http://www.washingtonpost.com/wp-dyn/articles/A55209-2005Feb26.html By John Breeden II Special to The Washington Post February 27, 2005 Pour a 12-ounce can of soda into an eight-ounce glass, and you've got spilled soda and a sticky mess. Hackers know this principle, too. But when they apply it in crafting viruses and worms, the mess is a lot harder to clean up -- and, until recently, to prevent. These exceedingly common "buffer overflow" exploits are one of the most common ways computers get infected by viruses and worms, from the "Great Internet Worm" of 1988 to 2003's Blaster. They attack programs written in the widely-used C and C++ programming languages. A malicious application will try to bowl them over with a too-large chunk of data that hides some executable code. Once that overflow crashes the target program, the embedded code can run and perform whatever mischief it's assigned -- deleting your data or turning your PC into a "zombie" that infects other machines or relays spam. In other words, instead of plain old soda, you spilled Evil Cola that isn't content to stain the table but will try to hijack it. If programmers wrote perfect software that could never be crashed by an overload of data, buffer overflow attacks would be a thing of the past. Various defensive techniques can also squelch overflow attacks, and other programming languages, such as Java, don't permit them at all (at the cost of slower performance). But rewriting or replacing every program in existence just isn't going to happen anytime soon. With last year's Service Pack 2 update to Windows XP, however, there is a new defense. In that update, Microsoft built in special code called the "no execute" (NX) flag that, when run on compatible processors, blocks code from running in the memory areas targeted by overflow attacks. Finding those compatible processors may not be easy. AMD offers NX support (which it calls "Enhanced Virus Protection") on all its Athlon 64 chips. But at Intel -- which trailed AMD in adding this technology to its consumer hardware -- the selection is much more random. Intel spokeswoman Claudine Mangano said the following processors offer NX support, which Intel calls "Execute Disable Bit Functionality": 520J, 530J, 540J, 550J, 560J, 570J, 630, 640, 650, 660 and "Extreme Edition" Pentium 4 desktop processors, plus the 730, 740, 750, 753, 758, 760 and 770 Pentium M laptop processors. Pair up the right processor with an SP2 edition of Windows XP (Microsoft's Windows Server 2003 with Service Pack 1, Red Hat Enterprise Linux 3 Update 3 and SuSE Linux 9.2 also offer NX), and your system should run just as it did before in daily use. We have yet to see any programs break on an NX-enabled machine. To test this feature in action, we ran a simple buffer-overflow test that, on a computer without SP2, flashed a message on the screen to signal a successful takeover. We ran the same test on a desktop with an AMD Athlon 64 processor and a laptop with a new Intel Pentium M chip, and the attack program got nowhere. This defense wasn't without its cost: Each time, the computer crashed as the attacking program tried to batter its way into the NX-protected neighborhood. A single buffer overflow should be blocked without incident by NX, but this barrage was too much. A system crash, however, still beats losing control of the computer. NX cannot defeat all attacks. Participants on hacker newsgroups are already mulling over ways to circumvent this barrier, and NX can't stop tactics that don't employ buffer overflows. NX is worth incorporating into your security plan -- either when you buy your next Windows computer, or by (finally) installing SP2 on your NX-ready machine -- but you'll still need to back it up with an up-to-date antivirus program, a firewall and one or more anti-spyware utilities. _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Mon Feb 28 2005 - 04:49:35 PST