Detection and Prevention of Buffer Overflow Exploit
Cai Jun, Anti-Virus Section Manager, R&D Department, Beijing Rising Tech. Corp. LTD.


1 Detection and Prevention of Buffer Overflow Exploit
  Cai Jun
  Anti-Virus Section Manager, R&D Department
  Beijing Rising Tech. Corp. LTD.

2 Review of Buffer Overflow Exploit

  Time     Virus Name        Financial Loss
  1989     Morris Worm       $96,000,000
  2001-6   CodeRed (I/II)    $2,600,000,000
  2003-1   SQL Slammer       $1,200,000,000
  2003-8   Worm.Blaster      $1,200,000,000
  2004-7   Worm.Sasser       $500,000,000
  ...

3 What is Buffer Overflow Exploit
  – Definition of a Buffer
  – How Buffers Are Exploited
  – How to Exceed Program Space
  – Overflow the Stack
  – What Follows a Buffer Overflow

4 An Example of Buffer Overflow

5 How to Detect and Prevent Buffer Overflow Exploit
  – Static Detection
  – Compile Time Detection
  – Network-based Detection
  – Host-based Detection

6 Static Code Analysis (Part I)
  – How it works? Source code level analysis

7 Static Code Analysis (Part II)
  – Advantages
    – Helps to improve an application
  – Disadvantages
    – Program analysis is inadequate
    – Modification and recompiling of source code are needed

8 Compile Time Detection (Part I)
  – How it works? Stack-smashing protection

9 Compile Time Detection (Part II)
  – Advantages
    – Nearly 100% protection of “simple function calls”
  – Disadvantages
    – Recompiling is needed
    – No sane way to protect “complex function calls”
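As an added illustration of the stack-smashing protection discussed in slides 8 and 9 (example code written for this page, not Rising's or StackGuard's own), the C below models the guard word a protecting compiler plants between a local buffer and the saved return address, and the epilogue check that catches an overflow before the function returns. The frame layout, the CANARY value and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a hand-rolled model of the guard word ("canary") that
 * StackGuard-style compilers plant between a function's local buffers
 * and its saved return address. The frame is an explicit struct, so the
 * overflow stays inside this object and the program's real stack is
 * never corrupted; the layout mirrors a protected frame. */
struct frame {
    char     buf[16];
    uint64_t canary;     /* guard word written in the prologue */
    uint64_t saved_ret;  /* what a real overflow is aimed at */
};

/* Reference guard value (constructed). A real protector draws it at
 * process start and usually includes a 0x00 byte to stop str* copies. */
static const uint64_t CANARY = 0x00c0ffee1badd00dULL;

enum copy_result { COPY_OK = 0, COPY_SMASHED = 1 };

/* Models an unchecked copy into a stack buffer followed by the epilogue
 * check. The copy goes through a byte view of the whole frame so the
 * behaviour stays well defined even when it runs past buf. */
enum copy_result guarded_copy(const char *src, size_t len)
{
    struct frame f;
    f.canary = CANARY;                   /* prologue: plant the guard */
    f.saved_ret = 0x401000;              /* placeholder return address */
    if (len > sizeof f) len = sizeof f;  /* keep the model in bounds */
    memcpy((unsigned char *)&f, src, len);   /* the unchecked copy */
    /* epilogue: verify the guard before the function would return */
    if (f.canary != CANARY)
        return COPY_SMASHED;   /* real protector: __stack_chk_fail() */
    return COPY_OK;
}

/* Feed 'len' bytes of filler through guarded_copy; 16 or fewer bytes fit
 * in buf, anything longer reaches the guard word and is detected. */
int probe(size_t len)
{
    char filler[64];
    if (len > sizeof filler) len = sizeof filler;
    memset(filler, 'A', sizeof filler);
    return guarded_copy(filler, len);
}
```

Calling probe(16) returns COPY_OK while probe(17) returns COPY_SMASHED; the check only fires at function return, which is why the slide notes that a real protector still terminates the program rather than letting it continue.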

10 Network-based Detection (Part I)
  – How it works? Analyze network data for attack code

11 Network-based Detection (Part II)
  – Advantages
    – Detects exploit code by rule
  – Disadvantages
    – Either a high number of false positive alerts or a low number of true positive alerts

12 Host-based Detection (Part I)
  – How it works? Executable space protection
    – Hardware solution (CPU)
    – Software solution

13 NX Technology
  – What is NX? NX stands for ‘No Execute’
  – CPUs which support NX: Sun's Sparc, Transmeta's Efficeon, newer 64-bit x86 processors: AMD64, IA-64, etc.
  – OSs that implement NX: Windows XP SP2, Windows Longhorn, Linux with NX patch

14 Software Solution From Rising Tech. (Part I)
  Solution 1: TDI driver (only for Windows)
  – How it works? Use a TDI driver to detect known buffer overflow exploits

15 Software Solution From Rising Tech. (Part II)
  Solution 1: TDI driver
  – Advantages
    – Detects viruses which exploit known vulnerabilities
  – Disadvantages
    – Fails to protect against unknown vulnerabilities

16 Software Solution From Rising Tech. (Part III)
  Solution 2: StackChecker (only for Windows)
  – How it works? Install a kernel driver to inspect system calls and detect invalid user calls from the stack or heap

17 Software Solution From Rising Tech. (Part IV)

18 Solution 2: StackChecker
  – Advantages
    – Detects viruses which exploit buffer overflows
  – Disadvantages
    – The victim program will eventually crash despite the warning

19 Summary (Part I)
  If you are a programmer
  – Check your source code manually
  – Use aid tools to find hidden bugs
  – Compile with StackGuard or other tools to avoid buffer overflow

20 Summary (Part II)
  If you are a network administrator
  – Apply an NIDS product
  – Update it promptly
  If you are a user
  – Apply the latest updates of your operating system
  – Try StackChecker to detect buffer overflow exploits in real time

21 The End

