Talk:Buffer overflow: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Pat Palmer
imported>Subpagination Bot
m (Add {{subpages}} and remove checklist (details))
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{checklist
{{subpages}}
|                abc = Buffer overflow
|                cat1 = Computers
|                cat2 =
|                cat3 =
|          cat_check = y
|              status = 2
|        underlinked = y
|            cleanup = y
|                  by = --[[User:Eric M Gearhart|Eric M Gearhart]] 09:54, 12 April 2007 (CDT)
}}


==Editors please comment on what more this article needs for approval==
==Editors please comment on what more this article needs for approval==
Line 23: Line 13:


::In some architectures--SPARC is one, I think--data memory and program memory are segregated, so the stack is always different from code.  It's mainly in the x86 architecture that it's been easy in the past to write a virus by overwriting the part of the stack that contained the '''return address'''; the newly inserted return address actually may point to bad code (which gets loaded into the stack as data but then used later as code).  Or something like that.  In a SPARC architecture, return addresses for procedure calls do not live in the stack at all (but rather, in special registers) so things like buffer overruns in the stack were somewhat less likely to launch a virus.[[User:Pat Palmer|Pat Palmer]] 18:36, 19 April 2007 (CDT)
::In some architectures--SPARC is one, I think--data memory and program memory are segregated, so the stack is always different from code.  It's mainly in the x86 architecture that it's been easy in the past to write a virus by overwriting the part of the stack that contained the '''return address'''; the newly inserted return address actually may point to bad code (which gets loaded into the stack as data but then used later as code).  Or something like that.  In a SPARC architecture, return addresses for procedure calls do not live in the stack at all (but rather, in special registers) so things like buffer overruns in the stack were somewhat less likely to launch a virus.[[User:Pat Palmer|Pat Palmer]] 18:36, 19 April 2007 (CDT)
::More specifically, in SPARC, virtual memory segments are marked as read-only if they are code.  These only get loaded by the linking loader.  The stack is only loaded into virtual memory segments that are writable.  Code and data are just not co-mingled.  I'm not sure how it all plays out in x86 except that I seem to recall the return addresses live right in the stack as data, which makes them vulnerable to tampering.[[User:Pat Palmer|Pat Palmer]] 18:39, 19 April 2007 (CDT)


== More for software ==
== More for software ==
Line 47: Line 39:


:Yes the main reason I originally added those sections was just to "drum up ideas" for that section... technical accuracy trumps structure any day. [[User:Eric M Gearhart|Eric M Gearhart]]
:Yes the main reason I originally added those sections was just to "drum up ideas" for that section... technical accuracy trumps structure any day. [[User:Eric M Gearhart|Eric M Gearhart]]
==smashing the stack==
I think buffer overruns can occur in the heap as well if you're using a language like C.  In fact, I'm sure of it.  And when you overrun the memory illegally enough to reach the border of a virtual memory segment, you get a memory segment error.  So "smashing the stack" I think refers to the x86 style attack of overwriting the return address of a procedure.  That is a special case of a buffer overrun.  A buffer overrun is not always malicious; typically, it's just a programmer's silly error (hey, every C programmer does it at least once; it's like a teenager's mandatory first fender-bender).  An aside--one reason Java became so successful is that the Java runtime automatically tries to prevent buffer overruns by inserting runtime checks, and on the whole, it does a pretty good job of doing that.[[User:Pat Palmer|Pat Palmer]] 18:48, 19 April 2007 (CDT)
::The point being, that some architectures are much more vulnerable than others to buffer overruns.  x86 is generally worse than SPARC.  Also, some languages (C, assembler, and native machine language) cannot be made safe.  This is so much web programming has moved to "safer" languages like Java (because you don't want your web server crashing in the middle of the night); using a strongly typed, type-safe language overcomes some of the vulnerabilities of the underlying hardware and OS.  Not sure how to fold this into the article...I don't think I really know enough to write it.[[User:Pat Palmer|Pat Palmer]] 18:51, 19 April 2007 (CDT)
:::I agree that SPARC's register windowing is less susceptible to stack smashing attacks, simply because the stack is built of registers without consecutive memory addresses.  However, this feature of SPARC is quite unique.  RS/6000, Alpha, PowerPC, etc all behave just like x86 in this respect.  A bigger issue is whether your memory controller will allow you to mark some pages as read-only, which is a place where x86 is sorely lacking.  Buffer overflows are still entirely possible, even on SPARC. 
:::I agree that the article ''over''-emphasizes stack smashing attacks and ''under''-emphasizes other types of buffer overflows.
:::It's just plain wrong to say that languages like C or assembler cannot be made safe--it's just a lot harder.  To turn your example around, you don't want your web server crashing in the middle of the night--most likely, your web server (apache or IIS) is written in C or C++.  I don't know about now, but they used to recommend that one run Apache Tomcat (written in Java) behind an Apache Proxy (written in C) for security.  We ''do'' talk about the use of safer languages under the heading "As Language Semantics or Library Functionality".--[[User:Nick Johnson|Nick Johnson]] 08:41, 20 April 2007 (CDT)
::::Sorry to seem confused here. To clarify, I intended to talk of applications that ''run'' on the web server, not the web server itself.  Back in the days when C or C++ was used to write dynamic web server applications (not the server itself), one person's application was quite capable of behaving so badly (often by accident) that the whole server crashed.  Making C safe requires that the programmer remember to do everything right; it might not work despite the best intentions.  As a result, web servers mostly now require you to write in a language that is more type safe, and they try to sandbox each programmer's application so it doesn't eat up the whole server and crash it.[[User:Pat Palmer|Pat Palmer]]

