Firewall Wizards mailing list archives
Re: Buffer Overruns
From: Crispin Cowan <crispin () cse ogi edu>
Date: Mon, 20 Dec 1999 20:18:30 +0000
Vin McLellan wrote:
Is there something in the emergence of a popular Internet, or some other timely aspect in the industry's evolution, that has brought to light the vulnerabilities associated with buffer overruns in recent years? Maybe some shift in program design or programming engineering practice? What left so many of these vulnerabilities unexposed and their risks unappreciated for so many years?
My personal conjecture is that it comes from the following factors:

* Wide-spread Internet connectivity. Buffer overflows are not very interesting if the attacker can't network to your computer.

* Wide-spread $ on the Internet, i.e. the big change in the early 90s when commerce was admitted to the Internet. $ on the net transforms penetration attacks from vandalism to a profitable endeavour.

* Wide-spread source code availability. Yes, source was available before, but mostly to "good" people at Universities. The Linux phenomenon brought source code (and workstation-class computers!) to the rowdy teenagers of the world. Probably at least two orders of magnitude more people are looking at source today than in 1990. Probably 4 or 5 orders of magnitude more people with criminal intent are looking at source code today than in 1990. In 1990, to hack a buffer overflow you either had to be a scholar at a research lab or university, or buy yourself a $10K Sun workstation. In 1999, you have to be a 14-year-old with a $400 PC and a copy of Linux.

Note also that *source* code availability is not a necessary condition, it just makes things go faster. Buffer overflows in closed source (Windows) applications have been emerging for a couple of years now: http://www.cultdeadcow.com/cDc_files/cDc-351/

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Current thread:
- Re: Buffer Overruns, (continued)
- Re: Buffer Overruns Matt Curtin (Dec 18)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- RE: Buffer Overruns Michael D. Hunter-Linville (Dec 21)
- Re: Buffer Overruns Saravana Ram (Dec 24)
- Re: Buffer Overruns Frederick M Avolio (Dec 20)
- Re: Buffer Overruns Matt Curtin (Dec 18)
- Re: Buffer Overruns Ryan Russell (Dec 18)
- Re: Buffer Overruns Steven M. Bellovin (Dec 18)
- Re: Buffer Overruns Vin McLellan (Dec 20)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Lim Wei Siong Vincent (Dec 22)
- Re: OT - Rant on State of S/w Engr (was Re: Buffer Overruns) Joseph S D Yao (Dec 23)
- Re: Buffer Overruns Joseph S D Yao (Dec 21)
- Re: Buffer Overruns Crispin Cowan (Dec 21)
- Re: Buffer Overruns Michael Kelly (Dec 22)
- Re: Buffer Overruns Joseph S D Yao (Dec 23)
- Re: Buffer Overruns Crispin Cowan (Dec 30)