Are buffer overflows simply poor programming?

Discussion in 'other security issues & news' started by Devinco, Jul 21, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Isn't a buffer overflow simply the result of an inadequate error handling routine?
    Whether this is caused by the OS, the program, or a combination, shouldn't the error handler simply stop the exploit and just generate an error message?
    I'm sure the problem is more complex, but it seems like it is just poor programming.
    Why not just improve the error handlers so they enforce certain restricted behaviors when an error occurs?
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If I correctly remember (and if I don't, please forgive me - it's been a long time since I've looked at it), in VB there's simply a checkbox in the compile setup to enable/disable buffer checking in the output code. Saves a few CPU cycles and makes the code run faster with it unchecked. I'm guessing that it is not much different for any compiler except that they may or may not have the option exposed to the end user... Possibly some of them don't even support output code that has buffer checking... So whether you're hand coding or using a compiler, basically standard practice is to make the code run as fast as you know how... I don't know if I'd personally say poor programming, perhaps over-optimising? Given the now understood exploitability of unchecked buffers, perhaps anything being developed I would see it that way...

    Anyhow, just my $0.02 worth :)

    Cheers :)
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks NOD32 user.
    That's even worse than I thought.
    Just checking a buffer checking checkbox in the compiler would stop buffer overflow exploits in the particular program!
    I was expecting new error handlers would have to be programmed.
    But the solution is readily available right now if programmers simply enable buffer checking?
    Maybe I should have said lazy programming? :D
    Buffer overflow exploits have been publicly known for years now; I don't think there is a good excuse anymore for programmers to not enable buffer checking if it will stop the exploits.
     
    Last edited: Jul 21, 2006
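
An added example, not code from any poster in this thread: what "buffer checking" amounts to in C, and why an unchecked copy never reaches an error handler. The record layout, function names and input bytes are constructed for illustration; the record is modelled as one flat array so the demonstration itself stays within defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: an 8-byte name buffer followed directly by a
   one-byte flag, both living inside one 16-byte block of memory. */
#define NAME_SIZE   8
#define FLAG_OFFSET NAME_SIZE
#define RECORD_SIZE 16

typedef struct { unsigned char mem[RECORD_SIZE]; } record;

void record_init(record *r) { memset(r->mem, 0, sizeof r->mem); }
int  record_flag(const record *r) { return r->mem[FLAG_OFFSET]; }

/* Unchecked: trusts the caller's length. Writing past the name field is
   an ordinary memory write, so nothing fails and no error is raised;
   the neighbouring flag is silently overwritten. */
void set_name_unchecked(record *r, const char *src, size_t len) {
    if (len > RECORD_SIZE) len = RECORD_SIZE; /* keeps the demo in bounds */
    memcpy(r->mem, src, len);
}

/* Checked: compares the length with the buffer size before copying and
   returns an error the caller can handle. This comparison is the
   "buffer check" that costs a few CPU cycles. */
int set_name_checked(record *r, const char *src, size_t len) {
    if (len > NAME_SIZE) return -1;           /* reject oversized input */
    memcpy(r->mem, src, len);
    return 0;
}

int main(void) {
    const char input[] = "AAAAAAAA\x01";      /* constructed: 9 bytes */
    record r;

    record_init(&r);
    set_name_unchecked(&r, input, 9);
    printf("unchecked: flag=%d\n", record_flag(&r));

    record_init(&r);
    int rc = set_name_checked(&r, input, 9);
    printf("checked:   rc=%d flag=%d\n", rc, record_flag(&r));
    return 0;
}
```
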
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Automated tools are not perfect either. And buffer overflows are not the only vulnerability there is, though they are common. That said, I am a programmer (although I haven't done any particular programming in C in a long time), and I know that when it comes to "secure coding", the amount of laziness you can find is really bewildering. I know of programmers who have been coding for web sites (even large ones) in PHP or ASP for years, and they didn't even know about SQL injection and cross-site scripting, the two most common vulnerabilities around. I've seen sites with budgets of tens of thousands of dollars where every single SQL injection and XSS attempt worked like a charm.
     
  5. evilrabbi

    evilrabbi Registered Member

    Joined:
    Jul 30, 2006
    Posts:
    6
    Buffer overflows are really only a problem in type-unsafe languages like C or C++...
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I know that (hence my claim "but I haven't programmed anything serious in C in years"). I was commenting on the (overall) laziness of many programmers when it comes to preventing vulnerabilities.
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks TNT.
    Even if the automated buffer checking would cut down 25% of these overflows, that would be a big help security-wise.

    Thanks evilrabbi. Welcome to Wilder's.

    Are there places like Wilder's where the security clueless programmer can learn the essential secure coding procedures?

    Is there a place like that for the security clueless PHP coder and web site developer?
     
  8. evilrabbi

    evilrabbi Registered Member

    Joined:
    Jul 30, 2006
    Posts:
    6
    I didn't mean for that to be a jab at you. I was simply stating that for the OP.
     
  9. evilrabbi

    evilrabbi Registered Member

    Joined:
    Jul 30, 2006
    Posts:
    6
    Thanks ;) I'm glad to be here. I followed a link about gameguard here and liked the forum. For PHP check out this link http://www.zend.com/zend/art/art-oertli.php.

    You might find it useful.
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, very useful. This is exactly the type of article that is needed to help coders learn the pitfalls of coding in the wrong way with specific examples and then showing them the right way (maybe with the same code corrected).
    You can learn things from Black Hat sites, but they usually only show how to exploit systems and not how to protect against it.

    Thanks!
     