Firewall Wizards mailing list archives
Re: Buffer Overruns
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 21 Dec 1999 10:05:15 -0500
In message <E11zSbB-0000mB-00 () polaris shore net>, Vin McLellan writes:
Is there something in the emergence of a popular Internet, or some other timely aspect in the industry's evolution, that has brought to light the vulnerabilities associated with buffer overruns in recent years? Maybe some shift in program design or programming engineering practice? What left so many of these vulnerabilities unexposed and their risks unappreciated for so many years? Sometimes even in <ahem> widely distributed source code.
I think it's a combination of closing of some other holes, the growth of the net in general (and hence more attackers and more targets), and the emergence of canned toolkits for building such attacks. You no longer need to be an assembler language wizard to do it; you just take the snippets, and adjust a few constants until it works. I don't think that changes in practice have contributed much; if anything, the emergence of C++ (with its built-in String class) should have helped. But too many programmers write C using a C++ compiler, and C is a *lousy* language for avoiding such attacks.

--Steve Bellovin