Cisco Blogs



Exploring Heap-Based Buffer Overflows with the Application Verifier

Isolating the root cause of a heap-based buffer overflow can be tricky at best. Thankfully, Microsoft provides a great tool called the Application Verifier, which makes the process significantly gentler.

In this post, we will look at how to use the Application Verifier to pinpoint the source of a heap overflow in a binary. Because it is difficult to find a publicly available and easy-to-trigger heap overflow vulnerability in an application whose EULA does not prevent reverse engineering, I have created a small sample application that contains a heap overflow for this purpose.


Don’t blame the computer

“I’m sorry, Dave, I’m afraid I can’t do that.”

- HAL the computer from 2001: A Space Odyssey (1968)

Every day, essential business and physical functions are executed by software, without human oversight.  Many of these functions—automobile braking systems, automatic systems on commercial aircraft and commuter trains, medical equipment—function at speeds and levels of precision that cannot be matched by human beings.  Thankfully, the persistent fear that someone may eventually create software that is intelligent enough to defy us has not come to pass.  If anything, the opposite remains the more immediate concern:  as fallible humans, we continue to generate software riddled with problems, setting the stage for accidents waiting to happen. One such incident was recently made public.



Think Before Plugging In

Many popular software products have frameworks that allow users to extend and customize the application using plugins or add-ons. Examples include Firefox, WordPress and Google Chrome. In fact, even nerd software like irssi allows users to use plugins. Plugins help with productivity and make the software fun to use. However, plugins can also introduce risk to users. Sometimes, these issues are very overt. For example, malware was recently discovered in a Firefox add-on (I was impressed with how this was addressed though). Other times, the issues may be more subtle: perhaps the plugin could introduce a new vulnerability that, with a little research, could be exploited.


Malicious Advertising Threatens the Popular Ad-supported Business Model

Web 2.0 and social media are driven by user-generated content. In return for producing content, users want to receive information or experiences that encourage them to revisit a given site. In this cycle, sites can monetize the user experience by utilizing advertising to generate profits from users’ visits and eventual patronage from advertisers. By and large, users resist paying for contexts such as social networks where they post their own content, like pictures, status updates, or videos.

For this model to perpetuate, each participant must uphold their contribution: sites must generate an attractive experience, advertisers must present relevant content to user interests, and users must provide content or consume advertisements. If advertising is overrun by malicious code, users may be driven to abandon a site that is deemed dangerous, or take steps to block advertising. Many users adopting the same approach could hurt the existing business model, resulting in a financial risk to sites that are based on advertising revenue.
