RE: [SC-L] Determina claims 100% protection against all buffer overflows

2004-06-15 Thread Gary McGraw
The company was once called araksha.  Their technology is good (think compiler 
optimization foo) but not a silver bullet.  Many of the problems and issues with this 
approach can be found in a paper published a couple of years ago at USENIX Security.  
Google for it through the MIT prof's name.

gem 

-----Original Message-----
From: Thor Larholm [mailto:[EMAIL PROTECTED]]
Sent: Wed Jun 09 13:32:52 2004
To: sc-l
Subject: [SC-L] Determina claims 100% protection against all buffer overflows

Startup Determina has released a product that they claim protects
against 100% of all memory based attacks, including all types of buffer
overflows, without any false positives, false negatives or noticeable
overhead.

This is apparently based on work done by their CTO, Dr. Saman
Amarasinghe, who is an Associate Professor of the Department of
Electrical Engineering and Computer Science at MIT. 

If this is based on work from MIT I guess the research should be public,
but I have trouble finding evidence that supports these broad claims.

Broad overview at
http://www.determina.com/tech/memfirewall.asp

More in-depth overview at
http://www.determina.com/docs/Determina%20Memory%20Firewall%20Paper.pdf

The paper gives some graphs about jump points and break instructions. I
would guess that they have a rootkit that hooks all kernel and user
space functions that deal with memory allocation and process creation.
When a process is created they probably generate a map of all
carry/jump/break instructions which they use to compare with once
anything in the system tries to alter the process memory space through
the system functions they are proxying. If anything tries to change the
existing execution roadmap they just disregard that request for a
process memory change. 
Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
http://www.pivx.com/qwikfix
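A toy model of the "execution roadmap" check Thor guesses at, added here as an illustration (it is not Determina's code and is not taken from the paper): the loader records every legitimate return site, and the run-time monitor refuses a return whose target is not on that map, which is what would stop a copied-over return address from ever being used. The instruction set, the program and the inputs are constructed for the example.

```python
"""Toy model of the "execution roadmap" check speculated about above: record
every legitimate return site at load time and refuse, at run time, any `ret`
that is not on that map. Constructed instruction set, program and inputs."""

STACK_SIZE = 16
BUF = 4  # slots reserved for the copy buffer
# Constructed program: main calls f; f puts BUF slots below the saved return
# address, copies the input into them with no length check, then returns.
CODE = [
    ("call", 2),   # 0: main -> f
    ("halt",),     # 1: the only legitimate return site
    ("sub", BUF),  # 2: f: allocate the buffer
    ("copy",),     # 3: unchecked copy of the input into the buffer
    ("add", BUF),  # 4: release the buffer
    ("ret",),      # 5: return through the (possibly clobbered) slot
]

def build_roadmap(code):
    """Load-time map: the addresses a `ret` may legitimately land on."""
    return {pc + 1 for pc, ins in enumerate(code) if ins[0] == "call"}

def run(code, data, enforce=True, max_steps=100):
    """Returns ("ok",), ("blocked", pc, target) when the monitor refuses a
    transfer, or ("hijacked", target) when an unmonitored run leaves code."""
    roadmap = build_roadmap(code)
    stack, sp, pc = [0] * STACK_SIZE, STACK_SIZE, 0  # stack grows downward
    for _ in range(max_steps):
        op = code[pc]
        if op[0] == "halt":
            return ("ok",)
        if op[0] == "call":
            sp -= 1
            stack[sp] = pc + 1
            pc = op[1]
        elif op[0] == "sub":
            sp, pc = sp - op[1], pc + 1
        elif op[0] == "add":
            sp, pc = sp + op[1], pc + 1
        elif op[0] == "copy":  # writes upward from the buffer base, so an
            for i, b in enumerate(data[:STACK_SIZE - sp]):  # overlong input
                stack[sp + i] = b  # reaches the saved return address
            pc += 1
        elif op[0] == "ret":
            target, sp = stack[sp], sp + 1
            in_code = 0 <= target < len(code)
            if enforce and (target not in roadmap or not in_code):
                return ("blocked", pc, target)
            if not in_code:
                return ("hijacked", target)
            pc = target
    return ("timeout",)
```

With a three-element input the program returns normally; with five elements the copy reaches the saved return slot, and the monitored run reports the refused transfer instead of following it.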