On Thu, Aug 21, 2003 at 08:56:51PM -0700, Crispin Cowan composed: > >Seems to me that obscurity is the *only* defence against exploits for > >unpublished/unpatched vulnerabilities that are spreading in the cracker > >community; if you can avoid being a target, by whatever means, then you > >are ahead of the game. > > > Now that is just not true. All of the technologies in the previous > thread (StackGuard, PointGuard, ProPolice, PaX, W^X, etc.) have some > capacity to resist attacks based on unpublished/unpatched > vulnerabilities. That is their entire purpose. Likewise, the worm research has been focusing on how to automatically detect, analyze, and respond to a new worm or similar threat. For some classes (eg, Scanning worms like Slammer, blaster, code red, etc), this appears quite doable. So the likely viable worm defenses ideally should deal with 0 day worms, which means stopping a new vulnerability contained in a new worm. -- Nicholas C. Weaver nweaver@cs.berkeley.edu
