[LINK] Study says "buffer overflow" is most common security bug

Grant Bayley gbayley@ausmac.net
Wed, 24 Nov 1999 13:12:47 +1100 (EST)


On Tue, 23 Nov 1999, Bernard Robertson-Dunn wrote:

> They also cited "a culture that favors performance over correctness."

The only culture that fosters this kind of thing is the one that says a
company should release a product to market before it's finished to gain
some market share over a competitor.  Examples of this include:

* Internet Explorer 5 from Microsoft
  - It's had about 10 security related issues since release, the most
    serious of which relate to the execution of code from untrusted
    sources.

* Outlook (and descendants) from Microsoft
  - Melissa virus.  BubbleBoy virus. Nuff said?  Integrated software is a
    nice, noble goal for a company like Microsoft and the unwashed masses,
    but when the software is allowed to access information from other
    pieces of software and act upon it (grab address book, resend virus
    to all), there's trouble a'brewing.

* ICQ 99a from Mirabilis
  - In the first version, you could access any file on a user's hard
    drive whose location you were aware of, or telnet to port 80 on any
    user's computer and type "quit".

Sure, in each case the problems have a fix released for them, but what
percentage of users apply the fixes?  Not many.

> Or to put it another way, the Internet was created by hackers, not
> engineered for quality.
> 

It was, but the observation only holds true if it can be said open source
developers release software before it's ready, or if they're trying to
head off a competitor.  In general, this isn't the case because there's
often two clearly marked versions available for download - the "stable"
version and the "development" version.  No prizes for guessing which one
you as a businessperson should use.  With open source, the competitiveness
is still there - it's just that the competitors usually end up 
contributing to the one piece of software instead of creating something
half-baked on their own.

> 
> Quick: What's the computer vulnerability of the decade?
> 

The computer vulnerability of the century is the users of them.

A stray, cleverly worded error message and they'll do anything...

> 
> "Buffer overflows have been the most common form of security vulnerability
> for the past 10 years," according to a new paper published by the Oregon
> Graduate Institute of Science & Technology (OGI) and funded in part by the
> Defense Advanced Research Projects Agency (DARPA). "Because these kinds of
> attacks enable anyone to take total control of a host, they represent one
> of the most serious classes of security threats."
> 

Correct, but the only time this is true is when the software (or some
piece of software it's able to spawn) is running with root/administrator
privileges.

In the case of a networked system considered to be "secure", network
services (for example) will usually be run with the userid/groupid of an
unprivileged user and all other software able to give elevated privileges
on the system will have been either removed or otherwise made unavailable
(daemon in a chrooted environment).  The end result of this is that even
if there is a buffer overflow, it doesn't and can't grant any additional
privileges to the attacker.

> Security analysts agree that the first step in cutting down on buffer
> overflow bugs is for people to engage in more careful computer programming.
> 

Very much agreed.  Why not start by checking the OS against obvious
overflows and race conditions (another type of common security problem)?

> Programmers can protect their products against buffer overflow attacks
> simply by including instructions for handling overlong strings, according
> to Alan Paller, director of research for the System Administration,
> Networking and Security Institute (SANS).
> 
> "It all comes back to one programmer being careless," Paller said. "You
> wrote a program, asked someone for input, gave them space for a certain
> amount of characters, and didn't check to see if the program could take
> more. You are incompetent, and you are the problem. One guy making that
> mistake is creating all the work for the rest of us."

Very true.

> 
> The OGI paper identified careful coding as the first line of defense
> against buffer overflows, but it said that was easier said than done
> considering today's programming languages and sloppy programming culture.
> 
> "Writing correct code is a laudable but remarkably expensive proposition,
> especially when writing in a language such as C that has error-prone
> idioms," the authors wrote. They also cited "a culture that favors
> performance over correctness."
> 

See above.

> To combat careless coding, programmers have developed debugging tools that
> search out buffer overflow vulnerabilities, according to the paper. Other
> defenses the paper cites prevent code from being executed in the address
> space or establish boundaries that prevent excess characters from moving to
> locations where they can be executed.
> 

Although it doesn't solve the problem, compiling certain things on OpenBSD
will give you warnings like "insecure use of strcpy()" or "insecure use of
mktemp()".

> The paper's conclusions recommend implementing a combination of defenses
> against the vulnerability.
> 
> Software vendors are ultimately responsible for the buffer overflow
> problem, and customers should hold them accountable, Paller said.
> 

Customers won't.  They're lazy.

> "It's quite correct that the problem stems from programming methodologies,
> and in our case we have been implementing a fairly comprehensive program to
> go through our software and check it out for vulnerabilities like buffer
> overflows," said Tom Goguen, group manager for Sun's Solaris Web server for
> commercial sites. "We're also developing tools to do some automated
> checking of the software and tools to prevent any further problems like
> this."
> 

Have a look here:

http://www.l0pht.com/slint.html

> Goguen downplayed the hazard posed by most buffer overflows encountered by
> Sun. He said they tended to open servers up to denial-of-service attacks,
> which cause computers to crash and shut off service to users, rather than
> open them up to invasion and control by the attacker.
> 

Mostly for the reason mentioned above.  The software runs in an almost
entirely unprivileged manner, and if someone attempts to exploit a buffer
overflow, the program will either just crash or core dump.

On a final note, humans are vulnerable to buffer overflows as well.  It's
called social engineering...

Grant

_______________________________________________________
Grant Bayley                         gbayley@ausmac.net
- IT Manager, Batey Kazoo (www.kazoo.com.au)
- Administrator, The AusMac Archive (www.ausmac.net)
- Webmaster/Organiser, 2600 Australia (www.2600.org.au)
_______________________________________________________
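Added example (not part of Grant's post, the article he quotes, or the OGI paper): the "gave them space for a certain amount of characters, and didn't check" mistake Paller describes, written out in C beside the version that includes the missing instructions for handling overlong strings. Buffer size, function names and the sample inputs are all constructed for illustration. The unchecked function uses strcpy(), the same call the OpenBSD link-time warning mentioned above complains about.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* constructed: fixed space "for a certain amount of characters" */

/* The careless pattern the article describes: strcpy() copies until it finds
 * the terminating NUL, so input longer than NAME_MAX-1 bytes writes past the
 * end of dst. Only ever call this with input known to fit. */
void copy_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no length check: overlong input corrupts memory */
}

/* The same copy with the missing "instructions for handling overlong
 * strings": look at no more than NAME_MAX bytes of src, refuse anything that
 * leaves no room for the NUL, and always leave dst terminated.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_checked(char dst[NAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < NAME_MAX && src[n] != '\0')
        n++;
    if (n == NAME_MAX) {        /* no terminator within the space we have */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n bytes plus the terminator */
    return 0;
}

/* Run copy_checked() on one input and report what happened:
 *  1 = accepted and copied intact, 0 = rejected as overlong, -1 = unexpected. */
int checked_outcome(const char *src)
{
    char buf[NAME_MAX];
    memset(buf, 'X', sizeof buf);   /* would expose a missing terminator */
    if (copy_checked(buf, src) != 0)
        return buf[0] == '\0' ? 0 : -1;
    return strcmp(buf, src) == 0 ? 1 : -1;
}

int main(void)
{
    /* constructed sample inputs */
    const char *short_name = "alice";
    const char *long_name  = "this-name-is-far-too-long-for-the-buffer";
    char buf[NAME_MAX];

    copy_unchecked(buf, short_name);   /* fits, so this call is harmless */
    printf("unchecked copy of short input: %s\n", buf);

    printf("checked copy of short input: outcome %d\n", checked_outcome(short_name));
    printf("checked copy of overlong input: outcome %d\n", checked_outcome(long_name));
    /* copy_unchecked(buf, long_name) would overrun buf; deliberately not called */
    return 0;
}
```

The check is deliberately written as a bounded loop rather than strlen(), because strlen() itself walks until it finds a NUL and so tells you nothing about whether the input fits until it is too late; the point is that the bound comes from the destination, not from the input. Rejecting the input (and leaving an empty, terminated buffer) is the behaviour a network daemon running as an unprivileged user can afford, since, as the post notes, the worst case is then a refused request rather than a controlled host.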