Latest revision as of 16:15, 25 September 2007

This article is developed but not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
To learn how to update the categories for this article, see here. To update categories, edit the metadata template.
 Definition In computers and computer security, occurs when more data is written to a memory buffer than can fit into the memory buffer. [d] [e]
Checklist and Archives
 Workgroup category Computers [Categories OK]
 Subgroup category:  Security
 Talk Archive none  English language variant British English

Editors please comment on what more this article needs for approval

The CZ community did a great job taking this article from the "embryo" I created and ironing out an encyclopedia-quality article. I'd like to ask our editors for input on what more development this article needs before it is ready for approval Eric M Gearhart

We still need someone to write about OpenBSD's W^X-bit strategy. --Nick Johnson 13:47, 19 April 2007 (CDT)
Well the whole thing with Approval status is that an article has to have an encyclopedic tone and has to cover enough relevant topics. It doesn't have to be "perfect," it has to be "worked up" enough though. The W^X-bit is one of those things that I'd think can be added to a later draft once someone that is knowledgeable happens on it, after this version got approved. Eric M Gearhart

Technical explanation not technical

For instance, nothing "marks" stack contents as either program location or data.--Nick Johnson 14:40, 11 April 2007 (CDT)

Why not correct the article then? --Eric M Gearhart 14:51, 11 April 2007 (CDT)
In some architectures--SPARC is one, I think--data memory and program memory are segregated, so the stack is always different from code. It's mainly in the x86 architecture that it's been easy in the past to write a virus by overwriting the part of the stack that contained the return address; the newly inserted return address actually may point to bad code (which gets loaded into the stack as data but then used later as code). Or something like that. In a SPARC architecture, return addresses for procedure calls do not live in the stack at all (but rather, in special registers) so things like buffer overruns in the stack were somewhat less likely to launch a virus.Pat Palmer 18:36, 19 April 2007 (CDT)
More specifically, in SPARC, virtual memory segments are marked as read-only if they are code. These only get loaded by the linking loader. The stack is only loaded into virtual memory segments that are writable. Code and data are just not co-mingled. I'm not sure how it all plays out in x86 except that I seem to recall the return addresses live right in the stack as data, which makes them vulnerable to tampering.Pat Palmer 18:39, 19 April 2007 (CDT)

More for software

I plan on doing some research, and then adding these things under the software section:

