Information Security Magazine
Product review: Seven integrated endpoint security products
by Ed Skoudis & Matt Carpenter
Issue: Nov 2007

EXPLOIT PROTECTION
Every vendor in our analysis claims to protect systems against exploitation using some form of HIPS technology. Different vendors use this term for a variety of disparate technical defenses (see "HIPS Hydra," below). Regardless of approach, we wanted to see how each vendor would fare against exploitation attempts in a series of three tests. We disabled each product's firewall component to focus the test exclusively on HIPS functionality.

ENDPOINTS | Exploit Protection

The good news
Overall, eEye performed best in detecting exploits.

The bad news
CA fared poorly in detecting and blocking client and services exploits.
First, we attempted to exploit client-side software running on the protected hosts, trying to attack Internet Explorer via the IE CreateObject vulnerability (MS06-014) and the VML flaw (MS06-055). We also tried to exploit the Firefox browser using the Mozilla_CompareTo vulnerability.


HIPS HYDRA
Host-based intrusion prevention system (HIPS) functionality means many different things to the vendors that include such capabilities in their endpoint security suites. The goal, of course, is to prevent the end system from being compromised by an attacker, but the technological approach of the vendors implementing HIPS varies widely. We interviewed each vendor, asking them to describe their technical approach to blocking exploitation attempts. We wanted to focus specifically on defenses against buffer overflow and related code execution exploits. Based on our interviews, we identified seven essential forms of such exploit detection and prevention:
  • System call backtracing analyzes various system API calls to ensure the calling address exists in a known code segment.
  • Spawn blocking limits which programs can run new programs (for example, blocking a browser from running a new command shell process).
  • Behavior checking monitors system calls for combinations that historically have indicated that an attack is under way.
  • DLL loading checking looks for unusual or unexpected DLLs being loaded into running applications on the machine.
  • Call verification ensures the return address for the current function is immediately preceded by a call instruction.
  • SEH validation protects against exploits that overwrite exception handlers by validating the Structured Exception Handler chain.
  • Network-based IPS monitors network traffic for known vulnerabilities and exploits.
CA implements spawn blocking, DLL loading checks and network-based IPS. eEye relies on system call backtracing, call verification and network-based IPS. IBM ISS uses system call backtracing and network-based IPS. McAfee has created a patented "generic buffer overflow protection," although it declined to share details with us before press time, as well as network-based IPS. Sophos uses system call backtracing. Symantec implements behavior checking and network-based IPS. Trend Micro focuses exclusively on network-based IPS.

--Ed Skoudis & Matt Carpenter
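As an added illustration of the "call verification" heuristic listed in the HIPS Hydra sidebar (example code written for this page, not any vendor's implementation): given a return address into a buffer of x86 machine code, the check decides whether the bytes immediately before that address encode a CALL instruction, which is what a legitimate return address should follow. The sample buffers are constructed, and far calls (9A) and 16-bit operand forms are assumed out of scope.

```c
#include <stddef.h>
#include <stdint.h>

/* Length of the x86 CALL instruction starting at p (0 if p is not a CALL).
 * Handles CALL rel32 (E8) and CALL r/m (FF /2) with an optional REX prefix;
 * far calls (9A) and 16-bit operand forms are deliberately out of scope. */
static size_t call_insn_len(const uint8_t *p, size_t avail)
{
    size_t i = 0;
    if (avail >= 1 && (p[0] & 0xF0) == 0x40) i = 1;   /* REX prefix (x86-64) */
    if (i + 1 > avail) return 0;
    if (p[i] == 0xE8) return i + 5;                    /* CALL rel32 */
    if (p[i] != 0xFF || i + 2 > avail) return 0;
    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2) return 0;             /* reg field must be /2 (CALL) */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;
    if (mod == 3) return len;                          /* CALL reg */
    if (rm == 4) {                                     /* SIB byte follows the ModRM */
        if (len >= avail) return 0;
        if (mod == 0 && (p[len] & 7) == 5) len += 4;   /* SIB with no base: disp32 */
        len++;
    } else if (mod == 0 && rm == 5) {
        len += 4;                                      /* [disp32] / RIP-relative */
    }
    if (mod == 1) len += 1;                            /* disp8 */
    else if (mod == 2) len += 4;                       /* disp32 */
    return len;
}

/* Call verification: is code[ret_off] (a return address) the first byte after
 * a CALL? Every possible CALL length ending exactly there is tried. */
int preceded_by_call(const uint8_t *code, size_t ret_off)
{
    for (size_t n = 2; n <= 8; n++)
        if (ret_off >= n && call_insn_len(code + ret_off - n, n) == n)
            return 1;
    return 0;
}

/* Constructed sample "code" buffers (not captured from any real binary). */
const uint8_t code_rel32[]   = {0x48,0x83,0xEC,0x28, 0xE8,0x10,0,0,0, 0x48,0x83,0xC4,0x28};
const uint8_t code_ripcall[] = {0x90, 0xFF,0x15,0x20,0,0,0, 0x90};  /* CALL [rip+0x20] */
const uint8_t code_regcall[] = {0x41,0xFF,0xD3, 0xC3};              /* CALL r11; RET */
const uint8_t code_push[]    = {0x90, 0xFF,0x30, 0x90};             /* FF /6 = PUSH, not CALL */
const uint8_t code_nops[]    = {0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90};

int main(void)
{
    /* Return address after the CALL rel32 passes; one inside a NOP run fails. */
    return (preceded_by_call(code_rel32, 9) && !preceded_by_call(code_nops, 4)) ? 0 : 1;
}
```

In a product, the same decision is made against the live stack at the moment a monitored API is called; a return address whose preceding bytes are not a CALL is the condition a HIPS flags.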