Talk:Buffer overflow: Difference between revisions
imported>Nick Johnson (More for software) |
imported>Subpagination Bot m (Add {{subpages}} and remove checklist (details)) |
||
(22 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
{{ | {{subpages}} | ||
==Editors please comment on what more this article needs for approval== | |||
The CZ community did a great job taking this article from the "embryo" I created and ironing out an encyclopedia-quality article. I'd like to ask our editors for input on what more development this article needs before it is ready for approval [[User:Eric M Gearhart|Eric M Gearhart]] | |||
: We still need someone to write about OpenBSD's W^X-bit strategy. --[[User:Nick Johnson|Nick Johnson]] 13:47, 19 April 2007 (CDT) | |||
::Well the whole thing with Approval status is that an article has to have an encyclopedic tone and has to cover enough relevant topics. It doesn't have to be "perfect," it has to be "worked up" enough though. The W^X-bit is one of those things that I'd think can be added to a later draft once someone that is knowledgeable happens on it, after this version got approved. [[User:Eric M Gearhart|Eric M Gearhart]] | |||
== Technical explanation not technical == | == Technical explanation not technical == | ||
For instance, nothing "marks" stack contents as either program location or data.--[[User:Nick Johnson|Nick Johnson]] 14:40, 11 April 2007 (CDT) | For instance, nothing "marks" stack contents as either program location or data.--[[User:Nick Johnson|Nick Johnson]] 14:40, 11 April 2007 (CDT) | ||
:Why not [http://en.citizendium.org/wiki?title=Buffer_overflow&action=edit correct] the article then? --[[User:Eric M Gearhart|Eric M Gearhart]] 14:51, 11 April 2007 (CDT) | :Why not [http://en.citizendium.org/wiki?title=Buffer_overflow&action=edit correct] the article then? --[[User:Eric M Gearhart|Eric M Gearhart]] 14:51, 11 April 2007 (CDT) | ||
::In some architectures--SPARC is one, I think--data memory and program memory are segregated, so the stack is always different from code. It's mainly in the x86 architecture that it's been easy in the past to write a virus by overwriting the part of the stack that contained the '''return address'''; the newly inserted return address actually may point to bad code (which gets loaded into the stack as data but then used later as code). Or something like that. In a SPARC architecture, return addresses for procedure calls do not live in the stack at all (but rather, in special registers) so things like buffer overruns in the stack were somewhat less likely to launch a virus.[[User:Pat Palmer|Pat Palmer]] 18:36, 19 April 2007 (CDT) | |||
::More specifically, in SPARC, virtual memory segments are marked as read-only if they are code. These only get loaded by the linking loader. The stack is only loaded into virtual memory segments that are writable. Code and data are just not co-mingled. I'm not sure how it all plays out in x86 except that I seem to recall the return addresses live right in the stack as data, which makes them vulnerable to tampering.[[User:Pat Palmer|Pat Palmer]] 18:39, 19 April 2007 (CDT) | |||
== More for software == | == More for software == | ||
I plan on doing some research, and then adding these things under the software section: | I plan on doing some research, and then adding these things under the software section: | ||
* StackGuard and Canary Values as implemented by a compiler | * StackGuard and Canary Values as implemented by a compiler | ||
: Check --[[User:Nick Johnson|Nick Johnson]] 09:08, 12 April 2007 (CDT) | |||
* Memory address randomization | |||
: Check --[[User:Nick Johnson|Nick Johnson]] 09:08, 12 April 2007 (CDT) | |||
* Separation of privileges | |||
: Can't decide if this belongs on this page. It's a generic security safeguard, not specific to buffer overflows --[[User:Nick Johnson|Nick Johnson]] 10:01, 12 April 2007 (CDT) | |||
--[[User:Nick Johnson|Nick Johnson]] 08:36, 12 April 2007 (CDT) | |||
== More on Hardware/Software == | |||
By the way: OpenBSD does something called W^X (write-exclusive-or-execute). I don't really know how it works, but if anyone does, it should be added here. | |||
--[[User:Nick Johnson|Nick Johnson]] 08:37, 12 April 2007 (CDT) | |||
==Article growing nicely== | |||
''This'' is why I love working on wikis... I've learned as much as I've contributed to this article. Nice job Nick. --[[User:Eric M Gearhart|Eric M Gearhart]] 09:54, 12 April 2007 (CDT) | |||
: The pleasure is mine. Thank you Eric. --[[User:Nick Johnson|Nick Johnson]] 10:00, 12 April 2007 (CDT) | |||
== Document structure changes == | |||
I don't think that "Tools Used During Software Development", "By The Operating System", "As Language Semantics or Library Functionality", and "As Compiler Features" should be sub-headings under "Software Debugging Tools". I have changed the structure accordingly. My reasoning: the operating system, language semantics and the library itself are not debugging tools. The compiler may be considered a debugging tool, but this operation of it is not a debugging tool. --[[User:Nick Johnson|Nick Johnson]] 11:30, 16 April 2007 (CDT) | |||
:Yes the main reason I originally added those sections was just to "drum up ideas" for that section... technical accuracy trumps structure any day. [[User:Eric M Gearhart|Eric M Gearhart]] | |||
==smashing the stack== | |||
