1 files changed, 122 insertions, 0 deletions
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..c618004
--- /dev/null
+++ b/TODO
@@ -0,0 +1,122 @@
+TODO:
+append only files can be achieved by making sure that offsets passed to writefile are not less than the total size of the file
+disable all non-TCP/IP / netbios protocols by default (with an additional option to enable)
+(connect to \Device\AFD disable non tcp/ip stuff) (\device\netbios)
+svchost.exe needs to be jailed by DLLs... each DLL will have its own policy
+policy_include: additional.policy
+add ability to deny logons to certain users
+add a "signature" rule.. LocalSystem execution of different processes (especially cmd.exe) should be logged and possibly denied?
+allow occasional rules to go through w/o logging? especially file & registry?
+investigate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE
+disable execution of certain applications based on their version (i.e. vulnerable IE) (from okena)
+add sniffer & non-ip protocol detection (from okena)
+COM/ActiveX interception
+support for application clauses (chapter 6)
+when creating an "exception" rule, MC can/should ask for whether the exception rule should be created on
+the selected agent only, all agents of a certain type or all agents of all types
+block debuggers
+non-GUI/system apps cannot use GUI calls?
+in server paranoid mode, allow only c:\program files\*.exe and c:\windows\*.exe to execute?
+trusted path execution (execution of binaries from non-trusted directories (i.e world-writable))
+(A trusted path is one that is inside is a root owned directory that is not group or world writable.)
+explorer option.. "Run process in a sandbox.." brings up a gui that asks whether to allow file, reg, network access?
+port to Itanium/AMD64
+see if we can take over the job of a buffer overflow security exception handler
+on win2k3 install custom BO exception handler that terminates a process
+need to be able to control access to all device drivers (is this already handled by intercepting createfile?) is there another way to obtain a handle to a kernel driver?
+disable modem access, etc
+raw devices of all (mounted?) filesystems should be read-only
+copy in all unicode strings, check them and then pass the kernel copies to the kernel to avoid race conditions?
+disable our driver if loading using LastKnownGood configuration (notify MC?)
+restrict reboot capability and certain programs only to interactive sessions?!
+add ability to load what programs are allowed to run? (sha1 hashes, signed binaries)
+investigate kernel32!CreateHardLink
+dll_all: log will also log all section rules since RULE_DLL will be converted to RULE_SECTION
+protect crypto keys
+use ZwQueryProcessInfo ProcessVmCounters to keep track of amount of allocated process memory (execution time can be limited using job objects?! memory limit too?)
+(or simply hijack malloc & free)
+device naming on terminal servers
+have a webpage which lists new vulnerabilities and whether our system would automatically protect against it
+deallocate allocated virtual memory that was used by AS randomization once the process is loaded and initialized (what about dynamically loaded DLLs)?
+create a policy check tool.. one of the things to lookout for is using "eq" and then specifying regex chars like * or ? in the filename
+interactive learning mode
+policy_ask user app should not run as an interative service but rather as a separate app running as a particular user
+IIS install should scan the registry for any known virtual roots and automatically add them to the policy.. same for other apps
+make sure that file-system protection cannot be subverted by accessing files by other means (\\127.0.0.1\share\file)
+per-group policy, per-user global policy
+network connect should be able to specify ports and not just ip addresses
+address eq "127.0.0.1:443" then permit
+address eq "0:443" then deny
+address eq "\\UNCpath\blah" then log
+address eq "www.porn.com:80" then deny
+new product idea: Solaris BSM-like auditing (http://www.securityfocus.com/infocus/1362) for Windows
+(compare to what audit logs native Windows Group/Security Policies can already generate)
+posix 1003e
+layers:
+desktop
+web server (iis, apache, netscape)
+database server (oracle, MS SQL / access, Sybase, DB2, Informix, Interbase, MySQL)
+terminal server
+mail server
+VPN server / remote access server
+dns server
+dhcp server
+wins server
+streaming media server
+domain controller
+file and print server
+(application server � websphere, BEA websphere)
+(collaboration server � IBM Lotus Domino)
+client policies:
+        email (outlook, outlook express, eudora, netscape)
+        browsers (IE, netscape, opera)
+        IM (aol, yahoo!, msn, icq)
+        others (ms office, napster)

diff --git a/TODO b/TODO new file mode 100644 index 0000000..c618004 --- /dev/null +++ b/TODO
@@ -0,0 +1,122 @@
	1	TODO:
	2
	3	append only files can be achieved by making sure that offsets passed to writefile are not less than the total size of the file
	4
	5	disable all non-TCP/IP / netbios protocols by default (with an additional option to enable)
	6	(connect to \Device\AFD disable non tcp/ip stuff) (\device\netbios)
	7
	8	svchost.exe needs to be jailed by DLLs... each DLL will have its own policy
	9
	10	policy_include: additional.policy
	11
	12	add ability to deny logons to certain users
	13
	14	add a "signature" rule.. LocalSystem execution of different processes (especially cmd.exe) should be logged and possibly denied?
