Buffer overflows
- A buffer overflow is an anomalous condition where a program somehow
writes data beyond the allocated end of a buffer in memory.
- In 1988, Cornell grad student
Robert Morris brought down the Internet with a
worm
that used a buffer overflow in a Unix program called finger.
- Using fgets() instead of gets() or scanf() helps prevent buffer overflows
since fgets() requires a maximum buffer size as one of its arguments
- If you are writing a package that will be widely used, and security is
an issue, then you should be aware of these problems.
- For 201 you should be aware that using gets() will cause a warning
message to be generated. Use fgets() instead.
Vulnerable to buffer overflow
This example will cause problems if the user enters more than fourteen
characters. (Why 14 and not 15?)
#include <stdio.h>
int main()
{
char buff[15] = {0};
printf("enter your name: ");
scanf("%s", buff);
}
Using gets( ) introduces the same vulnerability.
Safe from buffer overflow
This example is safe since fgets( ) will return at most 14 characters plus NULL.
#include <stdio.h>
int main()
{
char buff[15] = {0};
fgets(buff, sizeof(buff), stdin);
}
Ok, So how does a worm grab control of your computer?
- If a cracker knows the code of the program he's attacking
(e.g., Unix finger)
- And it does unsafe string operations
- He feeds it an overly long string
- part of which will overwrite parts of the program
- with characters that will be subsequently interpreted as code
- that, when executed, will do what he wants.
CSEE
|
201
|
201 F'06
|
lectures
|
news
|
help
Last Modified - Tuesday, 22-Aug-2006 07:14:08 EDT