FYI: Stackdefender - Win32 IPS
  1. #1
    Senior Member
    Join Date
    Jan 2003

    FYI: Stackdefender - Win32 IPS

    1.- Announcing StackDefender v1.00:

    Stackdefender is an IPS (Intrusion Prevention System), for WIN32, that
    will deny shellcodes from executing in User Stack and Writable memory
    regions. Stackdefender will protect your Windows server from successful
    exploitation of buffer overflows, 0-days, worms...

    Buffer Overflows are very common and difficult to avoid in closed source
    programs. The only chance for end users to protect these programs was to
    trust the programmers' skills. From now on, with StackDefender you have
    the solution. With its unique technology, StackDefender will protect
    transparently all the installed programs in your Windows server,
    preventing buffer overflow exploitation.

    Sample list of stopped worms/overflows:

    * Slammer exploiting an MS SQL overflow.
    * CodeRed exploiting an IIS overflow.
    * MS-Blaster exploiting RPC-DCOM overflow.
    * IIS WebDav buffer overflow.
    * MS SQL multiple buffer overflows.
    * SunONE heap overflow.
    * Microsoft RPC-DCOM multiple buffer overflows.

    Find further info at:
    I just received a newsletter from Next Generation Security Technologies and it had mention of this software. I haven't seen it mentioned on here, so I thought I'd throw this up, both to inform other AO members and to see if anyone has heard of it/used it before. It has a rather hefty price tag ($849 USD) but there is a trial available on the website, which I'm thinking of giving a try. It seems like it'd be a great step towards securing a system if it actually works properly. The website has a few screenshots and a document on how it stopped Blaster. It's definitely worth checking out in my opinion. After I've given it a try, I'll mention it here and let y'all know how it went for me....
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member
    Join Date
    Jan 2002
    FYI there are quite a few things like this for Linux / BSD systems, the most notable one of which is libsafe.

    It's a very good idea; however, it doesn't protect from all buffer overflows.

    It will stop a lot of script kiddie exploits and worms because the stock exploits are unlikely to work. Only buffer overflows that are caused by specific C library functions will be stopped; however, in practice nearly all are.

    I have no idea how the win32 one works, but I assume it's a similar principle, i.e. it modifies a DLL or inserts code that gets linked before the DLL to modify various C library functions.

    However another weakness of this approach is it does nothing for statically linked programs.

    I have no idea if M$ normally do statically link their programs (seems unlikely), but some programs on Linux (like MySQL) are statically linked for greater performance (albeit heavier memory usage).

    Oh yes, one other thing... Stack protection technology does nothing against non-overflow based exploits. Some programs, notably Internet Explorer, have historically had a lot of non-overflow based vulnerabilities, for example parsing errors and problems with the JavaScript security model. So it's not a magic bullet.
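The principle post #2 describes for libsafe (intercept a C library copy routine and refuse any copy that would reach the current stack frame's saved state) as an added C example; this is illustration code, not libsafe's or StackDefender's own, and it assumes GCC or Clang for `__builtin_frame_address`, a downward-growing stack, and constructed input strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes that may be written at dst before the copy reaches the saved frame
 * pointer / return address that start at `frame`. A destination that is not
 * below `frame` (heap, globals, a caller's buffer) is treated as unbounded
 * here; real libsafe walks outward through caller frames instead.
 * Assumes a downward-growing stack (x86, x86-64, ARM). */
size_t frame_room(const void *dst, const void *frame) {
    uintptr_t d = (uintptr_t)dst, f = (uintptr_t)frame;
    return d < f ? f - d : SIZE_MAX;
}

/* strcpy stand-in: returns 1 if copied, 0 if refused because the copy
 * would run into the frame's saved state. */
int guarded_strcpy(char *dst, const char *src, const void *frame) {
    size_t need = strlen(src) + 1;          /* bytes including the NUL */
    if (need > frame_room(dst, frame))
        return 0;
    memcpy(dst, src, need);
    return 1;
}

/* Stands in for a closed-source routine that strcpy()s untrusted input
 * into a fixed stack buffer. */
int copy_into_stack_buffer(const char *input) {
    char buf[32];
    /* __builtin_frame_address(0) is where this frame's saved state begins,
     * i.e. the first address the copy must never reach. */
    int ok = guarded_strcpy(buf, input, __builtin_frame_address(0));
    if (ok)
        printf("copied %zu bytes into buf\n", strlen(buf) + 1);
    return ok;
}

/* Constructed inputs: a short string, and 4096 bytes of 'A'. */
int demo_short(void) { return copy_into_stack_buffer("hello, world"); }

int demo_long(void) {
    static char big[4097];                  /* static: keeps it off the stack */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_into_stack_buffer(big);
}

int main(void) {
    printf("short input copied: %d\n", demo_short());   /* 1 */
    printf("long input copied:  %d\n", demo_long());    /* 0: refused */
    return 0;
}
```

Note that, exactly as post #2 says, the guard only helps when the program actually calls the intercepted library routine; a statically linked binary or an inlined copy loop bypasses it entirely.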

