past experience, Hardware-enforced DEP, if enabled, has
> defeated every zero-day flaw for IE in the past year (at least the ones that
> were in the wild) but didn't help against the MS Office exploits (at least
> according to Microsoft). Can these techniques you speak of defeat
> hardware-enforced DEP in most or all cases?
>
> George Ou
>
> From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
> Sent: Saturday, February 17, 2007 7:10 PM
> To: dailydave at lists.immunitysec.com
> Subject: [Dailydave] The sky's downward trajectory
>
> http://www.fcw.com/article97658-02-13-07-Web&printLayout
> """
> Current U.S. cyber warfare strategy is dysfunctional, said Gen. James
> Cartwright, commander of the Strategic Command (Stratcom), in a speech at
> the Air Warfare Symposium in Orlando, Fla., last week. Offensive, defensive
> and reconnaissance efforts among U.S. cyber forces are incompatible and
> don't communicate with one another, resulting in a disjointed effort,
> Cartwright said.
> ...
> "They will exploit anything and everything," the senior official said,
> referring to the Chinese hackers' strategy. And although it is impossible to
> confirm the involvement of China's government, the attacks are so
> deliberate, "it's hard to believe it's not government-driven," the official
> said.
> ...
> Gen. Ronald Keys, commander of Air Combat Command, told reporters at the
> conference that current policies prevent the United States from pursuing
> cyberthreats based in foreign countries. Technology has outpaced policy in
> cyberspace, he said.
>
> The United States should take more aggressive measures against foreign
> hackers and Web sites that help others attack government systems, Keys said.
> It may take a cyber version of the 2001 terrorist attacks for the country to
> realize it must re-examine its approach to cyber warfare, he added.
> """
>
> If you go into the Forbidden City, in the heart of Beijing, and walk into
> the museum exhibits you will see a few preserved suits of silk armor, along
> with swords, halberds, and various other Dungeons and Dragons style
> weaponry. If you know what a halberd is, you probably, like me, didn't get
> invited to the cool parties in high school. Let's just say it's a big stick
> with an ax on top. Anyways, some of the displays have a little printed
> notice of what they are, translated into English. Usually they say something
> like this "Example of a few halberds used by Such and Such. This weaponry
> was no match for western guns used at the time". I got the feeling the whole
> exhibit was a "Memorandum to self: invest in technology immediately and
> continue for next couple hundred years."
>
> Picking the technology to invest in is, of course, quite difficult. From
> many perspectives, I'm sure, Immunity's investments would seem insane. For
> example, Immunity Debugger is quite a strange thing to put so much emphasis
> in, right when DEP and other protective technologies are making remote
> buffer overflows a thing of the past. There are, of course, perfectly usable
> free debuggers.
>
> Yesterday, before most of Immunity went bowling (like all hackers, we're
> extremely athletic), Nico was showing me the "defeat dep" Immunity Debugger
> script. You type "!defeatdep" and then it has a little wizard you go through
> and then you've got a buffer that will do the return into libc trick to
> defeat DEP. Simple and easy! It's part of an "Advanced Windows Overflows"
> class we're teaching all next week. Nico's Immunity Debugger !heap script
> allows you to do all sorts of tricks with heaps - and to defeat the next
> generation of heap protection, you're going to need all of it, plus some
> luck. Kostya's "!safeseh" script does various neat things around that as
> well. None of the free debuggers allow you to do this stuff, but none of the
> free debuggers are specifically for exploit development either.
>
> One facet of an asymmetric attack is to appear to have a disjointed effort
> but yet have an emergent strategic behavior that can topple an enemy. This
> is something I'm sure Gen. James Cartwright knows well. In Immunity's case,
> this enemy is DEP, SafeSEH, and related technologies - and only a couple
> days after Microsoft Tuesday we've released an exploit for MS07-007 that
> works regardless of DEP on XP SP2. Just a thought.
>
> -dave
>