[dba-Tech] AV product breaches

John W. Colby jwcolby at colbyconsulting.com
Sun Feb 27 18:30:37 CST 2005


LOL.  What you forget is that the PC started from a FOUR BIT processor
called a 4004 by Intel in 1972 or thereabouts.  

Do you really think that the mainframes with all that fancy stuff just
appeared out of thin air that way?  They started from machines in the
forties, made from relays and later vacuum tubes.  You may rest assured that
those old machines did not have any of that fancy stuff either.

John W. Colby
www.ColbyConsulting.com 

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of DJK(John)
Robinson
Sent: Sunday, February 27, 2005 5:01 PM
To: 'Discussion of Hardware and Software issues'
Subject: RE: [dba-Tech] AV product breaches


Just for the record ...

ICL mainframes from the early 70s (that's the 1970s - more than thirty years
ago!) had two things in hardware, both exploited by operating system
software:

1.	EPB (Execute Permission Bit) had to be set to allow code execution.
By default it was not set.

2.	Bounded descriptors.  A pointer wasn't just an address (to the start
of a buffer), but also said how big the buffer was.  Hardware interrupted if
you tried to write past the end.

Results?  NO data executed as code;  NO buffer overruns.  Period.

Great innovations from Intel/MS?  Hmmph!

John


> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of 
> MartyConnelly
> Sent: 27 February 2005 18:13
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] AV product breaches
> 
> 
> You can also approach this through hardware; I believe some IBM
> mainframes have had this for years.
> On desktop CPUs this method has several names. Microsoft has several
> names, and so do Intel and AMD.
> This has to be checked before implementation in production
> environments.
> 
> See Execute Disable Bit; Win XP SP2 enables it on 32-bit
> machines
> http://www.intel.com/business/bss/infrastructure/security/flash.htm
> 
> One solution is to use Win XP SP2 and brand new Intel or AMD 32-bit
> chips with the Execute Disable bit set.
> Right now it is only available in Intel Itanium servers and
> AMD Athlon 64-bit servers.
> http://www.intel.com/business/bss/infrastructure/security/xdbit.htm
> 
> What it does is set apart pages of memory to be data only, so code
> cannot be executed from them.
> 
> http://www.intel.com/business/bss/infrastructure/security/flash.htm
> 
> On CPUs that support execution protection (NX) technology, Windows XP
> Service Pack 2 marks data pages non-executable. This feature of the
> underlying hardware prevents execution of code from pages marked in this
> way. This prevents attackers from overrunning a marked data buffer with
> code and then executing the code; it would have stopped the Blaster worm
> dead in its tracks. The only processor families that currently support
> NX are the 64-bit AMD K8 and Intel Itanium; however, Microsoft expects
> future 32-bit and 64-bit processors to provide hardware-based execution
> protection. In addition to supporting NX, Service Pack 2 implements
> sandboxing. All binaries in the system have been recompiled with buffer
> security checks enabled to allow the runtime libraries to catch most
> stack buffer overruns, and "cookies" have been added to the heap to
> allow the runtime libraries to catch most heap buffer overruns.
> 
> Steve Erbach wrote:
> 
> >John,
> >
> >FWIW, Jerry Pournelle has commented on his web site that all the focus
> >on C++ over the years is reaping the whirlwind, so to speak. That is,
> >with a more strongly typed language, there would be no such thing as
> >buffer overflows. Do you or does anyone else here have a feel for that?
> >
> >Steve Erbach
> >
> >
> >On Fri, 25 Feb 2005 15:45:06 -0600, John Bartow <john at winhaven.net>
> >wrote:
> >  
> >
> >>Just got this from Watchguard:
> >>
> >>Trend Micro AV Ushers Hackers Right In
> >>
> >>* <http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution>
> >>Trend Micro's ARJ Buffer Overflow Alert
> >>
> >>A similar thing happened to Symantec a couple weeks ago:
> >>* <http://xforce.iss.net/xforce/alerts/id/189> ISS X-Force's ARJ
> >>Buffer Overflow Alert
> >>
> >>John B.
> >>
> >>
> >_______________________________________________
> >dba-Tech mailing list
> >dba-Tech at databaseadvisors.com
> >http://databaseadvisors.com/mailman/listinfo/dba-tech
> >Website: http://www.databaseadvisors.com
> >
> >
> >

-- 
Marty Connelly
Victoria, B.C.
Canada



_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
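The two mechanisms argued over in this thread, as an added example that is not code from any of the posters: a bounded descriptor in the ICL sense (John Robinson's point 2, a pointer that carries its own length and refuses a write past the end) and a stack cookie in the sense of the SP2 "buffer security checks" Marty quotes (a value planted after the buffer in the prologue and verified in the epilogue). Both are modelled in plain C on a byte array standing in for the frame rather than on the real stack, so the overrun stays defined behaviour; the 16-byte buffer, the fixed cookie bytes and the function names are assumptions of the example. NX is a page-table property and is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Bounded descriptor (the ICL idea, modelled in software) --- */
typedef struct {
    uint8_t *base;   /* start of the buffer */
    size_t   len;    /* size of the buffer in bytes */
} bdesc;

/* Copy n bytes to offset off inside the descriptor. Returns 0 on success,
   -1 where the ICL hardware would have raised its bounds interrupt. */
int bdesc_write(bdesc d, size_t off, const void *src, size_t n)
{
    if (off > d.len || n > d.len - off)   /* overflow-safe form of off + n > len */
        return -1;
    memcpy(d.base + off, src, n);
    return 0;
}

/* Attempt a write of n bytes (n <= 64) at offset off into a 16-byte buffer
   described by a bdesc. Returns what bdesc_write returns. */
int bounded_write_demo(size_t off, size_t n)
{
    uint8_t storage[16] = {0};
    uint8_t payload[64];                        /* constructed attacker data */
    bdesc d = { storage, sizeof storage };
    if (n > sizeof payload) return -1;
    memset(payload, 'A', sizeof payload);
    return bdesc_write(d, off, payload, n);
}

/* --- 2. Stack cookie (the /GS "buffer security check" idea) --- */
#define BUF_LEN    16
#define COOKIE_LEN 8
#define FRAME_LEN  (BUF_LEN + COOKIE_LEN)

/* Assumption: a fixed cookie value for the example. A real /GS cookie is
   chosen when the process starts, so an attacker cannot just write the
   right bytes back over it. */
static const uint8_t COOKIE[COOKIE_LEN] = {0xA5,0xC3,0xE1,0x7B,0x2D,0x94,0x06,0xF8};

/* Models a frame laid out as [buf[16]][cookie[8]] and copies src into buf
   with no bounds check, the way the pre-SP2 code did. The frame is one byte
   array so the overrun reaches the cookie while staying defined C.
   Returns 1 if the cookie survived, 0 if the overrun is caught "on return". */
int cookie_check_demo(const char *src)
{
    uint8_t frame[FRAME_LEN];
    size_t n = strlen(src) + 1;          /* includes the terminating NUL */
    if (n > FRAME_LEN) n = FRAME_LEN;    /* keep the model inside the array */
    memcpy(frame + BUF_LEN, COOKIE, COOKIE_LEN);   /* prologue: plant cookie */
    memcpy(frame, src, n);                          /* the unchecked copy   */
    return memcmp(frame + BUF_LEN, COOKIE, COOKIE_LEN) == 0;  /* epilogue */
}

int main(void)
{
    printf("bounded write 16@0 : %d\n", bounded_write_demo(0, 16));   /* 0  */
    printf("bounded write 17@0 : %d\n", bounded_write_demo(0, 17));   /* -1 */
    printf("cookie, 15 chars   : %d\n", cookie_check_demo("AAAAAAAAAAAAAAA"));         /* 1 */
    printf("cookie, 16 chars   : %d\n", cookie_check_demo("AAAAAAAAAAAAAAAA"));        /* 0 */
    printf("cookie, 23 chars   : %d\n", cookie_check_demo("AAAAAAAAAAAAAAAAAAAAAAA")); /* 0 */
    return 0;
}
```

The 16-character case is the off-by-one that a length check written as `<= BUF_LEN` still lets through: the string fits, but its terminating NUL lands on the first cookie byte, and the epilogue check catches it. The descriptor version never gets that far, because the length travels with the pointer and the write is refused before any byte moves.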