[Dailydave] Algorithmic Bugs
Randy Smith
smithr at cs.wisc.edu
Wed Jan 10 15:18:31 EST 2007
For an (un)limited time only, the presentation slides are now available
online. Get them at
http://www.cs.wisc.edu/~smithr/pubs/randy_smith_acsac2006.zip.
Cheers,
Randy Smith
Dave Aitel wrote:
>
> Best paper at a conference I went to recently here in Miami Beach.
>
>
> http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
>
> Summary:
> You can send a remarkably small stream of data at a NIDS and cause it
> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
> of data. This is basically undetectable (i.e. does not crash snort).
> Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
> million to 1 expansion if you do it right (from what I read - I
> haven't tested this out yet - but it would make a great CANVAS module!)
>
> The presentation is clearer than the paper. I hope they put it online.
>
> Similar bugs exist in major commercial Python exploitation frameworks
> (i.e. you can tartrap CANVAS if you do it right). The more high level
> the language, the easier it is to get caught by something like this.
>
> -dave
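
Added example, not part of either message and not Snort's code: a toy Python matcher showing how a short payload can inflate rule-evaluation work, and how remembering failed states or enforcing a per-payload step budget bounds it. The chained-token rule model, the `match` helper, `RULE` and `PAYLOAD` are assumptions made for illustration; the post does not describe the mechanism inside Snort.

```python
"""Toy rule matcher: chained tokens, each searched after the previous match."""

class BudgetExceeded(Exception):
    """Raised when one payload costs more predicate evaluations than allowed."""

def match(payload, tokens, memoize=False, budget=None):
    """Return (matched, steps); steps counts predicate evaluations."""
    steps = 0
    failed = set()  # (token index, first candidate offset) known to fail

    def walk(i, start):
        nonlocal steps
        if i == len(tokens):
            return True                      # every token matched in order
        first = pos = payload.find(tokens[i], start)
        if memoize and (i, first) in failed:
            return False                     # same suffix already explored
        while pos != -1:
            steps += 1
            if budget is not None and steps > budget:
                raise BudgetExceeded(f"{steps} steps for {len(payload)} bytes")
            if walk(i + 1, pos + len(tokens[i])):
                return True
            pos = payload.find(tokens[i], pos + 1)   # backtrack: next candidate
        if memoize:
            failed.add((i, first))
        return False

    return walk(0, 0), steps

# Constructed sample: a hypothetical four-token rule and a 60-byte payload
# that satisfies every token except the last one.
RULE = [b"A", b"B", b"C", b"D"]
PAYLOAD = b"A" * 20 + b"B" * 20 + b"C" * 20

if __name__ == "__main__":
    print("naive    :", match(PAYLOAD, RULE))
    print("memoized :", match(PAYLOAD, RULE, memoize=True))
    try:
        match(PAYLOAD, RULE, budget=50 * len(PAYLOAD))
    except BudgetExceeded as exc:
        print("flagged  :", exc)
```

The step count per payload byte is the signal worth exporting from a sensor: the matcher never crashes, so work done is the only place the slowdown shows up.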