Published: 2005-08-230 comment(s)
Last Updated: 2005-08-24 22:31:21 UTC
by Jason Lam (Version: 1)
Last Updated: 2005-08-24 22:31:21 UTC
by Jason Lam (Version: 1)
Windows buffer overflow protection
Today, we solicited ideas for runtime buffer overflow protection on Windows platform. There has been many recent developments in the arena of buffer overflow protection. Many vendors are coming out with their own solution for protecting machines from 0-day buffer overflow attacks. Even the anti-virus vendors are bundling it into the AV solution, is it the next big thing in security or is it another marketing hype?
I have personally seen couple of products in action recently, both performed as it claimed, protected the unpatched machines from buffer overflow attack (different ones for the two products that I have seen). If you have it installed in your environment, please share your thoughts on how it performed.
Here are some of the vendors/products who have solution in this space, feel free to contribute more (with a brief description, please)
* Mcafee VirusScan Enterprise 8i, this AV solution will protect the Windows machine from buffer overflow attack.
* Ozone HIPS is a policy based HIPS that has buffer overflow protection by randomizing the memory address space.
* Prevx is a HIPS that provide buffer overflow protection.
* Mcafee Entercept is Mcafee's IPS solution.
* Cisco CSA, formerly known as Okena StormWatch is Cisco's IPS offering.
* Symantec Critical System Protection is Symantec's behavior based HIPS.
* Win XP SP2 and Win 2K3 SP1 has Data Execution Protection (DEP) built in. It needs more recent CPU from Intel and AMD to provide full protection. See http://support.microsoft.com/kb/875352 [Steve Shockley]
* StackDefender is a based Windows IPS [Simon Howard]
* ISS Protventia Desktop Firewall has a buffer overflow protection engine[Matt Pierce]
* Eeye Blink has buffer overflow protection and has a resonable price point. [Seth Kusiak]
* Sygate Secure Enterprise provide buffer overflow protect as well as a whole lot of other endpoint protection features. [Seth Kusiak]
* Determina SecureCore is another host based IPS product. [Daniel Charboneau]
Another handler Ed Skoudis reminded us that There are two forms of DEP - Software-based DEP and Hardware-based DEP. The software-based stuff is
active by default on WinXP SP 2 regardless of your processor type. It is config'ed to secure "essential Windows components and services", and other apps can be added. The Hardware-based DEP requires a processor that supports NX.
Ed also added that to enable DEP, you have to do the following,
Click on Settings under Performance, and go to Data Execution Prevention.
Scooter had good experience with Mcafee Enterprise VirusScan 8i. "It has worked as advertised with almost no configuration or customization necessary. It so far has been one of the best implementations of buffer-overflow protection I have seen (i.e. quiet but effective)." [Scooter]
Keng Lim send in an interesting link to information on circumventing MS DEP http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm
Philippe submitted another link to us for circumventing the MS DEP http://www.packetstormsecurity.com/papers/bypass/bypassing-win-heap-protections.pdf [Philippe]
From reader Casey Rhoton, "This is Eeye's IPS solution, and during our evaluation testing, I placed an unpatched Windows 2000 workstation with Blink installed in an out of the box configuration outside our firewall. The machine survived two full weeks outside the firewall with only the Blink client on it. This machine did not have the lastest patches, or AV of any kind on it. Very impressive. We had simular results with Cisco's CSA, but the CSA agent despratly wants to talk to it's managment server, as does McAfee's Intercept product. Both of these products use the Okina core code. The one thing I noticed while testing these products, was that Eeye's Blink was the only product tested, that I did not find any remenants of attack code, or malware on the hard drive after testing. They state that there product stops the attack at the network link, between layers 3 and 4, thus preventing the overflow from ever making it to the physical hard drive. The other products seem to kill the attack at execution. Just my experence with these products. They all have a fairly large memory footprint, some more that others." [Casey Rhoton]
From an anonymous reader, "We have the McAfee Virusscan 8 Buffer Overflow Protection in place on our network. During the recent Zotob outbreak, it worked at first, blocking infection attempts that were coming from our WAN. However, the worm found an unprotected machine on our network, which then found several more unprotected machines. Once there were several infected machines on the LAN, the worm started jumping to protected machines. After analysis, it looks like the machines were somehow overloaded to the point of rebooting (either by network traffic or attempted attacks). As the machines were booting, the anti-virus hadn't started yet, but the Plug and Play service was reachable via TCP port 445. The previously protected machines became infected, after which they ironically started blocking incoming buffer overflow attempts again (albeit too late). Moral of the story - don't depend solely on McAfee Buffer Overflow Protection, because it won't protect you from a network worm while machines are in the process of booting. Perhaps a desktop firewall might help, but I haven't had a chance to test that yet."
