Myths and Legends about Overflow Errors

Journalists, technical writers who write about computer security, and security experts who earn money by installing security systems tend to exaggerate the significance and power of attacks based on buffer overflow. As a rule, they say that hackers never fail to exploit buffer overflow errors and that if the user doesn't take adequate (and sometimes expensive) protection measures, his or her information will surely be destroyed.

This is true (after all, it is much better to avoid going outdoors if there is no special need, because there is always a chance of some preposterous accident, such as being hit by a falling balcony). However, in the whole evolution of computers, there have been no more than ten occasions of wide use of overflowing buffers to distribute viruses or to mount large-scale attacks. This is partly because true professionals attack practically silently, and partly because true professionals are rarely encountered among contemporary hackers. In fact, they are practically extinct.

The presence of one or more overflowing buffers does not in itself give the attacker any serious possibilities. Most such vulnerabilities never allow attackers to go any further than a trivial DoS. Here is only a brief list of the limitations encountered by hackers and worms:

  • Overflowing string buffers (which are the most prevalent among buffers vulnerable to overflow errors) do not allow a zero character to be inserted into the middle of the buffer, nor do they allow characters that the program interprets in a special way to be inserted.

  • As a rule, the size of the overflowing buffer is catastrophically small and doesn't allow even the smallest and simplest loader to be inserted or any important data structures to be overwritten.

  • The absolute address of the overflowing buffer is most frequently unknown to the attacker; therefore, the attacker must operate with relative addresses, which is technically difficult.

  • Addresses of system and library functions change from one operating system to another. Furthermore, it is impossible to rely on any addresses within a vulnerable program, because they are not constant (this is especially true for UNIX applications, which users compile on their own).

  • Finally, attackers must know in detail the processor instructions, the specific features of different language compilers, and the architecture of operating systems. Furthermore, a hacker must have an unprejudiced mind and unlimited time for the analysis, development, and debugging of the shellcode.

Now it is time to consider the widespread myths about the hackers' opponents: information security specialists, who, like naive children, believe that it is possible to be protected against hackers, at least in theory.

  • There are no reliable techniques, either automatic or at least semiautomatic, for searching for buffers vulnerable to overflow that would produce a satisfactory result. Also, these specialists believe that important security holes cannot be detected by a purposeful search; on the contrary, they hold the opinion that all such security holes are always discovered by chance.

  • All techniques for avoiding buffer overflow errors developed up to now reduce performance (sometimes considerably) but do not eliminate the possibility of overflow, although they do complicate the attacker's life.

  • Firewalls thwart only the most primitive worms, which load their tails over a separate TCP/IP connection. No firewall is capable of tracing data transmitted within the context of an existing TCP/IP connection.

There are thousands of publications concentrating on the buffer overflow problem. Among them are unique and valuable research articles. However, there are also gibberish articles full of boasts. (Look, I have caused a stack overflow, I am cool! Never mind that I did it under lab conditions.) Such theoretical articles are recognizable by their concealment of the actual problems, which are immediately encountered when analyzing fully functional applications and designing shellcodes (which, in principle, are highly automated robots).

Most authors limit themselves to the issues of automatic buffer overflow, pushing other kinds of overflow errors into the background. As a result of this practice, most users have a false impression of the problem. The world of overflowing buffers is much wider, and much more interesting, than this single issue. The materials presented later in the chapter will prove this.



Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164
