[ISN] 'No Execute' Flag Waves Off Buffer Attacks

InfoSec News isn at c4i.org
Mon Feb 28 05:37:10 EST 2005


By John Breeden II
Special to The Washington Post
February 27, 2005

Pour a 12-ounce can of soda into an eight-ounce glass, and you've got
spilled soda and a sticky mess. Hackers know this principle, too. But
when they apply it in crafting viruses and worms, the mess is a lot
harder to clean up -- and, until recently, to prevent.

These exceedingly common "buffer overflow" exploits are one of the
most common ways computers get infected by viruses and worms, from the
"Great Internet Worm" of 1988 to 2003's Blaster.

They attack programs written in the widely-used C and C++ programming
languages. A malicious application will try to bowl them over with a
too-large chunk of data that hides some executable code. Once that
overflow crashes the target program, the embedded code can run and
perform whatever mischief it's assigned -- deleting your data or
turning your PC into a "zombie" that infects other machines or relays

In other words, instead of plain old soda, you spilled Evil Cola that
isn't content to stain the table but will try to hijack it.

If programmers wrote perfect software that could never be crashed by
an overload of data, buffer overflow attacks would be a thing of the
past. Various defensive techniques can also squelch overflow attacks,
and other programming languages, such as Java, don't permit them at
all (at the cost of slower performance). But rewriting or replacing
every program in existence just isn't going to happen anytime soon.

With last year's Service Pack 2 update to Windows XP, however, there
is a new defense. In that update, Microsoft built in special code
called the "no execute" (NX) flag that, when run on compatible
processors, blocks code from running in the memory areas targeted by
overflow attacks.

Finding those compatible processors may not be easy. AMD offers NX
support (which it calls "Enhanced Virus Protection") on all its Athlon
64 chips.

But at Intel -- which trailed AMD in adding this technology to its
consumer hardware -- the selection is much more random. Intel
spokeswoman Claudine Mangano said the following processors offer NX
support, which Intel calls "Execute Disable Bit Functionality": 520J,
530J, 540J, 550J, 560J, 570J, 630, 640, 650, 660 and "Extreme Edition"  
Pentium 4 desktop processors, plus the 730, 740, 750, 753, 758, 760
and 770 Pentium M laptop processors.

Pair up the right processor with an SP2 edition of Windows XP
(Microsoft's Windows Server 2003 with Service Pack 1, Red Hat
Enterprise Linux 3 Update 3 and SuSE Linux 9.2 also offer NX), and
your system should run just as it did before in daily use. We have yet
to see any programs break on an NX-enabled machine.

To test this feature in action, we ran a simple buffer-overflow test
that, on a computer without SP2, flashed a message on the screen to
signal a successful takeover.

We ran the same test on a desktop with an AMD Athlon 64 processor and
a laptop with a new Intel Pentium M chip, and the attack program got
nowhere. This defense wasn't without its cost: Each time, the computer
crashed as the attacking program tried to batter its way into the
NX-protected neighborhood.

A single buffer overflow should be blocked without incident by NX, but
this barrage was too much. A system crash, however, still beats losing
control of the computer.

NX cannot defeat all attacks. Participants on hacker newsgroups are
already mulling over ways to circumvent this barrier, and NX can't
stop tactics that don't employ buffer overflows.

NX is worth incorporating into your security plan -- either when you
buy your next Windows computer, or by (finally) installing SP2 on your
NX-ready machine -- but you'll still need to back it up with an
up-to-date antivirus program, a firewall and one or more anti-spyware

More information about the ISN mailing list