At 9:28 AM -0800 12/13/05, Ron Forrester wrote:
> On 12/13/05, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
>> The detection mechanism seems to primarily be looking primarily for non-OS
>> software modifying OS inhabited memory blocks. Wonder how they're defining
>> (and maintaining the definition) of each... I also wonder how it'll impact
>> near-OS software installations like, say, device drivers, authentication
>> plug-ins, and other things that need to poke pretty deeply into the OS in
>> order to install.
>
> I have to admit, when I initially read about this I immediately
> dismissed it as nothing but marketing hype -- what little details they
> gave for the solution seemed to me to be less than practical and
> certainly would have issues adapting to targeted attempts to deceive
> the mechanism.
>
> I'd love to hear other people's thoughts on the matter.

For a test of their generalized characterization of the problem, consider how well they might do analyzing VMS running on Itanium. If the "non-OS software" attempted to trick the "OS software" into doing something from an inner mode, their external approach seems intractable. On the other hand, "non-OS software" calls to "OS software" regularly result in changes to memory protected against outer mode access.

-- Larry Kilgallen

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php