de-DEen-US
Language
Search
× Search
Monday, December 23, 2024
ProductsBufferShield

BufferShield 1.01M

BufferShield is a security tool, preventing the exploitation of buffer overflows. It detects intrusion attempts and terminates the compromised application.

Sys-Manage BufferShield PackageOver the past few years, there has been a sharp rise in the number of reported vulnerabilities and worms.

The main reason existing security technologies fail to protect organizations from emerging security threats, is that they rely on incomplete or inaccurate information. Some rely on analyzing network traffic, others use signatures of known attacks, whilst some combine both.

But, none of these technologies can effectively protect organizations from the new breeds of computer worms and other malicious attacks.

Our customers use BufferShield in a wide variety of ways:

  • Add an additional security layer to Windows update, virus scanners and firewalls
  • Enhance the security on current desktop and server operating systems
  • Enhance the security on critical infrastructure systems
  • Enhance the security for no longer supported legacy OS like Windows NT 4.0 and Windows 2000, still being targeted
  • Survive the day-0 phase, that any publicly known vulnerability goes through, until hotfixes / patches are available
  • As a honeypot component, triggering an alarm in order to discover new and harmful threats at the earliest possible stage

Contrary to Microsoft's hardware based DEP technology, requiring the installation of service pack 2 for XP and the availability of certain processor features (Intel's XD and AMD's NX technology), BufferShield protects all Microsoft operating systems beginning with NT4, even if such a hardware is not present.

Beside of that the hardware enforced Data Execution Prevention feature (DEP) in Windows XP SP2 and Windows Server 2003 SP1 and SP2 doesn't offer a reliable protection against buffer overflows in its default settings. Please click here to learn more about the benefits of using BufferShield instead of hardware DEP.

Microsoft's DEP software based approach does, opposed to the widespread believe of protecting from buffer overflows, explicitly protect from one specific exploit that occurred one time only and is based on overwriting the pointer to the SEH exception handler.

Please feel free to use our DEPTest tool to verify your computer’s current security settings regarding the mentioned pitfalls with MS software & hardware based NX protection.

To combat these security threats BufferShield uses an innovative pro active technology, which prevents that malicious code exploits a system function or takes advantage of functionality inside the executables.

BufferShield is capable of detecting and preventing the exploitation of buffer overflows, responsible for the majority of security related problems faced today.

Upon detection it creates an entry within the event log and optionally terminates the application in question, preventing the execution of potentially malicious code.

Buffer overflows are commonly used by hackers and viruses to introduce malicious code into your systems. For example the Zotob, Sasser or LovSan / MSBlaster worms used such a technique to attack remote systems.

BufferShield uses similar technologies, implemented by the PaX project to protect the Linux platform from buffer overflows.

BufferShield is the only product available for Microsoft platforms allowing the definition of a protection scope, specifying which applications or services should or should not be protected. Additionally the protection scope allows the exclusion of certain memory ranges that should be excluded. This is necessary because some applications actually generate dynamic code on the stack or heap and attempt to execute it afterwards, being detected by BufferShield as an attempted exploitation of a buffer overflow.

BufferShield's key features:

  • Detects code execution on the stack, default heap, dynamic heap, virtual memory and data segments
  • Can terminate applications in question if a buffer overflow was detected
  • Reports to the Windows® event log in case of any detected overflows
  • Allows the definition of a protection scope to either protect only defined applications or to exclude certain applications or memory ranges from being protected
  • Utilizes Intel XD / AMD NX hardware based technology if available
  • SMP support
  • Address Space Layout Randomization (ASLR)

BufferShield supports the following operating systems:

  • Microsoft Windows® NT 4.0 Workstation
  • Microsoft Windows® NT 4.0 Server
  • Microsoft Windows® NT 4.0 Server Enterprise Edition
  • Microsoft Windows® NT 4.0 Terminal Server Edition
  • Microsoft Windows® 2000 Professional
  • Microsoft Windows® 2000 Server
  • Microsoft Windows® 2000 Advanced Server
  • Microsoft Windows® XP Professional
  • Microsoft Windows® XP Home Edition
  • Microsoft Windows® 2003 Server Standard Edition
  • Microsoft Windows® 2003 Small Business Server
  • Microsoft Windows® 2003 Server Enterprise Edition
  • Microsoft Windows® 2003 Server Web Edition
  • Microsoft Windows® 2003 Datacenter Edition

BufferShield is compatible with Antivirus Software like:

  • Symantec Norton AntiVirus
  • Kaspersky Anti-Virus
  • CA EZ Antivirus
  • G Data AntiVirenKit
  • Trendmicro PC-cillin Internet Security
  • ...

BufferShield is currently incompatible with VMWare, Microsoft Virtual PC & Virtual Server 2005 R2

Download

You need to get registered or login before you can download files.

What is a Buffer Overflow?

A buffer overflow is a common problem for today's users of computer systems.

