Data Execution Protection
esarjeant writes "In addition to a number of other security features, anti-virus vendors are starting to push buffer overflow detection. This will be part of Microsoft's future direction with Data Execution Prevention (DEP) and is already integrated with McAfee 8.0i. So it looks like everyone is going to upgrade all of their software again; will software vendors be able to keep up with the support calls?"
Virus vendors? (Score:5, Funny)
Re:Virus vendors? (Score:2)
or maybe this is just the new term for microsoft?
Re:Virus vendors? (Score:2)
Re:Virus vendors? (Score:2)
You heard it here first.
Re:Virus vendors? (Score:4, Funny)
Who buys viruses? (Score:2)
Huh...... (Score:2)
support calls (Score:5, Interesting)
Yes, with more automation, more people on the other end (most likely in India) and more cost passed on to the customer. When I used to work we used to have a saying: "If it weren't for Microsoft, we would all be out of jobs."
Re:support calls (Score:2)
virus vendors? (Score:3, Funny)
Virus vendors eh? (Score:4, Funny)
Re:Virus vendors eh? (Score:3, Funny)
What a ripoff... I get all of mine for free.
Re:Virus vendors eh? (Score:3, Informative)
What is it with the buffer overflows? (Score:3, Insightful)
Re:What is it with the buffer overflows? (Score:5, Interesting)
Basically this is just laziness in the Windows architecture that overlaps the code and data segments. Separate these and the problem is solved with no new hardware, minimal application rework, and the like.
Incidentally, my perusal of the setup routines in Linux (well, it was version 1.0, so I don't know if this is still the case) show that it also maps code and data to the same actual addresses, which makes it vulnerable as well.
Sure, you can use "smart" languages and NX bits and stuff like that, but it's all assembly at some level, and the processor manufacturers actually built in sufficient protection decades ago when they came up with segmented memory. (PowerPC architecture can also distinguish between code and non-code).
I am always amused at how the memory management community hasn't nipped this one in the bud ages ago when the tools to fix it already exist.
Re:What is it with the buffer overflows? (Score:2)
Let's say you have a global pointer to an object... in thread A, you are deleting an instance of the object, then the OS jumps threads in the middle of this operation, and thread B goes and tries to access information from the same object. This is known as a race condition.
Basically, which one gets there first, and how much damage will it do? The more you start working with shared memory and threads, the more code prote
Re:What is it with the buffer overflows? (Score:2)
Re:What is it with the buffer overflows? (Score:2)
It's an intel flaw (Score:3, Informative)
Possibly you are confused by 80286 segments, which could make memory readable without being executable (because you could
Segmentation is better! (not) (Score:2, Interesting)
Windows uses a 4GB flat address space. The same memory model used by Linux and all other modern OSes. Segmentation, though supported by the hardware, is (1) inefficient and (2) more difficult to program for. Even CPU vendors realize it was bad technology and are moving away from it. Example: The new AMD64 chips support all the segmentation crap in compatibilit
Re:What is it with the buffer overflows? (Score:3, Informative)
Nobody uses segments any more. Win32 programming uses a flat 32-bit address space.
The problem stems from the fact that, under the Intel architecture, procedure local variables are allocated on the stack right next to the return address pointer. If a lazy programmer allocates a 256 byte buffer and does a strcpy() that doesn't have a null within the first 256 bytes, strcpy() will keep copying data until it hits a null character, clobbering the return addre
To an extent (Score:2)
I'm one of said guys, so I'm well and truly familiar with this pain.
Part of it is culture - features and fast development above correctness. A project I'm involved with now is a horrifying mass of spaghetti that barely works at all, yet they're still adding new features with little focus on cleanup. There i
Re:What is it with the buffer overflows? (Score:3, Informative)
We try our best, but we're humans. We make mistakes.
And why the hell do we still need to code buffers? Isn't there a library or a call to handle buffers in a safe way?
Yes. In fact, most modern languages like Java and C# handle memory for us; no more deletes necessary, and buffer overflows, while not impossible, are much less likely to happen with higher level languages.
Re:What is it with the buffer overflows? (Score:4, Informative)
C and C++ put the reliance on the programmer to check the rules under the assumption that compiler provided checks are too expensive. They are only too expensive if you assume the everything-is-a-pointer model that underlies these languages. Java and C# gain some safety since they do not allow arbitrary pointers, but, in my opinion, have still inherited too much from the parent languages.
Part of the problem is the everything-looks-like-a-nail approach. There are some wonderful languages out there that are much more appropriate for many of the tasks, and have syntax and semantics that make many of the security problems much easier to solve. However, they are not the "mainstream" languages and as such do not get the developer attention.
Will software vendors be able to keep up? (Score:2, Funny)
I'm being optimistic (Score:4, Insightful)
What is a Buffer Overflow? (Score:3, Interesting)
I am asking as a person that isn't a programmer but understands the concepts that go behind the smoke and mirrors.
Re:What is a Buffer Overflow? (Score:2, Informative)
Re:What is a Buffer Overflow? (Score:3, Informative)
Re:What is a Buffer Overflow? (Score:5, Informative)
You have some memory allocated for some type of variable, or something. That's called a buffer, and it's usually a certain number of bytes "big". There's a function in your program that puts a value into that variable. If you can feed more data into the buffer than it can handle, you can have a buffer overflow.
The reason why this is dangerous is because that data "spills" into another portion of the memory, which could already be occupied by anything from more data, to executable code. In the latter case, if you've overwritten executable code, you can replace that code with your own executable code, and do all kinds of nasty things that the original program wasn't intended to do.
Congrats! (Score:2)
Re:What is a Buffer Overflow? (Score:2)
When I was subscribing to bugtrack I read about people who had found a security problem in a simple game written in C included in many Linux distros. The overflow? Second player name.
Re:What is a Buffer Overflow? (Score:4, Informative)
In this case, if "buffer" gets overfilled just so, then the program may incorrectly believe that the data it contains is safe to operate on even though it might not be. Remember, folks, there are other ways to exploit an overflowable buffer than the standard "write executable code to stack and jump to it" method.
Re:What is a Buffer Overflow? (Score:2, Informative)
Great explanation of buffer overflows here [helpbytes.co.uk]
Re:What is a Buffer Overflow? (Score:2, Informative)
*Many* moons ago, I took an OS writing course from Intel, on the 80286. The way I was taught, a buffer overflow is something that would not have been possible in the processor architecture. There were code segments, and data segments. If ever the twain should overlap, processor exceptions occur, whet
Re:What is a Buffer Overflow? (Score:2, Interesting)
Dude, you're making it sound like it's a matter of faith whether stack/heap overflows can be done at all. :-)
No one said it's easy and quickly done to write a working exploit. It takes time to find the vulnerabilities, and still much more time to write code exploiting them.
Add to a
Re:What is a Buffer Overflow? (Score:2)
The basic problem is that Intel didn't include an execute protection bit in the i
Re:What is a Buffer Overflow? (Score:5, Informative)
Partial remedial solutions include commands that prevent declared data from being executed, having the return address stored on a different stack from the data stack, explicitly testing the stack integrity before executing a return from a subroutine, and putting up "electric fences" -- basically buffer regions around every memory allocation that are not owned by the application requesting space.
Now, a translation into non-technical terms (Score:3, Funny)
On your way out you made a mental note to come back to your buddy's place, rather than your own. This is the return address. You also made a mental note that you needed potato chips and another case of beer. That list is in your buffer.
Your other "friend", a known sponge who still ow
Re:What is a Buffer Overflow? (Score:2)
* Subroutine
* Return Address
* Stack
* Local Variables
* Jumps
* Array
* String
* Push
* Allocated
Thank you and goodnight.
Re:What is a Buffer Overflow? (Score:3, Insightful)
Maybe it will slow down CPUs, but I think that if a CPU knows that a stack will ONLY ever contain return addresses and another stack only contains data there can be a fair number of optimizations.
If you want to really be paranoid, have 3 stacks. One stack for code (return addresses), one stack for data (variables), and one stack for metadata - e.g. each entry could store the end location of the data (e.g. the data stack p
Re:What is a Buffer Overflow? (Score:5, Informative)
Glad this is being addressed... :P (Score:5, Funny)
I feel safer already.
Exploits can be pure data (Score:4, Insightful)
CSA already does this (Score:5, Informative)
Looks like... (Score:4, Interesting)
Well, it's just the rise of "Worse is Better" (Score:2)
What this really implies is that the world will always be playing catch-up with the virus writers: security is only an issue when someone releases an actual threat. Until then, there's no economic incentive to do anything about it.
Re:Looks like... (Score:3, Funny)
DEC ported the Microsoft DCOM implementation from Windows to OpenVMS, including its buffer overflow bugs.
Not a silver bullet (Score:5, Informative)
Re:Not a silver bullet (Score:2)
Visual C++.NET 2003 has a compile switch that makes your app check the return address, so that is nothing new. DEP interacts with the NX bit on the CPU to stop data-only memory from being executed, which should prevent a lot of buffer overflows.
Nope (Score:2)
Eventually, someone will create a ROM-booted web appliance that has flash and pdf capability built in that they will feel comfortable using, will work for 10 years without an upgrade, and is immune to viruses because when you turn it off - everything is wiped. Their "Desktop" will be on google or somewhere external to their own system.
Re:Nope (Score:2)
You could redo the I-Opener today. In fact, you could even get the latest version of QNX with the new embedded browser and load it into an I-Opener.
Something like that should be in every hotel room, where you really want a stateless client machine.
A Flawed Architecture (Score:4, Interesting)
Is it too late to change? Well, we have had new chips arise (like POWER, or CELL) so it's not impossible... just difficult.
Re:A Flawed Architecture (Score:2)
Re:A Flawed Architecture (Score:2)
Re:A Flawed Architecture (Score:3, Insightful)
And a Harvard architecture doesn't help, anyway, if your program contains routines that an attacker would like to run with chosen data, because the st
Strengths and differences of this vs SELinux (Score:4, Interesting)
The SELinux approach sounds to me like a far better way to approach this, actually controlling the permissions of a process with some high degree of precision, down to what files it can use and what other processes it can invoke.
Anyone learned in this stuff care to give a non-flamed opinion of the two approaches' strengths and weaknesses? Also, do or will the newer Linux kernels do anything similar regarding stack protection?
Re:Strengths and differences of this vs SELinux (Score:2)
The problem is that administrating these permissions is a real pain in the ass. It's not simple at all, and is usually more of a hassle than it's worth. Different versions of the same product may require different rule sets. Even a simple, small
Orthogonal (Score:2)
Re:Strengths and differences of this vs SELinux (Score:4, Interesting)
Most people recommend a combined approach including mandatory access control, chroot jails for services on the internet, stack smash protection, address space layout randomization, non-executable memory pages, firewalls, virus and spyware scanning, intrusion detection, regular vulnerability patching, and user education (did I leave anything out?). No one will tell you that you are safe after implementing just one of these solutions, but the more you do implement, the more secure your system will be.
All of the above have been available on Linux for some time, but are not implemented by default in any popular distribution that I am aware of, which is a shame because I believe it is only a matter of time before someone writes a really nasty worm for Linux. Most Linux users I know seem to believe they are safe with only regular patching and a firewall.
Gentoo is the best distro I have found for implementing these security measures and tries to build them in as an option wherever possible. Gentoo has great documentation on security and is all about custom configuration and compiling. Since some of the above solutions require special compiler technologies, Gentoo is a perfect fit.
Each of those solutions takes a certain amount of effort to implement and will break certain existing applications in different ways. Basically, Microsoft is taking the next step and implementing the least disruptive and easiest solution that will provide some protection for all software running on the system. They should probably also compile their own software with stack smash protection and make address space layout randomization available as a next step.
Re:Strengths and differences of this vs SELinux (Score:2)
Re:Strengths and differences of this vs SELinux (Score:2)
File permissions are permissions granted to a user. These are permissions to various objects and resources granted to programs and processes.
Big difference.
As an example, the author of that Redhat article has a Fedora Core 3 box set up with a very restrictive SELinux configuration and freely gives out the root password, and even with root, people can't do anything dangerous to the box.
He's had a similar Debian box out
Re:Strengths and differences of this vs SELinux (Score:2)
Bob: rwx
Jill: -wx
Secretaries: r-x
Everybody: ---
This set of permissions cannot be done in Unix/Linux, without using another solution other than FS permissions. In addition, NTFS permissions are more detailed and complex than RWX, you have:
Change Owner/Permissions of Object
Execute and View Directory are separate permissions
and Read
Re:Strengths and differences of this vs SELinux (Score:2)
Re:Strengths and differences of this vs SELinux (Score:2)
You have a root shell but can't hack the box. That's pretty impressive.
Time to buy a new computer again... (Score:5, Funny)
"Hey, my 3ghz computer is running as slow as a Pentium 1.5ghz... Why is that?"
"Oh that's all the new virus checking that runs the executables before they run to make sure they don't have any viruses in them."
So y'see... Viruses ARE good for the industry!
Re:Time to buy a new computer again... (Score:2)
Re:Time to buy a new computer again... (Score:2)
DEP is already in Windows (Score:3, Informative)
It appears that if the hardware doesn't support DEP, it will enable some sort of software DEP, instead.
W2K3 SP1 also includes a new, XPSP2-like firewall interface with some nice logging and an easy-to-use rules interface. There's also the new Security Configuration Wizard, which seems to do a pretty damned good job of really locking down 2003 for those that need it.
Software for software (Score:3, Interesting)
Re:Software for software (Score:3, Insightful)
The problem is not jmp to data segments. The problem largely is executable stacks, which is exactly what stack smashing is about.
The other problem is that executable stacks are required for some legitimate compiler functions such as trampolines.
The real solutions are:
_complete_ separation of code and data segments.
code is _never_ writable, under any circumstances.
data is _never_ executable, under any circumstances.
no executable stack.
no more mprotect().
This will solve the arbi
Re:Software for software (Score:2)
Keeping your developers happy (Score:5, Interesting)
--pete
People Still Writing Code in C (Score:3, Interesting)
(And yes, I still write C/C++ when I need it, but that's laziness after 25 years of habitual use, and usually I use shell when I need to program :-)
Less of an issue if... (Score:2)
You are quite right, however, in that buffer overflow is a result of careless programming. Making assumptions about length of strings is fine if you're
Re:People Still Writing Code in C (Score:2, Insightful)
You can't blame a programming language for sloppy coding. Sloppy code is sloppy code and it makes no difference what language you use, if you're a crap coder then you are going to have problems.
And stating that "C is probably still the language of choice, but the number of people who do that is pretty limited" is just plain wrong. Back in the REAL world, C is used more now than it has ever been.
And besides, what do you suggest you write an OS in? Perl? TCL? Vusua
A Tough Transition (Score:3, Interesting)
No problems so far. (Score:2)
I even enabled DEP for all programs and services, not the default "essential" ones.
Boldly going where Linux went back in 2000 (Score:3, Interesting)
I am surprised that major distributions have not picked up and run with this great tool. One of the first things I do on any new machine is to ensure that all internet-facing services are being run with libsafe preloaded.
No Execute = snake oil (Score:5, Interesting)
Now, if you had a "Take no action whatsoever based on the content of this location, in fact, whenever you are asked even to read it, always return the same value" flag -- that might prevent the execution of unwanted code. Chances are your system would also be computationally incomplete.
As it stands, NX is trivially defeated by persuading the user to install a simple piece of code -- effectively an emulator.
Basically, NX is answering the wrong question. The question that needs to be asked is "How can we best persuade users not to run arbitrary code when they don't know what the hell it does?" My own answer would be for every processor to have its own, unique instruction set; so only code compiled for that one particular individual processor would ever run on it. {Obviously you'd have to have a compatibility mode for bootstrapping, so you could compile the compiler to compile the unique-ified software; but this would have to be accessed by some deliberate hardware action that no software could get around.} I'm sure that is not impossible; but I'm not sure that it's feasible as long as the likes of Microsoft want to do things their way.
DEP has nothing (Score:3, Interesting)
DEP actually can be evaded [blogspot.com] because it supplies no ASLR. If the attacker can reasonably know where some data exists in memory--particularly, his exploit and msvcrt.dll for memcpy() and VirtualAlloc()--he can basically switch DEP off during an attack. Believe it or not, this is pretty easy if everything is in the same place every program run.
Fortunately in Linux we have PaX, which supplies much better protection than W^X, Exec Shield, or DEP with "competitive" (i.e. comparable, potentially lower; it can actually viably compete) compatibility. Red Hat of course has convinced the GCC devs to make GCC mark everything to have an executable stack if the compiler is at all not sure that it can operate without one; but PaX ignores that and still only "breaks" a few packages (and nVidia's glx).
PaX, GrSecurity, IBM's SSP (ProPolice), and PIE executable binaries should pave the future on Linux; but people are trying so hard to avoid them. It's not even much work to maintain a distro using those.
DEP is basically like vanilla Linux on AMD64.
Re:DEP has nothing (Score:2)
From the linked blog post:
I don't believe that. Using a canary would stop the attack discussed in that post (which is an attack strategy that is already well known).
MS Visual C++ has offered the option of canary protection for some time (even if they did not use Cowan's name for it). I would have expected that SP2 involved recompiling most/all code with the check prior to a
Better idea? (Score:3, Informative)
Character arrays have an extra byte stuck on the end of them. When the compiler sees that it's being called by an unsafe method or some sort of strcpy it puts a random value into that byte, and rechecks it after the call. There is no way for the buffer overflow code to know what the value was and when it is changed the program is immediately killed. Then again your overflows still have a 1 in 256 chance of working.
So is this already being done somewhere or is there any reason why this just wouldn't work?
Seems to me OSS along with GCC has the potential to fix overflow problems a LOT easier than a commercial OS vendor could.
-Don.
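An added example in C (not code from this thread or any poster) that models the strcpy() overrun described earlier in the thread and the guard-byte check proposed in this post. The unchecked copy is clamped to one byte past the buffer so the program stays well-defined, and the "random" canary is a constructed constant so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16              /* the post's 256-byte buffer, shrunk for the demo */
#define SLOT_SIZE (BUF_SIZE + 1) /* one extra byte after the buffer holds the canary */

/* The unchecked strcpy() path from the thread, modelled without undefined
 * behaviour: the copy may run one byte past the buffer (into the canary
 * slot) but never past the slot itself. */
static void unchecked_copy(char *slot, const char *src)
{
    size_t n = strlen(src) + 1;        /* strcpy() also copies the terminating NUL */
    if (n > SLOT_SIZE)
        n = SLOT_SIZE;                 /* clamp so the model stays well-defined */
    memcpy(slot, src, n);
}

/* Canary check as described in the "Better idea?" post: a guard byte sits
 * right after the buffer, is set before the copy and compared afterwards.
 * Returns 1 if the copy stayed inside the buffer (out, if non-NULL, receives
 * the data), 0 if the guard byte was clobbered.  'canary' stands in for the
 * random value the post describes (constructed constant here). */
static int copy_with_canary(const char *src, unsigned char canary, char *out)
{
    char slot[SLOT_SIZE];
    memset(slot, 0, sizeof slot);
    slot[BUF_SIZE] = (char)canary;
    unchecked_copy(slot, src);
    if ((unsigned char)slot[BUF_SIZE] != canary)
        return 0;                      /* overflow detected: abort the operation */
    if (out)
        memcpy(out, slot, BUF_SIZE);
    return 1;
}

/* The fix that removes the need for a canary on this path: check the length
 * before copying.  Returns 1 on success, 0 if src plus its NUL does not fit. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

int main(void)
{
    char out[BUF_SIZE];
    const char *ok = "short";                        /* fits */
    const char *long_in = "AAAAAAAAAAAAAAAAAAAA";    /* 20 bytes: overruns */

    printf("short input, canary 0x5A: %s\n",
           copy_with_canary(ok, 0x5A, out) ? "accepted" : "rejected");
    printf("long input,  canary 0x5A: %s\n",
           copy_with_canary(long_in, 0x5A, out) ? "accepted" : "rejected");
    /* The 1-in-256 weakness the post admits: the byte landing on the guard
     * slot ('A' == 0x41) happens to equal the canary, so nothing is noticed. */
    printf("long input,  canary 0x41: %s\n",
           copy_with_canary(long_in, 0x41, out) ? "accepted" : "rejected");
    printf("bounded_copy(long input): %s\n",
           bounded_copy(out, sizeof out, long_in) ? "accepted" : "rejected");
    return 0;
}
```

The third case shows why a single guard byte is only a probabilistic check; the length check in bounded_copy rejects the overlong input outright.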
Re:Better idea? (Score:2)
I just use IBM Rational Purify to build a version of my code, chuck random crap at the purified version and fix all the problems it finds. It's relatively expensive, but I think it's worth more than it costs.
Ph
W^X copy? (Score:2)
Better Late Than Never (Score:3, Informative)
I've had stack protection for quite some time with Solaris and OpenBSD. The Windows platform is a few years late to the party; doesn't Microsoft realize how much easier their life would be if they acted earlier?
Companies with Windows are like a person persisting in wearing worn-out shoes. They're uncomfortable, they cause blisters, they don't keep water out, yet they keep them, because going barefoot is worse, I guess. The software industry still has a lot of growing-up to do.
Good naming, marketing. :-) (Score:2)
Early AT&T Unix (Score:2)
Re:great news (Score:3, Interesting)
So MS is pushing for (what I'm guessing is) some sort of protection for application layer buffer overflows.
Does Linux have any sort of thing like this? I know Microsoft doesn't hold a monopoly on buffer overflows.
Seriously, I'm curious. Thanks.
Re:great news (Score:3, Informative)
Re:great news (Score:5, Informative)
- Oisin
Re:great news (Score:3, Informative)
Re:great news (Score:3, Informative)
Re:great news (Score:5, Informative)
Re:great news (Score:2, Informative)
Re:great news (Score:3, Informative)
Re:great news (Score:2, Funny)
The main protection Linux has is the developers looking at Microsoft and saying, "See those guys? Let's not be like those guys."
I disagree. (Score:2, Funny)
Re:Umm... (Score:4, Informative)
Re:Time to change.... OS (Score:2, Insightful)
Everyone loves to bash MS here, fair enough. I don't really give two monkeys.
However, I just don't think this is true. I run NAV2004 on my XP box, and it never ever flags anything. Now, either this means it's just cack (Corporate Edition is certainly pretty cack), or I just don't get all these viruses. I spend plenty of time surfing around the shady underbelly of the web, with Firefox admittedly, and I use my common sense wit