  • StackGuard and Canary Values as implemented by a compiler
Check --Nick Johnson 09:08, 12 April 2007 (CDT)
  • Memory address randomization
Check --Nick Johnson 09:08, 12 April 2007 (CDT)
  • Separation of privileges
Can't decide if this belongs on this page. It's a generic security safeguard, not specific to buffer overflows --Nick Johnson 10:01, 12 April 2007 (CDT)

--Nick Johnson 08:36, 12 April 2007 (CDT)

More on Hardware/Software

By the way: OpenBSD does something called W^X (write-exclusive-or-execute). I don't really know how it works, but if anyone does, it should be added here. --Nick Johnson 08:37, 12 April 2007 (CDT)

Article growing nicely

This is why I love working on wikis... I've learned as much as I've contributed to this article. Nice job Nick. --Eric M Gearhart 09:54, 12 April 2007 (CDT)

The pleasure is mine. Thank you Eric. --Nick Johnson 10:00, 12 April 2007 (CDT)

Document structure changes

I don't think that "Tools Used During Software Development", "By The Operating System", "As Language Semantics or Library Functionality", and "As Compiler Features" should be sub-headings under "Software Debugging Tools". I have changed the structure accordingly. My reasoning: the operating system, language semantics and the library itself are not debugging tools. The compiler may be considered a debugging tool, but this operation of it is not a debugging tool. --Nick Johnson 11:30, 16 April 2007 (CDT)

Yes the main reason I originally added those sections was just to "drum up ideas" for that section... technical accuracy trumps structure any day. Eric M Gearhart

smashing the stack

I think buffer overruns can occur in the heap as well if you're using a language like C. In fact, I'm sure of it. And when you overrun the memory illegally enough to reach the border of a virtual memory segment, you get a memory segment error. So "smashing the stack" I think refers to the x86 style attack of overwriting the return address of a procedure. That is a special case of a buffer overrun. A buffer overrun is not always malicious; typically, it's just a programmer's silly error (hey, every C programmer does it at least once; it's like a teenager's mandatory first fender-bender). An aside--one reason Java became so successful is that the Java runtime automatically tries to prevent buffer overruns by inserting runtime checks, and on the whole, it does a pretty good job of doing that.Pat Palmer 18:48, 19 April 2007 (CDT)

The point being, that some architectures are much more vulnerable than others to buffer overruns. x86 is generally worse than SPARC. Also, some languages (C, assembler, and native machine language) cannot be made safe. This is so much web programming has moved to "safer" languages like Java (because you don't want your web server crashing in the middle of the night); using a strongly typed, type-safe language overcomes some of the vulnerabilities of the underlying hardware and OS. Not sure how to fold this into the article...I don't think I really know enough to write it.Pat Palmer 18:51, 19 April 2007 (CDT)
I agree that SPARC's register windowing is less susceptible to stack smashing attacks, simply because the stack is built of registers without consecutive memory addresses. However, this feature of SPARC is quite unique. RS/6000, Alpha, PowerPC, etc all behave just like x86 in this respect. A bigger issue is whether your memory controller will allow you to mark some pages as read-only, which is a place where x86 is sorely lacking. Buffer overflows are still entirely possible, even on SPARC.
I agree that the article over-emphasizes stack smashing attacks and under-emphasizes other types of buffer overflows.
It's just plain wrong to say that languages like C or assembler cannot be made safe--it's just a lot harder. To turn your example around, you don't want your web server crashing in the middle of the night--most likely, your web server (apache or IIS) is written in C or C++. I don't know about now, but they used to recommend that one run Apache Tomcat (written in Java) behind an Apache Proxy (written in C) for security. We do talk about the use of safer languages under the heading "As Language Semantics or Library Functionality".--Nick Johnson 08:41, 20 April 2007 (CDT)
Sorry to seem confused here. To clarify, I intended to talk of applications that run on the web server, not the web server itself. Back in the days when C or C++ was used to write dynamic web server applications (not the server itself), one person's application was quite capable of behaving so badly (often by accident) that the whole server crashed. Making C safe requires that the programmer remember to do everything right; it might not work despite the best intentions. As a result, web servers mostly now require you to write in a language that is more type safe, and they try to sandbox each programmer's application so it doesn't eat up the whole server and crash it.Pat Palmer