Quick: What's the computer vulnerability of the decade?
It's not the Y2K bug, according to computer science and security analysts,
but a security weakness known as the buffer overflow. Unlike the Y2K bug,
which threatens to cripple computers unable to distinguish years written in
two-digit shorthand, this vulnerability opens computers to attacks by
malicious hackers, who can use the bug to commandeer the targeted computer.
In a buffer overflow, the attacker floods a field, typically an address
bar, with more characters than it can accommodate. The excess characters in
some cases can be run as "executable" code, effectively giving the attacker
control of the computer without being constrained by security measures.
"Buffer overflows have been the most common form of security vulnerability
for the past 10 years," according to a new paper published by
the Oregon Graduate Institute of Science
& Technology (OGI) and funded in part by the Defense Advanced Research
Projects Agency (DARPA). "Because these
kinds of attacks enable anyone to take total control of a host, they
represent one of the most serious classes of security threats."
Security analysts agree that the first step in
cutting down on buffer overflow bugs is for people to engage in more
careful computer programming.
Programmers can protect their products against buffer overflow attacks
simply by including instructions for handling overlong strings, according
to Alan Paller, director of research for the System Administration,
Networking and Security Institute (SANS).
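The careless pattern the article describes, and the simple length check Paller says would prevent it, shown side by side in C (the language the OGI paper singles out for its error-prone idioms). This is an added illustration, not code from the article, the OGI paper or StackGuard; the field size NAME_MAX, the function names and the sample inputs are all assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field: "space for a certain amount of characters". */
#define NAME_MAX 16

/* The careless pattern: a fixed field filled with strcpy, which copies
 * until the NUL terminator regardless of the destination's size.
 * Input longer than NAME_MAX-1 characters writes past the array
 * (undefined behaviour). Kept only for contrast; never pass it
 * untrusted input. */
void greet_unchecked(const char *input) {
    char name[NAME_MAX];
    strcpy(name, input);          /* no check that the input fits */
    printf("Hello, %s\n", name);
}

/* Hardened version: check whether the input fits before copying.
 * Returns 0 if the name was accepted, -1 if it was rejected as too
 * long. The caller decides what to do with a rejection. */
int accept_name(char *dst, size_t dstsz, const char *input) {
    size_t len = strlen(input);
    if (dstsz == 0 || len >= dstsz) {   /* room is needed for the NUL too */
        return -1;
    }
    memcpy(dst, input, len + 1);        /* copy exactly len bytes plus NUL */
    return 0;
}

/* Same greeting as above, but overlong input is refused instead of
 * spilling past the end of the field. */
int greet_checked(const char *input) {
    char name[NAME_MAX];
    if (accept_name(name, sizeof name, input) != 0) {
        fprintf(stderr, "input rejected: longer than %d characters\n",
                NAME_MAX - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

int main(void) {
    /* Constructed inputs: one that fits the field and one that does not. */
    const char *short_input = "Alice";
    char long_input[64];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    greet_checked(short_input);   /* accepted */
    greet_checked(long_input);    /* rejected; nothing is overwritten */
    return 0;
}
```

The only difference between the two greeters is the comparison of the input length against the destination size before the copy; that one check is what the article means by "including instructions for handling overlong strings". Rejecting is not the only valid policy (truncating with an explicit length is another), but silently copying without a bound is never one.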
"It all comes back to one programmer being careless," Paller said. "You
wrote a program, asked someone for input, gave them space for a certain
amount of characters, and didn't check to see if the program could take
more. You are incompetent, and you are the problem. One guy making that
mistake is creating all the work for the rest of us."
The OGI paper identified careful coding as the first line of defense
against buffer overflows, but it said that was easier said than done
considering today's programming languages and sloppy programming culture.
"Writing correct code is a laudable but remarkably expensive proposition,
especially when writing in a language such as C that has error-prone
idioms," the authors wrote. They also cited "a culture that favors
performance over correctness."
To combat careless coding, programmers have developed debugging tools that
search out buffer overflow vulnerabilities, according to the paper. Other
defenses the paper cites prevent code from being executed in the address
space or establish boundaries that prevent excess characters from moving to
locations where they can be executed.
The paper's conclusions recommend implementing a combination of defenses
against the vulnerability.
Software vendors are ultimately responsible for the buffer overflow
problem, and customers should hold them accountable, Paller said.
"Liability goes back to [Microsoft chief executive] Bill Gates and
[Sun Microsystems chief executive] Scott McNealy," Paller said.
"Until people stop being so generous with the suppliers, this problem isn't
going away."
Sun concurred that the buffer overflow problem is both common and
preventable but defended its efforts to prevent coding errors and to
respond to bugs once they come to light.
"It's quite correct that the problem stems from programming methodologies,
and in our case we have been implementing a fairly comprehensive program to
go through our software and check it out for vulnerabilities like buffer
overflows," said Tom Goguen, group manager for Sun's Solaris Web server for
commercial sites. "We're also developing tools to do some automated
checking of the software and tools to prevent any further problems like
this."
Goguen downplayed the hazard posed by most buffer overflows encountered by
Sun. He said they tended to open servers up to denial-of-service attacks,
which cause computers to crash and shut off service to users, rather than
open them up to invasion and control by the attacker.
Microsoft, which last week patched a buffer overflow issue in
its Windows operating system, was not immediately available for comment.
Part of the problem is that programmers have let down their guard against a
long-recognized hazard, according to one academic.
"We're not learning the lessons of the past," said Matt Bishop, associate
professor of computer science at the University of California at Davis and
author of an upcoming book on computer security. "We knew how to handle
buffer overflows in the 1960s and '70s. But the solutions that were
required typically either used hardware or were implemented within the
program itself. Some felt it made the program go too slow, so a lot of
programs went out there without buffer checks, and now we're paying the price."
The OGI paper will be read at DARPA's Information Survivability
Expo at Hilton Head Island, S.C., and at the SANS 2000 event
in Orlando, Fla.
The lead author for the OGI study, Crispin Cowan, in September
became chief technology officer of WireX, a server software firm that will
sell StackGuard, one of the buffer overrun solutions described in the
paper. Cowan remains a part-time professor at OGI.