Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Execution Protection

Posted by Hemos on from the protection-from-our-own-stupidity dept.

esarjeant writes "In addition to a number of other security features, anti-virus vendors are starting to push buffer overflow detection. This will be part of Microsoft's future direction with Data Execution Prevention (DEP) and is already integrated with McAfee 8.0i. So it looks like everyone is going to upgrade all of their software again, will software vendors be able to keep up with the support calls?"

3 of 254 comments (clear)

  1. CSA already does this by wschalle · · Score: 5, Informative

    Cisco Systems CSA product does this and more.

  2. Re:What is a Buffer Overflow? by alc6379 · · Score: 5, Informative
    This is the way I understand it, and I'm not really a programmer. So, I know someone's going to clarify or refute:

    You have some memory allocated for some type of variable, or something. That's called a buffer, and it's usually a certain number of bytes "big". There's a function in your program that puts a value into that variable. If you can feed more data into the buffer than it can handle, you can have a buffer overflow.

    The reason why this is dangerous is because that data "spills" into another portion of the memory, which could already be occupied by anything from more data, to executable code. In the latter case, if you've overwritten executable code, you can replace that code with your own executable code, and do all kinds of nasty things that the original program wasn't intended to do.

    ...And again, this is from one layman to another-- that's how I understand it.

    --
    I don't moderate anymore. Karma penalty for 90% fair mods? Can I mod that unfair?
  3. Re:What is a Buffer Overflow? by goombah99 · · Score: 5, Informative
    The most common form is as follows. When a subroutine is called the return address is placed on the stack. Then all the local variables for the subroutine are placed on the stack. the subroutine runs and when it finishes it jumps to the return address on the stack. However if the subroutine were to write data into an array or string on the stack and tried to push more data into the string than space was allocated it would continue writing past the end of the array and eventually overwrite the return address. This allows a way to substitute a new return address for a virus maker. If this return address happened to jump right back onto the string itself then in principle the data string will now be exceuted as code.

    partial remedial solutions include commands that prevent decleared data from being executed, having the return address stored on a different stack from the data stack, explicitly testing the stack integrity before executing a return from a subroutine, and putting up "electric fences" --basically buffer regions around every memory allocation that are not owned by the application requesting space.

    --
    Some drink at the fountain of knowledge. Others just gargle.