Protection against Buffer Overflow Attacks

Discussion in 'ProcessGuard' started by richrf, Jan 13, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

I am a licensed user of PG3.0. There have been some recent threads concerning buffer overflow attacks, and to the best of my understanding, PG3.0 doesn't really guard against these types of attacks. Is this correct? If it is correct, what is the best protection: A good AV (I use Kaspersky 4.5)? A good AT (I use TDS-3)? I know that Prevx provides some protection, but my experiences with a prior version of Prevx were quite poor. Lots of instabilities. Ideas?

    Thanks.

    Rich
     
    Last edited: Jan 13, 2005
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Buffer overflow "attacks" can only be used on software which has these sorts of vulnerabilities in them (basically software which has bad bugs). So your best defence against them is to not run software known to have buffer overflows in them. :)
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jason,

Yep, I understand that "well designed" software will not have these vulnerabilities, but given that at any moment in time, I don't really have full knowledge concerning the architecture of some software that I might be running - what is the "second best" defense? :)

    Thanks,
    Rich
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    richrf, there isn't really any solid way for any one program to secure all other programs against buffer overflows, and not all programs are vulnerable anyway. Various programs have come and gone which show some interesting methods of trying to prevent various memory-related problems such as stack and buffer overflows, but none have been 'complete', or overly efficient. Like Jason said, buffer overflows in most cases are simply programming errors/oversights - code that initially looked fine to the programmer, but upon closer inspection would reveal a problem. In many cases they are not exploitable, they just cause the program to crash or behave erratically, although in some cases just causing a program to crash can be enough ground for a denial-of-service attack by preventing that program from being used. The exploitable ones are quite interesting though, as they allow the attacker to inject shellcode of his/her choosing, although the maximum size of the code that can be injected is often quite small so usually the goal of the shellcode is to open up another, more accessible backdoor into the system (such as listening on a port to create a remote command prompt).

    This page should be of interest to anyone who isn't very familiar with overflow-style attacks and would like to learn some of the basics:
    http://en.wikipedia.org/wiki/Buffer_overflow
     
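The mechanism Wayne describes above (input running past a fixed buffer into the saved control data, so the attacker chooses where execution goes next, versus a bounds check that turns the same input into an error) as an added example in C. This is not code from the original thread or from DiamondCS. To keep it runnable without undefined behaviour, the "stack frame" is a hypothetical struct whose buffer sits directly in front of a code pointer standing in for the saved return address, and the payload embeds the address of a stand-in function rather than real shellcode; all function and struct names are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame: a fixed-size input buffer immediately followed by a
 * saved code pointer, which stands in for the saved return address on a
 * real stack. Keeping both in one struct lets the overflow be shown with
 * well-defined memcpy() rather than real undefined behaviour. */
struct frame {
    char name[16];
    void (*on_done)(void);
};

static int last_target;                                   /* which function ran last */
static void benign_target(void)   { last_target = 1; }
static void hijacked_target(void) { last_target = 2; }   /* stands in for injected shellcode */

/* Vulnerable handler: copies attacker-controlled bytes with no check against
 * sizeof name. Anything past 16 bytes lands on on_done, so the later indirect
 * call goes wherever the attacker wrote. */
static int vulnerable_handler(const unsigned char *input, size_t len)
{
    struct frame f;
    f.on_done = benign_target;
    if (len > sizeof f)          /* bounded by the whole frame only, so the demo stays defined */
        len = sizeof f;
    memcpy(&f, input, len);      /* the bug: should have been bounded by sizeof f.name */
    f.on_done();
    return last_target;
}

/* Hardened handler: the same copy, but rejected when it would not fit in
 * name[] with a terminating NUL. on_done is never reachable from input. */
static int safe_handler(const unsigned char *input, size_t len)
{
    struct frame f;
    f.on_done = benign_target;
    if (len >= sizeof f.name)
        return -1;               /* oversize input is an error, not a crash */
    memcpy(f.name, input, len);
    f.name[len] = '\0';
    f.on_done();
    return last_target;
}

/* Constructed attacker payload: 16 filler bytes to fill name[], then the
 * address of hijacked_target placed exactly where on_done lives. A real
 * exploit has to guess or leak this address; here we simply know it. */
static size_t build_payload(unsigned char *out, size_t cap)
{
    void (*target)(void) = hijacked_target;
    size_t need = offsetof(struct frame, on_done) + sizeof target;
    if (cap < need)
        return 0;
    memset(out, 'A', offsetof(struct frame, on_done));
    memcpy(out + offsetof(struct frame, on_done), &target, sizeof target);
    return need;
}

int demo_vulnerable(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return vulnerable_handler(payload, n);    /* returns 2: control flow hijacked */
}

int demo_safe(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return safe_handler(payload, n);          /* returns -1: payload rejected */
}

int demo_safe_normal(void)
{
    const char *name = "rich";                /* constructed well-formed input */
    return safe_handler((const unsigned char *)name, strlen(name));   /* returns 1 */
}

int main(void)
{
    printf("vulnerable handler, overlong input: target %d (2 = hijacked)\n", demo_vulnerable());
    printf("safe handler, overlong input:       %d (-1 = rejected)\n", demo_safe());
    printf("safe handler, normal input:         target %d (1 = benign)\n", demo_safe_normal());
    return 0;
}
```

The only difference between the two handlers is the comparison against `sizeof f.name`; that is the "programming oversight" Wayne refers to. On a real stack the overwritten slot is the saved return address and the redirected target is the attacker's own bytes, which is why the shellcode has to be small and usually just stages a more convenient backdoor.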
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks a lot for the super explanation.

    Rich
     
  6. kareldjag1

    kareldjag1 Guest

    Hi,

    This sort of attack concerns more corporations than home users.

It's an advanced method and it's very difficult to apply for a "script kiddie".

Crashing an application by executing arbitrary code to access the stack is not as frequent as we think.


Prevx is a solution to detect some of these attacks, but it does not distinguish whether it's a buffer overflow or another attack.
There are other protections like StackGuard (Immunix), but it is mainly for enterprises.

***Here is an analysis of a B.O.:

    http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html

***Here is a demo (for advanced users) of a Buffer Overflow:

    http://nsfsecurity.pr.erau.edu/bom/

    Regards
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi kareldjag1,

    Thanks for the further clarification. Appreciate it.

    Rich
     
  8. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
Some antivirus apps are adding some sort of buffer overflow protection. McAfee VirusScan Enterprise 8 adds it. It supposedly protects based on its signature file and includes most common Windows components and services.

    But they say: Buffer Overflow Protection detects code starting to run from data in a heap or stack and prevents that code from running. It does not stop data from being written to the heap or stack. Do not rely on the exploited application remaining stable after being exploited, even if Buffer Overflow Protection stops the exploited code from running.

    Notice they say "if" in that last sentence. :D
     