Enough of my rambling intro...the whole point of this entry was to discuss a couple of HIDS products and a tool for breaking them that was updated to coincide with CanSecWest. I did not go to CanSecWest, but Jordan did and so did one of the smart guys from nCircle who posted his notes from all the presentations on their blog--definitely check it out their blog and excellent write-up of CanSecWest.
I was planning on running through a demo of slipfest running within CoreForce and WehnTrust with screenshots but time has gotten away from me--thanks to 3 hrs on the phone troubleshooting a problem on my mom's laptop--so it will have to wait until this weekend. To wet your appetite, check out the descriptions from the products' websites below.
WehnTrust is a Host-based Intrusion Prevention System (HIPS) that provides secure buffer overflow exploitation countermeasures. While other Windows based intrusion prevention systems are only capable of working with a pre-defined group of applications, WehnTrust's technology allows it to work with virtually all software products. Perhaps best of all, WehnTrust is currently free for home use.
CORE FORCE can be used to:
- Protect your computer from compromises by worms, virus and email-borne malware
- Prevent your computer from being used as a staging point to amplify attacks and compromise others
- Prevent exploitation of known bugs in the operating system and applications running on your computer
- Prevent exploitation of unknown bugs (0-day) in the operating system and applications running on your computer
- Detect and prevent execution of adware, spyware, trojan horses and other malware on you computer
Officially SLIPFEST is an acronym for "System level intrusion prevention system evaluation suite and toolkit". But the name is really a french joke meaning something like "Panty's party".
It's a tool which can help you to understand how your Windows HIPS (or personal firewall, or advanced anti-virus) works. With it you can list SDT (in kernel) or userland (in library) hooks, caracterize address space layout randomization (ASLR) or non executability, inject shellcodes in a process' address space to try to fool the heuristic or test the MAC mecanism with common flaws.
2 comments:
No mention of CSA?
-->jason
I can only but assume that you are referring to Cisco Security Agent. Reading back through my post, I realize that I didn't mention I was primarily sticking to free and/or Open Source tools and projects--something that I tend to favor having developed my skills in a university setting.
CSA is probably good, but I have no experience whatsoever. Cisco is too expensive for me to play with...we leave all the Cisco stuff to our network engineers.
If you want to provide me with a copy, I would be happy to test it also. Or, if you have extensive experience, feel free to post it here. Thanks,
-jhs
Post a Comment