This is my second in an exciting series of Bugs That Make Your Computer Go Bang. The first one was about
SQL injection flaws in web applications. This time I’ll be talking about buffer overflows.
Buffer overflows are extremely important. I’d hazard a guess that they’re the most common cause of exploitable flaws in modern software. Certainly the big names in malware over the last few years - such as SQL Slammer or Sasser - were all made possible by buffer overflows.
It’s also really easy to write code with a buffer overflow bug. That, of course, is why it’s so common. Anyone who writes a program could make this mistake.
The overview
A buffer is an area in memory set aside to hold some input. You have to create a buffer to store information which you request from elsewhere. So when a program asks for your name it has to set aside space to store the name. That space is the buffer.
The buffer size is set when the program is written, so a lot of thought goes into getting the right size of buffer. Too big is a waste (since that memory can’t be used elsewhere if you’ve grabbed it) and too small can cause problems.
If the user provides input which is too big then the buffer will overflow. And that’s that. All the problems to follow come from the programmer failing to check whether their plate is big enough to hold all that tasty input.
The consequences
Two things can happen with a buffer overflow. If you’re lucky, then the application will fill the buffer and just keep filling. Like writing to the end of the page and continuing onto the desk. And as everyone knows, if teacher finds you writing on the desk you get in trouble.
Inside a computer the role of teacher is taken by the operating system. If it finds a program trying to write where it shouldn’t then *BANG* the program is killed.
This is a bit awkward, obviously, as you might have been doing something with that program. But teachers and operating systems have never been known to listen to reason in the past. And there’s good reason for this. If one badly written application could write wherever it wanted in memory it could very easily bypass security restrictions, crash other programs or just kill the whole computer.
Security compromises
There is another thing that can happen. This is the subtler flaw and lets other people execute programs on your computer if they want.
Picture in your mind a printed application form, such as for a driving licence. They have little squares, one for each letter. That is how the memory inside a computer is arranged, with each buffer containing a fixed number of ‘squares’. If you’ve got a long name and it’s a short box then you just have to write past the end of the box. Sometimes you can write past the edge of the box and into the box next door, which is a bit awkward.
This is what computers sometimes do. A malicious program, such as one of the worms I mentioned up in the second paragraph, can provide a specially crafted extra-long input, so that the receiving program will overfill the buffer and write over something important. The “something important” is usually an instruction, which gets replaced with another, more malicious instruction.
The following is a very silly example, but it might serve to illuminate. This is an application form. The first instruction asks you to fill in a set of numbers and letters from an outside source. This is the risky point, since the “hotline” may not be trustworthy…
Phone the hotline and fill in the information
|_________________________________| Today's Date
|______________|
You phone up the hotline and the automated voice might well ask you to fill in the following selection of highly improbable letters and numbers:
gFwf03 3r %5yw Gew q Hwret Gwer w rthy ukwq q Bank Account a%rg
Looks fairly innocuous, right? We’ll see what happens. You fill in the numbers and go over the edge of the box. You take up so much space you have to write over the next instructions. They are replaced with something slightly less benign than they were:
Phone the hotline and fill in the information
|gFwf03 3r %5yw Gew q Hwret Gwer w rthy ukwq q Bank Account a%rg
|______________|
But being a dumb computer you carry out the instructions to the letter, filling in all the information as it appears to be requested.
Phone the hotline and fill in the information
|gFwf03 3r %5yw Gew q Hwret Gwer w rthy ukwq q Bank Account a%rg
| 099283741 ___|
You can obviously see why this is a contrived and silly example, but at the same time it’s clear that carefully designed overly long input was the problem here. A very similar thing is responsible for crippling computers and propagating malware every single day.
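Here is the application form from above written out in C, as an added example that is not part of the original post. The struct, the field names and the "instruction" text are constructed for illustration; the point is that the unchecked copy spills out of the box into the field stored next to it, while the checked copy refuses input that does not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example: one fixed box for the hotline data, with the next
 * instruction stored immediately after it in memory, just like the paper form. */
#define BOX_SIZE 16

struct form {
    char box[BOX_SIZE];          /* the buffer: a fixed number of "squares" */
    char next_instruction[32];   /* what the program does once the box is filled */
};

static const char *SAFE_INSTRUCTION = "write today's date";

static void reset_form(struct form *f) {
    memset(f, 0, sizeof *f);
    strcpy(f->next_instruction, SAFE_INSTRUCTION);
}

/* The flaw: copy until the input ends, never asking whether the box is big
 * enough. Once i reaches BOX_SIZE the bytes land in next_instruction. The loop
 * is capped at the size of the whole form only so this demonstration stays in
 * memory we own; the buggy program the post describes has no such cap. */
static void fill_box_unchecked(struct form *f, const char *input) {
    char *squares = (char *)f;   /* view the whole form as one row of squares */
    size_t i;
    for (i = 0; input[i] != '\0' && i < sizeof *f - 1; i++)
        squares[i] = input[i];
    squares[i] = '\0';
}

/* The fix: check the plate is big enough before serving. Overlong input is
 * rejected outright and the form is left exactly as it was. */
static bool fill_box_checked(struct form *f, const char *input) {
    if (strlen(input) >= BOX_SIZE)
        return false;            /* does not fit: refuse, rather than truncate silently */
    strcpy(f->box, input);       /* safe: length was checked against BOX_SIZE above */
    return true;
}

/* True if the instruction following the box is still the one we wrote. */
static bool instruction_intact(const struct form *f) {
    return strcmp(f->next_instruction, SAFE_INSTRUCTION) == 0;
}

int main(void) {
    struct form f;
    const char *hotline = "gFwf03 3r %5yw Gew q Hwret Gwer w rthy ukwq"; /* overlong, as in the post */
    reset_form(&f);
    fill_box_unchecked(&f, hotline);
    printf("unchecked: instruction is now \"%s\" (intact: %d)\n", f.next_instruction, instruction_intact(&f));
    reset_form(&f);
    printf("checked: accepted=%d, intact=%d\n", fill_box_checked(&f, hotline), instruction_intact(&f));
    return 0;
}
```

Running it shows the tail of the hotline string sitting where the instruction used to be after the unchecked copy, and the form untouched after the checked one.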