A buffer overflow is a type of computer bug. When the length limitation of a space reserved for data – a buffer – is not properly enforced, a buffer overflow may occur. Input data is written to the buffer and, if the input data is longer than the buffer size, the space beyond the end of the buffer is overwritten.
Buffer overflow bugs are frequently security vulnerabilities. A program which takes advantage of a vulnerability to subvert another program’s security is called an exploit. A buffer overflow exploit works by feeding the program with specially crafted content designed to change the data that follows the buffer in memory. Buffer overflows are most easily exploited when the buffer is in the program stack, since this can lead directly to an alteration of the program’s execution path.
Determining the exploitability of a buffer overflow vulnerability can be difficult even for experienced programmers, since it involves a lot of high and low level knowledge of the architecture internals and the target program. Overflows of as little as a single byte beyond the end of a buffer have proved to be exploitable.
Generally, the buffer overflow problem is caused by careless programming. Avoiding them is still a manual process as most formal verification systems have yet proven unattainable in modern programming languages.
Buffer overflows are common only in programs written in relatively low-level programming languages, such as assembly language, C and C++. Many programming languages use a combination of run time checking and static analysis to make it difficult or impossible to code a buffer overflow bug. However, runtime systems and libraries for such languages may occasionally have buffer overflows.
Examples of Prevention
The use of Intrusion Detection Software can detect remote attempts to use buffer overflows. Since most buffer overflows contains a long array of NOPs, the IDS just has to block all incoming packets containing suspiciously many NOPs. (In most assembly languages, “NOP” stands for “No OPeration”.) Recently, crackers have begun to use alphanumeric, polymorphic and self-modifying shellcodes to slip through the IDS.
Various techniques have been used to make buffer overflows in C programs less likely. Systems such as stackguard provide protection against the most common techniques for exploiting buffer overflows by checking that the stack has not been altered when a function returns.
Known to be the open source operating system that is concerned most with security. As most operating systems, OpenBSD is written in the low level C. Yet, it is known to employ its own variant of stackguard, and the project has completed rigorous manual sweeps of the code to address issues most systems just haven’t.
In 1989, the Morris worm used a buffer overflow in a Unix program called finger to propagate itself over the Internet. Even after this incident, buffer overflows were virtually ignored as security issue by the public. Later, in 1995, Thomas Lopatic independently reinvented the buffer overflow and published his findings on the Bugtraq security mailing list, which caused a wave of new security relevant buffer overflows to be found.