Firewall Wizards mailing list archives

Re: Buffer Overruns


From: Crispin Cowan <crispin () cse ogi edu>
Date: Mon, 20 Dec 1999 20:18:30 +0000

Vin McLellan wrote:

        Is there something in the emergence of a popular Internet, or some
other timely aspect in the industry's evolution, that has brought to light
the vulnerabilities associated with buffer overruns in recent years?

        Maybe some shift in program design or programming engineering
practice?  What left so many of these vulnerabilities unexposed and their
risks unappreciated for so many years?

My personal conjecture is that it comes from the following factors:

   * Wide-spread Internet connectivity.  Buffer overflows are not very
     interesting if the attacker can't network to your computer.
   * Wide-spread $ on the Internet, i.e. the big change in the early 90s when
     commerce was admitted to the Internet.  $ on the net transforms penetration
     attacks from vandalism to a profitable endeavour.
   * Wide-spread source code availability.  Yes, source was available before, but
     mostly to "good" people at Universities.  The Linux phenomenon brought source
     code (and workstation-class computers!) to the rowdy teenagers of the
     world.  Probably at least two orders of magnitude more people are looking
     at source today than in 1990.  Probably 4 or 5 orders of magnitude more
     people with criminal intent are looking at source code today than in 1990.
     In 1990, to hack a buffer overflow you either had to be a scholar at a
     research lab or university, or buy yourself a $10K Sun workstation.  In
     1999, you have to be a 14-year-old with a $400 PC and a copy of Linux.

Note also that *source* code availability is not a necessary condition, it just
makes things go faster.  Buffer overflows in closed source (Windows) applications
have been emerging for a couple of years now:
http://www.cultdeadcow.com/cDc_files/cDc-351/

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org



