Chips to ease Microsoft's big security nightmare (buffer overflow problem)
New Scientist | 10:00 22 February 04 | Anil Ananthaswamy
Posted on 02/23/2004 12:04:37 PM PST by Ernest_at_the_Beach
Chip makers are planning a new generation of microprocessors that should plug the gaps that led Microsoft to issue a "critical security alert" last week. The alert was sparked by the discovery that a raft of Microsoft programs were vulnerable to a problem called "buffer overflow", which hackers can exploit to extract private information from a PC. And the risk of such attacks only worsened when, two days after the alert was issued, critical Windows "source code" was leaked on to the internet, letting hackers see how it works.

A buffer is a section of computer memory that can store a set amount of data. Sometimes, usually because of a software bug, the processor sends more data to the buffer than it can hold, causing it to overflow into the next chunk of buffer memory. This makes computers vulnerable to hackers, because by deliberately making a buffer overflow they can force the computer to execute their malicious code.
[Graphic: How hackers exploit buffer overflow]
The problem is hard to detect, as popular programming languages like C and C++ do not make it easy to track when programs are vulnerable to overflow. But now chip makers Advanced Micro Devices (AMD) and Intel are developing processor chips that will deal with the problem. AMD's Athlon-64 (for PCs) and Opteron (for servers) will protect against buffer overflows when used with a new version of Windows XP. Intel plans similar features on next generation Pentium chips.
Malicious instructions
Until now, Intel-compatible processors have not been able to distinguish between sections of memory that contain data and those that contain program instructions. This has allowed hackers to insert malicious program instructions in sections of memory that are supposed to contain data only, and use buffer overflow to overwrite the "pointer" data that tells the processor which instruction to execute next. Hackers use this to force the computer to start executing their own code (see graphic). The new AMD chips prevent this. They separate memory into instruction-only and data-only sections. If hackers attempt to execute code from the data section of memory, they will fail. Windows will then detect the attempt and close the application. "Buffer overflows are the largest class of software vulnerabilities that lead to security flaws," says Crispin Cowan, of computer security company Immunix in Portland, Oregon.
Buffer overflow was behind the devastating Slammer and Blaster worm attacks on Windows PCs in 2003, and the Slapper worm used it to infect thousands of Linux-based web servers in 2002.
Full remote access
The buffer overflow problem that triggered last week's alert was discovered by engineers at eEye Digital Security in Aliso Viejo, California. It appears in a commonly used component of 20 Microsoft packages, including the Outlook emailer. "It's a most critical vulnerability," says Firas Raouf of eEye. Hackers could exploit the flaw to write email worms that could give them full remote access to a PC. This could happen without the user of the target PC opening an attachment or reading the email that carried it. The new chips will block this kind of attack. But Cowan believes hackers will find other ways to insert malicious code: for example, by making a program jump to a subsection of its own code at the wrong time, perhaps to open a data port to a hacker. "There's nothing to prevent that kind of attack," Cowan says.
Anil Ananthaswamy
TOPICS: Business/Economy; Extended News; News/Current Events; Technical
KEYWORDS: computing; security; techindex; worms
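The defect the article describes, shown in working C as an added example that is not part of the article or the thread: an unchecked copy that trusts the caller's length beside a bounded copy that refuses oversize input. A sentinel value stands in for the control data that sits right after the buffer (on a real stack, the saved return address), and all names here (`struct frame`, `copy_unchecked`, `copy_checked`, `demo`) are mine.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not from the article. One array stands in for a fixed-size
 * buffer and the memory right after it (on a real stack, the saved return
 * address); keeping both in one array keeps every write well-defined. */
#define BUF_SIZE 16
#define SENTINEL 0x4141414141414141ULL   /* constructed marker for the region after buf */
struct frame { unsigned char mem[BUF_SIZE + 8]; };  /* [0,16) buf, [16,24) next */

static void frame_init(struct frame *f) {
    uint64_t s = SENTINEL;
    memset(f->mem, 0, BUF_SIZE);
    memcpy(f->mem + BUF_SIZE, &s, sizeof s);
}

/* 1 if the region after the buffer still holds the sentinel, else 0. */
int next_intact(const struct frame *f) {
    uint64_t s;
    memcpy(&s, f->mem + BUF_SIZE, sizeof s);
    return s == SENTINEL;
}

/* Unsafe: trusts the caller's length, the bug class the article describes;
 * bytes beyond BUF_SIZE spill into the adjacent region. */
void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof f->mem) len = sizeof f->mem;   /* keep the demo inside mem */
    memcpy(f->mem, in, len);
}

/* Hardened: refuses input that does not fit. Returns 0 on success, -1 when
 * the input was rejected and nothing was written. */
int copy_checked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->mem, in, len);
    return 0;
}

/* Feeds a 24-byte input to both copies; returns 1 when the unchecked copy
 * clobbered the adjacent region and the checked copy refused it. */
int demo(void) {
    unsigned char input[24];                          /* constructed oversize input */
    struct frame a, b;
    memset(input, 'x', sizeof input);
    frame_init(&a);
    frame_init(&b);
    copy_unchecked(&a, input, sizeof input);
    int rc = copy_checked(&b, input, sizeof input);
    return !next_intact(&a) && rc == -1 && next_intact(&b);
}
```

The NX-style split the article describes would only stop the clobbered control data from being used to run bytes placed in the buffer; the length check in `copy_checked` is what removes the overflow itself.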
I thought the AMD64 had the hardware enabling instructions in already.
To: *tech_index; ChadGore; RadioAstronomer; Paleo Conservative
fyi
2 | posted on 02/23/2004 12:05:58 PM PST by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
To: LibWhacker; patriot5186; Cboldt; billorites; Final Authority
Anyone know more technical detail?
3 | posted on 02/23/2004 12:09:36 PM PST by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
To: Ernest_at_the_Beach
Absurd. We're going to fix software problems in hardware?
If they wanted to, they could deal with such things in the kernel.
4 | posted on 02/23/2004 12:09:36 PM PST by B Knotts (Deport Arnold!)
To: Ernest_at_the_Beach
"The new AMD chips prevent this. They separate memory into instruction-only and data-only sections."
This was known as "Harvard Architecture" back in the 1940s.
5 | posted on 02/23/2004 12:10:17 PM PST by HAL9000
To: HAL9000
That was before my time!
6 | posted on 02/23/2004 12:15:45 PM PST by Ernest_at_the_Beach (The terrorists and their supporters declared war on the United States - and war is what they got!!!!)
To: HAL9000
"This was known as "Harvard Architecture" back in the 1940s."
Been around a long, long time. As with most Wintel 'discoveries' this is trotted out as new. The MMU usually takes care of this automatically in real computers. Sun SPARCs have had it for some time. It is part of the SPARC architecture specs.
7 | posted on 02/23/2004 12:21:06 PM PST by snooker
To: Ernest_at_the_Beach
Fascinating, thanks for the ping. Nope, this is the first I've heard of this.
To: Ernest_at_the_Beach
"That was before my time!"
Mine too.
Harvard Architecture could help the buffer overflow problem - but only if the equipment manufacturers and software engineers design their products to support it. It would probably break a lot of existing software that loads code into data space.
9 | posted on 02/23/2004 12:22:16 PM PST by HAL9000
To: snooker
"Sun SPARCs have had it for some time. It is part of the SPARC architecture specs."
Harvard Architecture has been available for PowerPC chips too, but the motherboard designers usually combine the program and data paths into a conventional von Neumann architecture.
10 | posted on 02/23/2004 12:27:19 PM PST by HAL9000
To: Ernest_at_the_Beach
Well, I guess this is the only way to fix shoddy Microsoft programming practices. I'm sure the folks at Microsoft will find a way around it though. Windows just wouldn't be Windows without worms, viruses, and security holes.
11 | posted on 02/23/2004 12:30:38 PM PST by zeugma (The Great Experiment is over.)
To: Ernest_at_the_Beach
Thanks for the ping. Others on this thread are educating me on this one! I never heard of "Harvard architecture."
I'm not sure that said architecture prevents attacks, but agree that buffer overflow is a common avenue to r00t machines.
12 | posted on 02/23/2004 12:31:57 PM PST by Cboldt
To: zeugma
"Well, I guess this is the only way to fix shoddy microsoft programming practices. I'm sure the folks at microsoft will find a way around it though. Windows just wouldn't be windows without worms, viruses, and security holes."
I had a Linux machine compromised by a buffer overflow exploit. This isn't just a MS issue.
13 | posted on 02/23/2004 12:33:24 PM PST by Cboldt
To: HAL9000
Not a machine code level guy, but I would think this would affect code that passed around function pointers and callbacks in C++, but probably not their replacement "delegates" in .NET.
14 | posted on 02/23/2004 12:34:34 PM PST by MrB
To: snooker
Modern processors with internal cache memory do use a 'Harvard Architecture' internally. The first level cache is separated into an instruction cache and a data cache, which are physically separate entities, and some processors these days also have a larger level 2 "unified" cache that contains both instructions and data. This is the standard way of designing processors, and Intel does the same thing.
In fact, one of the quirks of the Intel Architecture is that it has always used a "segmented" memory space with explicit data and code regions, specified by internal registers. It's just that Intel processors never had any hardware checks to see if the code and data segments overlapped. From the article, it appears that Intel may now be implementing such checks in hardware. That's the only real change.
15 | posted on 02/23/2004 12:36:34 PM PST by EvilOverlord (America....a shining city on a hill...freedom burning bright)
To: Ernest_at_the_Beach
Dang! No more self-modifying code? What's an assembly hacker to do? *\;-)
16 | posted on 02/23/2004 12:37:15 PM PST by Eala (Sacrificing tagline fame for... TRAD ANGLICAN RESOURCE PAGE: http://eala.freeservers.com/anglican)
To: Cboldt
Of course it is not a microsoft only problem. The issue though is that it sure seems to be a heck of a lot more prevalent in the windows world.
17 | posted on 02/23/2004 12:45:17 PM PST by zeugma (The Great Experiment is over.)
To: zeugma
"... The issue though is that it sure seems to be a heck of a lot more prevalent in the windows world."
No disagreement with me on that front.
18 | posted on 02/23/2004 12:53:18 PM PST by Cboldt
To: MrB
A common "feature" in operating systems that support shared libraries is to load them dynamically at run time. Windows, HP-UX and Solaris have support libraries explicitly provided for this functionality. Software houses use this capability to sell "enhancements" to their products. You buy the "basic" application and install it on your computer. At startup time, the application scans the shared library directory to look for files and calling signatures that match the "feature" stubs in the basic product. The search comes up "empty" until you purchase the add-on shared libraries.
Any application built to support a dynamically-loaded library is subject to having a "trojan" shared library placed on the disk as a replacement for the valid copy from the manufacturer. Trojan DLLs are a common "hack" of Windows system files.
The ability to split instruction/data addresses has been supported in UNIX compilers from the beginning. They also supported mixed instruction/data for compactness. A hardware enforced split of instruction/data memory addresses is going to break lots of mixed mode applications.
At the machine code level, a compiler generated "function" call usually consists of pushing the arguments onto the "stack", then executing a subroutine call using an absolute or relative address. The CPU computes and saves the next address following the "call" and places that back into the program counter when the called function executes a "return from subroutine" instruction. A "return" value is often pushed on the stack before the "return from subroutine call".
I think function pointers will still work, but you won't be allowed to change them dynamically at run time i.e. writes to the instruction memory address space would be disallowed and fetching of "instructions" from data addresses would be disallowed. Putting "return" addresses on the "stack" would also be disallowed. A return address on the stack is the mechanism most frequently exploited by the buffer overrun hacks.
19 | posted on 02/23/2004 1:18:20 PM PST by Myrddin
To: Ernest_at_the_Beach

IMHO, any properly QC'ed code would not have this problem. MSFT has been throwing slop at the marketplace for years and they've finally been caught.
I know sys managers who spend countless hours patching their systems because of MSFT's horrible coding practices will really appreciate this :)
20 | posted on 02/23/2004 1:45:35 PM PST by upchuck (Ta-ray-za now gets to execute her "maiming of choice." I'm hoping for eye gouging, how 'bout you?)