July 29, 2011
Understanding how a vulnerability is exploited is important both for the product security team and for the research teams that author signatures for network intrusion prevention/detection (NIS) devices.
The product security team needs to understand the vulnerable part of the code and provide an update, or patch, that fixes the vulnerability. To create a signature for an intrusion prevention/detection device, researchers must also understand the vulnerability and then derive the conditions under which it can be exploited. Once deployed, the signature protects the vulnerable application from being exploited over the network. To develop a signature for traditional types of vulnerabilities such as buffer overflows, format string vulnerabilities and integer overflows, we refer to the vulnerable code itself. Once the vulnerable portion of the code has been identified, it is used to determine the conditions that lead to exploitation, and a signature is generated from those conditions.
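As an added worked example (not code from the original post), the following Python sketch walks through the traditional workflow for a hypothetical length-prefixed protocol: the vulnerable handler is reproduced as a comment, the exploitation condition is derived from it, and a signature function tests that condition on raw packets. The protocol layout, the buffer size, the message type and all function names are assumptions made for illustration; the sample packets are constructed inline.

```python
import struct

# Hypothetical wire format: 1-byte message type, 2-byte big-endian length,
# then a variable-length "name" field. Hypothetical vulnerable server code
# (C), reproduced here only as a comment for reference:
#
#     char name[64];
#     uint16_t len = ntohs(*(uint16_t *)(pkt + 1));
#     memcpy(name, pkt + 3, len);   /* no check that len <= sizeof(name) */
#
# Exploitation condition derived from it: message type 0x01 with a declared
# length greater than 64. That condition is what the signature encodes.

NAME_BUF_SIZE = 64          # assumed sizeof(name) in the vulnerable code
MSG_TYPE_SET_NAME = 0x01    # assumed type that reaches the memcpy
HEADER_FMT = "!BH"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_header(packet: bytes):
    """Decode the header the same way the vulnerable code does.

    Returns (msg_type, declared_length), or None when the packet is too
    short to even carry a header (the server would not reach the memcpy).
    """
    if len(packet) < HEADER_LEN:
        return None
    return struct.unpack(HEADER_FMT, packet[:HEADER_LEN])


def signature_matches(packet: bytes) -> bool:
    """Return True when the packet satisfies the exploitation condition.

    The check keys on the declared length field, not on how many bytes
    actually follow it, because memcpy in the vulnerable code trusts the
    field: a truncated packet with an oversized length still triggers the
    overflow and must still be detected.
    """
    header = parse_header(packet)
    if header is None:
        return False
    msg_type, declared_length = header
    return msg_type == MSG_TYPE_SET_NAME and declared_length > NAME_BUF_SIZE


def patched_handler_accepts(packet: bytes) -> bool:
    """Mirror of the product-security fix: the patched handler rejects
    exactly the packets the signature flags, so the two checks agree."""
    header = parse_header(packet)
    if header is None:
        return False
    msg_type, declared_length = header
    if msg_type == MSG_TYPE_SET_NAME and declared_length > NAME_BUF_SIZE:
        return False
    return True


def build_message(msg_type: int, name: bytes) -> bytes:
    """Construct a well-formed packet whose length field matches the payload."""
    return struct.pack(HEADER_FMT, msg_type, len(name)) + name


def scan(packets):
    """Apply the signature to a list of packets; return indices that match."""
    return [i for i, p in enumerate(packets) if signature_matches(p)]


if __name__ == "__main__":
    # Constructed sample traffic: benign, boundary, oversized, wrong type.
    sample = [
        build_message(MSG_TYPE_SET_NAME, b"alice"),
        build_message(MSG_TYPE_SET_NAME, b"A" * 64),
        build_message(MSG_TYPE_SET_NAME, b"A" * 65),
        build_message(0x02, b"A" * 200),
    ]
    print("matching packet indices:", scan(sample))
```

The boundary case matters when deriving the condition: a 64-byte name fills `name[64]` exactly without overflowing, so the signature uses a strict `>` rather than `>=`; a looser condition would produce false positives on legitimate maximum-length traffic.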
Recently, however, we have observed a new type of exploitation technique that takes advantage of improper implementations of protocol specifications. This type of exploitation requires a different kind of vulnerability analysis to author a NIS signature, and fuzzing tools will also have to be redesigned to find, and so prevent, exploitation that arises from improper implementation of protocol specifications. Because of space limitations, we do not discuss here how to analyze these kinds of exploits or the changes fuzzing tools require. Interested readers are encouraged to refer to our recently published article in the August 2011 issue of Virus Bulletin, which provides further details on how to analyze these kinds of vulnerabilities to author a NIS signature and on the changes fuzzing tools will need. We have been actively monitoring this kind of exploitation and are working on detecting such techniques.