Aha, here are some more details about Saman's publications. http://cag-www.lcs.mit.edu/~saman/cv.html#PUBLICATIONS
And this one could look like the paper they based all of SecureCore on:

"Secure Execution Via Program Shepherding"
http://cag.lcs.mit.edu/commit/papers/02/RIO-security-usenix.pdf

Thor

-----Original Message-----
From: Thor Larholm
Sent: Wednesday, June 09, 2004 10:03 AM
To: 'sc-l'
Subject: Determina claims 100% protection against all buffer overflows

Startup Determina has released a product that they claim protects against 100% of all memory-based attacks, including all types of buffer overflows, without any false positives, false negatives or noticeable overhead.

This is apparently based on work done by their CTO, Dr. Saman Amarasinghe, who is an Associate Professor of the Department of Electrical Engineering and Computer Science at MIT. If this is based on work from MIT I guess the research should be public, but I have trouble finding evidence that supports these broad claims.

Broad overview at
http://www.determina.com/tech/memfirewall.asp

More in-depth overview at
http://www.determina.com/docs/Determina%20Memory%20Firewall%20Paper.pdf

The paper gives some graphs about jump points and break instructions. I would guess that they have a rootkit that hooks all kernel and user space functions that deal with memory allocation and process creation. When a process is created they probably generate a map of all carry/jump/break instructions which they use to compare with once anything in the system tries to alter the process memory space through the system functions they are proxying. If anything tries to change the existing execution roadmap they just disregard that request for a process memory change.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>