NULL pointer exploit excites researchers
- 18 April, 2008 08:13
In 1996 it was Aleph One's astounding paper "Smashing the Stack for Fun and Profit" that introduced a generation of information security researchers, and eventually the world at large, to the inherent exploitability of buffer overflows. It also introduced the techniques that became the standard way of proving that a vulnerability was exploitable (and the basis of any number of exploits themselves).
In 2008 it is Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" that looks set to have a similar effect on the field of information security. The small but growing group of experts who have had the chance to read and digest the paper are already expressing excitement or concern, depending on how they interpret its contents.
If your local expert doesn't seem jumpy or on edge, then it is more than likely that they have not had the chance to read or comprehend the scope of what has been presented in the paper.
While the Flash vulnerability described in the paper has been patched by Adobe, it is the presentation of a reliable exploit for NULL pointer dereferencing (http://www.owasp.org/index.php/Null-pointer_dereference) that has the researchers who have read the paper excited.
In simple terms, a NULL pointer dereference occurs when a software application tries to access memory through a pointer that holds the value NULL (a special value that tells software there is nothing there; there is a real and critical difference between '', ' ', '0', NULL, and the other ways of representing nothing). In most cases the application should stop running and crash whenever the program accesses memory through a NULL pointer, but it has been found that some applications can be forced to access and execute arbitrary memory locations when a NULL pointer is accessed. The only obstacle has been that this was considered extremely difficult to achieve and hard to turn into a generic approach. That has now changed: Dowd has effectively provided a framework that could be used to probe for exploitable NULL pointer dereferences across multiple platforms, essentially a generic attack / vulnerability finder for this class of vulnerability.
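An added C example, not from the paper or this article, showing the pattern in concrete form: a table whose allocation failed leaves a NULL base pointer, and unchecked indexed access through it computes an address far from zero rather than reliably faulting. The names (slot_table, checked_slot_write) are constructed for illustration; the hardened function shows the checks that close the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: a table whose backing allocation can fail. Code that
 * never checks the pointer for NULL, and never bounds the index, does not
 * simply crash on the first access: with a large index, slots[index] lands
 * far from address 0, at an address the index effectively chooses. */
typedef struct {
    uint32_t *slots;  /* NULL when the allocation failed */
    size_t    count;  /* number of valid slots */
} slot_table;

/* Address the unchecked expression t->slots[index] would touch. Computed on
 * uintptr_t so it can be inspected without dereferencing anything. */
uintptr_t unchecked_slot_address(const slot_table *t, size_t index) {
    return (uintptr_t)t->slots + index * sizeof(uint32_t);
}

enum { SLOT_OK = 0, SLOT_ERR_NULL = -1, SLOT_ERR_RANGE = -2 };

/* Hardened write: reject a NULL base and an out-of-range index before any
 * memory is touched, so an allocation failure cannot become a wild write. */
int checked_slot_write(slot_table *t, size_t index, uint32_t value) {
    if (t == NULL || t->slots == NULL) return SLOT_ERR_NULL;
    if (index >= t->count) return SLOT_ERR_RANGE;
    t->slots[index] = value;
    return SLOT_OK;
}

/* Allocation wrapper that reports failure instead of leaving a NULL base
 * for later code to index. count may be attacker-influenced or simply too
 * large for the memory available, so the failure path must be real. */
int slot_table_init(slot_table *t, size_t count) {
    t->count = 0;
    t->slots = calloc(count, sizeof(uint32_t));
    if (t->slots == NULL) return SLOT_ERR_NULL;
    t->count = count;
    return SLOT_OK;
}

void slot_table_free(slot_table *t) {
    free(t->slots);
    t->slots = NULL;
    t->count = 0;
}
```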
By opening up this class of vulnerability to much easier investigation and attack (attacking memory flaws is still a difficult job), the paper is likely to trigger a rush to develop tools that automate the search for this type of flaw, and then either correct or exploit it depending on the aims of the tool's developer. It was known before Aleph One's paper that buffer overflows were best avoided, but it wasn't until after the paper that people really understood the risks associated with them. This paper is likely to do the same for NULL pointer dereferencing.
If NULL pointers are so dangerous, why do developers continue to use them? There is really nothing better for declaring that there is nothing there and it is a useful initial setting for software variables as it ensures memory is available for when there are real values to be entered into memory by the application.
Aside from the sheer technical brilliance of the whitepaper, what has many amazed is how Mark uses a series of innovative steps to force Flash to overwrite its own runtime code in memory, so that he then controls how code can access and manipulate the local system, running as both interpreted code and system-level instructions inside the same small attack package.
With careful design, what Mark has presented is not far off being cross-platform, and if it had been used to attack systems rather than to demonstrate a vulnerability that had already been patched, it could have been one of the most dangerous pieces of code since the Morris Worm. By publicly sharing what he has discovered, Mark is encouraging greater awareness of this vulnerability class and research into its risks.
Mark politely declined to be interviewed for this article, citing terms of his employment, but was pleased to see that information about his discovery was being spread to the widest audience possible.