Monday, March 26, 2007

The Band-aid Approach

There was a comment posted asking why I was against the approach of shuffling buffers around in my post entitled Exploit Longevity (

Before I can answer I need to make sure that we have a common understanding of buffers and buffer overflows.

What is a Buffer?

A buffer is a portion of memory where a program stores information that changes. Every time a web site address is typed into a web browser the address is stored in a buffer.

What is a Buffer Overflow?

Buffers do not have an unlimited size, and that fact can be exploited. By providing too much information to the program and overflowing the buffer. When a buffer is overflowed one of two things happen the program crashes or runs what the perpetrator wants it to.

When the program crashes that is a Denial of Service (DoS) attack.

When the program executes what the attacker intended that is an exploit. For a little more meat, e.g. technical explanation. The attacker will usually uses a series of NoOp* instructions to create a "NoOp slide"before the exploit code. Once the program tries to execute the code that was after the buffer it will "slide down" the NoOps to the exploit.

Is Moving the Buffer a Cure?

Consider finding out that someone with the right tool, a "slim jim," can open your car door and steal the car. The manufacture sends has all the cars modified to move the "weak link" over 5 inches, but not protect it. Since everyone knows the fix it simply takes car thieves a short time to adjust and continue stealing cars.

Of course its different with software patches... Not.

For the exploiter the patch is simply the instruction manual for finding the new location of the buffer.

In essence this type of patch is a band-aid not a cure.

* A single byte machine code that performs no operations. Originally used to remove code from machine code with out having to rewrite major portions of the program.

What is a buffer overflow

What prevents a buffer overflow

Why moving a buffer isn't a fix

With securely written programs buffer overflows can't happen.

No comments: