From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 5 May 2005 15:13:49 +0200
Subject: [TOOL] PIE - Patch Integration Engine
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050505123432.DBA8657A7@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
PIE - Patch Integration Engine
------------------------------------------------------------------------
SUMMARY
DETAILS
The Patch Integration Engine (PIE) is a system for the insertion of
patches into a runtime process, allowing for the immediate correction of
security vulnerabilities.
In the event that a new vulnerability is discovered in a server program
running on your network it is most desirable to patch as soon as possible.
The patching process has traditionally involved downloading an updated
version of the program in order to replace the the vulnerable binary with
a new and secure one. The problem with this lies in the downtime sustained
when restarting this hypothetical server program. In some circumstances
this server may be mission critical where any unscheduled downtime would
cause substantial disruption or even monetary loss.
However, whenever such a bug is publicized a race is essentially started.
This is a race between the hordes of malicious script kiddies crawling
vulnerability disclosure hot spots and the system administrators in charge
of keeping their network secure. Any delay in patching a vulnerability
could well be the difference between business as usual or an embarrassing
system compromise. This is the circumstance where PIE may be useful for
you.
What is PIE?
PIE itself is more of a platform than an individual program. It prevents
the exploitation of security holes by changing the way a program runs as
the program itself is running. Security vulnerabilities occur in
functions; PIE secures these functions by inserting pieces of code most
accurately described as prepatches. The general idea of a prepatch is to
run just before a vulnerable function is called and to verify that the
data being passed to the function is not malicious. Consider this flow
diagram showing a normal and a malicious function call:
PROGRAM --> vulnerable function --> PROGRAM
ATTACK --> PROGRAM --> vulnerable function --> ARBITRARY PROGRAM
After prepatching this scenario we get:
PROGRAM --> prepatch --> vulnerable function --> PROGRAM
ATTACK --> PROGRAM --> prepatch
At this stage, the prepatch recognizes the attack and prevents the
function from being exploited. As mentioned above PIE is not a singular
program, but in fact consists of three separate parts described here in
brief:
* libpie - An API containing the functions needed to make a prepatch. See
<http://pie.sourceforge.net/libpie.html>; Libpie Reference.
* pfp - A tool for creating function fingerprints. See
<http://pie.sourceforge.net/pfp.html>; Pfp Reference.
* pie - The component that handles the actual insertion of prepatches.
See <http://pie.sourceforge.net/pie.html>; Pie Reference.
For technical details of how PIE works see the document
<http://pie.sourceforge.net/internals.html>; PIE Internals.
Download Information:
The tool's source code can be obtained at:
<http://pie.sourceforge.net/download.html>;
http://pie.sourceforge.net/download.html
Several prepatches for existing vulnerabilities can be found at:
<http://pie.sourceforge.net/prepatch.html>;
http://pie.sourceforge.net/prepatch.html
ADDITIONAL INFORMATION
To keep updated with the tool visit the project's homepage at:
<http://pie.sourceforge.net/index.html>;
http://pie.sourceforge.net/index.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
