Wehnus, Inc. strives for software excellence and is diligent in
solving issues related to its software. If you are experiencing
a problem that you think may be related to WehnTrust, please take
a few moments to help improve the product by filling out a
bug report.
1) General Questions
1.1) What is a buffer overflow?
A buffer overflow is a term used by programmers to describe the act of
writing data past the end of a buffer. A buffer is best thought of
as being similar to a bucket. Buffers, like buckets, come in a
variety of sizes and can contain various quantities of items.
However, just like a bucket, a buffer has a maximum storage capacity.
If this storage capacity is exceeded, the buffer is said to have
been overflowed. When such an overflow occurs, data seeps past
the boundary of the buffer and corrupts its surroundings. Under these
conditions it is often possible for an attacker to take control of
the data adjacent to the buffer and thus gain control of the
execution path that a program takes. In such a scenario, an
attacker exploits a buffer overflow by taking advantage
of the data seepage.
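The bucket and its surroundings, as an added C illustration that is not part of the original FAQ or of WehnTrust: a copy with no capacity check changes the field stored next to the buffer, while the checked copy rejects the same input. The struct, field and function names are made up for the example, and the unchecked write is kept inside the struct so the demonstration itself stays well-defined.

```c
/* Added illustration, not WehnTrust code. The struct and names are made up. */
#include <stddef.h>
#include <string.h>

struct session {
    char name[8];   /* the "bucket": 7 characters plus a terminating NUL */
    int  is_admin;  /* the surroundings: data stored right after the bucket */
};

/* No capacity check: copies len bytes starting at name, whatever len is. */
void set_name_unchecked(struct session *s, const char *src, size_t len)
{
    unsigned char *raw = (unsigned char *)s + offsetof(struct session, name);
    memcpy(raw, src, len);
}

/* Capacity check first: input that does not fit is rejected, not truncated. */
int set_name_checked(struct session *s, const char *src, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Feed len bytes of 'A' (constructed input) through either path and report
   what is_admin holds afterwards. len is capped at the struct size so the
   demonstration itself never writes outside `s`. */
int admin_after(size_t len, int checked)
{
    struct session s = { "", 0 };
    char input[sizeof(struct session)];

    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    if (checked)
        set_name_checked(&s, input, len);
    else
        set_name_unchecked(&s, input, len);
    return s.is_admin;
}
```

With 7 bytes of input both paths leave `is_admin` at 0; with input the size of the whole struct, only the checked path does.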
1.2) What is an exploit?
An exploit is a high-level term used to describe taking advantage of
an implementation or design flaw. In the context of computer programs,
an exploit generally takes advantage of buffer overflows, or other
implementation level vulnerabilities, to gain control of the path a
program takes when executing, thus allowing the attacker to run their
own code.
There are two general classes of exploits: remote and local. A remote exploit
is loosely defined as an exploit that can be used without having
physical, or equivalent, access to a computer. Some examples of remote vulnerabilities
that can be taken advantage of over the internet are the RPC DCOM and the LSASS
vulnerabilities that have been heavily exploited in recent years.
A local exploit is an exploit that takes advantage of a security flaw that
requires physical, or equivalent, access to a machine in order to be used.
An example of a recently discovered local vulnerability is the
Windows LPC heap overflow vulnerability.
1.3) What are Host-based Intrusion Prevention Systems (HIPS)?
Host-based Intrusion Prevention Systems is a term used to describe a class of software
that is designed to prevent attacks against a single computer. Such attacks
can include proactive exploitation, viruses, and other malicious mediums
that are intended to gain unauthorized access to a machine. HIPS
products run on the machine that they are protecting rather than as an entity between
the machines that are being protected, as would be the case with a firewall or IDS
device.
2) WehnTrust Questions
2.1) How is Wehnus pronounced?
Wehnus is pronounced "weh nus".
2.2) What is WehnTrust?
WehnTrust is a Host-based Intrusion Prevention System that is designed to
prevent the exploitation of common software vulnerabilities. By preventing
software vulnerabilities from being leveraged by an attacker, WehnTrust helps
users keep their computers secure.
2.3) How does WehnTrust work?
The technology that WehnTrust uses is referred to as Address Space Layout Randomization, which
is a term for the randomizing of the virtual address space layout of any given process. When
writing an exploit, it is often a requirement that the attacker know some memory address
that will not vary from one execution of the process to the next. If the address were to vary
between instances, it would be harder, and in some cases impossible, to write a reliable exploit. This
fact acts as a major deterrent for exploit writers and raises the bar on exploitation.
2.4) What is Address Space Layout Randomization (ASLR)?
Address Space Layout Randomization is the randomizing of a process' virtual address space. Depending
on the scope, it could refer to the randomizing of stacks, heaps, image files, and other arbitrary
memory regions.
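A way to observe this from inside a process, as an added C example that is not WehnTrust code or its user interface: the program samples one address from its stack, heap and image, and when given the three values printed by a previous run it reports which of them changed. All names in it are hypothetical.

```c
/* Added example (not WehnTrust code): record where this process's stack,
   heap and image landed, and compare against a previous run. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { MOVED_STACK = 1, MOVED_HEAP = 2, MOVED_IMAGE = 4 };
struct layout { uintptr_t stack, heap, image; };

static const char image_marker = 'W';   /* lives inside the loaded image */

/* Sample one address from each region type named in the FAQ. */
struct layout take_snapshot(void)
{
    struct layout l;
    int on_stack = 0;
    void *on_heap = malloc(16);

    l.stack = (uintptr_t)&on_stack;
    l.heap  = (uintptr_t)on_heap;
    l.image = (uintptr_t)&image_marker;
    free(on_heap);
    return l;
}

/* Bitmask of regions whose address differs between two runs. A clear bit
   means that address was the same in both executions. */
int moved_regions(struct layout a, struct layout b)
{
    return (a.stack != b.stack ? MOVED_STACK : 0)
         | (a.heap  != b.heap  ? MOVED_HEAP  : 0)
         | (a.image != b.image ? MOVED_IMAGE : 0);
}

int main(int argc, char **argv)
{
    struct layout now = take_snapshot();
    printf("%llx %llx %llx\n", (unsigned long long)now.stack,
           (unsigned long long)now.heap, (unsigned long long)now.image);
    if (argc == 4) {   /* the previous run's three values, passed back in */
        struct layout prev = { strtoull(argv[1], NULL, 16),
                               strtoull(argv[2], NULL, 16),
                               strtoull(argv[3], NULL, 16) };
        int m = moved_regions(prev, now);
        printf("moved: stack=%d heap=%d image=%d\n", !!(m & MOVED_STACK),
               !!(m & MOVED_HEAP), !!(m & MOVED_IMAGE));
    }
    return 0;
}
```

A region that reports the same address in two runs is one whose location can be assumed in advance; a region that differs shows variation between those two runs only and does not by itself measure how much randomness is applied.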
2.5) How does WehnTrust prevent exploits?
WehnTrust prevents exploits by randomizing the layout of a process' virtual address space. This
makes it so an attacker cannot assume that a certain value will be at a certain place in memory.
Since this assumption is no longer safe it becomes nearly impossible for an attacker to gain
access to the machine.
2.6) How do I know WehnTrust is working?
The security-related features of WehnTrust are always on and functioning. The protection should
be hardly noticeable given that it is designed to run efficiently. By opening the user interface,
it is possible to see whether or not WehnTrust is enabled and how many memory regions
have currently been randomized.

2.7) Will WehnTrust protect against trojans, malware, and viruses?
WehnTrust is designed to prevent buffer overflow, and other arbitrary code execution, vulnerabilities
from being leveraged by an attacker. It is not designed to protect computers against malicious
attachments and other malware that can find its way onto a computer,
such as through a web-browser or an E-mail client. To protect against trojans and malware, a standard
Anti-Virus scanner such as McAfee VirusScan or Norton should be used.
2.8) Will WehnTrust prevent local privilege escalation exploits?
The current version of WehnTrust is not designed to protect a machine against
local exploitation. The next major release of WehnTrust is being designed with
local exploitation prevention in mind.
2.9) Is WehnTrust the ultimate security solution?
In short, the answer is no. While WehnTrust does raise the bar and makes exploitation
of the majority of remote software vulnerabilities impossible, there are still conditions
that it does not protect against. These conditions are not inherent design flaws, but
rather indications of scenarios that deserve further research and handling in the future.
In the interest of honesty, Wehnus has provided a detailed explanation of the
scenarios that WehnTrust cannot currently protect against.
2.10) Do I still need to install patches when WehnTrust is installed?
Yes. Having WehnTrust installed makes it more challenging, and in most cases impossible,
to exploit software vulnerabilities. With that said, security patches should always be
applied. While WehnTrust does give users the ability to delay the installation of patches
in most cases, Wehnus encourages the installation of recommended patches, regardless of whether
or not WehnTrust is installed on the computer in question.