Re: Stack growth direction to thwart buffer overflow attacks

• Previous message: Anton Ertl: "Re: Stack growth direction to thwart buffer overflow attacks"
• In reply to: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Next in thread: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Reply: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 15 Aug 2003 07:55:56 GMT

In article <klR_a.101$mD.0@news.level3.com>, Barry Margolin <barry.margolin@level3.com> writes:
|> In article <bhgmd8$psp$1@pegasus.csx.cam.ac.uk>,
|> Nick Maclaren <nmm1@cus.cam.ac.uk> wrote:
|> >You cannot produce corruption from outside unless there is a failure
|> >of the input checking, whether the program uses strncpy, strcpy or
|> >a for-loop. In none of those is the checking fully automatic, and
|> >therefore there is scope for human error.
|>
|> Nothing is perfect, but some things are better than others.

Sometimes. Quite often, some things APPEAR to be better than others
but the appearance is misleading.

|> Using routines that automatically check for overflow reduces the likelihood
|> of bugs, because it's much easier to provide the correct buffer length than
|> it is to write your own overflow checking.

The first part of your statement is true, and the second is misleading
to the point of being false in context. There are two points.

Firstly, in the case of functions like strcpy, it is NOT much easier
to provide the correct length than to do your own checking. In the
case of functions like sprintf, it assuredly is. This is why I have
often written snprintf even before I started using C (sic) but usually
put the strcpy checks in by hand. Merely a matter of taste.

In practice, almost all problems caused by bugs in reasonable quality
code appear in the 'nasty' cases - routine checking eliminates the
'easy' ones. The errors I saw in the programs that used strncpy
religiously included ones where it was copying into a non-local,
variable-sized location. C pointers do not have an associated size
of object they point to.

|> Consider a function like gets(). Unless you have direct control over the
|> contents of standard input, it's virtually impossible to prevent buffer
|> overflow. By contrast fgets() gives you the opportunity to provide the
|> buffer length; the only way to mess up is to give the wrong length.

The difference between strcpy and gets is that it is trivial to check
for the length used by strcpy in advance and impossible to do so for
gets. The cases are not comparable.

|> Most buffer overflows can essentially be traced to lazy programming.
|> There's two solutions to lazy programming: get rid of all the lazy
|> programmers, or make it easier for them to program safely (so they can
|> remain lazy and achieve better results). In an ideal world the first
|> solution would be used, but we don't live in that world. We have to make
|> do with the programmers available, so the second solution should help.

Yes, it should. But will it?

One of the common causes of problems is that a 'solution' eliminates
enough of the easy cases so that lazy programmers stop even trying
to do tackle the problem themselves. In turn, this means that the
number of nasty cases increases. As it is common for 90% of the
bugs to be easy, but 90% of the problems to be caused by hard bugs,
this often REDUCES the overall reliability.

Of course, it makes it easier to pass initial validation, and then
all further bugs are the users' problems, so this is clearly a Good
Thing - if you think like a certain large software house ....

Regards,
Nick Maclaren.

• Previous message: Anton Ertl: "Re: Stack growth direction to thwart buffer overflow attacks"
• In reply to: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Next in thread: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Reply: Barry Margolin: "Re: Stack growth direction to thwart buffer overflow attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Stack growth direction to thwart buffer overflow attacks ... Firstly, in the case of functions like strcpy, it is NOT much easier ... almost all problems caused by bugs in reasonable quality ... |> Most buffer overflows can essentially be traced to lazy programming. ... |> do with the programmers available, so the second solution should help. ... (comp.security.misc) RE: Update: Web browsers - a mini-farce (MSIE gives in) ... point is that an HTML renderer should not be designed for inputs from ... In general, programmers can protect against ... classes of bugs without prior understanding of those bugs. ... You don't have to understand how to exploit a buffer overflow in order to ... (Bugtraq) Re: How does this make you feel? ... > [listing system programmers, app programmers, end users] ... bug and feature since they are sometimes synonymous. ... > Bugs that are visible all the way up to the end user: ... > 1% because the big limiter is memory latency. ... (comp.arch) Re: C / C++ skills ... but the pitfalls of so called safe languages are not that different. ... The only way to be sure of the absence of bugs is to design software to ... the odd operator precedence of C, tripping up new programmers. ... But yeah, a well-worded coding standard, and a culture that cares about it ... (comp.arch.embedded) Re: How many bytes per Italian character? ... I spent a lot of years teaching new programmers, especially new hires in a commercial ... We were finding bugs, design flaws, buffer overruns, etc. on each review. ... part of Windows CE _is_ open source. ... The myth of open source is that you can fix all the bugs yourself. ... (microsoft.public.vc.mfc)