Buffer Overflow Attack protection: how important is it?

So what do you think?
How important is it? To which segment (e.g. home users' machines, web servers, mail servers, etc.)?

I would like to hear everyone’s opinion and have a discussion about this if we can please.

thank you

Melih

“Buffer Overflow protection”, please forgive me, I’ve never even heard the expression. :o Does it address something in v3?

/LA

http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

Check this.

Melih

Thanks Melih. A quick review of those sources tells me the concept goes beyond my current skills and understanding. However, I’ll be glad to follow this thread to learn from others. And of course, I may have the general opinion that all possible protection (of computers) should be in place - to the extent it is actually needed.

We all really need a firewall, but do we need buffer overflow attack protection? Does CPF cause data overflow? I know it has built in termination protection (great), but I don’t know the risk of CPF writing data overflow. Again, all protection is great, but I think only Comodo can tell whether this is needed or not. Or…?

/LA

The issue is all the malware out there that uses BO (Buffer Overflow) as a mechanism to infect victims’ machines. For example, there are lots of examples of drive-by-download attacks utilising these buffer overflow vulnerabilities that exist in browsers (and they exist in much other software, actually). Servers running applications are also targeted using BO to take over the servers, etc.

Melih

Windows XP:

From what I understand, it’s extremely important. While programmers have to make programs in Assembly/C/C++ (unmanaged code), buffer overflow exploits are always going to exist in a program.

Humans can only do so much in this respect when a program starts getting very long such as an anti-virus program or Operating System.

Windows Vista (I ramble a little bit here):

Buffer Overflow attacks are not going to be as relevant with Windows Vista because system processes are no longer loaded into a set spot in memory.

I think that hackers in the next couple of years (Time may vary by factors such as how many people and with what skills are working on the “Problem” ) are going to be very busy hacking Vista. Vista presents a rather impressive challenge when it comes to exploiting the Operating System as a whole for reasons that I won’t go into.

With the advent of Vista, it’s a waiting game to see where the weak point is with Vista.

The new server OS that “goes with” the release of Vista will most likely have the same sort of protections that Vista has. And that most likely goes for the whole range of Microsoft products.

At the moment all that is needed is a “stop gap” solution until Vista is the most commonly used Operating System. This may take 3 or 4 years.

Today it may be buffer overflows, tomorrow it may be a mutation of the buffer overflow or a totally new problem.

Also, the process by which buffer overflow attacks are found is called “Reverse Engineering”, which will also be halted because of the TPM chip in the processors that are and have been released (this is generally hidden from the public). This technology allows for BitLocker capabilities in Vista but can also be used to store cryptographic keys that can only be accessed by the appropriate product.

So when an encrypted program runs it grabs its key and decrypts the rest of the program. This is protected from the processor to the application through hardware and software. So the process that is used most commonly to find buffer overflows will be stopped dead until it is cracked.

Now the TPM thing is being sold as a “DRM” measure, (Obtain legal advice for your own country).

From what I understand in my own situation (Obtain legal advice for your own country):

  1. Reverse engineering is protected in certain situations.
  2. TPM will allow a company to protect from reverse engineering through TPM.
  3. TPM is also a DRM measure.
  4. Bypassing DRM is illegal (clashing with point No. 1).

Buffer overflows are A LOT harder to find and use effectively by “guessing”. Also, if I recall correctly, each process is isolated.

I know I may have gone a little off-topic; I think the upcoming OS/technologies are very relevant to this subject.

There, that is a very basic analysis of what problems the future holds with BO attacks.
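The post above says that as long as programs are written in unmanaged C/C++, unbounded copies will keep turning up. As an added example (not code from any poster in this thread), here is the classic unsafe copy beside a bounds-checked version in C; the `session` record, the field names and the sample inputs are constructed for illustration, and the unsafe function is kept only for contrast and is never called.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, the usual overflow target */

/* Constructed record: a fixed buffer followed by a privilege flag.
   An unbounded copy into `name` keeps writing into `is_admin`. */
struct session {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable form: strcpy() copies until it finds a NUL, so any input of
   NAME_MAX bytes or more writes past the end of s->name. Kept only as the
   "before" for comparison; nothing below calls it. */
void set_name_unsafe(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Hardened form: look for the terminating NUL only within the destination's
   size, and refuse anything that does not fit including the NUL. Rejecting
   is preferable to silently truncating, which hides the bad input.
   Returns 0 on success, -1 when the input was refused. */
int set_name_safe(struct session *s, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof s->name);
    if (nul == NULL)            /* no NUL within NAME_MAX bytes: too long */
        return -1;
    memcpy(s->name, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Helper for checks: returns the hardened copy's result for one input. */
int accepts(const char *input)
{
    struct session s;
    memset(&s, 0, sizeof s);
    return set_name_safe(&s, input);
}

/* Helper for checks: feeds one input through the hardened path and returns
   1 if the adjacent is_admin flag is still 0 afterwards, else 0. */
int flag_intact_after(const char *input)
{
    struct session s;
    memset(&s, 0, sizeof s);
    (void)set_name_safe(&s, input);
    return s.is_admin == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is far too long. */
    const char *ok  = "alice";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 bytes */
    struct session s;
    memset(&s, 0, sizeof s);
    printf("short input: %s\n", set_name_safe(&s, ok)  == 0 ? "accepted" : "rejected");
    printf("long  input: %s\n", set_name_safe(&s, big) == 0 ? "accepted" : "rejected");
    printf("is_admin after both: %d\n", s.is_admin);
    return 0;
}
```

The point of the `is_admin` field is to make the damage concrete: with the unbounded copy, a 40-byte name would run straight into the flag; with the bounded copy the oversized input is refused and the flag is untouched. A stack canary or DEP catches some consequences of the unsafe form after the fact; the bound check prevents the write in the first place.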

If you look at the below link, it’s a product designed against buffer overflow attacks and it lists some of the nasties that used buffer overflow vulnerabilities to cause damage.

http://www.ngsec.com/ngproducts/stackdefender/?lang=en

Sasser worm exploiting MS workstation service.
Slammer worm exploiting an MS SQL overflow.
CodeRed worm exploiting an IIS overflow.
MS-Blaster exploiting RPC-DCOM overflow.
IIS WebDav buffer overflow.
MS SQL multiple buffer overflows.
SunONE heap overflow.
Microsoft RPC-DCOM multiple buffer overflows.

Look at the pricing though :frowning: I wonder if there are other products that do something similar but cheaper? Please let me know if you know any.
thanks
Melih

Melih

I suspect the pricing is based on the trend that BO issues mainly impact commercial operations these days, since in recent times most BOs have been aimed at web servers and such, not home PCs. Of course, that doesn’t mean that it will continue to follow this trend… it only needs somebody to release something in the future that will prove vulnerable to BO attack & the trend could quickly shift.

How about drive-by-download attacks that use BO to infect unsuspecting victims’ machines?

thanks
Melih

DEP in Windows?

Melih

I must admit that I didn’t know that drive-by downloads used BO as a method of deployment (not including when dbd’s are inserted into legitimate web site pages themselves… that might use BO)… I thought they were things that were downloaded/installed without the user’s specific knowledge. Mind you, I wasn’t disagreeing with you anyway… I merely said that the current trend is to hit commercial targets with BOs & that could change (back to us) anyway. Outlook was infamous for this… the reason that I still refuse to use Outlook to this day.

Rotty

Unfortunately, whilst DEP does work fairly well for Windows (the OS) it doesn’t necessarily protect applications running under the OS. History has shown that applications running under a DEP hardened OS can still be vulnerable to the BO exploit.

Imo, having buffer overflow protections is critical not only against today’s cracking attempts but also from a future perspective, for two reasons:
a) Vista, which someone said should be more effective against this kind of attack, likely will not have the same diffusion as the previous MS systems, having excessive hardware requirements and being less intuitive than its predecessors, besides being still partially exploitable. Most people I heard will stick to XP as long as possible, and Linux is becoming a viable alternative.
b) If a program is badly conceived, even in non-admin environments the buffer overflows can be used to gain higher privileges. In any case, even if Vista may guarantee the OS integrity, the same is not true for the user’s data.
In conclusion, I think such a protection is an important pro-active measure and it should be running along with a FW in any MS system.

Well, to answer your question, I know one; actually, the Sunbelt Personal Firewall (formerly Kerio Firewall) has buffer overflow protection in its HIPS.
The software has not been updated much, but it still works; I know because I used it and it worked very well with Sasser and Slammer… oh, and it only costs 10 bucks.

I would say most home users do not need protection from buffer overflows. So I would not waste my time, this year at least. :wink:

And I believe all those overflows listed on that page have been fixed by patches? Microsoft I believe has been pretty good at fixing these types of issues lately.

UPnP had buffer overflows for example and was patched pretty quickly:

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

There was also the Microsoft JPEG GDI+ and Windows Metafile vulnerability, which again were both fixed pretty quickly.

So yes, while I agree home users are affected, I doubt it is to any real level, unlike spyware and viruses. Other vendors have been pretty quick to fix these bugs as well.

So yeah, everyone is affected, but is it worth creating an application to protect home users? I doubt it! Corp users? Yes!! Totally different ball game!

Well this is how I feel about it…

Oh and check this out:

http://www.metasploit.com:55555/EXPLOITS

Now if you could create a product to protect you from all of them, then hell yeah it would be worth it, as Metasploit is a common tool used by hackers.

Be sure and check out the awesome security now podcast on buffer overflows: