08:45 01.11.2005 | Security
Test Run: Determina's Vulnerability Protection Suite 3.0
Until now, Determina's memory firewall has automatically stopped stack- and heap-based buffer overruns by monitoring applications' runtime memory and disallowing execution paths outside the programs' normal bounds. But that's not enough to protect against conditions that don't violate the apps' normal runtime execution. In Vulnerability Protection Suite (VPS) 3.0, Determina adds support for Windows NT, as well as a Liveshield module that protects against nonmemory attacks and a custom applications module that lets you protect new application executables.
Determina describes Liveshield Sentries as runtime patches that modify executables as they're executed, replacing vulnerable code with fixed code. Sentries aren't patch replacements, but temporary fixes that resolve vulnerabilities quickly so you have time to thoroughly test vendor-supplied patches and service packs.
Unlike the memory firewall, Liveshield Sentries must be updated to patch new vulnerabilities. The management server checks for Sentry updates automatically; administrators then enable the updates and push them to servers. Determina aims to have new Liveshield signatures available within 24 to 48 hours after the release of the vendor patch or service pack. The company's engineers develop Liveshield Sentries by analyzing the changes vendor patches make to the runtime application image and then generating the byte code replacement.
Highlights
- Low-overhead protection for software vulnerabilities
- Extends protection at runtime to nonmemory vulnerabilities
- Custom applications can be added as needed
Determina Vulnerability Protection Suite 3.0 starts at $750 per server. Determina, (650) 637-5500.
Determining Validity
In our Secure Enterprise Real-World Labs®, I deployed the Determina Management Console on a Windows XP computer, and the VPS Suite (including Liveshield) on Windows 2000 Server Service Pack 0 and Service Pack 4 computers.
Before testing the VPS, I exploited our servers: against the W2K Server SP4 host I used the remote LSASS buffer overflow (CAN-2003-0533) and UMPNPMGR (CAN-2005-1983) exploits. On the W2K Server SP0 host, I exploited two nonmemory vulnerabilities, the IIS directory traversal (MS00-078) and the IIS double-decode directory traversal (MS01-026). The latter two are program logic flaws in how vulnerable IIS servers handle Unicode-encoded URLs. I used Core Security Impact 5.0 to execute the attacks against the targets.
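The two IIS logic flaws named above come down to when a traversal check runs relative to the server's URL decoding. The following example is added here and is not the review's or Determina's code: a filter that decodes once misses the overlong-UTF-8 and double-encoded forms, while a filter that canonicalizes to a fixed point catches them. The request strings are constructed for the demonstration, not captured traffic.

```python
"""Added example: why the IIS traversal classes the review names (Unicode
MS00-078, double decode MS01-026) evade a check that inspects the URL
before the server has finished decoding it."""
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not captured traffic):
#   plain    - ordinary encoded backslash traversal, caught by any decoder
#   overlong - %c0%af is an overlong UTF-8 form of '/' (the MS00-078 class)
#   double   - %255c decodes to %5c; only a second pass yields '\' (MS01-026)
SAMPLES = {
    "plain":    b"/scripts/..%5c..%5cwinnt/system32/cmd.exe",
    "overlong": b"/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",
    "double":   b"/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "clean":    b"/scripts/index.asp?id=1%20OR%201",
}

def has_dotdot_segment(path: bytes) -> bool:
    """True when a fully decoded path contains a '..' segment."""
    return b".." in path.replace(b"\\", b"/").split(b"/")

def single_decode_check(url: bytes) -> bool:
    """Flawed filter: decode once, test, then hand the URL to a server that
    decodes again. '..%255c' becomes '..%5c', which has no '..' segment yet,
    so the filter passes it; the server's second decode turns it into '..\\'."""
    return has_dotdot_segment(unquote_to_bytes(url))

def canonical_check(url: bytes) -> bool:
    """Hardened filter: decode to a fixed point (bounded), reject malformed
    UTF-8 (0xC0/0xC1 lead bytes are always overlong encodings), then test the
    exact path the server would act on."""
    current = url
    for _ in range(4):                      # bounded: refuse endless nesting
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    else:
        return True                         # still changing after 4 rounds
    if b"\xc0" in current or b"\xc1" in current:
        return True                         # overlong UTF-8, never legitimate
    return has_dotdot_segment(current)

def verdicts(check) -> dict:
    """Run one filter over every sample; True means 'blocked'."""
    return {name: check(url) for name, url in SAMPLES.items()}
```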
Liveshield
After installing the VPS agent, I rebooted the targets and reran the attacks. Liveshield blocked the server-side attacks.
With the Liveshield Sentries disabled, the memory firewall still blocked the stack and heap overflows. However, the two Unicode attacks succeeded, as expected, because they exploit a flaw in program logic rather than a memory error.
When a protected application starts up, VPS checks the program code for the vulnerabilities its Liveshield Sentries cover and injects the Sentry code into the process memory. During testing, exploits against already-patched services didn't cause Liveshield events to be logged, since the vulnerable code was no longer present in the software.
Custom Applications
To test whether VPS lets users add memory firewall protection for apps Determina hasn't predefined, I installed an old version of Alt-N MDaemon (6.8.2), which contained a remotely exploitable vulnerability, and tested it with Core Impact. Next, I created a custom application in Determina's management console.
I first put the application profile into staging mode, which removes all protection and alerts on incompatibilities between the app and VPS; in the event of a conflict, VPS would remove itself from the application. There were 21 violations. Next, I installed Apache 2.0.53 and added it as a custom application. The initial install didn't require a server restart: with VPS already installed, restarting the individual service sufficed, and I was fully protected after restarting the Apache service.
Mike Fratto, Editor
www.securitypipeline.com/