JD from VirusIntel.com wrote in and said, "I have implemented VirusScan 8.0i into my organization and its does work well. I think McAfee should adopt Ford's slogan "Have you taken a look at us lately". One thing for readers to keep in mind is that VirusScan 8.0i does not provide protection for all services. I believe readers could search the Knowledge base for a list of services covered. Another consideration that needs to be acknowledged, is that the protection offered, is the removal of malicious code as a result of a buffer overflow. While the attacked system will not be infected, the service that the buffer overflow occurred on, my be left in an unstable state. In the case of MS04-011, this meant a possible reboot.
I have also implemented McAfee's Entercept (HIPS) into my organization as well. I am very impressed with the product. The signature based protection really compliments the behavioral based protection. Creating custom signatures can be very powerful for protecting against new threats, or for other management functions such as USB storage device blocking.
I have also tested PrevX home addition. If you do not mind the chatty warnings, and remember to suspend it before installing software, then it offers great protection for home users. I recommend it for home users that are, well lets say, known for risky internet behavior." Thanks, JD!
John Sawyer wrote in to remind us that Mcafee VirusScan only protects about 20 different applications, so it might not provide sufficient coverage.
Cody Hatch suggests that "eEye's Blink is essentially a network layer-based protocol reassembler. If a protocol doesn't fall within Blink's "understood" protocols, will it get handled appropriately? Since Blink doesn't hook into the kernel and relies solely on network-layer information, encrypting application layer data (an attack can conform to RFCs and have an encrypted application layer) will evade Blink as well." [Update: eEye writes back and confirms that aside from the network traffic examination, Blink does have a kernel driver that is monitoring various kernel API's to see how things are behaving and stop attacks. Also, Blink has protection code that gets injected into applications to generically protect from various bad system calls and functionality behaviors. This confirms Casey Rhoton's statement that the attack code are on residing on the box and even if the attack pass through the network layer checking, it can still be catched by Blink using the above mentioned mechanism.]
Moses Hernandez has the following comments, "From my experience the eEYE Product has a network and application firewall and a RFC Based IPS. What this means is that it has taken RFC's and created rules based upon what the RFC denoted parameters are. We did not get hit with zotob or any other worm in the last 8 months. I know that the company has stated for the Zotob infection that any machine with the Blink client did not necessarily need to be patched rigth away since the IPS portion should protect the client. Additionally the 2.0 Product includes a Advanced Application Protection Piece. Most badly written software will trigger the Application protection so i've only been able to use this on very specific locked down machines. This will protect any piece of software from running inside Ring 0 (NT Kernel Protected Space). Since most malware and spyware will run inside of this it will protect that. I have no idea if this includes Buffer Overflow attacks but i am sure it must at some level inspect this.
The Cisco CSA Client with the Okena code is a different animal. It does have some features while will allow applications not to run. If the machine is however not configured correctly, then renaming the application will allow said application to run. Additionally it is an anomoly engine. It will need to "learn" what is a "normal" traffic pattern to be able to protect against "abnormal" traffic patterns such as a DoS attack. Finally about needing to be hooked into the mothership, please note that there are configurations that will allow you to use what they mention as a Headless CSA, it has a default policy. This is used on the Cisco ACS product and also the Cisco Callmanager.
Lastly the Zonelabs Integrity Client which is an enterprise client of ZoneLabs Firewall now has the Checkpoint Smartdefense Filters already applied to it. I Cannot comment more than to say that these are the same filters you find on the Interspect Engine and I believe more than what you find on the FW1/VPN1 firewalls. They are signature based and do require updates. The nice things are people with organizations that have Checkpoint Products will now have a unified Dashboard, Logging, Tracking and more features than I care to go into." Thanks, Moses
ISC handler on duty - jason /at/ networksec /dot/ org
Join us at SANS! Attend with Jason Lam in starting