Preventing Buffer Overflow Exploits Using the Linux Distributed Security Module, Part 1
Internet servers (such as Web, email, and FTP servers) have been the target of many kinds of attacks aimed at preventing them from serving their users. One particular exploit, which has become almost ubiquitous in the last several years, is the buffer overflow exploit. Although writing such an exploit requires arcane and detailed knowledge of assembly language and, in some cases, of operating system interface details, once someone has coded an exploit and published it, anyone can use it. A successful exploit typically yields an interactive command shell on UNIX and Linux systems, or the ability to upload and execute arbitrary programs on Windows systems.
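To make the mechanism behind a stack-based buffer overflow concrete before the detailed examples that follow, here is an added illustration written for this edit; it is not code from the article or from the DSI project. It models a stack frame as a C struct so that the overwrite is deterministic and can be observed without crashing: the buffer size (16 bytes), the pretend return address ORIGINAL_RET (0x401000), the marker bytes 0x42 that stand in for an attacker-chosen address, and the function names are all assumptions made for the example. The vulnerable copy is placed beside a bounded one that rejects oversized input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame on a 64-bit machine: a fixed-size local
 * buffer immediately followed by the saved return address. Real frames may
 * hold padding, canaries or other locals, but this ordering is what a classic
 * stack-smashing exploit relies on: writing past the buffer reaches the
 * address the function will return to. */
struct frame {
    char buf[16];
    uint64_t saved_ret;   /* stands in for the return address pushed by CALL */
};

#define ORIGINAL_RET 0x401000ULL   /* hypothetical legitimate return address */

/* Vulnerable pattern: copies len bytes of src into the 16-byte buffer with no
 * check against sizeof f.buf, the same mistake strcpy()/gets()-based code
 * makes. The copy goes through a pointer to the whole struct so the model
 * stays inside its own storage (and under _FORTIFY_SOURCE); on a real stack
 * nothing stops the write. Returns the saved return address after the copy so
 * the effect can be observed. */
uint64_t vulnerable_copy(const unsigned char *src, size_t len)
{
    struct frame f;
    unsigned char *base = (unsigned char *)&f;

    f.saved_ret = ORIGINAL_RET;
    if (len > sizeof f)          /* keeps the model itself well-defined */
        len = sizeof f;
    memcpy(base + offsetof(struct frame, buf), src, len);
    return f.saved_ret;
}

/* Hardened version: refuses anything that does not fit, leaving room for the
 * terminating NUL. Returns 0 on success and -1 if the input was rejected;
 * *saved_ret_out receives the saved return address after the call. */
int bounded_copy(const unsigned char *src, size_t len, uint64_t *saved_ret_out)
{
    struct frame f;

    f.saved_ret = ORIGINAL_RET;
    if (len >= sizeof f.buf) {
        *saved_ret_out = f.saved_ret;
        return -1;
    }
    memcpy(f.buf, src, len);
    f.buf[len] = '\0';
    *saved_ret_out = f.saved_ret;
    return 0;
}

/* Builds the classic payload: filler up to the saved return address, then the
 * 8 bytes the attacker wants control transferred to (here 0x42 repeated, a
 * constructed marker rather than a real shellcode address). Returns the
 * payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t outlen)
{
    const size_t total = offsetof(struct frame, saved_ret) + sizeof(uint64_t);
    if (outlen < total)
        return 0;
    memset(out, 'A', offsetof(struct frame, saved_ret));
    memset(out + offsetof(struct frame, saved_ret), 'B', sizeof(uint64_t));
    return total;
}

/* Runs the constructed payload against the vulnerable copy and returns the
 * saved return address it leaves behind (0x4242424242424242 if the
 * overwrite reached it). */
uint64_t run_attack(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return vulnerable_copy(payload, n);
}

/* Runs the same payload against the bounded copy. Returns 1 if the input was
 * rejected and the saved return address is untouched, 0 otherwise. */
int hardened_check(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    uint64_t ret;
    int rc = bounded_copy(payload, n, &ret);
    return rc == -1 && ret == ORIGINAL_RET;
}

int main(void)
{
    printf("vulnerable: saved return address after copy = 0x%llx\n",
           (unsigned long long)run_attack());
    printf("bounded:    input rejected and return address intact = %d\n",
           hardened_check());
    return 0;
}
```

The model shows the essential step of a stack-smashing exploit: the attacker controls the bytes that land on the saved return address, so when the function returns, execution continues wherever those bytes point. In a real exploit the marker would be the address of injected shellcode, which is what produces the command shell described above.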
To answer the need for advanced security features on Linux servers, the Open Systems Lab at the Ericsson Research Corporate Unit in Montreal, Canada, started the Distributed Security Infrastructure project (DSI) to design and develop a secure infrastructure that provides advanced security mechanisms for telecom applications running on carrier grade Linux servers. One of the goals of DSI is to prevent attacks originating from the Internet and intranets, including buffer overflow exploits, denial of service attacks, and other types of attacks and exploits.
In Part 1 of this article, we describe the buffer overflow exploit and provide detailed examples to help understand it. In Part 2, we discuss the available solutions for preventing such exploits and look in detail at our own solution, DSM, developed as part of the DSI project. Please note that the examples we provide are for illustration only; we are not by any means publicizing how to exploit systems. Rather, we use very simple examples to better understand the nature of these exploits and how to prevent them.