Firewall Wizards mailing list archives

Re: Buffer Overruns


From: "Epstein, Jeremy" <Jeremy_Epstein () NAI com>
Date: Mon, 20 Dec 1999 08:09:49 -0800

The answers to this question have been interesting, because those writing
responses have interpreted the original question in two different ways.  The
first interpretation is "are vulnerabilities in hosts behind the firewall
protected by the firewall itself".  The second interpretation is "are
firewalls *themselves* vulnerable to buffer overrun attacks".

The answer to the first question is "it depends", and the answer to the
second question is "it depends".

Firewalls may protect against some attacks against the hosts behind them,
not just for buffer overruns but for other attacks too.  For example, a
firewall might filter out DEBUG messages sent to sendmail, just in case
anyone is still running a ten-year-old version of sendmail!  Or a firewall
could filter out URLs longer than the maximum allowed, to prevent a buffer
overrun attack against web servers.  I know that some firewalls protect
against some of these attacks, but I wouldn't rely on a firewall to prevent
all of these attacks.  Joe Yao, Crispin Cowan, and Steve Bellovin explained
the issues in this area nicely.  In particular, Crispin's StackGuard would
be a good solution to this problem.

With respect to the second question, firewalls may be as vulnerable as other
hosts.  As Marcus points out, "buffer overruns in proxy firewalls can be
pretty lethal".  We recently used software wrappers to constrain the
behavior of application proxies on Gauntlet; the result was that buffer
overrun attacks were more limited.  (I won't say they were impossible; I
know better than that :-)  I have a paper in preparation on this topic...

So.... which question was being asked?  The answer is still "it depends",
but the factors are different :-)

--Jeremy Epstein, NAI Labs
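
The two filtering checks mentioned in the message above (DEBUG sent to sendmail, URLs longer than the maximum allowed), as an added example that is not part of the original post or of any firewall product. The 2048-byte limit and all function names are assumptions; the input is inspected with length-bounded reads only, so the proxy check does not itself copy attacker data into a fixed buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_URL_LEN 2048  /* assumed policy limit; the post gives no number */
enum verdict { VERDICT_PASS, VERDICT_DROP };

/* SMTP: drop a command line whose verb is DEBUG (case-insensitive). */
enum verdict filter_smtp_line(const char *line, size_t len) {
    static const char verb[] = "DEBUG";
    const size_t n = sizeof verb - 1;
    if (len < n) return VERDICT_PASS;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)line[i]) != verb[i]) return VERDICT_PASS;
    /* The verb must end here, so "DEBUGGER" is not matched. */
    if (len == n || line[n] == ' ' || line[n] == '\r' || line[n] == '\n')
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* HTTP: "METHOD SP URL SP VERSION". The URL is measured in place with
 * length-bounded searches; nothing is copied into a fixed-size buffer. */
enum verdict filter_http_request_line(const char *line, size_t len) {
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL) return VERDICT_DROP;        /* malformed: no URL */
    const char *url = sp1 + 1;
    size_t rest = len - (size_t)(url - line);
    const char *sp2 = memchr(url, ' ', rest);
    size_t url_len = sp2 ? (size_t)(sp2 - url) : rest;
    if (url_len == 0 || url_len > MAX_URL_LEN) return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Constructed sample input: "GET /aaa... HTTP/1.0" with a URL of url_len bytes. */
enum verdict demo_http(size_t url_len) {
    static char buf[4 + 2 * MAX_URL_LEN + 9];
    if (url_len < 1 || url_len > 2 * MAX_URL_LEN) return VERDICT_DROP;
    memcpy(buf, "GET /", 5);
    memset(buf + 5, 'a', url_len - 1);
    memcpy(buf + 4 + url_len, " HTTP/1.0", 9);
    return filter_http_request_line(buf, 4 + url_len + 9);
}

int main(void) {
    printf("SMTP DEBUG -> %s\n", filter_smtp_line("DEBUG\r\n", 7) ? "drop" : "pass");
    printf("URL at limit -> %s\n", demo_http(MAX_URL_LEN) ? "drop" : "pass");
    printf("URL over limit -> %s\n", demo_http(MAX_URL_LEN + 1) ? "drop" : "pass");
    return 0;
}
```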


