Slashdot Mirror


Data Execution Protection

esarjeant writes "In addition to a number of other security features, anti-virus vendors are starting to push buffer overflow detection. This will be part of Microsoft's future direction with Data Execution Prevention (DEP) and is already integrated with McAfee 8.0i. So it looks like everyone is going to upgrade all of their software again, will software vendors be able to keep up with the support calls?"

31 of 254 comments

  1. Virus vendors? by King Of Chat · · Score: 5, Funny

    Who buys viruses?

    --
    This sig made only from recycled ASCII
    1. Re:Virus vendors? by BorgCopyeditor · · Score: 3, Funny

      I hope they don't have it on the same hard drive as their Norton Virus; if those two come into contact ... it would be bad.

      --
      Shop as usual. And avoid panic buying.
  2. support calls by millahtime · · Score: 5, Interesting

    So it looks like everyone is going to upgrade all of their software again, will software vendors be able to keep up with the support calls?

    Yes, with more automation, more people on the other end (most likely in India) and more cost passed onto the customer. When I used to work we used to have a saying. "If it weren't for Microsoft, we would all be out of jobs"

  3. virus vendors? by 2020hindsight · · Score: 3, Funny

    Virus vendors have been pushing buffer overflows for quite some time ...

  4. Virus vendors eh? by kevb · · Score: 4, Funny

    Virus vendors.. hmmm For just £39.95 a month, you too can receive the latest virii, trojans and worms directly to your inbox.

    1. Re:Virus vendors eh? by RaguMS · · Score: 3, Funny

      Virus vendors.. hmmm For just £39.95 a month, you too can receive the latest virii, trojans and worms directly to your inbox.

      What a ripoff... I get all of mine for free.

  5. What is it with the buffer overflows? by Anonymous Coward · · Score: 3, Insightful

    I'm just a microcontroller guy, but can't the PC guys check their goddamn counters and pointers when using buffers? And why the hell do we still need to code buffers? Isn't there a library or a call to handle buffers in a safe way?

    1. Re:What is it with the buffer overflows? by ThosLives · · Score: 4, Interesting
      I don't even think it's due to not checking pointers and NX bits or anything like that. The problem is the way in which our modern OSs map out the memory. Intel chips have the capability to map segments to be either code or data, and the chip will generate a fault if you try to execute anything in a data segment (inherent NX capability). This is part of the segment descriptors used in all programs. The problem is that, as far as I can tell, Windows maps both the code and data segments to the same logical addresses! This is kind of foolish; it should be possible to simply map these two segments to different areas and be completely transparent to the application. As long as applications are behaved and don't have segment overrides all over the place, this should be just fine. Then, when you try to jump to an address that's in the stack, the processor will trip a general protection fault (because the stack must be in a segment defined as data, well, stack to be precise).

      Basically this is just laziness in the Windows architecture that overlaps the code and data segments. Separate these and the problem is solved with no new hardware, minimal application rework, and the like.

      Incidentally, my perusal of the setup routines in Linux (well, it was version 1.0, so I don't know if this is still the case) show that it also maps code and data to the same actual addresses, which makes it vulnerable as well.

      Sure, you can use "smart" languages and NX bits and stuff like that, but it's all assembly at some level, and the processor manufacturers actually built in sufficient protection decades ago when they came up with segmented memory. (PowerPC architecture can also distinguish between code and non-code).

      I am always amused at how the memory management community hasn't nipped this one in the bud ages ago when the tools to fix it already exist.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
    2. Re:What is it with the buffer overflows? by codegen · · Score: 3, Informative
      Part of the problem is the reliance on languages which are over permissive. There was a whole class of languages developed in the 80's and 90's such as Euclid, Turing (both from U of T), and Modula which were much more strongly checked. Indeed the semantics of the languages allowed for many of the runtime checks to be statically eliminated. See the papers "Proof Rules for the Programming Language Euclid", R.L. London et al., Acta Informatica, And "On Legality Assertions in Euclid", D.B. Wortman, IEEE Transactions on Software Engineering.

      C and C++ put the reliance on the programmer to check the rules under the assumption that compiler provided checks are too expensive. They are only too expensive if you assume the everything-is-a-pointer model that underlies these languages. Java and C# gain some safety since they do not allow arbitrary pointers, but, in my opinion, have still inherited too much from the parent languages.

      Part of the problem is the everything looks like a nail approach. There are some wonderful languages out there that are much more appropriate for many of the tasks, and have syntax and semantics that make many of the security problems much easier to solve. However, they are not the "mainstream" languages and as such do not get the developer attention.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
  6. I'm being optimistic by hardcoredreamer · · Score: 4, Insightful

    "So it looks like everyone is going to upgrade all of their software again, will software vendors be able to keep up with the support calls" I will be optimistic that despite the development into a new direction, and the occasional headaches, things will be better in the future. That said, why are people so negative about change? So Microsoft's SP2 broke some programs, at least they finally released it. So we have more than 640K of memory and you had to use a memory manager, at least we got past conventional memory. So at least in theory, there will be less buffer under runs in patched/upgraded systems. Would you prefer they didn't try?

    --
    I know a guy named Sig.
  7. Re:great news by JeanBaptiste · · Score: 3, Interesting

    question. this is _not_ a troll.

    So MS is pushing for (what I'm guessing is) some sort of protection for application layer buffer overflows.

    Does linux have any sort of thing like this? I know microsoft doesn't hold a monopoly on buffer overflows ;)

    Seriously, I'm curious. Thanks.

  8. Glad this is being addressed... :P by TripMaster Monkey · · Score: 5, Funny

    This will be part of Microsoft's future direction with Data Execution Prevention (DEP)

    I feel safer already.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  9. Exploits can be pure data by redelm · · Score: 3, Insightful
    Malware doesn't need to bring in code, there's plenty of code in the target executable. All it needs is to be able to grab control via the return address on the stack. Then fill the stack with exploit data and set the return addr to something like an exec() syscall.

  10. CSA already does this by wschalle · · Score: 5, Informative

    Cisco Systems CSA product does this and more.

  11. Looks like... by eno2001 · · Score: 3, Interesting

    Microsoft and Intel are finally catching up to where DEC was back in 1992. DEC Alpha + OpenVMS = no such thing as a buffer overflow and 64 bit processing as well. Whatever happened to the future again? ;P

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  12. Not a silver bullet by TwistedSquare · · Score: 4, Informative

    DEP will not prevent all buffer overflow attacks. It is intended to protect from the attack where the return address of the stack is overwritten to make the program jump into the stack. However, the program could still jump into a useful portion of existing code, or simply crash, or keep running but overflow a flag variable on the stack that will cause odd behaviour. It can also prevent things like JIT/HotSpot compilation. I'm not saying it's not useful at all, but it is one of many measures that all help a little.

  13. Re:What is a Buffer Overflow? by RupW · · Score: 3, Informative

    It's usually where you've assumed that user input or decoded data won't exceed a certain length, and if the user deliberately enters too much data then they can scribble over the call stack and e.g. change the function return pointer and take control of the program. See Wikipedia.

  14. Re:What is a Buffer Overflow? by alc6379 · · Score: 5, Informative
    This is the way I understand it, and I'm not really a programmer. So, I know someone's going to clarify or refute:

    You have some memory allocated for some type of variable, or something. That's called a buffer, and it's usually a certain number of bytes "big". There's a function in your program that puts a value into that variable. If you can feed more data into the buffer than it can handle, you can have a buffer overflow.

    The reason why this is dangerous is because that data "spills" into another portion of the memory, which could already be occupied by anything from more data, to executable code. In the latter case, if you've overwritten executable code, you can replace that code with your own executable code, and do all kinds of nasty things that the original program wasn't intended to do.

    ...And again, this is from one layman to another-- that's how I understand it.

    --
    I don't moderate anymore. Karma penalty for 90% fair mods? Can I mod that unfair?
  15. A Flawed Architecture by nurb432 · · Score: 3, Interesting

    The basic architecture is fundamentally flawed in today's 'consumer grade' computers. Using a strict Harvard architecture, where data is *separate* from code, would eliminate a lot of today's troubles.

    Is it too late to change? Well, we have had new chips arise (like POWER, or CELL) so, it's not impossible.. just difficult.

    --
    ---- Booth was a patriot ----
  16. Strengths and differences of this vs SELinux by weave · · Score: 3, Interesting
    I just got done reading an interesting article about SELinux. I'm just curious as to the strengths and weaknesses of each approach.

    The SELinux approach sounds to me like a far better way to approach this, actually controlling the permissions of a process with some high degree of precision, down to what files it can use and what other processes it can invoke.

    Anyone learned in this stuff care to give a non-flamed opinion of the two approaches strengths and weaknesses? Also, do or will the newer Linux kernels do anything similar regarding stack protection?

    1. Re:Strengths and differences of this vs SELinux by kbielefe · · Score: 3, Interesting
      This is a good introduction to the main solutions to software exploits in Linux and the different kinds of protection they provide and why.

      Most people recommend a combined approach including mandatory access control, chroot jails for services on the internet, stack smash protection, address space layout randomization, non-executable memory pages, firewalls, virus and spyware scanning, intrusion detection, regular vulnerability patching, and user education (did I leave anything out?). No one will tell you that you are safe after implementing just one of these solutions, but the more you do implement, the more secure your system will be.

      All of the above have been available on Linux for some time, but are not implemented by default in any popular distribution that I am aware of, which is a shame because I believe it is only a matter of time before someone writes a really nasty worm for Linux. Most Linux users I know seem to believe they are safe with only regular patching and a firewall.

      Gentoo is the best distro I have found for implementing these security measures and tries to build them in as an option wherever possible. Gentoo has great documentation on security and is all about custom configuration and compiling. Since some of the above solutions require special compiler technologies, Gentoo is a perfect fit.

      Each of those solutions takes a certain amount of effort to implement and will break certain existing applications in different ways. Basically, Microsoft is taking the next step and implementing the least disruptive and easiest solution that will provide some protection for all software running on the system. They should probably also compile their own software with stack smash protection and make address space layout randomization available as a next step.

      --
      This space intentionally left blank.
  17. Time to buy a new computer again... by the_skywise · · Score: 5, Funny


    "Hey, my 3ghz computer is running as slow as a Pentium 1.5ghz... Why is that?"
    "Oh that's all the new virus checking that runs the executables before they run to make sure they don't have any viruses in them."

    So y'see... Viruses ARE good for the industry!

  18. Keeping your developers happy by Aslan72 · · Score: 5, Interesting

    The huge problem with McAfee 8.0i has been figuring out a policy that protects from buffer overruns and keeps your developers happy; I've had to loosen the restrictions for those folks because as you put together stuff in vstudio and attempt to debug it, McAfee's Buffer Overrun flags it and doesn't allow it to run :(.

    --pete

  19. Re:great news by mchawi · · Score: 3, Informative

    Check Google with a string like Linux NX AMD. There have also been several slashdot stories about it. The short answer is yes it is available, but I don't know how widely used it is.

  20. Re:What is a Buffer Overflow? by goombah99 · · Score: 5, Informative
    The most common form is as follows. When a subroutine is called the return address is placed on the stack. Then all the local variables for the subroutine are placed on the stack. The subroutine runs and when it finishes it jumps to the return address on the stack. However if the subroutine were to write data into an array or string on the stack and tried to push more data into the string than space was allocated it would continue writing past the end of the array and eventually overwrite the return address. This allows a way to substitute a new return address for a virus maker. If this return address happened to jump right back onto the string itself then in principle the data string will now be executed as code.

    Partial remedial solutions include commands that prevent declared data from being executed, having the return address stored on a different stack from the data stack, explicitly testing the stack integrity before executing a return from a subroutine, and putting up "electric fences" -- basically buffer regions around every memory allocation that are not owned by the application requesting space.

    --
    Some drink at the fountain of knowledge. Others just gargle.
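    The "explicitly testing the stack integrity before executing a return" remedy from the post above, shown as an added example (not code from the poster or from Slashdot). It simulates a frame with a local buffer, a canary word and a saved return address laid out as a plain struct, so the unchecked copy is an ordinary memcpy over the struct's bytes rather than a real stack overrun; the frame layout, the canary value and the caller address 0x401000 are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame in the order the post describes: a local string
 * buffer below the saved return address. A canary word is placed between
 * them, so any overflow that runs from the buffer up to the return address
 * has to pass through (and corrupt) the canary on the way. */
struct frame {
    char     name[16];        /* local buffer that an unchecked copy overruns */
    uint64_t canary;          /* guard word, verified before the "return" */
    uint64_t return_address;  /* stands in for the saved return address */
};

/* Constructed, fixed canary so the demo is reproducible. Real implementations
 * pick a random value per process; the zero low byte stops a strcpy-style
 * overflow from copying through the canary on little-endian machines. */
#define CANARY_VALUE   0xC0FFEE1BADF00D00ULL
#define CALLER_ADDRESS 0x401000ULL   /* constructed placeholder for the real caller */

/* Stand-in for a subroutine that copies 'len' bytes of input into name[]
 * without checking the size. The copy is done as raw bytes over the whole
 * frame (clamped to sizeof(struct frame) so the demo itself stays within
 * defined behaviour); on a real stack an unchecked write past name[] does
 * exactly this to whatever lies above it.
 * Returns 1 when the epilogue check passes (safe to return) and 0 when the
 * canary was clobbered, i.e. the smash is detected before the corrupted
 * return address could be used. */
int vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    f->canary = CANARY_VALUE;            /* prologue: plant the guard */
    f->return_address = CALLER_ADDRESS;

    size_t n = len < sizeof *f ? len : sizeof *f;
    memcpy((unsigned char *)f, input, n);   /* unchecked write, starts at name[0] */

    return f->canary == CANARY_VALUE;    /* epilogue: verify the guard */
}

/* Demo wrapper: returns the check result and reports the return address the
 * frame ended up with, so the caller can see what the overflow reached. */
int run_copy(const unsigned char *input, size_t len, uint64_t *ret_out)
{
    struct frame f;
    int ok = vulnerable_copy(&f, input, len);
    if (ret_out) *ret_out = f.return_address;
    return ok;
}

int main(void)
{
    /* Constructed inputs: a normal name, and 32 bytes that exactly cover
     * name[], the canary and the return address. */
    static const unsigned char normal[] = "alice";
    unsigned char oversized[32];
    memset(oversized, 'A', sizeof oversized);

    uint64_t ret;
    int ok = run_copy(normal, sizeof normal, &ret);
    printf("normal input:    canary ok=%d, return address=0x%llx\n",
           ok, (unsigned long long)ret);
    ok = run_copy(oversized, sizeof oversized, &ret);
    printf("oversized input: canary ok=%d, return address=0x%llx\n",
           ok, (unsigned long long)ret);
    return 0;
}
```

    With the normal input the canary survives and the return address is untouched; with the 32-byte input the return address has been replaced, but the epilogue check fails first, which is the whole point of the remedy: the corrupted address is never used.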
  21. Re:great news by TheRaven64 · · Score: 4, Informative

    Not sure about Linux, but OpenBSD has a number of features which protect from this kind of vulnerability. This is why a lot of arbitrary code execution vulnerabilities become DoS vulnerabilities on OpenBSD.

    --
    I am TheRaven on Soylent News
  22. Re:Umm... by ctr2sprt · · Score: 3, Informative
    This may sound really dumb, but isn't it up to the guy who wrote the vulnerability in the first place to fix it?

    There is a time gap between when a bug is first discovered and when it is fixed. There is an even bigger gap between when a bug is fixed and when users actually bother to install the patch. Helping to prevent buffer overflows and the like will limit the problems caused by those gaps.

    how the hell do you detect an overflow?

    Memory is allocated using a library call like malloc(). Debugging tools will trap malloc() and actually allocate slightly more memory than is asked for, then write a signature before and after the buffer. It will then periodically check those signatures to see if they are still there. If they aren't - like because a program overwrote them with its own data - it means there's a buffer overflow. You can also use the CPU's virtualization hardware to spot some kinds of buffer overflows or other errors (like trying to read from a page that was allocated but never written to). There are other methods, but that's the most common and probably the easiest to understand.
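    The signature-around-the-buffer technique the post describes, as an added example (not the poster's code and not any real debugging tool): a malloc wrapper that over-allocates, writes a guard pattern before and after the user bytes, and a check routine that can be called at any time to see whether either guard was overwritten. The header size, guard length and guard bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of one guarded allocation (constructed for this demo):
 *   [user_size][padding][front guard][user bytes ...][rear guard]
 * HDR_SIZE is 16 so the pointer handed back keeps malloc's usual alignment. */
#define GUARD_BYTES 8
#define HDR_SIZE    16
_Static_assert(sizeof(size_t) + GUARD_BYTES <= HDR_SIZE, "header too small");
static const unsigned char GUARD_PATTERN[GUARD_BYTES] =
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED, 0xFA, 0xCE };

/* Allocate 'user_size' bytes and surround them with signatures. */
void *guarded_malloc(size_t user_size)
{
    unsigned char *raw = malloc(HDR_SIZE + user_size + GUARD_BYTES);
    if (raw == NULL) return NULL;
    memcpy(raw, &user_size, sizeof user_size);                        /* remember size  */
    memcpy(raw + HDR_SIZE - GUARD_BYTES, GUARD_PATTERN, GUARD_BYTES); /* front guard    */
    memcpy(raw + HDR_SIZE + user_size, GUARD_PATTERN, GUARD_BYTES);   /* rear guard     */
    return raw + HDR_SIZE;
}

/* Check both signatures. Returns 0 when intact, -1 when the front guard was
 * overwritten (an underflow) and +1 when the rear guard was (an overflow).
 * This is the "periodic check" from the post; call it whenever you like. */
int guarded_check(const void *p)
{
    const unsigned char *user = p;
    size_t user_size;
    memcpy(&user_size, user - HDR_SIZE, sizeof user_size);
    if (memcmp(user - GUARD_BYTES, GUARD_PATTERN, GUARD_BYTES) != 0) return -1;
    if (memcmp(user + user_size, GUARD_PATTERN, GUARD_BYTES) != 0) return 1;
    return 0;
}

void guarded_free(void *p)
{
    if (p != NULL) free((unsigned char *)p - HDR_SIZE);
}

/* Demo: allocate 16 bytes, write 'bytes_written' bytes of 'A' from the start
 * (a program bug once it exceeds 16), and report what the check finds.
 * Writes are clamped at the end of the rear guard so the demo never leaves
 * the block it owns. */
int overflow_probe(size_t bytes_written)
{
    unsigned char *buf = guarded_malloc(16);
    if (buf == NULL) return -2;
    size_t n = bytes_written > 16 + GUARD_BYTES ? 16 + GUARD_BYTES : bytes_written;
    memset(buf, 'A', n);
    int verdict = guarded_check(buf);
    guarded_free(buf);
    return verdict;
}

/* Demo: an off-by-one write just before the buffer (an underflow). */
int underflow_probe(void)
{
    unsigned char *buf = guarded_malloc(16);
    if (buf == NULL) return -2;
    *(buf - 1) = 0;                 /* still inside the block: lands on the front guard */
    int verdict = guarded_check(buf);
    guarded_free(buf);
    return verdict;
}

int main(void)
{
    printf("16 bytes into a 16-byte buffer: %d\n", overflow_probe(16));  /* 0: intact  */
    printf("17 bytes into a 16-byte buffer: %d\n", overflow_probe(17));  /* 1: overflow */
    printf("write one byte before it:       %d\n", underflow_probe());   /* -1: underflow */
    return 0;
}
```

    The check only fires when it is called, so an overflow is noticed after the fact rather than at the moment of the write; that is the trade-off the post alludes to when it contrasts this approach with catching faults in hardware.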
  23. Re:What is a Buffer Overflow? by nudicle · · Score: 4, Informative

    Quite a good writeup of stack buffer overflows can be found here.

  24. No Execute = snake oil by ajs318 · · Score: 4, Interesting

    Sorry, but the whole "No Execute" thang is aceite de serpiente, as they say in Madrid. Even the much-vaunted {by people who don't understand it, anyway} Harvard Architecture {i.e. using separate buses for data and instructions, thereby breaking the Neumann principle totally} doesn't work. If the computer can make some kind of decision based on the content of memory location x, then this is tantamount to x being an executable location.

    Now, if you had a "Take no action whatsoever based on the content of this location, in fact, whenever you are asked even to read it, always return the same value" flag -- that might prevent the execution of unwanted code. Chances are your system would also be computationally incomplete.

    As it stands, NX is trivially defeated by persuading the user to install a simple piece of code -- effectively an emulator.

    Basically, NX is answering the wrong question. The question that needs to be asked is "How can we best persuade users not to run arbitrary code when they don't know what the hell it does?" My own answer would be for every processor to have its own, unique instruction set; so only code compiled for that one particular individual processor would ever run on it. {Obviously you'd have to have a compatibility mode for bootstrapping, so you could compile the compiler to compile the unique-ified software; but this would have to be accessed by some deliberate hardware action that no software could get around.} I'm sure that is not impossible; but I'm not sure that it's feasible as long as the likes of Microsoft want to do things their way.

    --
    Je fume. Tu fumes. Nous fûmes!
  25. Re:What is a Buffer Overflow? by Just Some Guy · · Score: 3, Informative
    You got it right, except that overwriting other data can be just as bad as overwriting executable code:
    char buffer[100];
    int dataHasBeenVirusChecked = 0;
    gets(buffer);
    if (dataHasBeenVirusChecked) { sendAsEmailAttachment(buffer); }

    In this case, if "buffer" gets overfilled just so, then the program may incorrectly believe that the data it contains is safe to operate on even though it might not be. Remember, folks, there are other ways to exploit an overflowable buffer than the standard "write executable code to stack and jump to it" method.

    --
    Dewey, what part of this looks like authorities should be involved?
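    A hardened form of the snippet in the post above, added here as an example rather than the poster's own code. It keeps the same layout (the flag sits directly after the buffer) but replaces gets() with a copy that refuses input that does not fit and with an fgets() line reader that detects an over-long line instead of silently truncating it. The struct, the function names and the stand-in for sendAsEmailAttachment() are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the post's snippet: the flag sits right after the buffer,
 * so a write that runs off the end of buffer[] would land on it. */
struct message {
    char buffer[100];
    int  dataHasBeenVirusChecked;
};

/* Hardened replacement for gets(buffer): copies the input only if it fits,
 * always NUL-terminates, and otherwise refuses it (returning -1) rather than
 * truncating silently. Nothing is ever written past buffer[], so the flag
 * cannot be reached by the input. */
int store_input(struct message *m, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof m->buffer) {
        m->buffer[0] = '\0';
        return -1;
    }
    memcpy(m->buffer, input, len + 1);
    return 0;
}

/* Mirrors the post's flow: the flag starts cleared, the input is stored, and
 * the attachment would be sent only if the flag reads as set. Returns 1 if it
 * would be sent, 0 if not, -1 if the input was refused. */
int handle(const char *input)
{
    struct message m;
    m.dataHasBeenVirusChecked = 0;                 /* not scanned yet */
    if (store_input(&m, input) != 0) return -1;
    return m.dataHasBeenVirusChecked ? 1 : 0;      /* sendAsEmailAttachment() would go here */
}

/* Reading a line from a stream the same way: fgets() bounded by the buffer's
 * real size, then a check for the missing newline that means the line did not
 * fit. Returns 0 on success, -1 on EOF/error, -2 when the line was too long
 * (the remainder of that line is discarded so it cannot be read as the next). */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (fgets(buf, (int)cap, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    if (len == cap - 1) {                          /* buffer filled without a newline */
        int c = getc(in);
        if (c == '\n' || c == EOF) return 0;       /* the line was exactly cap-1 chars */
        while (c != EOF && c != '\n') c = getc(in); /* drop the overflow */
        return -2;
    }
    return 0;                                      /* final line without a newline */
}

int main(void)
{
    char line[100];
    int rc = read_line_bounded(line, sizeof line, stdin);
    printf("read rc=%d, would send=%d\n", rc, rc == 0 ? handle(line) : -1);
    return 0;
}
```

    The two failure modes to keep apart are refusing input (store_input) and truncating it (what a bare fgets() does): the first keeps the flag honest and tells the caller, the second keeps the flag honest but can hand the next read the tail of the over-long line, which is why read_line_bounded drains it.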
  26. Re:great news by x0n · · Score: 4, Informative

    Yes, but nothing stops user apps from ignoring segment descriptors -- and the operating system cannot easily check the type flag before executing the code. On the other hand, the NX (no execute) flag causes a _hardware_ interrupt which cannot be ignored by the user app if the O/S decides to act on it.

    - Oisin

    --

    PGP KeyId: 0x08D63965