Buffer-Overflow Attacks: Perimeter Defenses No Panacea
Guest commentary: When the attack gets to a privileged machine, your firewall does you no good, Symark Senior Technical Support Specialist Richard Williams writes. Limiting privileges can limit the scope of the attack.
By now youve probably read about, if not experienced, buffer-overflow attacks. In fact, recent CERT statistics indicate that more than 60 percent of advisories refer to buffer-overflow attacks. And because many of the attacks come through enterprise intranets (which are open by design), perimeter defenses cant provide the protection required to keep these malicious data streams from doing damagepotentially in your enterprise. In some cases, buffer overflows cause asset destruction, requiring hundreds of hours of "forensic programming" to reconstruct or restore the destroyed assets. So what can be done to prevent them? One conceptual defense is easier said than done: writing programs that check buffers. More often the recommendation is to install the latest patch that fixes the vulnerability. There are other preventative security measures and ways to mitigate the damage.
A good preventative defense starts first by protecting assets based on their value to the enterprise. Since there will be buffer overflows if enough code is created over time (a humanistic certainty), place a higher scrutiny/protection priority on the more valuable code, and limit its ability to operate as a privileged user.
In the example illustrated above, weve determined that among our highest-valued data assets are computer account data (such usernames and passwords); HR data (such as Social Security numbers, salary information and stock-option information), and HIPAA or financial data are higher-value. The various data is protected from buffer-overflow attacks by limiting the applications that access this data, both in duration and privilege. For example, user accounts are added via a program that runs as root but must be executed from a specific host and directory, started by a specified administrators, and run only at a certain period of time during specified weekdays. Another best practice to mitigate damage caused by a buffer-overflow attack is restricting access beyond the compromised host. Even if the attacker gains root-level access, minimize the hackers ability to gain root access to other hosts by securing each hosts unique root password needed to invoke superuser privileges.
Although software developers are working diligently to write good programs, best practice to address buffer-overflow attacks involves analyzing and prioritizing assets based on their value to your company, protecting these assets by restricting administrative and particularly root privileges, and minimizing the attackers ability to gain access to other machines beyond the compromised host. Richard Williams is a Senior Technical Support Specialist for Symark Software of Westlake Village, Calif. He has been involved in Unix computing, networking and security since 1983.