Programmers have a difficult job. Faced with tight deadlines and the need to get products to market quickly, security might be the last thing on their minds. The first series of tests are probably performed by the programmers and quality engineers to get an idea of how applications will function. Beta testing comes next and might be performed internally and externally by prospective users, but after that it’s off to market. There might still be some bugs, but these things can be caught by the consumers and patched in subsequent versions or updates.


That scenario would sound unbelievable if this were about the airline business or implantable medical devices, but it is common practice in the world of software. Most of us have grown accustomed to hearing that a new buffer overflow has been announced by Microsoft or another software vendor. A review of the National Vulnerability Database shows that in the first six months of 2005, 331 buffer overflows were reported. This is not a small problem.

What Is a Buffer Overflow?

What are buffer overflows? Well, they are really too much of a good thing. Usually we don’t complain when we get more of something than we ask for, but buffer overflows give us just that. If you have ever tried to pour a liter of your favorite soda into a 12-ounce cup, you know what an overflow is. Buffers work in much the same way. Buffers have a finite amount of space allocated for any one task. As an example, if you have allocated a 24-character buffer and then attempt to stuff 32 characters into it, you’re going to have a real problem.
A buffer is a temporary data storage area whose length is defined in the program that creates it or by the operating system. Ideally, programs should be written to check that you cannot stuff 32 characters into a 24-character buffer. However, this type of error checking does not always occur. Error checking is really nothing more than making sure that buffers receive the type and amount of information required. Consider, for example, an organization that had a great e-commerce website. The problem was that on the order entry page you could enter a negative value: instead of ordering 20 of an item, the page would accept -20. This type of functionality could add some quick cash to the unethical hacker’s pocket! Although this isn’t a specific example of a buffer overflow, it is a good example of the failure to perform error checking.

These types of problems can lead to all types of security breaches, because values will be accepted by applications no matter what the format. Most of the time, this might not even be a problem. After all, most end users are going to input the types of information they are prompted for. But do not forget the hacker; he is going to think outside the box. The hacker will say, “What if I put more numbers than the program asks for?” The result might be that too long a string of data overflows into the area of memory following what was reserved for the buffer. This might cause the program to crash, or the information might be interpreted as instructions and executed. If this happens, almost anything is possible, from opening a command shell to executing customized code.
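The two failures described above, the unchecked 24-character buffer and the order form that accepts a negative quantity, come down to the same missing step: checking the size and type of the input before using it. The following C program is an added example, not code from the original article; the buffer size, the sample strings and the quantity range of 1 to 1000 are constructed for illustration. It places the classic unchecked copy next to a bounded copy that refuses oversized input, and adds a quantity parser that rejects negative, zero, non-numeric and out-of-range values instead of trusting the form field.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 24   /* the 24-character buffer from the text (constructed size) */

/* Constructed sample inputs: one fits, one is the 32-character case from the text. */
#define SAMPLE_FITS     "23 characters, fits ok"
#define SAMPLE_TOO_LONG "this input is 32 characters long"

/* Before: the unchecked copy. strcpy() stops at the NUL of src, not at the end of
   dst, so 32 characters plus the terminator written into 24 bytes spill 9 bytes past
   the buffer into whatever memory follows. Defined for contrast only; never called. */
static void copy_unchecked(char dst[BUF_SIZE], const char *src) {
    strcpy(dst, src);
}

/* After: refuse anything that does not fit, including the terminating NUL.
   Returns 0 on success and -1 when the input is too long (nothing is written). */
static int copy_checked(char dst[BUF_SIZE], const char *src) {
    size_t len = strlen(src);
    if (len >= BUF_SIZE) {
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Convenience wrapper: copies src into a fresh local buffer and reports the result. */
static int try_copy(const char *src) {
    char buf[BUF_SIZE];
    return copy_checked(buf, src);
}

/* Order-quantity check for the e-commerce example. Accepts only a positive integer
   in a sane range (1..1000, a constructed limit); returns the quantity or -1. */
static long checked_quantity(const char *field) {
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (end == field || *end != '\0') {   /* not a number, or trailing junk */
        return -1;
    }
    if (errno == ERANGE) {                /* does not fit in a long */
        return -1;
    }
    if (v < 1 || v > 1000) {              /* negative, zero, or absurd */
        return -1;
    }
    return v;
}

int main(void) {
    (void)copy_unchecked;   /* reference only; calling it with SAMPLE_TOO_LONG is the bug */
    printf("copy %-34s -> %d\n", SAMPLE_FITS, try_copy(SAMPLE_FITS));
    printf("copy %-34s -> %d\n", SAMPLE_TOO_LONG, try_copy(SAMPLE_TOO_LONG));
    const char *fields[] = { "20", "-20", "0", "20abc", "" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        printf("quantity %-6s -> %ld\n", fields[i], checked_quantity(fields[i]));
    }
    return 0;
}
```

Note that the bounded copy checks `len >= BUF_SIZE`, not `len > BUF_SIZE`: the terminating NUL needs a byte too, so a 24-character string is already one byte too many for a 24-byte buffer. The quantity parser uses `strtol` with an end-pointer check rather than `atoi`, which would silently turn "20abc" into 20 and give no way to detect the junk.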
