Dailydave mailing list archives
RE: Understanding Windows Heap Overflows
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Sat, 8 Oct 2005 02:24:20 -0400
> There was an academic paper on a nop detection method called "STRIDE".

I assume you are referring to "Stride: Polymorphic Sled Detection Through Instruction Sequence Analysis".

> Is this what commercial IDS's are implementing today or do they use something dumber?

CheckPoint has something called "Malicious Code Protector". There isn't much info on it available, but they claim to file patents on their techniques. From the sound of it, they try to do more than just detect nop sleds.

From what I heard ISS might have some sort of shellcode checks as well, but it's possible I misunderstood the ISS guy I talked to. I don't think that either of them uses STRIDE...

> Is there an open source version of STRIDE available for testing?

I don't think there's one. STRIDE is actually a part of the "EAR" project these guys have. All they publicly disclose is a very basic pseudo-code for STRIDE... Other than STRIDE, there's Fnord and "Abstract Payload Execution"... which shouldn't be overlooked either.

> They claim very low false positives, but it seems like any email with a lot of A's should trigger it...

The tricky thing here is knowing how they actually use the STRIDE engine. As the paper implies, the engine is fed data from particular protocol fields (e.g., HTTP URI), so, in theory, if the protocol parser does a good job there wouldn't be any false positives if you simply stuff the email body with lots of A's. I've done some work in this area as well, but it's never been finished due to other more immediate projects. It would be interesting to revisit the project if you're willing to use it in your tests.

Kyle
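To make the STRIDE criterion and the "lots of A's" concern concrete, here is an added example (not STRIDE's engine, not the EAR project's pseudo-code, and not any vendor's product). It applies STRIDE's core test, "does execution from every offset of an n-byte window decode cleanly?", over a small hand-picked table of x86-32 opcode lengths; that table and the 32-byte window are assumptions made to keep the example short. Run on raw bytes, a run of 0x41 (`inc ecx`) passes the test, which is exactly why the protocol-field scoping discussed above matters.

```python
from typing import Dict

# Constructed subset of x86-32 encodings: opcode byte -> instruction length.
# A real engine decodes the full ISA; anything missing here counts as invalid.
INSN_LEN: Dict[int, int] = {}
for op in [0x90, *range(0x40, 0x60), *range(0x91, 0x9A), 0x9E, 0x9F, 0xF5,
           0xF8, 0xF9, 0xFC, 0xFD, 0x27, 0x2F, 0x37, 0x3F, 0x60, 0x61, 0xCC]:
    INSN_LEN[op] = 1      # nop, inc/dec/push/pop r32, xchg eax,r32, flag ops
for op in [0x6A, 0xEB, *range(0x70, 0x80), *range(0xB0, 0xB8),
           0x04, 0x0C, 0x24, 0x2C, 0x34, 0x3C]:
    INSN_LEN[op] = 2      # push/jmp/jcc/mov r8/alu al with an imm8 or rel8
for op in [*range(0xB8, 0xC0), 0x68, 0xE8, 0xE9,
           0x05, 0x0D, 0x25, 0x2D, 0x35, 0x3D]:
    INSN_LEN[op] = 5      # mov r32/push/call/jmp/alu eax with imm32 or rel32


def decodes_to_end(buf: bytes, start: int, end: int) -> bool:
    """Follow the instruction chain from `start`: True if every opcode met
    before reaching `end` is in the table and its operands fit in `buf`."""
    pc = start
    while pc < end:
        length = INSN_LEN.get(buf[pc])
        if length is None or pc + length > len(buf):
            return False
        pc += length
    return True


def is_sled(buf: bytes, start: int, window: int) -> bool:
    """STRIDE criterion: the window is a sled only if ALL offsets decode."""
    end = start + window
    if end > len(buf):
        return False
    return all(decodes_to_end(buf, off, end) for off in range(start, end))


def first_sled(buf: bytes, window: int = 32) -> int:
    """Offset of the first sled-like window in `buf`, or -1 if none."""
    for start in range(len(buf) - window + 1):
        if is_sled(buf, start, window):
            return start
    return -1


if __name__ == "__main__":
    # Constructed inputs: the A's case from the thread, a NOP sled, plain text.
    print(first_sled(b"A" * 64))                                         # 0
    print(first_sled(b"\x90" * 32))                                      # 0
    print(first_sled(b"The quick brown fox jumps over the lazy dog" * 2))  # -1
```

English text fails quickly because lowercase letters such as 0x65 ('e') are not in the table, while a body of A's is flagged at offset 0; feeding the engine only parsed protocol fields is what keeps the latter from becoming a false positive.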