Dailydave mailing list archives

RE: Understanding Windows Heap Overflows


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Sat, 8 Oct 2005 02:24:20 -0400

> There was an academic paper on a nop detection method
> called "STRIDE".

I assume you are referring to "Stride: Polymorphic Sled Detection
Through Instruction Sequence Analysis".

> Is this what commercial IDS's are implementing today or
> do they use something dumber?

CheckPoint has something called "Malicious Code Protector".
There isn't much info on it available, but they claim to file
patents on their techniques. From the sound of it, they try
to do more than just detect nop sleds.

From what I heard ISS might have some sort of shellcode checks as well,
but it's possible I misunderstood the ISS guy I talked to.

I don't think that either of them use STRIDE...

> Is there an open source version of STRIDE available for testing?

I don't think there's one. STRIDE is actually a part of the "EAR"
project these guys have. All they publicly disclose is a very
basic pseudo-code for STRIDE... 

Other than STRIDE, there's Fnord and "Abstract Payload Execution"...
which shouldn't be overlooked either.

> They claim very low
> false positives, but it seems like any email with a lot of A's should
> trigger it...

The tricky thing here is knowing how they actually use the STRIDE engine.
As the paper implies, the engine is fed data from particular protocol fields
(e.g., HTTP URI), so, in theory, if the protocol parser does a good job
there wouldn't be any false positives if you simply stuff the email body with
lots of A's. 

I've done some work in this area as well, but it's never been finished
due to other more immediate projects. It would be interesting to revisit 
the project if you're willing to use it in your tests.

Kyle
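The two points above (a sled has to execute cleanly from every offset, and the engine only sees the protocol fields the parser hands it) can be shown with a small STRIDE-style check. This is an added illustration written for this archive page, not code from the STRIDE/EAR project or from anyone in the thread: the opcode table is a constructed subset of one-byte-and-immediate x86 instructions, the field names (`http.uri`, `smtp.body`) and the sample traffic are made up, and a real engine would use a full disassembler.

```python
"""Simplified STRIDE-style sled check (added example; the opcode table is a
constructed subset, not the STRIDE/EAR project's decoder)."""

# Constructed subset of x86 opcodes mapped to their encoded length.  It is
# deliberately tiny, so it recognises fewer sleds and fewer benign byte runs
# than a full disassembler would.
INSN_LEN = {0x90: 1}                                  # nop
INSN_LEN.update({op: 1 for op in range(0x40, 0x60)})  # inc/dec/push/pop r32; 0x41 ('A') is inc ecx
INSN_LEN.update({op: 2 for op in range(0xB0, 0xB8)})  # mov r8, imm8
INSN_LEN.update({op: 5 for op in range(0xB8, 0xC0)})  # mov r32, imm32
INSN_LEN[0x6A] = 2                                    # push imm8
INSN_LEN[0x68] = 5                                    # push imm32


def reach_table(data: bytes) -> list:
    """reach[i] = position where straight-line execution starting at offset i
    stops: an unrecognised opcode stops at i itself, while a chain of valid
    instructions continues until it runs off the end of the buffer."""
    n = len(data)
    reach = [0] * (n + 1)
    reach[n] = n
    for i in range(n - 1, -1, -1):
        length = INSN_LEN.get(data[i])
        if length is None:
            reach[i] = i                # not executable from here
        elif i + length >= n:
            reach[i] = i + length       # still executing when the buffer ends
        else:
            reach[i] = reach[i + length]
    return reach


def find_sled(data: bytes, min_len: int) -> int:
    """Offset of the first min_len-byte window that executes cleanly from
    *every* one of its offsets (the property a sled needs, since the landing
    point inside it is not known in advance), or -1 if there is none."""
    reach = reach_table(data)
    for p in range(0, len(data) - min_len + 1):
        end = p + min_len
        if all(reach[i] >= end for i in range(p, end)):
            return p
    return -1


# The engine only sees the fields the protocol parser is configured to hand
# it; anything outside those fields is never examined.  Field names are
# constructed for this example.
SCANNED_FIELDS = ("http.uri",)


def scan(fields: dict, min_len: int = 32) -> dict:
    """Run the sled check over the configured fields only and report the
    sled offset (or -1) for each field that was actually scanned."""
    return {name: find_sled(fields[name], min_len)
            for name in SCANNED_FIELDS if name in fields}


if __name__ == "__main__":
    # Constructed sample traffic: an e-mail body stuffed with 'A's (each 0x41
    # decodes as inc ecx, so the raw check flags it) next to an HTTP URI that
    # carries a classic nop run followed by two int3 bytes.
    sample = {
        "smtp.body": b"A" * 200,
        "http.uri": b"/index.html?q=" + b"\x90" * 40 + b"\xcc\xcc",
    }
    print(find_sled(sample["smtp.body"], 32))   # raw check on the body: 0
    print(scan(sample))                          # {'http.uri': 14}
```

Run directly, the raw check does flag the run of A's at offset 0, which is the false positive the thread worries about; `scan()` never looks at `smtp.body`, so whether that run is ever seen depends entirely on which fields the parser feeds the engine, which is the point made above about the protocol parser.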
