Avoiding Buffer Overflows
Buffer overflows are a fertile source of bugs and malicious attacks.
They occur when a program attempts to write data past the end of a
buffer. Consider this example:
#include
int main()
{
char buff[15] = {0}; /*zero initialize all elements*/
printf("enter your name: ");
scanf(buff, "%s"); /*dangerous, length unchecked*/
}
The program reads a string from the standard input (the keyboard) but
doesn't check the string's length. If the string has more than 14
characters, then it causes a buffer overflow as scanf() tries to write
the remaining characters past buff's end (remember that one character
is always reserved for a null terminator). The result is most likely a
segmentation fault that crashes the program. In certain conditions, the
users will receive a shell's prompt after the crash. Even if the shell
has restricted privileges, they can examine the values of environment
variables, list the current directory files or detect the network with
the ping command.
A more dangerous situation evolves when the program doesn't crash due
to a buffer overflow though. An expert familiar the system's internals
can craft a string that is just long enough to overwrite the program's
IP (instruction pointer, a pointer to the program's next instruction).
If the last 4 bytes of such a string contain a valid memory address,
then the program's flow can be altered. Instead of executing the next
instruction, the program will execute the code to which the new IP
points. It might call another routine or skip code that performs
security checks. I will not go through the gory details here, but this
isn't an unlikely scenario.
Some famous break-ins are based on exploiting such buffer overflows.
One well-documented example is the Red Hat 4.2 suiperl bug, which
resulted from using the function sprintf() (see
http://www.ryanspc.com/exploits/perl.txt for further information).
What can you do to avert buffer overflows? Always check the bounds of
an array before writing it to a buffer. If this is impossible (e.g.,
when the input is coming from a CGI script), then use functions that
limit the number of input characters. For instance, instead of using
scanf(), use the fgets() function, which reads characters up to a
specified limit:
int main()
{
char buff[15] = {0};
fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/
}
Additionally, the standard string functions have versions that take an
explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf
(), use strncpy(), strncmp(), and snprint(), respectively.
» posted by ITworld staff
ITworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Enterprise 2.0 Implementation
By Aaron C. Newman, Jeremy Thomas
Published by McGraw-Hill
Learn more!
Deploying Cisco Wide Area Application Services
By Zach Seils, Joel Christner
Published by Cisco Press
Learn more!