It occurs if memory allocated by an application program does not provide enough storage to serve a current request.

If, for example, an application has an interface providing some simple input controls without field length validation it will be possible for the user to cause such an overflow, if the amount of data entered exceeds the range of memory allocated by the application. As a result memory would get corrupted. It would effectively destroy data stored in the location following the buffer that got overwritten.

This is just an example, because only few users would attempt to hack their own systems.

You might ask yourself, how can this be used to introduce malicious code into a system ?

If we look at the most common form of overflows, the stack based buffer overflow, the answer lies in the way the processor stores internal, control flow relevant data, together with application data on the stack. Local variables declared in a program's function are usually allocated on the stack. The processor itself uses the stack area during function calls to store the return address, in order to be capable of continuing the control flow, upon function completion, where the function has been called from. Because this return address is stored following a function's local variables, it can be potentially overwritten by a buffer overflow.

This allows an attacker to decide where the CPU should continue the control flow upon the function's completion. If the attacker correctly chooses the data he or she uses to overflow the buffer, it will be possible to let the CPU continue execution within some part of the data used to overflow the buffer, thus allowing the introduction and execution of malicious code.

A heap based overflow works differently. Applications use the heap area of memory to store data available during the entire lifetime of the process. There are two different kinds of heaps on Windows systems. The single instance of the application default heap is allocated by the system during process creation. Dynamic heap is allocated by an application.

To increase performance, multithreaded applications tend to allocate an additional heap for each running thread. The reason for this is that the single instance of the default heap requires synchronization mechanisms to prevent two threads from accessing the same address at one time.

Lets imagine an application using some function pointers stored on the heap, to allow some kind of dynamic data processing. It would be possible to overflow another data buffer located on the heap as well, to gain control of those function pointers. An attacker could potentially let those pointers point to some malicious code, contained in the data used to overflow the data buffer.

Another potential method is overwriting global variables or static variables defined within the scope of a function. These are stored within the data segment of an application. As a result static variables are not being removed from the stack upon function completion, opposed to stack based variables. A very common scenario for this are C++ class methods, because they are similar to globally available variables (struct) and they use function pointers to implement a classes methods causing them to end up in the data segment.

The described methods can be used by an attacker in many ways. Some potentially scenarios are
described below:

  • Getting a network service to execute code upon receiving maliciously crafted requests. This recently happened to the Microsoft RPC Service in the form of the LoveSan virus. Other potential targets for this kind of attack are Web Servers, Mail Servers and others.
  • Getting an eMail client to execute code upon receiving mail traffic by using a maliciously crafted e-mail message.
  • Getting a Web Browser to execute code upon visiting a maliciously crafted web page.
What is BufferShield?
BufferShield is security software, capable of de- tecting and preventing so called "buffer overflows", that can enable an attacker to introduce malicious code into the affected systems and gain full access to them.
Why do I need BufferShield?

The answer to this question is in the word "proactive security mechanism".

Antivirus scanners use so called "Antivirus definitions / patterns" to detect (already known) malicious code in files which already arrived your hard drive. It can't detect new / yet unknown malicious code and is not capable of detecting malicious code in the system memory. It therefore is not a proactive security mechanism.

Anti spyware programs can scan your hard drive and / or memory for "already known" spyware programs. Nothing more and nothing less. Anti spyware programs are also not proactive. Firewalls also straighten the security for your systems by defining special rules for the data transfer between intranet and internet. Only the route of the data streams will be secured. It will not scan the data which runs through it for possible malicious code and cannot prevent, that a hacker uses security holes in software that is installed on your systems to gain full access to them.

Buffer overflow protection is a new era of nowadays security mechanisms. It extends the three above mentioned mechanisms with a further one, the PROACTIVE SECURITY THOUGHT!

BufferShield can prevent exploitation of security holes that are based on buffer overflows. Such security holes are located in many software products and lead regularly to VERY CRITICAL events in which victim's systems being successfully attacked and confidential company information is being stolen day by day. If, and i consciously say "if" the security hole becomes public (and is not tacitly misused by the discoverer itself) the developer of the affected software has to rewrite his software and must make a patch, update or bugfix available.

The time between this discovery and the publication of the bugfix by the software manufacturer can vary between some hours (ideal case), some days, some weeks till never ever. Many known security holes are not fixed and the software is something like a time bomb, waiting for the hacker to ignite it. Even Internet Explorer and also some well known antivirus products had and / or have actual unfixed security holes!

BufferShield's technique prevents systems from being exploited by even unknown security holes and therefore is a proactive security mechanism, the new era of today's security.

How BufferShield differs from competitors?
In contrary to com- petitor's software, BufferShield covers all different types of memory and not only some few. It offers a more extensively protection. In contrary to competitor's software BufferShield is cheaper!
Terms Of UsePrivacy StatementCopyright © Sys-Manage, 1998-2024. All Rights Reserved.
Back To Top