Re: Algorithmic Bugs

[Randy Smith <smithr () cs wisc edu>]

For an (un)limited-time only, the presentation slides are now available 
online.  Get them at 
http://www.cs.wisc.edu/~smithr/pubs/randy_smith_acsac2006.zip.

Cheers,
Randy Smith



Dave Aitel wrote:
> Best paper at a conference I went to recently here in Miami Beach.
>
>
> http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
>
> Summery:
> You can send a remarkably small stream of data at a NIDS and cause it
> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
> of data. This is basically undetectable (i.e. does not crash snort).
> Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
> million to 1 expansion if you do it right (from what I read - I
> haven't tested this out yet - but it would make a great CANVAS module!)
>
> The presentation is clearer than the paper. I hope they put it online.
>
> Similar bugs exist in major commercial Python exploitation frameworks
> (i.e. you can tartrap CANVAS if you do it right). The more high level
> the language, the easier it is to get caught by something like this.
>
> - -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave