
Bell Labs ``Libsafe'' press release briefly mentions Debian



FYI... I'm not subscribed to debian-publicity



http://www.bell-labs.com/news/2000/april/20/1.html



Bell Labs' Free Linux Software Foils the Most Common Computer Security
Attack


MURRAY HILL, N.J. (April 20, 2000) -- Bell Labs announced today that
it is releasing free Linux software that foils the most common form of
computer security attack. Lucent's Libsafe software prevents
electronic intruders from overflowing an application program's buffer
memory to gain unauthorized access to a computer.

Buffer overflows have been the most common form of computer security
vulnerability exploited by intruders for the past 10 years, according
to a recent report published by the Oregon Graduate Institute of
Science & Technology (OGI) and funded in part by the Defense Advanced
Research Projects Agency (DARPA).

Linux distributors Red Hat, Inc., Linux-Mandrake, Turbolinux and
Debian GNU/Linux are working with Bell Labs to incorporate Lucent
Libsafe into their software releases. The Linux computer operating
system contains an "open" source code that anyone is free to
modify. Modeled on Bell Labs' UNIX* software, Linux has been gaining
popularity for server and desktop computers over the last few years.

Bell Labs is making Libsafe freely available under the GNU Library
General Public License. Users and developers who would like further
information and the Libsafe source code can visit
<http://www.bell-labs.com/org/11356/libsafe.html>.

A buffer is a region of computer memory that application programs use
to temporarily store information. Programs that write information to
buffers without properly checking the size of the buffers are
potentially vulnerable to security attacks. Such attacks cause an
inordinately large amount of data to be written, overwriting the
memory immediately following the buffer region. The overflow injects
additional code into an application program and then hijacks control
of that program to execute the injected code. Lucent's Libsafe
software intercepts and monitors the use of vulnerable standard
functions and prevents buffer overflow hijackings.

"Red Hat is pleased that Bell Labs is participating in the on-going
development of the Linux platform," said Paul McNamara, VP of Business
Development, Red Hat. "Innovations like Libsafe will continue to
expand Linux' leading position as the preferred platform for internet
infrastructure."

"In the current context where security has become a major concern,
this innovation further improves the security of the Linux-Mandrake
system and meets the expectations of today's users," said Jacques Le
Marois, president of MandrakeSoft.

"TurboLinux is focused on delivering secure, Linux solutions to our
customers in the enterprise," said Steve Quan, senior director of
product marketing, TurboLinux. "Lucent Libsafe is an important step
forward in securing Linux for the enterprise."

"Debian treats system security very seriously, and works hard to
discover and eliminate security exposures in the free and open-source
software we distribute; the Libsafe package adds additional protection
against undiscovered exploits in poorly-designed programs, and is
therefore beneficial to Debian GNU/Linux users," said David Coe, one
of the developers of Debian Linux.

Libsafe does not require access to the source code of the application
programs and protects all application programs running on a
system. Bell Labs' tests indicate that Libsafe's effect on a
computer's performance is negligible.

It is generally accepted that the best solution to buffer overflow
attacks is to fix the original defects in programs. However, this
requires knowing that a particular program is defective. Libsafe helps
protect programs that are not yet known to be vulnerable.

