Presentation Transcript

Detection and Prevention of Buffer Overflow Exploit

Cai Jun

Anti-Virus Section Manager

R&D Department

Beijing Rising Tech. Corp. LTD.

What is Buffer Overflow Exploit
  • Definition of a Buffer
  • How Buffers Are Exploited
  • How to Exceed Program Space
  • Overflow the Stack
  • What Follows a Buffer Overflow
How to Detect and Prevent Buffer Overflow Exploit
  • Static Detection
  • Compile Time Detection
  • Network-based Detection
  • Host-based Detection
Static Code Analysis (Part I)
  • How it works

Source code level analysis

Static Code Analysis (Part II)
  • Advantages

Help to improve an application

  • Disadvantages
    • Program analysis on its own is inadequate
    • Modification and recompilation of the source code are needed
Compile Time Detection (Part I)
  • How it works

Stack-smashing protection

Compile Time Detection (Part II)
  • Advantages

Nearly 100% protection of “simple function calls”

  • Disadvantages
    • Recompilation is needed
    • No sane way to protect “complex function calls”
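As an added illustration of the stack-smashing protection described above (example code, not from the slides or from Rising Tech.), the following C simulates a StackGuard-style canary on a modelled stack frame: the frame struct, the constant CANARY_VALUE and the inputs are constructed for the demo, and the copy is bounded to the frame so the simulation itself stays memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated stack frame: local buffer, then the guard word that StackGuard-style
 * instrumentation places between the locals and the saved return address. */
#define BUF_SIZE 16
typedef struct {
    uint8_t  buf[BUF_SIZE];
    uint32_t canary;      /* checked in the epilogue, before the function returns */
    uint32_t saved_ret;   /* stands in for the saved return address */
} sim_frame;

/* Constructed value; real compilers use a per-process random canary. */
#define CANARY_VALUE 0xA5C3E1F0u

/* Prologue: lay out the frame and arm the canary. */
static void frame_init(sim_frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = 0x00401000u;   /* constructed stand-in address */
}

/* Unchecked copy in the spirit of strcpy: len bytes flow into a 16-byte buffer.
 * Bounded to the frame size so the demo never writes outside its own struct. */
static void unsafe_copy(sim_frame *f, const uint8_t *in, size_t len) {
    uint8_t *raw = (uint8_t *)f;
    if (len > sizeof *f) len = sizeof *f;
    memcpy(raw, in, len);
}

/* Epilogue check: 1 if the canary is intact, 0 if the frame was smashed. */
static int canary_intact(const sim_frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Returns 1 if the input fit, 0 if the overflow was detected.
 * Real stack-smashing protection aborts the process here instead of returning. */
int process_input(const uint8_t *in, size_t len) {
    sim_frame f;
    frame_init(&f);
    unsafe_copy(&f, in, len);
    return canary_intact(&f);
}

int main(void) {
    uint8_t benign[12] = "hello world";   /* constructed input that fits */
    uint8_t overlong[24];                  /* constructed input: 24 bytes of 'A' */
    memset(overlong, 'A', sizeof overlong);
    printf("benign:   %s\n", process_input(benign, sizeof benign) ? "ok" : "SMASHED");
    printf("overlong: %s\n", process_input(overlong, sizeof overlong) ? "ok" : "SMASHED");
    return 0;
}
```

An input of exactly 16 bytes fills the buffer without touching the guard word, so the check passes; the 17th byte lands on the canary and is caught, which is the "simple function call" case the slide says is almost fully covered.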
Network-based Detection (Part I)
  • How it works

Analyze network traffic for attack code

Network-based Detection (Part II)
  • Advantages

Detect exploit code by matching rules (signatures)

  • Disadvantages

Either a high number of false positive alerts or a low number of true positive alerts, depending on how tightly the rules are written

Host-based Detection (Part I)
  • How it works

Executable space protection

    • Hardware solution (CPU)
    • Software solution
NX Technology
  • What is NX?

NX stands for ‘No Execute’

  • CPUs which support NX
    • Sun's SPARC, Transmeta's Efficeon
    • Newer 64-bit x86 processors: AMD64, IA-64, etc.
  • OSs that implement NX
    • Windows XP SP2, Windows Longhorn
    • Linux with NX patch

Software Solution From Rising Tech. (Part I)

Solution 1: TDI driver (only for Windows)

  • How it works

Use a TDI (Transport Driver Interface) driver to inspect network traffic and detect known buffer overflow exploits

Software Solution From Rising Tech. (Part II)

Solution 1: TDI driver

  • Advantages

Detect viruses which exploit known vulnerabilities

  • Disadvantages

Fails to protect against unknown vulnerabilities

Software Solution From Rising Tech. (Part III)

Solution 2: StackChecker (only for Windows)

  • How it works

Install a kernel driver that inspects system calls and detects invalid user calls originating from the stack or heap

Software Solution From Rising Tech. (Part IV)

Solution 2: StackChecker

  • Advantages

Detects viruses which exploit buffer overflows, including unknown ones

  • Disadvantages

The victim program will still crash even though the attempt is detected and a warning is issued

Summary (Part I)

If you are a programmer

  • Check your source code manually
  • Use static analysis tools to find hidden bugs
  • Compile with StackGuard or a similar tool to catch stack buffer overflows
Summary (Part II)

If you are a network administrator

  • Deploy a NIDS product
  • Update its rules promptly

If you are a user

  • Apply the latest updates for your operating system
  • Try StackChecker to detect buffer overflow exploits in real time