	15
	16	allow occasional rules to go through w/o logging? especially file & registry?
	17
	18	investigate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\IEXPLORE.EXE
	19
	20
	21	disable execution of certain applications based on their version (i.e. vulnerable IE) (from okena)
	22	add sniffer & non-ip protocol detection (from okena)
	23	COM/ActiveX interception
	24	support for application clauses (chapter 6)
	25
	26	when creating an "exception" rule, MC can/should ask for whether the exception rule should be created on
	27	the selected agent only, all agents of a certain type or all agents of all types
	28
	29
	30	block debuggers
	31
	32	non-GUI/system apps cannot use GUI calls?
	33
	34
	35	in server paranoid mode, allow only c:\program files\.exe and c:\windows\.exe to execute?
	36	trusted path execution (execution of binaries from non-trusted directories (i.e world-writable))
	37	(A trusted path is one that is inside is a root owned directory that is not group or world writable.)
	38
	39	explorer option.. "Run process in a sandbox.." brings up a gui that asks whether to allow file, reg, network access?
	40
	41	port to Itanium/AMD64
	42
	43	see if we can take over the job of a buffer overflow security exception handler
	44	on win2k3 install custom BO exception handler that terminates a process
	45
	46	need to be able to control access to all device drivers (is this already handled by intercepting createfile?) is there another way to obtain a handle to a kernel driver?
	47	disable modem access, etc
	48
	49	raw devices of all (mounted?) filesystems should be read-only
	50
	51	copy in all unicode strings, check them and then pass the kernel copies to the kernel to avoid race conditions?
	52
	53	disable our driver if loading using LastKnownGood configuration (notify MC?)
	54
	55	restrict reboot capability and certain programs only to interactive sessions?!
	56
	57	add ability to load what programs are allowed to run? (sha1 hashes, signed binaries)
	58
	59	investigate kernel32!CreateHardLink
	60
	61	dll_all: log will also log all section rules since RULE_DLL will be converted to RULE_SECTION
	62
	63	protect crypto keys
	64
	65	use ZwQueryProcessInfo ProcessVmCounters to keep track of amount of allocated process memory (execution time can be limited using job objects?! memory limit too?)
	66	(or simply hijack malloc & free)
	67
	68	device naming on terminal servers
	69
	70	have a webpage which lists new vulnerabilities and whether our system would automatically protect against it
	71
	72	deallocate allocated virtual memory that was used by AS randomization once the process is loaded and initialized (what about dynamically loaded DLLs)?
	73
	74	create a policy check tool.. one of the things to lookout for is using "eq" and then specifying regex chars like * or ? in the filename
	75
	76	interactive learning mode
	77
	78	policy_ask user app should not run as an interative service but rather as a separate app running as a particular user
	79
	80	IIS install should scan the registry for any known virtual roots and automatically add them to the policy.. same for other apps
	81
	82	make sure that file-system protection cannot be subverted by accessing files by other means (\\127.0.0.1\share\file)
	83
	84	per-group policy, per-user global policy
	85
	86
	87	network connect should be able to specify ports and not just ip addresses
	88	address eq "127.0.0.1:443" then permit
	89	address eq "0:443" then deny
	90	address eq "\\UNCpath\blah" then log
	91	address eq "www.porn.com:80" then deny
	92
	93
	94	new product idea: Solaris BSM-like auditing (http://www.securityfocus.com/infocus/1362) for Windows
	95	(compare to what audit logs native Windows Group/Security Policies can already generate)
	96	posix 1003e
	97
	98
	99	layers:
	100
	101	desktop
	102	web server (iis, apache, netscape)
	103	database server (oracle, MS SQL / access, Sybase, DB2, Informix, Interbase, MySQL)
	104	terminal server
	105	mail server
	106	VPN server / remote access server
	107
	108	dns server
	109	dhcp server
	110	wins server
	111	streaming media server
	112	domain controller
	113	file and print server
	114	(application server � websphere, BEA websphere)
	115	(collaboration server � IBM Lotus Domino)
	116
	117
	118	client policies:
	119	email (outlook, outlook express, eudora, netscape)
	120	browsers (IE, netscape, opera)
	121	IM (aol, yahoo!, msn, icq)
	122	others (ms office, napster)