Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, it’s become a little more civilized here, so I’ll tiptoe back in with one more comment.

    Regarding .exe monitoring - they have more uses than just watching installation of software. For instance, they block the surreptitious installation of keyloggers, spyware, adware, executable viruses. Another interesting use concerns Alternate Data Streams, and I’m preparing a demo which I’ll post to the ‘NTFS : Alternative Data Streams’ thread sometime next week. Since there are screen shots, it’s difficult to set it up in a post on this forum, so I’ll probably post a link to my own server as I did with my Kerio Firewall Tutorial.

    A lot of this has gotten a bit off topic from Buffer Overflow, and I hope kareldjag will post back with some more info. He’s probably busy with his beta testing.

    But as long as general security is being discussed, I’ll say that I think it’s pointless to base one’s setup on what someone else has. This is pointed out in CN232’s post #115 and richrf mentions in #121 that you would get 50 different responses from 50 people if asked what security products you use. This can be seen in several on-going threads in different forums on "What firewall shall I choose?" The poor people who asked the question are probably so confused that they don’t know where to turn.

    Some of the later posts in this thread are getting closer to a better approach, ie, start with looking at the user's system/programs/needs and go from there. Ideally, a person educates herself/himself about the basics of computing starting from day one. How this can be done, I'm not sure... I thought that security forums would be one place that would provide basic computing and security education. But that doesn't seem to be.

    I came to these forums a few months ago gathering information for a project I’m doing: "Fear and Paranoia - the Driving Forces Behind the Computing Security Industries." I was quite taken aback that very little is discussed about user education, user awareness, etc… On another forum, one person was brave enough to start a thread on user responsibility and education and received very little support for the idea. I also started a similar thread, and it went nowhere. Most people just prefer to talk about and recommend products.

    One writer commented in an article (I’ve since lost the source of this excerpt) that lack of user awareness leads to this scenario about products:

    Those who become a bit more technical, start using sophisticated products, many of which have forums here, and are happily discussed in all of these threads.

    I mentioned in the thread referred to above:

    Clueless Newbie wrote:

    A bit strong, perhaps, but if you read carefully some of the threads that discuss the merits of products, you draw this conclusion. Nothing wrong with having that kind of fun, but it’s confusing for the average person coming here for information about security.

    I spoke recently with my brother - he is an independent programmer (writes business software), does consulting, and sets up small office systems.

    He and I are of a like mind about security: stressing user awareness, and using few products. I asked him if he still uses the same security setup. Yes:

    Norton firewall
    Norton System Works

    My point is not to recommend products, but just to say that he certainly belongs in the "highly qualified" category of users; he has three computers on a LAN, connected to the internet via broadband and yet he has a very simple security setup, based on what he’s decided he needs. He’s had this setup for many years and has never had an unwanted intrusion to his system.

    My own unscientific survey in talking with people indicates that the more knowledgeable and alert people are about their computing habits, the fewer security products they use. In a recent thread on the DSL forum asking you to list your three important security programs, I was not surprised that several said: None. At least one put, 1) user awareness 2) user awareness 3) user awareness

    I say unscientific, because many people posting to these forums are very knowledgeable, yet have a long string of security products installed, so more study is necessary before meaningful conclusions can be drawn. My premise is that the fear and paranoia level is high, even if subconscious, but this will be difficult to prove scientifically.

    Well, I’ve enjoyed the back and forth banter amongst the various posters here - not sure how useful it’s been, but if it contributes something to the knowledge base of security, perhaps it’s all worthwhile.

    Regards,

    -rich
     
    Last edited: May 29, 2005
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi rich,

    "Paranoia" is unfounded fears. Practically every one of my friends has been hit by pretty malicious malware over the last year, so being concerned about security doesn't fall into the paranoia category as far as I can tell.

    My attitude is to have some straightforward practical solutions which will afford a very high level of security, that are practical, can be easily assimilated, and don't cost that much in time or money. For this reason, a simple recommendation (without going into any heavy duty user education beyond telling someone to avoid porno sites and P2P), such as purchasing one of the top-rated AVs (Kaspersky, McAfee, NOD32, BitDefender), already puts a user into a very highly protected state of security (no Windows tweaking or any other fancy stuff needed).

    But I know, that anyone of these products can be penetrated - though the probability is very low. So instead of recommending a ton of other scanners which in reality will offer almost no protection over and above what KAV can provide, I offer the recommendation that people protect their computer from basic registry modifications that malicious programs can make (e.g. some registry defense shield) as well as security software that will prevent the initial execution of any malicious programs (I believe this is more important than detecting after-the-fact actions of malicious programs that have already begun to execute). Scanners are therefore the first level of defense, program control the second (if someone desires it) and registry control the third level (again if someone desires it).

    Beyond this, I also recommend a good firewall (router and/or sw) and using FireFox (which all of my friends are doing at this time).

    This is a basic strategy which I hope is useful to other people who have very real and valid concerns about security and do not want to spend too much time on education - especially since I do not think it requires a lot of time to be very well protected.

    Rich
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rmus,

    There is merit in a less is more approach. First, there is a situation where one is protected simply because there are no CPU cycles left for anything else - security by resource starvation I guess :)

    While this thread has wandered a bit and had some pointed excursions, there is substantial food for thought here for anyone using a computer.

    Many folks simply have too much in the way of realtime monitoring. Processes undergo a constant battle for contention and the system locks. It really is a case of too many cooks in the cyber-kitchen. My own belief - fewer is better, of course then it comes down to what do I mean by fewer? For myself, I've noted it in the post above.

    I also do not try to squeeze every last CPU cycle or byte of RAM out of things. I consider myself reasonably capable, but it's unusual for me to spend more than a few minutes adjusting a software configuration once I've done some testing, basically understood what the options do, and examined what those before me have done. Overall, I'm a default guy with exception based customization. If I run into a specific instance where tweaks are required, I'll do them. Otherwise it's a standard install all the way. Extensive customization quickly reaches a point of diminishing returns, at least for me.

    Kernel level applications are one area where I still have mixed emotions. I appreciate the power, but I worry about the cascade of unintended consequences. PG/RD are well behaved thus far, but again I participate in minimal tweaking, tend not to shutdown "unneeded" Windows services (which may be needed for stability while walking down this road), and am parsimonious in my choices.

    All this does come back to the issue of user education and having a working knowledge of the tools you use. That working knowledge is not akin to being a mechanic for your car, but being able to read the flashing red lights, knowing when the car is not properly functioning, and being aware that the random addition of fluids to the gas tank provided by passing walkers is probably a bad thing. We know all these things for car, which are fairly complex, people should know the equivalent for PC's.

    Returning to the subject of the thread - buffer overflow protection. For me - these will be caused by some malware and I'll let the tools that I've selected to handle malware in general tackle them. I really don't plan to implement specific tools directed towards this possibility. If the tools I employ fail me, and the minimal backup isn't sufficient, I'll reassess my strategy, perhaps make appropriate changes if warranted, and then move on accordingly.

    Blue
     
  4. CN232

    CN232 Guest

    In my view the point I made in #115 is totally 100% diametrically opposed to Rich's #121, I'm not sure why you think they are the same point.

    The reason why you get 50 different answers is no doubt sometimes due to different experiences and tastes, but I suspect much of it stems from

    1) Questioner does not state exactly what his situation is, as a result, people answering the post feel free to recommend what *THEY* use, no wonder they get 50 different answers!

    2) Even if the person asking for help posts his requirements (rarely, and found not complete), I've noticed that in many cases people actually give recommendations that clearly go against what is asked.

    Eg Recent threads asking for freebies got replies of running KAV/PG/RD!
    This makes me wonder if people are really reading the request and trying to help, or perhaps there is an element of boasting involved, a desire to tell the whole world about their security setup regardless of what is asked.

    In other cases it's less obvious, people recommending stuff like MSAS on a win98 machine, or memory hungry programs on a low end machine.

    To be fair, I think things might be changing.

    Obviously, the correct answer to a bare "what firewall should I choose?", is any/all and the free for all starts. Of course to be fair, the person asking the question seldom knows what are the right questions and info to provide in the first place.

    I've often toyed with the idea of posting a checklist that someone can fill in, maybe even incorporate it into his profile. So when he makes a request, the person answering can get a better idea about the user skill level, browsing habits, paranoia level, basic computer specs and tailor his answer accordingly.

    I can see 2 drawbacks to this

    1) Privacy. Not everyone is willing to reveal this info.

    2) Fun. It's less fun if you must really use your brain to tailor your answer instead of automatically recommending what you think is the best, most paranoid, most unbeatable setup you run. :)

    Yes, I noticed that too. Even in other threads . I am heartened.

    I thought I was the only one who saw this.

    Indeed, I feel that discussion about such topics here is not wrong. After all, the bunch here is a self-selected bunch of people who do have some interest in computer security and eventually some might even learn something other than just running software. For example in this thread alone, though there is heavy discussion of whether software X blocks buffer overflows, I see people coming away with a little basic knowledge of buffer overflows .

    Indeed, this is my observation too. I have friends and coworkers who are working in the computer security field, and they know more about security, hacking and networking in their little finger alone compared to me, and yet when I visit their home computers they run a very minimal setup.

    One of them merely runs a router + on demand AV! Believe it or not.

    I have often asked them for their evaluations of PG, RD etc, and generally they tell me it's a good product (interesting technically), and it wouldn't hurt to run it, but despite this they still won't run it.

    I've often wondered why; the main idea I think is that they believe in the KISS principle. The run of the mill threats are hardly a threat with proper user education, and I suspect with their knowledge, they know that if someone good is really gunning for you (to the extent of utilizing zero day exploits, modelling your setup), you are pretty dead anyway.

    I would say that though people posting here are knowledgeable compared to the average person on the street, most of us are not security gurus by any long shot, or even competent programmers or crackers.

    My favourite term for myself is that I'm a white hat version of a script kiddie. I run security software coded by others with little or no idea of how it works.
    Just like a script kiddie can be dangerous against obviously unsecured systems, a white hat script kiddie can be effective in teaching others how to ward off basic threats.

    But I suspect this modest aim is not what most people here are shooting for?

    There are a few truly knowledgeable people of course, but these are the commercial vendors themselves. And there are those who enjoy pointing out technical flaws in these products; generally they aren't well received.
     
  5. CN232

    CN232 Guest

    I would add that in my experience a 'black hat script kiddie' (compared to the leet types) runs about the same security tools favoured by the people here. :)

    Whether this reflects similar level of knowledge, I leave it for the reader to decide.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
  7. CN232

    CN232 Guest

    Let's see, shall we. Quoting authority is always a good thing.

    Too bad, none of it talks directly about .exe monitoring. The value of protection against process termination and driver installation (strongest defense against rootkit i guess means that) is one that I have no problems with.

    After all there's a reason why security apps are adding anti-termination protection.

    Execution protection in PG is pretty much an afterthought anyway. Though PG can protect a process when it's in memory, it can't do anything when it's not running, and this leaves the file vulnerable to being edited.

    PG's exe protection is merely a means to check that the md5 hash of the protected process/file is not changed when starting. Rather than checking only for protected processes, it was trivial, I guess, to throw in the monitoring for all exes.

    I guess that's why SSM's exe monitoring far surpasses PG's. Since if you want to take a shot at making exe monitoring even remotely useful, being able to check and allow/disallow parent/child processes is critical.

    As it stands, PG's exe protection is less than useful, unless you set everything to allow once, and that is way too troublesome for most.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    HI CN232,

    Nothing malicious can happen on a computer (e.g. file editing) unless a malicious program (or script) is allowed to execute in the first place. This is the basic strategy of a pro-active, front-line defense.

    Clean Machine + Trusted Apps - Everything Else = Trusted Machine.

    The overall strategy is quite straight forward and quite understandable by almost any computer user. The trick is how to prevent everything, but trusted apps, from installing? Thus top-rated AV/AT, ProcessGuard, WormGuard, RegDefend.

    I have no idea what your strategy is because you refuse to relate it. However, I am quite certain that scanning after the fact (even registries like MS AS does) is too late. As for SSM, a very well conceived product, but I definitely invite people to compare your recommendation to ProcessGuard.

    Rich
     
    Last edited: May 30, 2005
  9. CN232

    CN232 Guest

    I'm in awe of your insight. :)

    It's quite simple, given that you have taken the proactive strategy, the only other strategy left to me is the "get infected first" strategy . :) Come on Rich. Throwing around the words 'proactive', 'execution stream', 'strategy' doesn't make you sound better and impresses no one.

    It's one thing to refuse to be pinned down on specifics without any relevant details, it's quite another to talk in broad empty terms.

    I'll let you have this shot, you deserve it. I'm impressed by antimalware too, I believe it is proactive too, but truly I'm too clueless to know if this is really the case.

    Thank you for your invitation; your endorsement of SSM will surely be a big help.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    To briefly stray back on topic, Kerio 4.2 has a tickbox for buffer overflow protection (and another for executable code injection). I haven't tested either to see how effective they are. I have gotten an alert or two about buffer overflows so it must be doing something...

    To focus on that one aspect of the argument so I can get in and out of this thread quickly... Some things that were observed early this year here and probably other places as well:

    • If you want to "Block new and changed applications" then all "Permit Once" items will also be blocked, this detracts from current workarounds (like having rundll32 on permit once)
    • During boot you can get "Permit Once (Unable to ask user)" auto-allowed executions unless "Block new and changed applications" has been selected
    I still find that the PG execution protection has some value, although to me the value is largely in the "last run" date/time and the audit trail

    This is because my personal preference is to have a personal firewall that also provides application execution control. Seeing as the firewalls tend to start with the TCP stack, there is potential to enforce rules and receive execution alerts earlier (I get Kerio alerts prior to login and at the login screen).

    I'd have to say that my personal preference would be to have finer grained control over program executions but by exception rather than for everything. At times command line parameters would be enough and for other things I would also want to specify the parent process and at times I would like to be able to control instantiation of InProcServer dll's that are effectively new program executions
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I was just searching for something (don't remember what it was) but I came across this thread and was interested. My question is this: what buffer overflow protection software is the best overall? Or should I treat it like an AV and just try them one by one? And lastly, does any of the buffer overflow protection software conflict with the Athlon 64 and hardware DEP?
     
  12. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I would personally go for Attack Shield (see first page of this thread). No buffer overflow protection app will stop them all (not even hardware DEP), but Attack Shield does a little more than just try to intercept overflows, so the effect would probably be a bit more comprehensive. Prevx is another option for the same reason, although it's nowhere near as transparent as Attack Shield.
     
  13. trq21

    trq21 Guest

    What about BufferShield as mentioned by StevieO? That has a free version also and it looks like a good one.
     
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    From a personal point of view, I don't think that BufferShield is very effective, nor very useful: too many false positives, and it often denies execution of legitimate applications. I like to keep control of my system...

    AttackShield is free (like the BufferShield free version) and will limit the impact of BO attacks on Windows services (but it's not a protection of the stack): it's an install it and forget it... so, like Notok, why not?

    If BO exploits are published each day and could be applied by any script kiddie, it's much more difficult to hypnotize the program and gain access and total control of the system (advanced/very experienced coders/attackers).

    But one of the easier ways to prevent any "zero day" attack/exploit, even Buffer Overflow ones, is to limit rights and privileges on the system (don't run as an admin during a surf session).

    http://eweek.com/article2/0,1759,1772361,00.asp

    And the Aaron Margosis weblog appears to me as a must-have on my bookmarks:

    http://blogs.msdn.com/aaron_margosis/default.aspx

    The 2 articles "zero day attacks and using limited privileges" and "why you shouldn't run as an admin." are really interesting for any user.

    If the PrivBar is not useful for some users, there are some tweaks to know if we run as admin/user, and here's one of them:

    Double click on the clock in the systray: if a pop up box similar (English version) to the attached image appears, then it means that you run as an admin.

    As it was said, BO attacks are very effective but not common on windows home users systems.


    hope this helps

    regards
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The key to a buffer overflow attack is being able to send data to a system - home users with a firewall set up to block unsolicited traffic therefore have very little chance of being hit by one, only those who run servers (though this includes file-sharing software) should need to concern themselves about this.
     
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    That's good to hear, but I feel better knowing I have all the bases covered. That's why I asked about which program to use.
     
  17. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Hmmm... This article may be useful -
    http://www.mnin.org/write/2005_trimode.html.
     
  18. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Not to claim I am in the same league as CN232's friends (but I do work hands-on in IT), my setup is basic - just the XP SP2 built-in firewall, MSAS, NAV, Spybot, Lavasoft, an audit trail logger (to catch things that my children might have installed by mistake or unsolicited changes in my PCs), and an anti-phishing plugin (for my internet banking). My other friends also in IT (writing software) - just NAV, firewall and an anti-phishing plugin.

    Having said this, PG looks kool, but I believe my constant O/S and IE updates are sufficient for my security needs. Also, I guess that if things get stuffed, my children's dad is always there to debug and fix up the problem.

    My 2 cents worth.
     
  19. Pollmaster

    Pollmaster Guest

    I suppose Paranoid2000 is thinking of buffer overflows of the Slammer worm variety that exploit workstation servers with listening services.

    I agree that a home user doesn't have to worry about that with a properly setup firewall (software or hardware) that doesn't allow inbound connections without a matching outbound first.

    However on the other hand buffer overflow attacks are not just limited to exploiting listening open services, but can be used in combination with scripts to exploit browsers when they visit another site.

    So if you keep yourself patched, the attacker will have to have or find his own non-public exploit to successfully hit you.
     
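The last few posts (#15 and #19 in particular) argue about where an overflow can come from and what the tools earlier in the thread (#12 to #14) actually catch. The following is an added worked example, not code from this thread or from any of the products named in it. It simulates a service that reads one attacker-supplied network message into a fixed 16-byte stack buffer, with a compiler-style canary and the saved return address laid out after the buffer so the effect of an over-long copy can be observed deterministically (a real overrun is undefined behaviour, so the frame is modelled as a flat byte array). The one-byte-length wire format, the frame layout, the addresses, and the benign and hostile message bytes are all constructed for illustration; nothing here is taken from a real protocol or exploit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame of a service reading one network message:
 * fixed buffer, then the canary a stack protector would insert, then
 * the saved return address. Modelled as one flat byte array so an
 * over-long copy stays inside a single object (a real overrun is UB). */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (BUF_SIZE + 4 + 4)
#define CANARY     0xDEADBEEFu   /* hypothetical canary value */
#define GOOD_RET   0x00401000u   /* hypothetical legitimate return address */

struct frame { unsigned char bytes[FRAME_SIZE]; };

static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    put32(f->bytes + CANARY_OFF, CANARY);
    put32(f->bytes + RET_OFF, GOOD_RET);
}

/* Hypothetical wire format: one length byte, then that many payload bytes. */

/* Vulnerable handler: checks that the declared length fits inside the packet
 * but never checks it against BUF_SIZE, so the payload runs over the canary
 * and the return address. The clamp to FRAME_SIZE only keeps the simulation
 * inside the array; it is not a security check. */
static int handle_vulnerable(struct frame *f, const unsigned char *msg, size_t msg_len) {
    size_t n;
    if (msg_len < 1) return -1;
    n = msg[0];
    if (n > msg_len - 1) return -1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, msg + 1, n);
    return 0;
}

/* Hardened handler: rejects any payload longer than the buffer before copying. */
static int handle_hardened(struct frame *f, const unsigned char *msg, size_t msg_len) {
    size_t n;
    if (msg_len < 1) return -1;
    n = msg[0];
    if (n > msg_len - 1) return -1;
    if (n > BUF_SIZE) return -2;
    memcpy(f->bytes, msg + 1, n);
    return 0;
}

/* Runs the vulnerable handler; returns 1 if the canary survived, 0 if it was
 * overwritten (what a stack-protector epilogue would detect), and reports the
 * saved return address through *ret when ret is non-NULL. */
int run_vulnerable(const unsigned char *msg, size_t msg_len, uint32_t *ret) {
    struct frame f;
    frame_init(&f);
    handle_vulnerable(&f, msg, msg_len);
    if (ret) *ret = get32(f.bytes + RET_OFF);
    return get32(f.bytes + CANARY_OFF) == CANARY;
}

/* Runs the hardened handler and returns its status code. */
int run_hardened(const unsigned char *msg, size_t msg_len) {
    struct frame f;
    frame_init(&f);
    return handle_hardened(&f, msg, msg_len);
}

/* Constructed sample traffic (not captured from any real service). */
const unsigned char benign_msg[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Builds a hostile message: 16 filler bytes, 4 bytes over the canary, then
 * 4 bytes replacing the return address with 0x0BADF00D. Returns its length. */
size_t build_hostile(unsigned char *out, size_t cap) {
    size_t n = FRAME_SIZE;
    if (cap < n + 1) return 0;
    out[0] = (unsigned char)n;
    memset(out + 1, 'A', BUF_SIZE + 4);
    put32(out + 1 + RET_OFF, 0x0BADF00Du);
    return n + 1;
}

/* Scenario helpers: 1 if the hostile message smashes the canary in the
 * vulnerable handler, the return address it leaves behind, and 1 if the
 * hardened handler rejects the same message. */
int hostile_smashes_canary(void) {
    unsigned char m[64]; size_t l = build_hostile(m, sizeof m);
    return run_vulnerable(m, l, NULL) == 0;
}
uint32_t hostile_return_address(void) {
    unsigned char m[64]; size_t l = build_hostile(m, sizeof m); uint32_t r = 0;
    run_vulnerable(m, l, &r);
    return r;
}
int hostile_rejected_by_hardened(void) {
    unsigned char m[64]; size_t l = build_hostile(m, sizeof m);
    return run_hardened(m, l) == -2;
}

int main(void) {
    printf("vulnerable: canary %s, saved return 0x%08x\n",
           hostile_smashes_canary() ? "smashed" : "intact", hostile_return_address());
    printf("hardened:   %s\n", hostile_rejected_by_hardened() ? "rejected" : "accepted");
    return 0;
}
```

Two points the simulation makes concrete. The hostile message is accepted by the first length check, which is the sort of check that looks like validation but only stops the copy from reading past the packet, not from writing past the buffer; the canary is what turns that write into an abort instead of a hijacked return, and it is only reached because the data arrived at a listener at all, which is why a firewall that drops unsolicited inbound traffic removes this class for home users while a browser fed the same bytes by a web page would not be covered.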