Discussion in 'ProcessGuard' started by hswanfang, Sep 19, 2005.
Can you add a buffer overflow protection function to prevent worm attacks on the system?
Buffer overflows are the result of poor coding (specifically not applying checks to the size of incoming data). The only way to properly prevent them is to rewrite the programs responsible to add such checks.
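The missing size check described in the reply above, shown as an added C example (not code from the thread or from DiamondCS): a fixed-size name buffer, the unchecked copy that is the root cause, and the bounded version that refuses input which would not fit. The buffer size, function names and sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer, chosen for the example */

/* The pattern the post describes as the root cause: the incoming data is
   copied without any check of its size, so an input longer than NAME_MAX
   writes past the end of dst. Kept for comparison only; main() feeds it
   nothing but input that is known to fit. */
static void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* The fix the post calls for: the function knows the destination size and
   rejects input that would not fit. Returns the number of bytes copied, or
   -1 when the input is rejected (dst is then left as an empty string). */
static int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {        /* need room for the terminating NUL too */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Reports whether a given input would have overflowed a dst_size buffer
   under the unchecked copy: this is exactly the check that was missing. */
static int would_overflow(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok_input  = "alice";
    const char *bad_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */
    char buf[NAME_MAX];

    copy_name_unchecked(buf, ok_input);   /* safe only because it is known to fit */
    printf("unchecked copy of \"%s\" -> \"%s\"\n", ok_input, buf);

    printf("would a %zu-byte input overflow a %d-byte buffer? %s\n",
           strlen(bad_input), NAME_MAX,
           would_overflow(sizeof buf, bad_input) ? "yes" : "no");

    if (copy_name_checked(buf, sizeof buf, bad_input) < 0)
        printf("checked copy rejected the %zu-byte input\n", strlen(bad_input));
    else
        printf("checked copy accepted: \"%s\"\n", buf);
    return 0;
}
```

The point of the bounded version is that the caller, not the attacker's data, decides how much may be written; passing `sizeof buf` alongside the pointer is the habit that removes this whole class of bug at the source, which is what the reply means by rewriting the program rather than bolting detection on afterwards.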
While there are programs that claim to offer "buffer overflow protection", in reality most only try to detect overflows and shut down the process responsible (or shut down the system altogether). See Phrack: Bypassing 3rd Party Windows Buffer Overflow Protection for more details on this.
While PG could add similar features, it would be a major addition and since buffer overflows are rarely a problem for end-users (they are mostly used on servers that have to be available to the general public), it does make more sense for DiamondCS to address outstanding issues with PG first.
PG already allows you to control execution of CMD.EXE and other processes, which are critical in the Windows environment. Attackers who USE buffer overflows tend to spawn cmd.exe. Simple but effective defence, really.
Unless you use the command line yourself and have given cmd.exe permission to run beforehand. Of course, being able to restrict programs by parameter would help in this case...
But that only describes protection by API hooking.
What about a PaX-style PAGEEXEC? I'm under the impression that it would be a lot harder to bypass.
Also, ASLR (address space layout randomization) would make exploitation a lot harder.
Would DCS consider adding these?
This works well with PG (well, up to now). Blog: http://blogs.msdn.com/michael_howard/archive/2005/09/30/475763.aspx
I wonder how this WehnTrust HIPS compares to the many other HIPS programs available on the market, including payware apps.
It's very specific in its protection, and I have not seen other apps of this type to compare it with. (This, to me, is a "dealer shuffles after each deal".)
Only the commercial version of WehnTrust supports buffer overflow protection.
By the way, BufferShield recently added ASLR when run on Windows 2003.
Thanks, I will try this out on W2K3 when I have time. I know that BufferShield has problems with XP hardware DEP. I have just re-tested, and HW DEP stops BufferShield's "overflow.exe" from running.
But it just means that DEP is working.
overflow.exe is the program that tests various overflow problems on your system.
I was given no warning of a test, and the program "overflow.exe" would not exit and wanted network access; when network access was not given, the program crashed.
I didn't have time to test the latest version yet,
but in the earlier version, overflow.exe is only launched when I click on the test page of the program,
and it never asked for network connections on my machine.