The best defense against buffer overflows is to write code properly to prevent them in the first place.
Buffer overflows are a common weapon in the attacker's arsenal. In a basic buffer overflow, the attacker sends a specially crafted attack to a computer running software that's known to be vulnerable to buffer overflows. This attack has more data than can be contained in a section of memory known as the buffer. The excess data flows out of the buffer and into another area of memory and changes the normal process by which the computer operates. The computer will then execute the attacker's code as if it were part of the regular application or program.
If the attacker has written the attack code correctly, the computer will follow whatever instructions are in the code, such as enabling remote access, executing a program, or getting the attacker closer to complete control of the target. If the code is flawed, the application--and possibly the computer--will crash. Thus, even an unsuccessful buffer-overflow attack can disrupt service or otherwise harm the target.
The best defense against buffer overflows is to write code properly to prevent overflows in the first place. Unfortunately, a great many software applications still are created with overflow vulnerabilities, which means other defenses must be employed. Many host-based intrusion-protection systems include buffer-overflow protection as part of a larger defense against malware.
The classic paper describing buffer overflows is titled Smashing The Stack For Fun And Profit, by Aleph One. You can find it online at www.phrack.org by searching for issue 49-14. Also check out the books Security Warrior (O'Reilly, 2004) by Cyrus Peikari and Anton Chuvakin and Building Secure Software (Addison-Wesley, 2001) by John Viega and Gary McGraw.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?