I think buffer overruns can occur in the heap as well if you're using a language like C. In fact, I'm sure of it. And when you overrun the memory illegally enough to reach the border of a virtual memory segment, you get a memory segment error. So "smashing the stack" I think refers to the x86 style attack of overwriting the return address of a procedure. That is a special case of a buffer overrun. A buffer overrun is not always malicious; typically, it's just a programmer's silly error (hey, every C programmer does it at least once; it's like a teenager's mandatory first fender-bender). An aside--one reason Java became so successful is that the Java runtime automatically tries to prevent buffer overruns by inserting runtime checks, and on the whole, it does a pretty good job of doing that.[[User:Pat Palmer|Pat Palmer]] 18:48, 19 April 2007 (CDT) | |||
::The point being, that some architectures are much more vulnerable than others to buffer overruns. x86 is generally worse than SPARC. Also, some languages (C, assembler, and native machine language) cannot be made safe. This is so much web programming has moved to "safer" languages like Java (because you don't want your web server crashing in the middle of the night); using a strongly typed, type-safe language overcomes some of the vulnerabilities of the underlying hardware and OS. Not sure how to fold this into the article...I don't think I really know enough to write it.[[User:Pat Palmer|Pat Palmer]] 18:51, 19 April 2007 (CDT) | |||
:::I agree that SPARC's register windowing is less susceptible to stack smashing attacks, simply because the stack is built of registers without consecutive memory addresses. However, this feature of SPARC is quite unique. RS/6000, Alpha, PowerPC, etc all behave just like x86 in this respect. A bigger issue is whether your memory controller will allow you to mark some pages as read-only, which is a place where x86 is sorely lacking. Buffer overflows are still entirely possible, even on SPARC. | |||
:::I agree that the article ''over''-emphasizes stack smashing attacks and ''under''-emphasizes other types of buffer overflows. | |||
:::It's just plain wrong to say that languages like C or assembler cannot be made safe--it's just a lot harder. To turn your example around, you don't want your web server crashing in the middle of the night--most likely, your web server (apache or IIS) is written in C or C++. I don't know about now, but they used to recommend that one run Apache Tomcat (written in Java) behind an Apache Proxy (written in C) for security. We ''do'' talk about the use of safer languages under the heading "As Language Semantics or Library Functionality".--[[User:Nick Johnson|Nick Johnson]] 08:41, 20 April 2007 (CDT) | |||
::::Sorry to seem confused here. To clarify, I intended to talk of applications that ''run'' on the web server, not the web server itself. Back in the days when C or C++ was used to write dynamic web server applications (not the server itself), one person's application was quite capable of behaving so badly (often by accident) that the whole server crashed. Making C safe requires that the programmer remember to do everything right; it might not work despite the best intentions. As a result, web servers mostly now require you to write in a language that is more type safe, and they try to sandbox each programmer's application so it doesn't eat up the whole server and crash it.[[User:Pat Palmer|Pat Palmer]] |
Latest revision as of 16:15, 25 September 2007
Editors please comment on what more this article needs for approval
The CZ community did a great job taking this article from the "embryo" I created and ironing out an encyclopedia-quality article. I'd like to ask our editors for input on what more development this article needs before it is ready for approval Eric M Gearhart
- We still need someone to write about OpenBSD's W^X-bit strategy. --Nick Johnson 13:47, 19 April 2007 (CDT)
- Well the whole thing with Approval status is that an article has to have an encyclopedic tone and has to cover enough relevant topics. It doesn't have to be "perfect," it has to be "worked up" enough though. The W^X-bit is one of those things that I'd think can be added to a later draft once someone that is knowledgeable happens on it, after this version got approved. Eric M Gearhart
Technical explanation not technical
For instance, nothing "marks" stack contents as either program location or data.--Nick Johnson 14:40, 11 April 2007 (CDT)
- Why not correct the article then? --Eric M Gearhart 14:51, 11 April 2007 (CDT)
- In some architectures--SPARC is one, I think--data memory and program memory are segregated, so the stack is always different from code. It's mainly in the x86 architecture that it's been easy in the past to write a virus by overwriting the part of the stack that contained the return address; the newly inserted return address actually may point to bad code (which gets loaded into the stack as data but then used later as code). Or something like that. In a SPARC architecture, return addresses for procedure calls do not live in the stack at all (but rather, in special registers) so things like buffer overruns in the stack were somewhat less likely to launch a virus.Pat Palmer 18:36, 19 April 2007 (CDT)
