add buffer overflow protection?

Discussion in 'ProcessGuard' started by hswanfang, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. hswanfang

    hswanfang Registered Member

    Joined:
    Sep 19, 2005
    Posts:
    8
    Can you add a buffer overflow protection function to prevent worms from attacking the system?
     
  2. hswanfang

    hswanfang Registered Member

    Joined:
    Sep 19, 2005
    Posts:
    8
    Why not? :'(
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Buffer overflows are the result of poor coding (specifically not applying checks to the size of incoming data). The only way to properly prevent them is to rewrite the programs responsible to add such checks.

    While there are programs that claim to offer "buffer overflow protection", in reality most only try to detect overflows and shut down the process responsible (or shut down the system altogether). See Phrack: Bypassing 3rd Party Windows Buffer Overflow Protection for more details on this.

    While PG could add similar features, it would be a major addition and since buffer overflows are rarely a problem for end-users (they are mostly used on servers that have to be available to the general public), it does make more sense for DiamondCS to address outstanding issues with PG first.
     
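The missing size check that Paranoid2000 describes above, as an added example in C that is not part of the thread or of ProcessGuard: a parser that copies an attacker-chosen length into a fixed-size field, beside the bounds-checked version. The record layout, the field names and the function names are assumptions made for illustration.

```c
/* Added example, not from the thread: a fixed-size copy with no length
 * check, beside the checked version. The struct layout and all names are
 * assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A constructed record filled from untrusted (e.g. network) input. */
struct login_record {
    char name[16];   /* fixed-size target of the overflow */
    int  is_admin;   /* sits directly after name[] in memory */
};

/* Vulnerable: trusts the sender's length. A 20-byte "name" runs off the
 * end of name[] and overwrites is_admin. */
void parse_login_unchecked(struct login_record *rec,
                           const uint8_t *data, size_t len)
{
    rec->is_admin = 0;
    memcpy(rec->name, data, len);   /* BUG: len never compared to sizeof name */
}

/* Fixed: refuse input that does not fit, leaving room for the terminator.
 * Returns 0 on success, -1 when the input is rejected. */
int parse_login_checked(struct login_record *rec,
                        const uint8_t *data, size_t len)
{
    rec->is_admin = 0;
    if (len >= sizeof rec->name)
        return -1;
    memcpy(rec->name, data, len);
    rec->name[len] = '\0';
    return 0;
}

/* Helper: feed `len` bytes of 'A' to the checked parser and report its
 * return value, so the accept/reject boundary can be verified directly.
 * Returns -2 if len exceeds the local scratch buffer. */
int checked_accepts(size_t len)
{
    uint8_t buf[64];
    struct login_record rec;
    if (len > sizeof buf)
        return -2;
    memset(buf, 'A', sizeof buf);
    return parse_login_checked(&rec, buf, len);
}

int main(void)
{
    /* Constructed payload: 16 bytes of name followed by 4 bytes that land
     * on is_admin when the unchecked parser copies all 20. */
    uint8_t payload[20];
    memset(payload, 'A', 16);
    memset(payload + 16, 0x01, 4);

    struct login_record rec;
    parse_login_unchecked(&rec, payload, sizeof payload);
    printf("unchecked: is_admin = %d (nonzero: field overwritten)\n",
           rec.is_admin);

    int rc = parse_login_checked(&rec, payload, sizeof payload);
    printf("checked:   rc = %d, is_admin = %d (input rejected)\n",
           rc, rec.is_admin);
    return 0;
}
```

The checked version rejects rather than silently truncating: a parser that trims oversized input to fit can still be abused to strip a trailing field or terminator, so refusing the record is the safer default.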
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    PG already allows you to control execution of CMD.EXE and other processes, which are critical in the Windows environment. Attacks that USE buffer overflows tend to spawn cmd.exe :) Simple but effective defence really.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Unless you use the command line yourself and have given cmd.exe permission to run beforehand. Of course, being able to restrict programs by parameter would help in this case...
     
  6. CloudWalker

    CloudWalker Guest

    But that only describes protection by API hooking.

    What about a PaX-style PAGEEXEC? I'm under the impression that it would be a lot harder to bypass.

    Also, ASLR (address space layout randomization) would make exploitation a lot harder.

    Would DCS consider adding these?
     
  7. manzz

    manzz Registered Member

    Joined:
    Oct 6, 2005
    Posts:
    55
  8. Iwonder

    Iwonder Guest

  9. manzz

    manzz Registered Member

    Joined:
    Oct 6, 2005
    Posts:
    55
    It's very specific in its protection, and I have not seen other apps of this type to compare it with. (This, to me, is a "dealer shuffles after each deal".)
     
  10. CloudWalker

    CloudWalker Guest

    Only the commercial version of WehnTrust supports buffer overflow protection.

    By the way, BufferShield recently added ASLR when run on Windows 2003.
     
  11. manzz

    manzz Registered Member

    Joined:
    Oct 6, 2005
    Posts:
    55
    Thanks, I will try this out on W2K3 when I have time... I know that BufferShield has problems with XP hardware DEP... I have just re-tested, and HW DEP stops BufferShield's "overflow.exe" from running.
     
  12. CloudWalker

    CloudWalker Guest

    But it just means that DEP is working.
    overflow.exe is the program that tests various overflow problems on your system.
     
  13. manzz

    manzz Registered Member

    Joined:
    Oct 6, 2005
    Posts:
    55
    I was given no warning of a test, and the program "overflow.exe" would not exit and wanted network access; when network access was not given, the program crashed.
     
  14. CloudWalker

    CloudWalker Guest

    I didn't have time to test the latest version yet,
    but in the earlier version, overflow.exe is only launched when I click on the test page of the program,
    and it never asked for network connections on my machine.
     