Detection and Prevention of Buffer Overflow Exploit
Cai Jun, Anti-Virus Section Manager, R&D Department, Beijing Rising Tech. Corp. LTD.

Review of Buffer Overflow Exploit
What is Buffer Overflow Exploit
• Definition of a Buffer
• How Buffers Are Exploited
• How to Exceed Program Space
• Overflow the Stack
• What Follows a Buffer Overflow

How to Detect and Prevent Buffer Overflow Exploit
• Static Detection
• Compile Time Detection
• Network-based Detection
• Host-based Detection
Static Code Analysis (Part I)
• How it works: analysis at the source code level

Static Code Analysis (Part II)
• Advantages: helps to improve an application
• Disadvantages:
  • Program analysis is inadequate
  • Modification and recompiling of the source code are needed
Compile Time Detection (Part I)
• How it works: stack-smashing protection

Compile Time Detection (Part II)
• Advantages: nearly 100% protection of “simple function calls”
• Disadvantages:
  • Recompiling is needed
  • No sane way to protect “complex function calls”
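The slides above cover two things at once: how an unchecked copy runs past the end of a buffer, and how compile-time stack-smashing protection (StackGuard, or GCC's -fstack-protector) catches it by placing a guard word between the buffer and the saved return address. The C program below is an added example, not code from the deck or from Rising Tech.; it models a protected frame as a struct so the mechanism can be exercised in user space. The canary value, the struct layout and the helper names are illustrative assumptions, and the over-long copy is deliberately kept inside the struct so the model itself stays defined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a stack frame as a stack-smashing-protected compiler lays it
 * out: the local buffer sits directly below a canary word, so any overflow
 * that could reach the saved return address must trample the canary first. */
#define CANARY_VALUE 0x5A3C1E0Fu   /* illustrative constant; real canaries are per-process random */

struct frame {
    char     buf[16];
    uint32_t canary;   /* guard word between the buffer and the return address */
};

/* Prologue: set the canary before the function body runs. */
void frame_enter(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
}

/* Epilogue check: 1 if the canary is intact, 0 if the frame was smashed
 * (a real build would abort the process here instead of returning). */
int frame_check(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Unchecked copy, behaving like strcpy/memcpy with an input-controlled
 * length: bytes beyond buf spill into the canary. The clamp to the struct
 * size exists only to keep this model well-defined. */
void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Bounded copy: never writes past buf, truncating and NUL-terminating. */
size_t copy_bounded(struct frame *f, const char *src, size_t len) {
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
    return n;
}

/* Run one scenario with input_len bytes of constructed 'A' filler (not real
 * attack data). Returns 1 if the canary survived, 0 if smashing was detected. */
int scenario(int bounded, size_t input_len) {
    char input[64];
    memset(input, 'A', sizeof input);
    if (input_len > sizeof input) input_len = sizeof input;

    struct frame f;
    frame_enter(&f);
    if (bounded) copy_bounded(&f, input, input_len);
    else         copy_unchecked(&f, input, input_len);
    return frame_check(&f);
}

int main(void) {
    printf("unchecked, 16 bytes: canary intact = %d\n", scenario(0, 16));
    printf("unchecked, 17 bytes: canary intact = %d\n", scenario(0, 17));
    printf("bounded,   64 bytes: canary intact = %d\n", scenario(1, 64));
    return 0;
}
```

The model shows why the slide can claim near-complete coverage for a simple call: the only way to reach the return address is through the canary, and the epilogue check happens before the function returns to a corrupted address. It also shows the limit: the check runs at function exit, so a write that corrupts a pointer or flag inside the same frame and gets used before the function returns is not caught by the canary alone.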
Network-based Detection (Part I)
• How it works: analyze network data for attack code

Network-based Detection (Part II)
• Advantages: detects exploit code by rule
• Disadvantages: either a high number of false positive alerts or a low number of true positive alerts
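Network-based detection as the slide describes it is rule matching over payload bytes. The C program below is an added example (not code from the deck or from any Rising Tech. product) with the two rule types such products typically use, a long run of one repeated byte and a fixed byte signature, run over three constructed payloads to make the slide's trade-off concrete: lowering the run threshold catches a payload with short padding, but also fires on a harmless zero-padded request. The signature bytes, the payloads and the threshold values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 4-byte signature a rule might carry (constructed, not a real IoC). */
static const uint8_t SIG[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Length of the longest run of one repeated byte value in the payload.
 * Rules for overflow exploits often key on such runs (padding before code). */
size_t longest_repeat_run(const uint8_t *p, size_t n) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (i > 0 && p[i] == p[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

/* Does the payload contain the byte signature sig? (naive substring search) */
int contains_signature(const uint8_t *p, size_t n, const uint8_t *sig, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, sig, m) == 0) return 1;
    return 0;
}

/* Rule evaluation: alert when either rule fires. run_threshold tunes the
 * run rule; a lower value catches more, at the cost of false positives. */
int payload_alerts(const uint8_t *p, size_t n, size_t run_threshold,
                   const uint8_t *sig, size_t siglen) {
    return longest_repeat_run(p, n) >= run_threshold
        || contains_signature(p, n, sig, siglen);
}

/* Constructed sample 0: a benign request followed by 40 bytes of zero padding. */
size_t benign_payload(uint8_t *out, size_t cap) {
    const char *text = "GET /index.html ";
    size_t t = strlen(text), total = t + 40;
    if (total > cap) return 0;
    memcpy(out, text, t);
    memset(out + t, 0x00, 40);
    return total;
}

/* Constructed sample 1: 120 bytes of one filler byte, the signature, then text. */
size_t suspicious_payload(uint8_t *out, size_t cap) {
    const char *tail = "/cgi";
    size_t t = strlen(tail), total = 120 + sizeof SIG + t;
    if (total > cap) return 0;
    memset(out, 'A', 120);
    memcpy(out + 120, SIG, sizeof SIG);
    memcpy(out + 120 + sizeof SIG, tail, t);
    return total;
}

/* Constructed sample 2: only 48 bytes of filler and no known signature. */
size_t short_run_payload(uint8_t *out, size_t cap) {
    const char *tail = "/cgi";
    size_t t = strlen(tail), total = 48 + t;
    if (total > cap) return 0;
    memset(out, 'B', 48);
    memcpy(out + 48, tail, t);
    return total;
}

/* Evaluate one constructed sample (0 benign, 1 suspicious, 2 short-run)
 * against the rules at the given run threshold. Returns 1 on alert. */
int evaluate_sample(int which, size_t run_threshold) {
    uint8_t buf[256];
    size_t n;
    if (which == 0)      n = benign_payload(buf, sizeof buf);
    else if (which == 1) n = suspicious_payload(buf, sizeof buf);
    else                 n = short_run_payload(buf, sizeof buf);
    return payload_alerts(buf, n, run_threshold, SIG, sizeof SIG);
}

int main(void) {
    const size_t thresholds[] = { 32, 64 };
    for (size_t i = 0; i < 2; i++)
        printf("threshold %zu: benign=%d suspicious=%d short-run=%d\n",
               thresholds[i], evaluate_sample(0, thresholds[i]),
               evaluate_sample(1, thresholds[i]), evaluate_sample(2, thresholds[i]));
    return 0;
}
```

At threshold 32 the benign zero-padded request raises an alert (false positive); at threshold 64 it is quiet, but the short-run sample is missed (lost true positive). The signature rule has no such dial, which is why it is precise for known exploits and useless for unknown ones.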
Host-based Detection (Part I)
• How it works: executable space protection
  • Hardware solution (CPU)
  • Software solution

NX Technology
• What is NX? NX stands for ‘No Execute’
• CPUs that support NX: Sun's Sparc, Transmeta's Efficeon, newer 64-bit x86 processors (AMD64, IA-64, etc.)
• OSs that implement NX: Windows XP SP2, Windows Longhorn, Linux with the NX patch
Software Solution From Rising Tech. (Part I)
Solution 1: TDI driver (only for Windows)
• How it works: use a TDI driver to detect known buffer overflow exploits

Software Solution From Rising Tech. (Part II)
Solution 1: TDI driver
• Advantages: detects viruses that exploit known vulnerabilities
• Disadvantages: fails to protect against unknown vulnerabilities
Software Solution From Rising Tech. (Part III)
Solution 2: StackChecker (only for Windows)
• How it works: install a kernel driver to inspect system calls and detect invalid user calls issued from the stack or heap
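The StackChecker slide says the driver inspects system calls and rejects those issued from the stack or heap. The C program below is an added example, not code from the deck or from Rising Tech.; it models that policy in user space as a lookup of the calling address against the process memory map, classifying the origin as image code, stack, heap or unmapped. The region table, its addresses and the verdict names are constructed assumptions; on a real system the address comes from the return address captured at the system call entry and the map from the kernel's view of the process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Kind of a mapped region, as a host-based checker would learn it from the
 * process's memory map. Only code mapped from an executable image is a
 * legitimate origin for a system call. */
enum region_kind { REGION_IMAGE, REGION_STACK, REGION_HEAP };

struct region {
    uintptr_t base;
    uintptr_t size;
    enum region_kind kind;
};

enum verdict {
    VERDICT_ALLOW,
    VERDICT_DENY_STACK,
    VERDICT_DENY_HEAP,
    VERDICT_DENY_UNMAPPED
};

/* Find the region containing addr; NULL if the address is not mapped. */
const struct region *region_lookup(const struct region *map, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;
}

/* Policy: the address the system call was issued from must lie in image code.
 * Anything else means control flow has already left the program's own code. */
enum verdict check_call_origin(const struct region *map, size_t n, uintptr_t caller) {
    const struct region *r = region_lookup(map, n, caller);
    if (!r) return VERDICT_DENY_UNMAPPED;
    switch (r->kind) {
    case REGION_IMAGE: return VERDICT_ALLOW;
    case REGION_STACK: return VERDICT_DENY_STACK;
    default:           return VERDICT_DENY_HEAP;
    }
}

/* Constructed memory map for a hypothetical 32-bit process (not real values). */
static const struct region SAMPLE_MAP[] = {
    { 0x00400000u, 0x00100000u, REGION_IMAGE },  /* main executable code */
    { 0x7C800000u, 0x00200000u, REGION_IMAGE },  /* a system DLL */
    { 0x00300000u, 0x00100000u, REGION_HEAP  },  /* process heap */
    { 0x0012C000u, 0x00014000u, REGION_STACK },  /* main thread stack */
};

/* Check one caller address against the constructed map. */
enum verdict check_sample(uintptr_t caller) {
    return check_call_origin(SAMPLE_MAP, sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0], caller);
}

int main(void) {
    static const char *names[] = { "allow", "deny: stack", "deny: heap", "deny: unmapped" };
    uintptr_t probes[] = { 0x00401234u, 0x0012F000u, 0x00310000u, 0x10000000u };
    for (size_t i = 0; i < 4; i++)
        printf("caller 0x%08lx -> %s\n", (unsigned long)probes[i], names[check_sample(probes[i])]);
    return 0;
}
```

The check is generic, so it catches exploits of vulnerabilities nobody has a signature for yet, which is the advantage the next slide lists. It is also a detection after the fact: by the time a system call arrives from the stack, the return address has already been overwritten and the legitimate frame is gone, so refusing the call protects the system but leaves the victim process with a corrupted stack, which is the crash the next slide lists as the disadvantage.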
Software Solution From Rising Tech. (Part IV)
Solution 2: StackChecker
• Advantages: detects viruses that exploit buffer overflows
• Disadvantages: the victim program will eventually crash despite the warning
Summary (Part I)
If you are a programmer:
• Check your source code manually
• Use aid tools to find hidden bugs
• Compile with StackGuard or other tools to avoid buffer overflow

Summary (Part II)
If you are a network administrator:
• Deploy a NIDS product
• Update it promptly
If you are a user:
• Apply the latest updates for your operating system
• Try StackChecker to detect buffer overflow exploits in real time