1996-11-22 - Re: Finjan “SurfinGate”

Header Data

From: Adamsc@io-online.com (Adamsc)
To: “m5@tivoli.com>
Message Hash: c6f24bf0a046ae2dee95b11563b3c36ed265b1337f956b499f6bcfc2705bf39a
Message ID: <19961122064500531.AAA48@rn37.io-online.com>
Reply To: N/A
UTC Datetime: 1996-11-22 06:47:15 UTC
Raw Date: Thu, 21 Nov 1996 22:47:15 -0800 (PST)

Raw message

From: Adamsc@io-online.com (Adamsc)
Date: Thu, 21 Nov 1996 22:47:15 -0800 (PST)
To: "m5@tivoli.com>
Subject: Re: Finjan "SurfinGate"
Message-ID: <19961122064500531.AAA48@rn37.io-online.com>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 21 Nov 1996 12:10:51 -0600, Mike McNally wrote:

>Check out http://www.finjan.com and the stuff about "SurfinGate".  The
>software supposedly can perform an on-the-fly inspection of a Java 
>applet or ActiveX control, and then apply a signature to it along with
>a "safety" level qualifier to feed into a configurable policy mechanism.
>
>Any ideas as to how you can look at an ActiveX control and determine
>whether it's safe or not?

You can't.  Anyone who claims to be able to do so is betting their scanning
ability against the collective programming skill of hundreds of
brilliant-but-twisted programmers/hackers.   Remember CHK4BOMB? The old DOS
program that would dump strings from an EXE so you could look for things
like "Happy birthday yoshi"?  They started encrypting and adding
polymorphing and stealthing and . . .

Now you could write a program that would scan for more 'obvious' attacks but
it will probably be a continual catch-up game.  You don't even have the
ability to do checksumming of existing files (like you do w/viruses).

#  Chris Adams  <adamsc@io-online.com> | http://www.io-online.com/adamsc/adamsc.htp
#  <cadams@acucobol.com>                 | send mail with subject "send PGPKEY"
"That's our advantage at Microsoft; we set the standards and we can change them."
   --- Karen Hargrove, Microsoft (quoted in the Feb 1993 Unix Review editorial)
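
Added example, not part of the original message or the archive: a CHK4BOMB-style strings dump run over two constructed byte blobs, showing the scan find a plain-text marker and miss the same marker once it is encoded, plus a checksum check that has nothing to compare a first-seen file against. The blobs, the XOR key, the watchlist and the file names are all constructed for illustration, and the checksum part reads the message's remark as "a new download has no known-good baseline".

```python
import hashlib
import re

# Constructed sample data, not real executables.
MARKER = b"Happy birthday yoshi"
HEADER = b"MZ\x90\x00\x03\x00" + b"\x00" * 8
TRAILER = b"\x00\xcd\x21"
XOR_KEY = 0x5A  # arbitrary single-byte key chosen for this demo

PLAIN_BLOB = HEADER + MARKER + TRAILER
ENCODED_BLOB = HEADER + bytes(b ^ XOR_KEY for b in MARKER) + TRAILER


def dump_strings(data, min_len=4):
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def scan(data, watchlist):
    """Return the watchlist entries found inside any dumped string."""
    found = [s.lower() for s in dump_strings(data)]
    return [w for w in watchlist if any(w.lower() in s for s in found)]


def checksum_verdict(data, baseline, name):
    """Compare a file's SHA-256 with a stored baseline, if one exists."""
    if name not in baseline:
        return "no-baseline"  # first-seen download: nothing to compare with
    digest = hashlib.sha256(data).hexdigest()
    return "unchanged" if baseline[name] == digest else "modified"


if __name__ == "__main__":
    watchlist = ["happy birthday"]
    print("plain   :", dump_strings(PLAIN_BLOB), scan(PLAIN_BLOB, watchlist))
    print("encoded :", dump_strings(ENCODED_BLOB), scan(ENCODED_BLOB, watchlist))

    # Baseline recorded for a file already on disk (constructed name).
    baseline = {"known.exe": hashlib.sha256(PLAIN_BLOB).hexdigest()}
    print(checksum_verdict(PLAIN_BLOB, baseline, "known.exe"))
    print(checksum_verdict(PLAIN_BLOB + b"\x90", baseline, "known.exe"))
    print(checksum_verdict(ENCODED_BLOB, baseline, "new_control.ocx"))
```

The encoded blob still yields a printable string, so the dump is not empty; it simply no longer contains anything the watchlist recognizes.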






