
technology 21 Infosecurity Today January/February 2005

Worm cure is a hard act

New techniques deliver unprecedented protection from Internet worms and promise fewer update headaches.

William Knight [email protected]

Hands up everyone who looks forward to upgrading all the desktop PCs in your company. No surprises there, then.

Upgrading the hardware and software of the corporate PC pool is probably the most loathed task in the IT department. Properly done, it involves test groups, regression issues, configuration control, careful planning, overtime and risk, not to mention pacifying grumpy users who lose their umbilical cords for a few minutes.

Ideally, enterprises base their decision to upgrade on a thorough cost-benefit analysis. But with security researchers discovering vulnerabilities daily and vendors sending out regular patches, the dangers of delaying upgrades are numerous and obvious.

Mark Cox, head of the security response team at Linux vendor Red Hat, is responsible for limiting Red Hat customers' exposure should they choose not to upgrade regularly. "We know [enterprises] can't always upgrade or even upgrade quickly. They don't want to do it every day or for everything that comes out, particularly things that have a minor impact. So how should we reduce the impact, and how should we protect them in the interim?" he asks.

Non-executable bits

One answer comes from microprocessor manufacturers. They have introduced a non-execution flag, sometimes known as NX, which distinguishes between sections of memory based on whether they run code or hold data. Without the flag, memory is a blank sheet and programs are free to overwrite data with code and code with data. Faults happen when programs clash over the same bits of memory, whether by design or accident, and open the system to abuse.

But the NX flag changes the landscape. In particular it stops a damaging class of malware, the worm, which exploits a buffer overflow to deliver its payload. Analyst firm Gartner reckons "The main vulnerability to buffer overflow attacks can be explicitly prevented in hardware."

AMD's brand of NX, the Enhanced Virus Protection or EVP, is available on AMD 64-bit processors; Intel's Execute Disable Bit function was introduced on the Itanium processor family in 2001.

Worms and buffer overflows

Robert Morris, at the time a Cornell University student, released the first internet worm, sometimes called the Great Worm, on 8 November 1988. It was a small piece of C code that exploited a buffer overflow and replicated itself across the nascent internet, infecting over 6000 computers. The idea was reportedly suggested by his father, a US National Security Agency analyst, who was worried about the (then-theoretical) security threat posed by unchecked buffers.

Executable code (a program) is set out as a list of instructions in one long contiguous area of computer memory. This is akin to writing the instructions on a long scroll of paper. On this scroll, there are areas for commands that tell the computer what to do, and areas to store user-specific data and results.

Sometimes, if the space for user input is too small, just as with filling in the boxes on a preprinted banking form, it's possible to keep writing until the instructions themselves have been written over. When a worm invades memory it fills the boxes with its code. So when the computer tries to run the original instructions it executes the worm code, which then takes control of the system and copies itself to infect other computers.



Dave Everitt, AMD's product manager for Europe, points to a two-pronged defence. Support is needed in the hardware, he says, and then, at a minimum, vendors must recompile their operating systems and regression-test them before release.

This takes time. Only recently have mainstream OS (operating system) vendors released versions that take advantage of the new hardware. But NX functionality is now available on Microsoft Windows Server 2003 with Service Pack 1, Microsoft Windows XP with Service Pack 2 (SP2), SUSE Linux 9.2 and Red Hat Enterprise Linux 3 update 3.

Everitt says mobile computing and gaming as well as tougher enterprise requirements are driving security improvements. "[NX] is really important for mobile network access," he says. "At a hotspot you have no idea of the host's virus policy; you could be downloading anything. And who knows what could be downloaded from an online gaming link."

Red Hat's Enterprise Linux v3.3 uses the non-executing bit and also includes Exec-Shield, which delivers similar protection for non-NX processors using software. This feature was added specifically to protect legacy systems for companies who have put off upgrades.

Red Hat's original intention was to put Exec-Shield into Enterprise Linux v4, but it was so effective Red Hat moved it up. "We looked at all the [buffer overflow] exploits over a year and all of them would have been blocked. That's why we accelerated it," says Cox.

Complicity and legality

Exploiting a buffer overflow is a technical challenge but by no means impossible. Programmers are largely to blame for leaving holes in applications through shoddy testing, poor technique or simple mistakes, but an unchecked buffer is actually the default condition for some programming languages. According to Gartner, overflow continues to be an ingrained feature of most software development.

Top of the malware that exploits buffer overflows is the internet worm (see box), which uses them to self-replicate without the need for user interaction. An internet worm can travel the world in minutes, tearing open servers and inflicting arbitrary damage.

Generally speaking, software vendors are determined to increase user protection since most exploits come from specific coding errors. Despite the "shrink-wrap" licence conditions users sign, litigation looms if vendors aren't seen to do everything they can to reduce risks to users.

Currently, the law on this matter is uncertain and lacking precedent. But vendors operating in the USA face theoretical risk, as Jon Fell, partner and technology expert at law firm Pinsent Masons, explains. "While there have been no cases to decide this question, there is certainly a risk that an innocent party who fails to take steps to keep hackers from entering their systems could be found negligent if through them hackers caused disruption to other parties."

Fell says that under Welsh and English law there is not yet a clear legal requirement to keep systems sufficiently secure that they cannot be used to cause damage to third parties. "This means that even a business whose lax security has allowed a hacker to launch attacks via its systems may escape liability for any damage the hacker causes to innocent parties."

A changing environment

While the law is still catching up, the arms race with hackers escalates. A promising method involves changing the memory footprint of a system to prevent harmful code from running. Cox says that worms often rely on knowing where in memory, known as an offset, they are located. To jump back into the stack you need to know the offsets. This is possible because any one operating system always loads its components into memory at the same addresses.

"At the moment, all the machines look the same," says Fell. "But if executables are loaded randomly and the operating system looks different on each launch, knowing the offsets is impossible and therefore writing a worm becomes extremely difficult."

The advantage of changing the memory map has not been lost on Gartner. It suggests Microsoft used it in Service Pack 2 for XP. "Recompilation brings another benefit," it said recently. "Microsoft carries software modules unchanged across many versions and generations of Windows. It is this consistency that allows the worms to attack Windows NT, 2000, XP and Server 2003 in one outbreak. SP2 forces a recompilation and restructuring of almost every Windows component. This restructuring changes the 'shape' of the code, and worms written for older versions will not work on SP2."

Pinsent Masons' Jon Fell: innocents risk negligence charge.

Recompilation renders existing exploits obsolete but does not stop new worms. Cox explains how Red Hat has used a feature known as PIE (Position Independent Executables) to stop worms past and future. Because the worm depends on the memory address of its own code to begin execution, loading the operating system differently each time it boots can stop it.

The starting point of the worm's payload is random; this makes it difficult to take advantage of a buffer overflow. "It [a worm] has to be a lot cleverer," Cox says. "It's likely to crash the program with a wrong address, and when restarted the exploit chance is lost."
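Both defences described in this article, the NX bit in the "Non-executable bits" section and the PIE randomisation Cox explains above, only protect a binary that was built to use them. As an added example, not code from the article, Red Hat or AMD, the following C checker reads the headers of an ELF64 image and reports whether its stack is marked non-executable (a PT_GNU_STACK program header without the execute flag) and whether it is a position-independent executable (ELF type ET_DYN); the function names, the HARDEN_* values and the constructed sample image are assumptions of this example, and the image is assumed to be little-endian.

```c
/* Added example (not the article's code): does an ELF64 image opt in to the
 * NX stack (PT_GNU_STACK without PF_X) and to load-address randomisation (PIE)? */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ET_DYN       3           /* shared object or PIE; ET_EXEC is 2 */
#define PT_GNU_STACK 0x6474e551  /* program header carrying stack permissions */
#define PF_X         1           /* segment flag: executable */
#define EHDR_SIZE    64          /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE    56          /* sizeof(Elf64_Phdr) */
enum { HARDEN_PIE = 1, HARDEN_NX_STACK = 2, HARDEN_BAD_IMAGE = -1 };
static const uint8_t elf_magic[4] = { 0x7f, 'E', 'L', 'F' };

/* Little-endian field access; the image is assumed to be ELFDATA2LSB. */
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns a mask of HARDEN_* bits, or HARDEN_BAD_IMAGE for a malformed buffer.
 * Without a PT_GNU_STACK header the x86 Linux loader has traditionally fallen
 * back to an executable stack, so NX would protect nothing: absence is not hardened. */
int elf64_hardening(const uint8_t *buf, size_t len) {
    if (len < EHDR_SIZE || memcmp(buf, elf_magic, 4) != 0 || buf[4] != 2)
        return HARDEN_BAD_IMAGE;                     /* buf[4] == 2 is ELFCLASS64 */
    uint64_t phoff = rd(buf + 32, 8), phnum = rd(buf + 56, 2);
    if (rd(buf + 54, 2) != PHDR_SIZE || phoff > len ||
        phnum > (len - phoff) / PHDR_SIZE)
        return HARDEN_BAD_IMAGE;                     /* program headers outside buffer */
    int flags = rd(buf + 16, 2) == ET_DYN ? HARDEN_PIE : 0;
    for (uint64_t i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + i * PHDR_SIZE;
        if (rd(ph, 4) == PT_GNU_STACK && !(rd(ph + 4, 4) & PF_X))
            flags |= HARDEN_NX_STACK;                /* stack requested non-executable */
    }
    return flags;
}

/* Builds a constructed minimal image (header plus one PT_GNU_STACK entry) and
 * runs the check on it, so the logic can be exercised without a real binary. */
int check_sample(uint16_t e_type, uint32_t stack_flags) {
    uint8_t img[EHDR_SIZE + PHDR_SIZE] = { 0 };
    memcpy(img, elf_magic, 4);
    img[4] = 2; img[5] = 1;                          /* ELFCLASS64, ELFDATA2LSB */
    wr(img + 16, e_type, 2);                         /* e_type */
    wr(img + 32, EHDR_SIZE, 8);                      /* e_phoff: right after the header */
    wr(img + 54, PHDR_SIZE, 2); wr(img + 56, 1, 2);  /* e_phentsize, e_phnum */
    wr(img + EHDR_SIZE, PT_GNU_STACK, 4);            /* p_type */
    wr(img + EHDR_SIZE + 4, stack_flags, 4);         /* p_flags: PF_X set = executable */
    return elf64_hardening(img, sizeof img);
}
```

On a real system the same headers are what `readelf -h` (Type) and `readelf -l` (GNU_STACK) print, so the check can be compared against those tools.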

Replacing older computers with NX-enabled systems may reduce the need for virus-related repairs and may cut out software patches for buffer overflow attacks. IT managers would welcome this, especially as there seems to be no serious downside to these techniques. Cox warns of minor performance degradation with NX-enabled hardware, but the promise of worm-resistant computers seems sound.

Perhaps that is why Gartner is so enthusiastic about the NX concept. "Short of installing host-based intrusion prevention at every desktop (at a potentially non-trivial cost), NX support is one of the few opportunities to make a significant difference in disrupting worms' DNA." Gartner is 90% certain that by 2009, NX-enabled Microsoft XP SP2 systems will not propagate buffer overflow worms at all.

But while the internet worm may become an historical curiosity, it seems certain hackers are working on a fitter replacement. "The worm is dead; long live the worm," they cry. But let us hope the worm turns on them instead.

William Knight is a technology writer with 18 years' experience in software development and IT consulting. He writes for titles that include Computing, JavaPro and Gantthead.com.

Red Hat's Mark Cox: an enterprise cannot always upgrade.