Wednesday, 09 September 2009

5 Beatles: Rock Band Tunes We’re Ready to Rock, 5 We’ll Miss

Patient Rock Band players’ long wait for songs by The Beatles ends Wednesday when the special version of the game hits store shelves. But some Fab Four fans are going to have to wait a little longer to play the tunes they love.

In solidarity with both camps, we’ve drafted lists celebrating the sonic strengths and weaknesses of The Beatles: Rock Band. We’ve named the top five tunes we simply can’t wait to perform as well as the top five we seriously wish made the cut for the game (or its post-release downloads, to be rolled out starting in October).

What’s the hold-up on the holdouts?

“We want to have all The Beatles’ music,” Harmonix spokesperson John Drake told Total Video Games in July, “and try to deliver it to you as best we can in these digestible chunks.”

Don’t worry, John, we can take bigger chunks. Chuck them all at us. You’ll still make millions.

Got your own favorites? Let us know which tracks you’re looking forward to rocking, and which you’re sorry aren’t around to be rocked, in the reddit widget or comments section below. Come together, over us.


The Beatles: Rock Band, out 9/9/9, features 45 memorable tunes plus more for download. But it's missing winners.
Image courtesy Apple Corps.

Strike Up the Band! Five We’ll Rock

“Helter Skelter” from The White Album
The loudest rock song The Beatles ever made, this finger-blister has been revised by Aerosmith, Siouxsie and Autolux (and has been utterly misunderstood by the ultimate frustrated amateur, Charles Manson). Originally designed by Paul McCartney to outdo the dirty rock of The Who, it has become legend to rock pros and pretenders worldwide. If you’re a Beatles nut for everything after Rubber Soul, chances are this is the first tune you’ll play when you unwrap the package.

“I Want You (She’s So Heavy)” from Abbey Road
While jagged imprecision rules “Helter Skelter,” hypnotic precision hammers this rock epic down the gravity well. An eight-minute blast of sexual yearning and head-bobbing chord progressions shot through with sinister groove, the power of “I Want You” is simply narcotic. “Helter Skelter” has volume, but this unusual entry weighs heavy like a black hole. It’s all in the title.

“Birthday” from The White Album
Crackling riffs, Ringo’s roughest drumming, and unrestrained vocals help this monstrous stomp stand out from the Beatles’ densely populated pack of winners. Singers won’t have to stress on the lyrics, of which there are few, but their throats will probably be sore when it’s over. It would have been a mind-wipe to watch the Fab Four perform this burner in the flesh — performing it with your pals is probably the next best thing.

“While My Guitar Gently Weeps” from The White Album
Eric Clapton laid down smoking guitar for George Harrison’s timeless track, including a solo that has given guitarists real and make-believe fits of ecstasy, whether on steel strings or in empty air. (Have any of you caught Prince’s rendition? Find the clip; it will melt your face.) “While My Guitar Gently Weeps” is one of the finest rock songs of all time, that rare convergence of sound and sentiment. Soak it up.

“Dig a Pony” from Let It Be
It’s one of The Beatles’ most maligned tunes. Even Lennon called it a piece of garbage, and he wrote it. But rediscovering the genius of tracks like “Dig a Pony” is what virtual immersions like Rock Band are for. From its angular guitar and nonsensical lyrics to its urgent vocals and insistent drums, this Let It Be throwaway is primed for a repurposing at the hands of those way too young to snicker about where it sits within Beatles canon.

Dude, Where’s My Rock? Five We’ll Miss

“Happiness Is a Warm Gun” from The White Album
One of the Fab Four’s most cynical, hilarious tunes, this blazing meter-shifter rocks the body and brain. Lennon once called this song the history of rock ‘n’ roll in microcosm, which is enough to warrant its admittance to Rock Band. Its unhinged doo-wop finale and cerebral lyrics would test wannabe vocalists to the max, and guitarists would have a field day with the sludgy riffs and ethereal arpeggios. Bang bang, shoot shoot!

“Strawberry Fields Forever” from Magical Mystery Tour
How could Harmonix not include this immortal track, one of the most beautiful Beatles tunes ever committed to wax? A simple acoustic lullaby hiding beneath polished psychedelia, “Strawberry Fields Forever” can be played in so many glorious ways. Especially by novices molesting plastic. Maybe songs from Magical Mystery Tour are being squirreled away for a future payday. Which sucks.

“I’m Only Sleeping” from Revolver
Like “Tomorrow Never Knows,” which made the cut in the form of a medley with “Within You Without You,” this ambitious head-trip from 1966 was one of the first psychedelic tunes from The Beatles, or anyone for that matter. One wonders how The Beatles would have ever played it live. A studio jewel, it features two guitar solos from George Harrison played in reverse, which could keep adepts busy and tax the wrists of noobs. Speaking of the always underrated Harrison…

“Savoy Truffle” from The White Album
Harrison’s ode to Eric Clapton’s chocolate addiction is chock-full of delicious rock. “Savoy Truffle” orbits around a ferocious guitar jam, with some tasty leads sprinkled in for good measure, and has been covered by artists as different as Ella Fitzgerald and They Might Be Giants. What, amateurs can’t give it a go? Turn it up loud the next time you spin The White Album. You’ll see what we mean.

“Rain” from Hey Jude
From its gorgeous pop bounce to its dense sonics and backward vocals, this 1966 B-side for “Paperback Writer” is a mesmerizing listen. It could be just as hypnotic in fake performance, rewarding all members of the band at hand. Better yet, it’s comparatively esoteric, meaning that even old Beatles fans might find a deep cut worth another several years of devotion (and Rock Band downloads).

Tuesday, 08 September 2009

NASA And ISRO Satellites Perform In Tandem To Search For Ice On The Moon

WASHINGTON – On Aug. 20, 2009, NASA and the Indian Space Research Organization (ISRO) will attempt a novel joint experiment that could yield more information on whether ice exists in a permanently shadowed crater near the north pole of the moon. Currently ISRO’s Chandrayaan-1 and NASA’s Lunar Reconnaissance Orbiter (LRO) spacecraft are orbiting the moon. While LRO is in its commissioning phase, the two spacecraft pass close enough to each other when they are over the lunar north pole to attempt a unique experiment. Both spacecraft are equipped with a NASA Miniature Radio Frequency (RF) instrument that functions as a synthetic aperture radar (SAR), known as Mini-SAR on Chandrayaan-1 and Mini-RF on LRO. The experiment points both radars at Erlanger Crater at the same time.

Normally the Mini-RF instrument sends radio pulses to the moon and precisely records the radio echoes that bounce straight back from the surface, along with their timing and frequency. From these data, scientists can build images of the moon that not only show areas they otherwise couldn’t see, such as the permanently shadowed areas near the lunar poles, but also contain information on the physical nature of the surface.

For the Bi-Static experiment the Mini-SAR on Chandrayaan-1 performs its normal SAR imaging (transmitting and receiving) while the Mini-RF is set to receive only. The two instruments look at the same location from different angles. Comparing the signal that bounces straight back to Chandrayaan with the signal that bounces at a slight angle to LRO provides unique information about the surface.

Stewart Nozette, Mini-RF principal investigator from the Universities Space Research Association’s Lunar and Planetary Institute, said, “An extraordinary effort was made by the whole NASA team working with ISRO to make this happen.”

While this coordination sounds easy, this experiment is extremely challenging because both spacecraft are traveling at about 1.6 km per second and will be looking at an area on the ground about 18 km across. Due to the extreme speeds and the small point of interest, NASA and ISRO need to obtain and share information about the location and pointing of both spacecraft. The Bi-Static experiment requires extensive tracking by ground stations of NASA’s Deep Space Network, the Applied Physics Laboratory, and ISRO.

Even with the considerable planning and coordination between the U.S. and India, the two instrument beams may not overlap, or may miss the desired location. Even without hitting the exact location, scientists may still be able to use the Bi-Static information to add to the knowledge already obtained from both instruments.

“The international coordination and cooperation between the two agencies for this experiment is an excellent opportunity to demonstrate future cooperation between NASA and ISRO,” says Jason Crusan, program executive for the Mini-RF program, from NASA’s Space Operations Mission Directorate, Washington, D.C.

“In the last few years we have seen a renaissance in international interest and cooperation in the study of the moon,” says Gordon Johnson, program executive for the LRO, from NASA’s Exploration Systems Mission Directorate, Washington, D.C. “As LRO completes its commissioning phase, we look forward to LRO’s contribution to this international effort.”

LRO was launched June 18, 2009. Its objectives are to scout for safe landing sites, locate potential resources, characterize the radiation environment, and demonstrate new technology. NASA’s Goddard Space Flight Center in Greenbelt, Md. built and manages the mission for NASA’s Exploration Systems Mission Directorate in Washington. LRO is a NASA mission with international participation from the Institute for Space Research in Moscow. Russia provides the neutron detector aboard the spacecraft.

Instrument principal investigators Stewart Nozette (LRO) and Paul Spudis (Chandrayaan-1) are from the Universities Space Research Association’s Lunar and Planetary Institute. NASA’s Space Operations Mission Directorate, NASA Headquarters, manages the Mini-RF program. NASA’s Exploration Systems Mission Directorate, NASA Headquarters, manages the LRO.

In addition to Mini-SAR, the Chandrayaan-1 spacecraft, which was launched in October 2008 from India’s Satish Dhawan Space Centre, also carries NASA’s Moon Mineralogy Mapper for assessing the moon’s mineral resources.

For more information on the Lunar Reconnaissance Orbiter mission, visit: http://www.nasa.gov/lro

Monday, 07 September 2009

Google Algorithm Predicts When Species Will Go 404, Not Found


Biologists have figured out the most efficient way to destroy an ecosystem — and it’s based on the Google search algorithm.

Scientists have long known that the extinction of key species in a food web can cause collapse of the entire system, but the vast number of interactions between species makes it difficult to guess which animals and plants are the most important. Now, computational biologists have adapted the Google search algorithm, called PageRank, to the problem of predicting ecological collapse, and they’ve created a startlingly accurate model.

“While several previous studies have looked at the robustness of food webs to a variety of sequences of species loss, none of them have come up with a way to identify the most devastating sequence of extinctions,” said food web biologist Jennifer Dunne of the Santa Fe Institute, who was not involved in the research. Using a modified version of PageRank, Dunne said, the researchers were able to identify which species extinctions within a food web would lead to the biggest chain reaction of species death.

“If we can find the way of removing species so that the destruction of the ecosystem is the fastest, it means we’re ranking species by their importance,” said ecologist Stefano Allesina of the University of California, Santa Barbara, who co-authored the paper published Friday in PLoS Computational Biology.

Unlike previous solutions to the coextinction problem, the Google solution takes into account not only the number of connections between species, but also their relative importance. “In PageRank, you’re an important website if important websites point to you,” Allesina said. “We took that idea and reversed it: Species are important if they support important species.”

In other words, grass is important because it’s eaten by gazelles, and gazelles are important because they’re eaten by lions.

When the researchers tested the Google algorithm against existing models for predicting ecosystem collapse, they found that the new solution outperformed the old ones in each of the 12 food webs they looked at. “In every case that we tested, the algorithm returned either the best possible solution, out of the billions of possibilities, or very close to it,” Allesina said. In this case, the “best possible solution” is the one that predicts total ecosystem collapse using the fewest number of species extinctions.

To make the circular PageRank algorithm work for food webs, which are traditionally considered unidirectional, the researchers had to solve the problem of what to do with dead ends: Not much eats a lion, but that doesn’t necessarily mean lions aren’t critical to the food chain. The scientists solved this problem by adding what Allesina calls a “root node,” which is based on the idea that all living creatures contribute to the food chain through their excrement and eventual decay.

“What we found is that the importance of a species can be connected to the amount of matter that flows to it,” Allesina said. “If species eat a lot of things, and a lot of things eat them, they tend to be important.” Previous solutions to the problem tended to underestimate the importance of species that are lower on the food chain, Allesina said, and he hopes the new solution will encourage conservation biologists to take a broader view of species extinctions.

“What I hope is that people will pick up interest and start thinking about conservation in a more network-based way,” Allesina said. “Right now, most conservationists are focused on a single species, and they just study that species. But you really have to take into account that this species is not independent, it’s really tangled in a network of multi-species interactions.”

For ecosystems on the brink of collapse, such as marine environments taxed by overfishing, Allesina said a network-based approach to conservation could make all the difference.

Sunday, 06 September 2009

Snow Leopard users suffer Flash back

Multimedia software firm Adobe advised all Mac OS X 10.6 users on Thursday to upgrade their Flash Player software, as installing the latest Apple OS reverts the ubiquitous Flash software to a vulnerable version.

In a post to its Product Security Incident Response Team (PSIRT) blog, the Adobe security team warned that Apple's Snow Leopard update, which shipped a week ago, would install a vulnerable version of the Flash Player software. Flash is commonly used on Web sites to add multimedia features and greater interactivity.

Security firm Sophos chided Apple for downgrading its users' security.

"Mac users are not informed that Snow Leopard has downgraded their version of Flash without permission, and that they are now exposed to a raft of potential attacks and exploits which have been targeted on Adobe's software in recent months," Graham Cluley, senior technology consultant for the firm, said in a statement.

Apple's Snow Leopard update, which adds few obvious features but improves Mac OS X's performance, has caused a few issues with security. Computers that have PGP's encryption and data-security software have to remove the program before installing the update, as there are conflicts between the programs.

Users of Snow Leopard, or any other operating system, who want to make sure they are running the latest version of Flash can go to Adobe's Web site.


Source: securityfocus.com

Sunday, 30 August 2009

NASA’s Most Awesomely Weird Mission Patches

Perhaps the best thing about NASA’s military provenance is that the agency picked up the armed services’ habit of making patches.

We’ve long loved the Most Awesomely Bad Military Patches series that our sister blog, Danger Room, runs. Then, earlier this week, space collectors bid up the accidentally limited edition Stephen Colbert treadmill patch to more than $175 on eBay.

And with the Augustine Commission report on the future of human space exploration due next week — and bad news likely — we thought we’d do some old-fashioned space boosterism and assemble this gallery of Awesomely Awesome NASA Patches.

The patches above were drawn and worn by the wives of the astronauts on those respective missions. They are nearly identical to the actual patches, but the central figure is a woman instead of Leonardo Da Vinci’s Vitruvian Man.


The Stephen Colbert patch commemorating the treadmill that sort of bears his name on the International Space Station combines the new photorealistic style with the line drawings of older patches.

Saturday, 29 August 2009

Apache investigates Web server attack

The Apache Foundation shut down its Web servers early Friday morning after detecting attack code running on the computers, the organization stated in an advisory.

The attack, which started late Thursday night, apparently came from an account used to back up the group's servers automatically to an external hosting service. Using the proper SSH key authentication for the host, the attackers accessed people.apache.org, which acts as a "seed host" for Apache.org's Web sites. The attackers placed script files on the host, which were then synchronized to the Web server, Apache's infrastructure team stated.

The team noticed the attack early Friday morning when it detected the rogue processes spawned by the scripts.

"To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines," Apache's infrastructure team said in the statement. "While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided."

Open-source software is a popular target for online attackers. In February, the group that maintains the open-source forum software phpBB acknowledged that an attacker was able to get access to their servers. In 2001, a hacker who used the name Fluffy Bunny compromised Apache's Web site.

Apache currently powers approximately 47 percent of all Web sites, according to the latest Netcraft survey.

Federal agency warns of postal trojan

A federal agency warned on Tuesday that cybercriminals are going low tech.

The National Credit Union Administration told financial institutions to be on the lookout for a fake alert, supposedly sent by the agency, that comes in the regular mail accompanied by two CDs carrying malicious programs. The fraudulent letter requests credit unions to review the "training materials" on the CDs, the NCUA stated in its online alert.

"Doing so could result in a possible security breach to your computer system or have other adverse consequences," the agency stated.

However, the attack that inspired the warning appears to have been part of an authorized pentest against an NCUA member institution, according to the SANS Institute's Internet Storm Center. Security assessment firm MicroSolved posted a statement on its site on Friday, confirming that it had been the firm conducting the penetration test.

"This was a controlled exercise in which the process worked," the company said in a blog post on Friday. "The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement."

The security of financial institutions has become a major issue over the past few years, as online thieves have had greater success breaching their systems. Last week, a federal grand jury charged three men with stealing more than 130 million credit- and debit-card accounts from retailers. In 2006, two online brokerages acknowledged losses of at least $22 million in a single financial quarter due to hackers.

Most attacks have happened online, but offline attacks have also become a problem. In 2006, a security consultancy showed that bank employees are all too willing to put USB memory sticks from an unknown source into a sensitive computer at work. Last year, security experts warned that a number of devices — such as digital picture frames — had become vectors for compromising consumer computers.

Financial institutions that receive copies of the CDs in the mail should notify the NCUA.

UPDATE: This article was updated with information from the SANS Institute that the attack was actually an authorized pentest. It was updated again following MicroSolved's post on the topic.

If you have tips or insights on this topic, please contact SecurityFocus.

Friday, 28 August 2009

Buffer overflow

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside the memory the programmer set aside for it. The extra data overwrites adjacent memory, which may contain other data, including program variables and program flow control data. This may result in erratic program behavior, including memory access errors, incorrect results, program termination (a crash), or a breach of system security.

Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. They are thus the basis of many software vulnerabilities and can be maliciously exploited. Bounds checking can prevent buffer overflows.

Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array.

Technical description

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.

Basic example

In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.

                A (8-byte buffer)              B (2-byte integer)
value           (empty string)                 3
bytes           00 00 00 00 00 00 00 00        00 03

Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B:

                A (8-byte buffer)                        B (2-byte integer)
value           "excessive" (9 characters + terminator)  25856 (big-endian)
bytes           'e' 'x' 'c' 'e' 's' 's' 'i' 'v'          'e' 00

Although the programmer did not intend to change B at all, B's value has now been replaced by a number formed from part of the character string. In this example, on a big-endian system that uses ASCII, "e" followed by a zero byte would become the number 25856. If B was the only other variable data item defined by the program, writing an even longer string that went past the end of B could cause an error such as a segmentation fault, terminating the process.
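The overflow in the table above, together with the bounds check the introduction says prevents it, as an added C example that is not part of the original article. The struct, the function names and the ten-byte `mem` array are this example's own constructions: A and B are placed inside one array so that the overflowing copy stays within memory the program owns and its effect on B can be observed portably (writing past a real `char A[8]` is undefined behaviour). B is read in big-endian order, as the text assumes, and also in little-endian order for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout described above: an 8-byte buffer A
 * immediately followed by a 2-byte integer B.  Both live inside one 10-byte
 * array so that the overflow below stays inside memory we own. */
#define A_SIZE   8
#define B_SIZE   2
#define MEM_SIZE (A_SIZE + B_SIZE)

struct layout {
    uint8_t mem[MEM_SIZE];   /* mem[0..7] is A, mem[8..9] is B */
};

/* A := eight zero bytes, B := 3 (stored big-endian, as in the table above). */
static void layout_init(struct layout *l)
{
    memset(l->mem, 0, MEM_SIZE);
    l->mem[A_SIZE]     = 0x00;
    l->mem[A_SIZE + 1] = 0x03;
}

/* Read B as a big-endian 16-bit integer (the byte order the text assumes). */
static uint16_t read_b_big_endian(const struct layout *l)
{
    return (uint16_t)((l->mem[A_SIZE] << 8) | l->mem[A_SIZE + 1]);
}

/* Read the same two bytes as a little-endian integer, which is what an x86
 * host would see for the same memory contents. */
static uint16_t read_b_little_endian(const struct layout *l)
{
    return (uint16_t)(l->mem[A_SIZE] | (l->mem[A_SIZE + 1] << 8));
}

/* The bug: copy s plus its terminating zero into A without checking A's size,
 * exactly as strcpy() would.  The clamp to MEM_SIZE exists only so this model
 * never leaves `mem`; real strcpy() has no such limit. */
static void unchecked_copy(struct layout *l, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > MEM_SIZE) n = MEM_SIZE;
    memcpy(l->mem, s, n);
}

/* The fix: bounds check before copying.  Returns 0 on success or -1 if the
 * string (with its terminator) does not fit in A; nothing is written in the
 * failing case, so B keeps its value. */
static int checked_copy(struct layout *l, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > A_SIZE) return -1;
    memcpy(l->mem, s, n);
    return 0;
}

/* Value of B (big-endian) after copying s into a freshly initialised A with
 * the unchecked routine. */
static uint16_t b_after_unchecked_copy(const char *s)
{
    struct layout l;
    layout_init(&l);
    unchecked_copy(&l, s);
    return read_b_big_endian(&l);
}

/* Result of the checked routine on a fresh layout; B's value goes to *b_out. */
static int checked_copy_result(const char *s, uint16_t *b_out)
{
    struct layout l;
    layout_init(&l);
    int rc = checked_copy(&l, s);
    *b_out = read_b_big_endian(&l);
    return rc;
}

int main(void)
{
    uint16_t b;
    int rc;
    printf("unchecked copy of \"excessive\": B = %u\n", b_after_unchecked_copy("excessive"));
    rc = checked_copy_result("excessive", &b);
    printf("checked copy of \"excessive\":   rc = %d, B = %u\n", rc, b);
    rc = checked_copy_result("short", &b);
    printf("checked copy of \"short\":       rc = %d, B = %u\n", rc, b);
    return 0;
}
```

Compile with any C99 compiler and run: the unchecked copy of "excessive" leaves B holding 25856 (the bytes 'e' 00 read big-endian; the same bytes read little-endian give 101), while the checked copy rejects the string and leaves B at 3. A seven-character string plus its terminator fills A exactly and is accepted by both routines without touching B.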

Exploitation

The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region. For example, exploitation on the heap (used for dynamically allocated memory) is very different from on the call stack.

Stack-based exploitation

A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways:

  • By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker.
  • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.
  • By overwriting a function pointer,[1] or exception handler, which is subsequently executed.

With a method called "trampolining", if the address of the user-supplied data is unknown, but the location is stored in a register, then the return address can be overwritten with the address of an opcode which will cause execution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause execution of user supplied data. The locations of suitable opcodes, or bytes in memory, can be found in DLLs or the executable itself. However the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. The Metasploit Project is one such database of suitable opcodes, though only those found in the Windows operating system are listed.[2]

Stack-based buffer overflows are not to be confused with stack overflows.

Heap-based exploitation

A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

The Microsoft JPEG GDI+ vulnerability is an example of the danger a heap overflow can represent to a computer user.[3]

Barriers to exploitation

Manipulation of the buffer, which occurs before it is read or executed, may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible. Manipulations could include conversion to upper or lower case, removal of metacharacters and filtering out of non-alphanumeric strings. However, techniques exist to bypass these filters and manipulations: alphanumeric code, polymorphic code, self-modifying code and return-to-libc attacks. The same methods can be used to avoid detection by intrusion detection systems. In some cases, including where code is converted into Unicode,[4] the threat of the vulnerability has been misrepresented by the disclosers as only denial of service when in fact the remote execution of arbitrary code is possible.

Practicalities of exploitation

In real-world exploits there are a variety of challenges which need to be overcome for exploits to operate reliably. These factors include null bytes in addresses, variability in the location of shellcode, differences between environments and various counter-measures in operation.

NOP sled technique

Illustration of a NOP-sled payload on the stack.

A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow.[5] It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, is placed an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.[6]

Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.[7]
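A minimal form of the pattern search that the paragraph above attributes to intrusion prevention vendors, as an added C example that is not from the original article or from any IPS product. The function names and the two sample buffers are constructed for this example: one holds a run of 0x90 bytes (the traditional x86 no-op), the other a run of an arbitrary filler byte, which illustrates the caveat in the text that a detector keyed on the traditional no-op byte sees nothing when a sled is built from other instructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP 0x90   /* the single-byte x86 no-op the text refers to */

/* Length of the longest run of consecutive 0x90 bytes in buf. */
static size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == X86_NOP) {
            cur++;
            if (cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Heuristic verdict: a run of `threshold` or more NOPs is treated as a sled.
 * Returns 1 when flagged, 0 otherwise. */
static int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed input builder (not captured traffic): fills `out` with a
 * `sled_len`-byte run of `sled_byte`, followed by a short fixed tail of ASCII
 * text standing in for whatever follows the sled in a real payload.  Returns
 * the number of bytes written, or 0 if it would not fit. */
static size_t build_sample(uint8_t *out, size_t cap, uint8_t sled_byte, size_t sled_len)
{
    static const char tail[] = "TAIL";   /* placeholder bytes, no meaning */
    size_t tail_len = sizeof(tail) - 1;
    if (sled_len + tail_len > cap) return 0;
    memset(out, sled_byte, sled_len);
    memcpy(out + sled_len, tail, tail_len);
    return sled_len + tail_len;
}

/* Classic sled sample: 48 bytes of 0x90.  Returns the detector's longest-run value. */
static size_t classic_sample_run(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf, X86_NOP, 48);
    return longest_nop_run(buf, n);
}

/* Evasion case from the text: a "sled" made of some byte other than 0x90
 * (0x41 here, chosen purely as a constructed filler) contains no 0x90 run at
 * all, so a detector that only counts 0x90 reports nothing. */
static size_t filler_sample_run(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf, 0x41, 48);
    return longest_nop_run(buf, n);
}

int main(void)
{
    const size_t threshold = 16;
    size_t classic = classic_sample_run();
    size_t filler  = filler_sample_run();
    printf("classic sample: longest 0x90 run = %zu, flagged = %d\n",
           classic, classic >= threshold);
    printf("filler sample:  longest 0x90 run = %zu, flagged = %d\n",
           filler, filler >= threshold);
    return 0;
}
```

The threshold is the tuning knob: too low and legitimate binaries with short 0x90 runs (compilers emit them as alignment padding) produce false positives; too high and short sleds slip through. The filler sample is the point the text makes about this class of signature: it catches the traditional form only, which is why the next paragraph's "composed of randomly chosen instructions" sleds defeat it.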

While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.[8] An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e. there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation; as such it is still an important technique.

The jump to address stored in a register technique

The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.[9]

An instruction from ntdll.dll to call the DbgPrint() routine contains the i386 machine opcode for jmp esp.

In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable opcode at a fixed location somewhere within the program memory. In figure E on the left you can see an example of such an unintentional instance of the i386 jmp esp instruction. The opcode for this instruction is FF E4.[10] This two-byte sequence can be found at a one-byte offset from the start of the instruction call DbgPrint at address 0x7C941EED. If an attacker overwrites the program return address with this address the program will first jump to 0x7C941EED, interpret the opcode FF E4 as the jmp esp instruction, and will then jump to the top of the stack and execute the attacker's code.[11]

When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in Internet worms that exploit stack buffer overflow vulnerabilities.[12]

This method also allows shellcode to be placed after the overwritten return address on the Windows platform. Since executables are based at address 0x00400000 and x86 is a little-endian architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. DLLs are located in high memory (above 0x01000000) and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL Trampolining".

Protective countermeasures

Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. This sort of protection, however, cannot be applied to legacy code, and often technical, business, or cultural constraints call for a vulnerable language. The following sections describe the choices and implementations available.

Choice of programming language

The choice of programming language can have a profound effect on the occurrence of buffer overflows. As of 2008, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to an array (the implementation of a buffer) is within the boundaries of that array. However, the standard C++ libraries provide many ways of safely buffering data, and technology to avoid buffer overflows also exists for C.

Many other programming languages provide runtime checking, and in some cases compile-time checking, that warns or raises an exception at the point where C or C++ would silently overwrite data and carry on executing until the corrupted state produces wrong results, which may or may not crash the program. Examples of such languages include Ada, Lisp, Modula-2, Smalltalk, OCaml and such C derivatives as Cyclone and D. The Java and .NET bytecode environments also require bounds checking on all arrays. Nearly every interpreted language will protect against buffer overflows, signalling a well-defined error condition. Often, where a language provides enough type information to do bounds checking, an option is provided to enable or disable it. Static code analysis can remove many dynamic bounds and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers must carefully weigh safety against performance cost when deciding which language and compiler settings to use.

Use of safe libraries

The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. It has also long been recommended to avoid standard library functions which are not bounds checked, such as gets, scanf and strcpy. The Morris worm exploited a gets call in fingerd.[13]

Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe" library implementations include "The Better String Library" [14], Vstr [15] and Erwin.[16] The OpenBSD operating system's C library provides the strlcpy and strlcat functions, but these are more limited than full safe library implementations.

In September 2006, Technical Report 24731, prepared by the C standards committee, was published; it specifies a set of functions based on the standard C library's string and I/O functions, with an additional buffer-size parameter on each (the "_s" functions, such as strcpy_s). However, their efficacy in reducing buffer overflows is disputable: the programmer must still supply a correct size on every call, and that is the same per-call discipline which would have made the analogous older standard library functions safe in the first place.[17]
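
To make the safe-library point concrete, here is an added example that is not from the page and not OpenBSD's code: a strlcpy reimplemented to OpenBSD's documented contract, used on a constructed model of two adjacent stack variables, beside the unchecked copy it replaces. The layout of the model and its field names are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of two adjacent stack variables as one byte array, so that the
 * overflow stays well-defined C:
 *   [0..7]  name[8]     (the buffer being copied into)
 *   [8]     is_admin    (the neighbour an overflow clobbers)
 * The layout is assumed; FRAME_LEN is padded so the model stays in bounds. */
enum { NAME_OFF = 0, NAME_LEN = 8, FLAG_OFF = 8, FRAME_LEN = 32 };

/* Reimplementation of OpenBSD's strlcpy contract (not OpenBSD's code):
 * copy at most size-1 bytes, always NUL-terminate when size > 0, and
 * return strlen(src) so the caller can detect truncation (ret >= size). */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The classic bug: a strcpy-style copy with no bound. The FRAME_LEN-1
 * guard only keeps the model in bounds; it is not a security check. */
void copy_name_unchecked(unsigned char *frame, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && NAME_OFF + i < FRAME_LEN - 1; i++)
        frame[NAME_OFF + i] = (unsigned char)src[i];
    frame[NAME_OFF + i] = '\0';
}

/* Bounded copy. Returns 0 on success, -1 if the name did not fit, in which
 * case the field is cleared rather than silently truncated. strlcpy only
 * prevents the overflow; whether a truncated name is acceptable is still the
 * caller's decision, which is what makes such functions "more limited". */
int copy_name_bounded(unsigned char *frame, const char *src)
{
    if (my_strlcpy((char *)frame + NAME_OFF, src, NAME_LEN) >= NAME_LEN) {
        memset(frame + NAME_OFF, 0, NAME_LEN);
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char frame[FRAME_LEN];
    const char *input = "AAAAAAAA" "AAAA";   /* 12 bytes: 4 more than name holds */
    int rc;

    memset(frame, 0, sizeof frame);
    copy_name_unchecked(frame, input);
    printf("unchecked: is_admin byte = 0x%02X (clobbered by the overflow)\n", frame[FLAG_OFF]);

    memset(frame, 0, sizeof frame);
    rc = copy_name_bounded(frame, input);
    printf("bounded  : rc=%d, is_admin byte = 0x%02X\n", rc, frame[FLAG_OFF]);

    rc = copy_name_bounded(frame, "bob");
    printf("bounded  : rc=%d, name=\"%s\"\n", rc, (char *)frame + NAME_OFF);
    return 0;
}
```

The unchecked copy turns the flag byte into 'A' without any error; the bounded copy reports the oversize input and leaves the neighbour untouched. Note that the return-value check is what carries the policy: calling my_strlcpy and ignoring its result would still be an overflow-free but silently wrong program.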

Buffer overflow protection

Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns: a guard value (a "canary") is placed between the local buffers and the saved return address in the function prologue and verified in the epilogue. If it has been altered, the program is aborted rather than allowed to return to the corrupted address. Three such systems are Libsafe,[18] and the StackGuard[19] and ProPolice[20] patches for gcc.

Microsoft's Data Execution Prevention mode additionally checks the pointer to the SEH exception handler before it is used, so that an overwritten handler pointer is not invoked.[21]

Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the Forth programming language, though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten.
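
An added example of the canary check described above (illustrative code written for this page, not StackGuard's or ProPolice's implementation). The stack frame is modelled as one byte array so that the overflow stays well-defined C; the frame layout, the legitimate return address 0x08048000 and the canary values are assumptions. The last scenario uses a terminator canary containing a zero byte, the device StackGuard's original design used so that a string-copy overflow cannot reproduce the canary and keep going even when its value is known.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of one stack frame as a single byte array:
 *   [0..15]   char buf[16]            (local buffer, overflowed)
 *   [16..19]  canary                  (inserted by the compiler's prologue)
 *   [20..23]  saved return address    (stand-in for the real one)
 * Layout and values are assumptions of this example. */
enum { BUF_OFF = 0, BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 20, FRAME_LEN = 64 };
typedef struct { uint8_t bytes[FRAME_LEN]; } frame_t;

/* Per-process canary; a real implementation seeds it from the OS at start-up. */
static uint32_t g_canary;
void canary_init(uint32_t seed) { g_canary = seed; }

static void put32(uint8_t *p, uint32_t v)
{ for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *p)
{ uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i); return v; }

/* Prologue: place the canary between the buffer and the saved return address. */
void frame_enter(frame_t *f, uint32_t saved_ret)
{
    memset(f, 0, sizeof *f);
    put32(f->bytes + CANARY_OFF, g_canary);
    put32(f->bytes + RET_OFF, saved_ret);
}

/* Vulnerable body: strcpy-like unbounded copy into buf. The FRAME_LEN-1
 * bound only keeps the model in range and is not a security check. */
void vulnerable_body(frame_t *f, const char *input)
{
    size_t i = 0;
    for (; input[i] != '\0' && BUF_OFF + i < FRAME_LEN - 1; i++)
        f->bytes[BUF_OFF + i] = (uint8_t)input[i];
    f->bytes[BUF_OFF + i] = 0;
}

/* Epilogue check, as StackGuard/ProPolice emit before `ret`: 0 and the
 * address that would be returned to, or -1 (abort) if the canary changed. */
int frame_leave(const frame_t *f, uint32_t *ret_out)
{
    if (get32(f->bytes + CANARY_OFF) != g_canary)
        return -1;
    *ret_out = get32(f->bytes + RET_OFF);
    return 0;
}

/* Attacker input: fill the buffer, write `canary` back in place (if known),
 * then the new return address. Returns the byte length of the input. */
size_t build_attack(char *out, uint32_t canary, uint32_t target)
{
    memset(out, 'A', BUF_LEN);
    put32((uint8_t *)out + BUF_LEN, canary);
    put32((uint8_t *)out + BUF_LEN + 4, target);
    out[BUF_LEN + 8] = '\0';
    return BUF_LEN + 8;
}

/* Run one scenario; returns frame_leave's verdict and the return address. */
int run(uint32_t canary_value, const char *input, uint32_t *ret)
{
    frame_t f;
    canary_init(canary_value);
    frame_enter(&f, 0x08048000u);      /* assumed legitimate return address */
    vulnerable_body(&f, input);
    *ret = 0;
    return frame_leave(&f, ret);
}

int main(void)
{
    char attack[32];
    uint32_t ret;
    int rc;

    rc = run(0x1234ABCDu, "hello", &ret);
    printf("benign input        : rc=%d ret=0x%08X\n", rc, (unsigned)ret);

    rc = run(0x1234ABCDu, "AAAAAAAA" "AAAAAAAA" "AAAAAAAA", &ret);
    printf("blind overflow      : rc=%d (canary smashed, abort)\n", rc);

    build_attack(attack, 0x1234ABCDu, 0x7C941EEDu);  /* attacker knows the canary */
    rc = run(0x1234ABCDu, attack, &ret);
    printf("leaked random canary: rc=%d ret=0x%08X (check bypassed)\n", rc, (unsigned)ret);

    build_attack(attack, 0x000AFF0Du, 0x7C941EEDu);  /* terminator canary: has a 0x00 */
    rc = run(0x000AFF0Du, attack, &ret);
    printf("terminator canary   : rc=%d ret=0x%08X (copy stopped at the NUL)\n", rc, (unsigned)ret);
    return 0;
}
```

The third scenario is the caveat the text hints at: a canary only detects that the value changed, so an attacker who has learned it (through an information leak, or a byte-at-a-time guess where the process forks) writes it back and the check passes. The terminator variant 0x000AFF0D closes that door for string-copy overflows because the copy ends at the embedded zero, but it does nothing for overflows driven by memcpy with a controlled length, and neither variant protects data below the canary.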

Pointer protection

Buffer overflows work by manipulating pointers (including stored addresses). PointGuard was proposed as a compiler extension to prevent attackers from being able to reliably manipulate pointers and addresses.[22] The approach works by having the compiler add code that XOR-encodes pointers with a secret value when they are stored and decodes them immediately before use. Because the attacker (theoretically) does not know the value used to encode and decode the pointer, they cannot predict where it will point if they overwrite it with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in Windows XP SP2 and Windows Server 2003 SP1.[23] Rather than implement pointer protection as an automatic feature, Microsoft added API routines (EncodePointer and DecodePointer) that can be called at the discretion of the programmer. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when it is necessary.

Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only its lower bytes: the decoded pointer then keeps its upper bytes and differs only in the low bytes, so it still lands near the original target. This can allow an attack to succeed if the attacker is able to attempt the exploit multiple times and/or can complete the attack by landing the pointer on any one of several locations (such as anywhere within a NOP sled).[24] Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites.[25]
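
The linearity weakness and the rotation fix, as an added example that is neither PointGuard's nor Microsoft's code. The key and rotation count stand in for per-process secrets the attacker cannot read; both are constants here only so the run is reproducible.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-process secrets. A real implementation draws both from the OS at
 * start-up; they are fixed here only to make the example reproducible. */
#define SECRET_KEY 0x9E3779B9u
#define SECRET_ROT 13u

static uint32_t rotl32(uint32_t v, unsigned r)
{ r &= 31; return r ? (v << r) | (v >> (32 - r)) : v; }
static uint32_t rotr32(uint32_t v, unsigned r)
{ r &= 31; return r ? (v >> r) | (v << (32 - r)) : v; }

/* PointGuard-style: XOR with a secret key. */
uint32_t encode_xor(uint32_t p) { return p ^ SECRET_KEY; }
uint32_t decode_xor(uint32_t e) { return e ^ SECRET_KEY; }

/* XOR followed by a secret rotation, in the spirit of Microsoft's fix. */
uint32_t encode_rot(uint32_t p) { return rotl32(p ^ SECRET_KEY, SECRET_ROT); }
uint32_t decode_rot(uint32_t e) { return rotr32(e, SECRET_ROT) ^ SECRET_KEY; }

/* Partial overwrite: the attacker can write the lowest byte of the stored
 * (encoded) pointer but cannot read the key. */
static uint32_t overwrite_low_byte(uint32_t e, uint8_t x)
{ return (e & 0xFFFFFF00u) | x; }

/* Try all 256 values for the overwritten byte and count how many decoded
 * pointers still fall in the same 256-byte window as the original, i.e.
 * would still hit a NOP sled placed around the real target. */
unsigned count_in_window(uint32_t p,
                         uint32_t (*enc)(uint32_t), uint32_t (*dec)(uint32_t))
{
    uint32_t e = enc(p);
    unsigned hits = 0;
    for (unsigned x = 0; x < 256; x++) {
        uint32_t p2 = dec(overwrite_low_byte(e, (uint8_t)x));
        if ((p2 & 0xFFFFFF00u) == (p & 0xFFFFFF00u))
            hits++;
    }
    return hits;
}

int main(void)
{
    uint32_t p = 0x7C941EEDu;   /* a stored pointer; value taken from the text above */
    printf("xor only  : %3u of 256 low-byte overwrites stay in the sled window\n",
           count_in_window(p, encode_xor, decode_xor));
    printf("xor+rotate: %3u of 256 low-byte overwrites stay in the sled window\n",
           count_in_window(p, encode_rot, decode_rot));
    return 0;
}
```

With XOR alone every one of the 256 possible overwrites decodes to an address in the original 256-byte window, so a sled of that size wins without knowing the key. After the rotation the flipped bits land in the upper part of the decoded value (bits 19 to 26 for a rotation of 13), so only the single overwrite that leaves the byte unchanged stays in the window; the attacker now needs the rotation count as well as the key.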

Executable space protection

Executable space protection is an approach to buffer overflow protection which prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception.

Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit, which in conjunction with software, can be used to mark pages of data (such as those containing the stack and the heap) as readable and writeable but not executable.

Some Unix operating systems (e.g. OpenBSD, Mac OS X) ship with executable space protection (e.g. W^X). Optional packages providing it for other systems also exist.

Newer variants of Microsoft Windows also support executable space protection, called Data Execution Prevention.[29] Proprietary add-ons exist as well.

Executable space protection does not generally protect against return-to-libc attacks, or any other attack which does not rely on executing the attacker's own code, since those reuse code that is already mapped executable. However, on 64-bit systems using ASLR, as described below, executable space protection makes such attacks far more difficult to carry out.

Address space layout randomization

Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.

Randomization of the virtual memory addresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of internet worms.[32] A similar but less effective method is to rebase processes and libraries in the virtual address space.

Deep packet inspection

The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These can block packets which carry the signature of a known attack, or which contain a long run of no-operation instructions (a "nop-sled"), once a common way of tolerating small variations in the location of the exploit's payload.

Packet scanning is not an effective method, since it can only prevent known attacks and there are many ways that a nop-sled can be encoded. Attackers have begun to use alphanumeric, metamorphic, and self-modifying shellcodes to evade detection by heuristic packet scanners and intrusion detection systems.
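
An added example (not from the page) of the two detection approaches above and of why the second is still weak: a signature scanner that looks for runs of the i386 nop (0x90), beside a heuristic that also counts the single-byte inc/dec instructions 0x40 to 0x4F, which are printable ('@', 'A' to 'O') and are the usual building blocks of an alphanumeric sled. The sample payloads are constructed and contain no shellcode; the sled length and the threshold are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The byte a naive scanner looks for: the i386 nop. */
#define NOP 0x90

static int is_nop(uint8_t b) { return b == NOP; }

/* Nop-equivalents used by alphanumeric sleds: the single-byte i386
 * inc/dec instructions 0x40..0x4F ('@', 'A'..'O'), which slide execution
 * forward just as a nop does. */
static int is_sled_byte(uint8_t b)
{
    return b == NOP || (b >= 0x40 && b <= 0x4F);
}

/* Longest run of consecutive bytes satisfying pred. */
static size_t longest_run(const uint8_t *p, size_t n, int (*pred)(uint8_t))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = pred(p[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Signature check: a run of at least `threshold` nops. */
int naive_nop_sled_detect(const uint8_t *p, size_t n, size_t threshold)
{
    return longest_run(p, n, is_nop) >= threshold;
}

/* Heuristic check: a run of at least `threshold` nop-equivalents. */
int heuristic_sled_detect(const uint8_t *p, size_t n, size_t threshold)
{
    return longest_run(p, n, is_sled_byte) >= threshold;
}

/* Constructed sample payloads. No shellcode follows the sled; a single
 * int3 (0xCC) stands in for the rest of the packet. */
size_t build_classic_sled(uint8_t *out, size_t sled_len)
{
    memset(out, NOP, sled_len);
    out[sled_len] = 0xCC;
    return sled_len + 1;
}

size_t build_alnum_sled(uint8_t *out, size_t sled_len)
{
    for (size_t i = 0; i < sled_len; i++)
        out[i] = (uint8_t)(0x41 + (i % 15));   /* 'A'..'O': inc ecx .. dec edi */
    out[sled_len] = 0xCC;
    return sled_len + 1;
}

int main(void)
{
    uint8_t buf[128];
    const size_t threshold = 32;
    const char *text = "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n";
    size_t n;

    n = build_classic_sled(buf, 48);
    printf("classic sled : naive=%d heuristic=%d\n",
           naive_nop_sled_detect(buf, n, threshold),
           heuristic_sled_detect(buf, n, threshold));

    n = build_alnum_sled(buf, 48);
    printf("alnum sled   : naive=%d heuristic=%d  (starts \"%.15s\")\n",
           naive_nop_sled_detect(buf, n, threshold),
           heuristic_sled_detect(buf, n, threshold), (const char *)buf);

    n = strlen(text);
    printf("plain request: naive=%d heuristic=%d\n",
           naive_nop_sled_detect((const uint8_t *)text, n, threshold),
           heuristic_sled_detect((const uint8_t *)text, n, threshold));
    return 0;
}
```

The alphanumeric sled sails past the 0x90 signature. The broader heuristic catches it, but only by also flagging any legitimate payload with a long run of the letters 'A' to 'O', and an attacker can pick a different instruction set again; that is the arms race the paragraph above describes.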

History of exploitation

Buffer overflows were understood as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine." (Page 61)[33] Today, the monitor would be referred to as the kernel.

The spread of personal computers in the 1980s increased the number of people who were aware of the technique. On the Commodore PET for instance it was a common practice to employ a rarely-used second tape buffer to store assembly language routines. Some programmers, to save a few bytes of space on a machine with a maximum of 32K RAM, avoided use of the tedious BASIC "POKE" statement by changing the print buffer start to the tape buffer to print the 6502 assembly language code (as strange looking characters) directly to the desired location. Since the actual print buffer was longer than the tape buffer, the BASIC string could easily overrun byte 1024 and interfere with the Microsoft BASIC interpreter on the PET. The bare-bones boot image loaders of the early personal computers, including the early Mac, Commodore, Atari and all Microsoft operating systems up to Windows 95 and 98, had inadequate buffer protections and so many programmers became aware of buffer overflows.

The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a Unix service called finger.[34] Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list.[35] A year later, in 1996, Elias Levy (aka Aleph One) published in Phrack magazine the paper "Smashing the Stack for Fun and Profit",[36] a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.

Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the Code Red worm exploited a buffer overflow in Microsoft's Internet Information Services (IIS) 5.0[37] and in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000.[38]

In 2003, buffer overflows present in licensed Xbox games were exploited to allow unlicensed software, including homebrew games, to run on the console without the hardware modifications known as modchips.[39] The PS2 Independence Exploit also used a buffer overflow to achieve the same on the PlayStation 2. The Twilight Hack accomplished the same on the Wii, using a buffer overflow in The Legend of Zelda: Twilight Princess.