The common cold of IT security

The common cold of IT security
The common cold of IT security 

By William Jackson

IT security experts are not ready to admit defeat by one of the most 
common types of exploits, but the battle against buffer overflows so far 
has produced about the same results as medical science has against the 
common cold: We can treat it, but we havent found a way to cure it.

Its the same problem over and over again, independent security 
consultant Shawn Moyer said Thursday at the Black Hat Federal Briefings 
in Washington. We patch, we scan, we patch, we scan, and the cycles get 
shorter and shorter and the problem is worse. The result, he said, is a 
flailing death spiral of updates and patches.

There are defenses to block and mitigate these attacks, such as 
non-executable stacks and randomizing addresses within a system. None of 
them are bulletproof, but they do offer some relief.

A stack buffer overflow is one of the oldest tricks used by hackers to 
take control of a computer. When a malicious program writes excess data 
to an address on the call stack of an application with a fixed length 
buffer, the corrupted stack can make the application run improperly. 
Moyer described the technique as ten pounds of crap in a five pound bag. 
This sometimes allows the exploiter to gain control by injecting 
executable code into the running program.

The problem is not new. Its roots go back to John von Neumann, a 
physicist who worked on the Manhattan Project during World War II and 
came up with some of the first ideas for reprogramming a computer 
without physically rewiring it. The possible threat it represents was 
recognized in the 1960s, and the first widely recognized Internet worm, 
the Morris worm, exploited buffer overflows in 1988.

Its all basically the same problem for 20 years, Moyer said.

One way to fight buffer overflows in the stack is to use non-executable 
stacks, which segregate executable instructions from other data. This is 
done in some systems, but often it is made optional because of the 
difficulties it can present in running applications. This means that 
even if the function is used, a worm could simply shut it off and gain 
the access it needs to execute code.

Another technique is adding extensions to the stack, guard values or 
trip wires that look for and halt unauthorized executables. Randomizing 
addresses in the stack also makes it more difficult for malicious code 
to find its intended target. This technique, while not necessarily 
killing the code, can at least slow it down and limit its spread. The 
technique is not easy to do well, however.

Microsofts Vista is the first Windows operating system to natively 
support Address Space Layout Randomization, which puts programs and 
associated memory in random locations between reboots or executions, 
making them more difficult to attack because vulnerabilities are not 
found in predictable locations.

But it turns out that a tool used to randomize the addresses of data to 
hide it from hackers is not quite as random as it could be. Ollie 
Whitehouse, a security analyst with Symantec Corp., examined how 
information was distributed through the address space of Vista, and 
reported at last years Black Hat Federal Briefings that some significant 
biases were discovered in address allocation for some functions, 
reducing the effectiveness of ASLR. This weakness is expected to be 
corrected in the first Service Pack release for Vista.

The Holy Grail of defense would to go to the root of the problem and fix 
it there, Moyer said. We could fix the code, he added. That would be 

It also is about as likely as doctors fixing our DNA to makes us immune 
from colds. The problem is that there is so much code to be examined and 
fixed that fixing it all is impossible, just as starting over from 
scratch with all new code for all of our software is impossible. 
Existing code can be scanned and sometimes fixed with automated tools. 
But even that has drawbacks.

One of the problems with all of this is that it is going to break bad 
code, which means that users tend to disable the tools so that 
applications can be used, Moyer said. For the foreseeable future, manual 
review of code probably will remain an important, if time-consuming, 
tool in the fight against buffer overflows.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods