Recently, a design defect known as buffer overflow has been seriously endangering system security and has become a headache in the Y2K era. Once this defect is discovered by someone with ulterior motives, it is exploited as a means of illegal intrusion to damage the information in a computer. According to statistics, buffer overflow attacks account for more than 80% of all attacks on systems. The distributed denial of service (DDoS) attacks that major network sites recently suffered are also attacks that use the buffer overflow principle.
Put simply, buffer overflow is a means of attacking a system: by writing content longer than the buffer into a program's buffer, an attacker causes an overflow that corrupts the program's stack and makes the program execute other commands, attacking the program. In the distributed denial of service (DDoS) attacks, intruders entered overly long strings into areas such as the communication bar, exceeding the designed capacity; some of the surplus characters were mistaken by the computer for an execution password, giving intruders the opportunity to access the computer without the system being aware of it. Some reports have pointed out that "buffer overflow" is a very common computer security problem that has occurred throughout the past decade, and that intruders can use it to fully control computers.
Common tactics of buffer overflow hackers
On Unix systems, obtaining root privileges through a buffer overflow is a widely used hacker technique. In fact, it is the preferred attack method once a hacker already has a basic account on the system. It is also widely used in remote attacks: in many cases a root shell has been obtained remotely through a stack overflow in a daemon process.
Buffer overflows also exist on Windows. Moreover, with the popularity of the Internet, there are more and more Internet service programs on Windows platforms. Low-level Windows programs are critical to the system because they too can cause remote stack overflows. By comparison, the users and administrators of the targeted systems generally lack security awareness. If a stack overflow occurs in a Windows system and is exploited maliciously, the entire machine will be controlled by hackers, which may cause the entire LAN to fall into their hands. Microsoft's IIS Server 4.0 has been found to have a defect known as "illegal HTR requests". According to Microsoft, under certain circumstances this vulnerability may allow arbitrary code to run on the server, and hackers can exploit it to completely control IIS servers. In fact, many e-commerce sites are based on this system.
How hackers corrupt the buffer
Next, let's look at the principle of buffer overflow. In general, the C language does not perform array bounds checking. Many applications written in C assume that the buffer is large enough, that is, that its capacity is greater than the length of the string to be copied. This is not always the case. When a program fails or a malicious user deliberately sends an overly long string, many unexpected things happen: the extra characters overwrite the space of other variables adjacent to the array, giving those variables unexpected values. If the array happens to be adjacent to the subroutine's return address, the overlong string may overwrite that return address, so that when the subroutine finishes it returns to an unexpected address and the program's execution goes wrong. If the application then accesses an address outside the process's address space, the process suffers an access violation fault. This type of error is common in programming.
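The overwrite described above, as an added C example that is not part of the original article: it models a stack frame as a struct (a 16-byte local array, an adjacent variable, and a saved-return-address slot, all constructed for the demonstration) so that the effect of an unchecked copy is deterministic and visible, and places a bounded copy beside it. The frame layout, the sentinel return address, the 'A'-filled inputs and the helper names are assumptions of the example, not anything from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame. Lower offsets come first: a local
 * array that is written upward, then an adjacent local variable, then the
 * slot holding the saved return address. The layout and the sentinel
 * value are assumptions chosen for this demonstration. */
#define BUF_SIZE 16
#define RET_SENTINEL 0x08048abcu   /* stands in for a real return address */

struct frame {
    char     buf[BUF_SIZE];   /* local array, no bounds check by the language */
    uint32_t authorized;      /* adjacent local variable, 0 == not authorized */
    uint32_t saved_ret;       /* where the subroutine will return to */
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->authorized = 0;
    f->saved_ret = RET_SENTINEL;
}

/* The unchecked pattern the text describes: every byte of the input,
 * terminator included, is written starting at buf, exactly as strcpy does.
 * The clamp only keeps the model inside the struct; a real strcpy has no
 * clamp and keeps writing past the frame. */
static void unchecked_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* The bounded form: copy at most BUF_SIZE - 1 bytes, always terminate,
 * and never write outside buf. */
static void bounded_copy(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
}

/* Bit 0: the adjacent variable changed; bit 1: the return address changed. */
static int corrupted_slots(const struct frame *f) {
    int mask = 0;
    if (f->authorized != 0) mask |= 1;
    if (f->saved_ret != RET_SENTINEL) mask |= 2;
    return mask;
}

/* Build a constructed input of `len` 'A' bytes and run one copy variant. */
static int run_copy(size_t len, int bounded) {
    char input[64];
    struct frame f;
    if (len > sizeof input - 1) len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    frame_init(&f);
    if (bounded) bounded_copy(&f, input); else unchecked_copy(&f, input);
    return corrupted_slots(&f);
}

int overflow_result(size_t len) { return run_copy(len, 0); }
int bounded_result(size_t len)  { return run_copy(len, 1); }

int main(void) {
    size_t lens[] = {15, 19, 24, 40};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes: unchecked corrupts mask %d, bounded corrupts mask %d\n",
               lens[i], overflow_result(lens[i]), bounded_result(lens[i]));
    return 0;
}
```

With 15 bytes the input fits and nothing outside the array changes; at 19 bytes the adjacent variable is clobbered (mask 1) while the return slot is still intact; at 24 bytes the return slot is overwritten as well (mask 3). The bounded copy returns mask 0 for every length, which is the property a reviewer should look for in any function that copies untrusted input into a fixed-size array.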
A program that attempts to corrupt the system or access it illegally by exploiting a buffer overflow usually consists of the following parts:
1. Prepare a string of machine code that can call up a shell; below we call it shellcode.
2. Allocate a buffer and place the machine code at the low end of the buffer.
3. Estimate the likely starting position of the machine code on the stack and write this position to the high end of the buffer. This starting position is also a parameter that must be adjusted repeatedly when running the program.
4. Pass this buffer as an input parameter to the system program that has the buffer overflow error, and execute that flawed program.
Through the above analysis and examples, we can see that buffer overflow poses a huge threat to system security. On Unix systems, using a well-crafted program to exploit such an error in a SUID program can easily obtain the privileges of the system's superuser. When a service program provides a service on a port, a buffer overflow program can easily shut the service down, paralyzing the system service for a period of time and possibly crashing the system outright, which makes it a denial-of-service attack. This kind of error is not only a programmer's mistake; it also occurs in the implementation of the system itself. Today, buffer overflow errors are constantly being discovered in UNIX, Windows, routers, gateways, and other network devices, and they constitute the largest share of threats to system security.