- More specifically, in SPARC, virtual memory segments are marked as read-only if they are code. These only get loaded by the linking loader. The stack is only loaded into virtual memory segments that are writable. Code and data are just not co-mingled. I'm not sure how it all plays out in x86 except that I seem to recall the return addresses live right in the stack as data, which makes them vulnerable to tampering.Pat Palmer 18:39, 19 April 2007 (CDT)
More for software
I plan on doing some research, and then adding these things under the software section:
- StackGuard and Canary Values as implemented by a compiler
- Check --Nick Johnson 09:08, 12 April 2007 (CDT)
- Memory address randomization
- Check --Nick Johnson 09:08, 12 April 2007 (CDT)
- Separation of privileges
- Can't decide if this belongs on this page. It's a generic security safeguard, not specific to buffer overflows --Nick Johnson 10:01, 12 April 2007 (CDT)
--Nick Johnson 08:36, 12 April 2007 (CDT)
More on Hardware/Software
By the way: OpenBSD does something called W^X (write-exclusive-or-execute). I don't really know how it works, but if anyone does, it should be added here. --Nick Johnson 08:37, 12 April 2007 (CDT)
Article growing nicely
This is why I love working on wikis... I've learned as much as I've contributed to this article. Nice job Nick. --Eric M Gearhart 09:54, 12 April 2007 (CDT)
- The pleasure is mine. Thank you Eric. --Nick Johnson 10:00, 12 April 2007 (CDT)
Document structure changes
I don't think that "Tools Used During Software Development", "By The Operating System", "As Language Semantics or Library Functionality", and "As Compiler Features" should be sub-headings under "Software Debugging Tools". I have changed the structure accordingly. My reasoning: the operating system, language semantics and the library itself are not debugging tools. The compiler may be considered a debugging tool, but this operation of it is not a debugging tool. --Nick Johnson 11:30, 16 April 2007 (CDT)
- Yes the main reason I originally added those sections was just to "drum up ideas" for that section... technical accuracy trumps structure any day. Eric M Gearhart
smashing the stack
I think buffer overruns can occur in the heap as well if you're using a language like C. In fact, I'm sure of it. And when you overrun the memory illegally enough to reach the border of a virtual memory segment, you get a memory segment error. So "smashing the stack" I think refers to the x86 style attack of overwriting the return address of a procedure. That is a special case of a buffer overrun. A buffer overrun is not always malicious; typically, it's just a programmer's silly error (hey, every C programmer does it at least once; it's like a teenager's mandatory first fender-bender). An aside--one reason Java became so successful is that the Java runtime automatically tries to prevent buffer overruns by inserting runtime checks, and on the whole, it does a pretty good job of doing that.Pat Palmer 18:48, 19 April 2007 (CDT)
- The point being, that some architectures are much more vulnerable than others to buffer overruns. x86 is generally worse than SPARC. Also, some languages (C, assembler, and native machine language) cannot be made safe. This is so much web programming has moved to "safer" languages like Java (because you don't want your web server crashing in the middle of the night); using a strongly typed, type-safe language overcomes some of the vulnerabilities of the underlying hardware and OS. Not sure how to fold this into the article...I don't think I really know enough to write it.Pat Palmer 18:51, 19 April 2007 (CDT)
- I agree that SPARC's register windowing is less susceptible to stack smashing attacks, simply because the stack is built of registers without consecutive memory addresses. However, this feature of SPARC is quite unique. RS/6000, Alpha, PowerPC, etc all behave just like x86 in this respect. A bigger issue is whether your memory controller will allow you to mark some pages as read-only, which is a place where x86 is sorely lacking. Buffer overflows are still entirely possible, even on SPARC.
- I agree that the article over-emphasizes stack smashing attacks and under-emphasizes other types of buffer overflows.
- It's just plain wrong to say that languages like C or assembler cannot be made safe--it's just a lot harder. To turn your example around, you don't want your web server crashing in the middle of the night--most likely, your web server (apache or IIS) is written in C or C++. I don't know about now, but they used to recommend that one run Apache Tomcat (written in Java) behind an Apache Proxy (written in C) for security. We do talk about the use of safer languages under the heading "As Language Semantics or Library Functionality".--Nick Johnson 08:41, 20 April 2007 (CDT)
- Sorry to seem confused here. To clarify, I intended to talk of applications that run on the web server, not the web server itself. Back in the days when C or C++ was used to write dynamic web server applications (not the server itself), one person's application was quite capable of behaving so badly (often by accident) that the whole server crashed. Making C safe requires that the programmer remember to do everything right; it might not work despite the best intentions. As a result, web servers mostly now require you to write in a language that is more type safe, and they try to sandbox each programmer's application so it doesn't eat up the whole server and crash it.Pat Palmer