FYI: Stackdefender - Win32 IPS

Quote:

---

1.- Announcing StackDefender v1.00:
-----------------------------------

Stackdefender is an IPS (Intrusion Prevention System) , for WIN32, that
will deny shellcodes from executing in User Stack and Writable memory
regions. Stackdefender will protect your windows server from successful
exploitation of buffer overflows, 0-days, worms...

Buffer Overflows are very common and difficult to avoid in closed source
programs. The only chance for end users to protect these programs was to
trust the programmers skills. From now on, with StackDefender you have
the solution. With its unique technology, StackDefender will protect
transparently all the installed programs in your windows server,
preventing buffer overflow exploitation.

Sample list of stopped worms/overflows:

* Slammer exploiting an MS SQL overflow.
* CodeRed exploiting an IIS overflow.
* MS-Blaster exploiting RPC-DCOM overflow.
* IIS WebDav buffer overflow.
* MS SQL multiple buffer overflows.
* SunONE heap overflow.
* Microsoft RPC-DCOM multiple buffer overflows.

Find further info at:

http://www.ngsec.com/ngproducts/stackdefender/

---

I just recieved a newsletter from Next Generation Security Technologies and it had mention of this software. I haven't seen it mentioned on here, so I thought I'd throw this up. Both to inform other AO members and to see if anyone has heard of it/used it before? It has a rather hefty price tag ($849 USD) but there is a trial available on the website, which I'm thinking of giving a try. It seems like it'd be a great step towards securing a system if it actually works properly. The website has a few screenshots and a document on how it stopped Blaster. It's definately worth checking out in my opinion. After I've given it a try, I'll mention it here and let y'all know how it went for me....

FYI there are quite a few things like this for Linux / BSD systems, the most notable one of which is libsafe.

It's a very good idea, however it doesn't protect from all buffer overflows.

It will stop a lot of script kiddie exploits and worms because the stock exploits are unlikely to work. Only buffer overflows that are caused by specific C library functions will be stopped; however in practice nearly all are.

I have no idea how the win32 one works, but I assume it's a similar principle - i.e. it modifies a DLL or inserts code that gets linked before the DLL to modify various C library functions.

However another weakness of this approach is it does nothing for statically linked programs.

I have no idea if M$ normally do statically link their programs (seems unlikely), but some programs on Linux (like MySQL) are statically linked for greater performance (albeit heavier memory usage)

(edit)
Oh yes one other thing... Stack protection technology does nothing against non-overflow based exploits. Some programs, notably Internet Explorer, have historically had a lot of non-overflow based vulnerabilities, for example parsing errors and problems with the javascript security model. So it's not a magic bullet.
(end edit)

Slarty