Hi everyone,

Assuming that "are we missing DEP and assorted userland exploit mitigations" for the web is not a rhetorical question, indeed assorted technologies based on randomized instruction sets have been researched and I have seen PoC solutions circa 2004 (SQLi) and more recently for XSS. [1] is a nice starting point, as I am in somewhat of a hurry to locate the papers/PoCs now.
Obviously, if that was a rhetorical question, :)

[1] http://www.cs.columbia.edu/~angelos/cv.html

On 03/26/2011 09:12 PM, Arian J. Evans wrote:
> [SNIP]
> And why is that? Are we missing DEP and SEHOP and such for the web?
>
> Or is the web, the browser, and userland malware just where the easy
> money is, so the attackers focus there?
>
> ---
> Arian Evans
> Software Security Realism

--
-- thanasisk

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________