01:00 PM
Connect Directly

Busted Buffer: How To Prevent It

The best defense against buffer overflows is to write code properly to prevent them in the first place.

Buffer overflows are a common weapon in the attacker's arsenal. In a basic buffer overflow, the attacker sends a specially crafted attack to a computer running software that's known to be vulnerable to buffer overflows. This attack has more data than can be contained in a section of memory known as the buffer. The excess data flows out of the buffer and into another area of memory and changes the normal process by which the computer operates. The computer will then execute the attacker's code as if it were part of the regular application or program.

If the attacker has written the attack code correctly, the computer will follow whatever instructions are in the code, such as enabling remote access, executing a program, or getting the attacker closer to complete control of the target. If the code is flawed, the application--and possibly the computer--will crash. Thus, even an unsuccessful buffer-overflow attack can disrupt service or otherwise harm the target.

The best defense against buffer overflows is to write code properly to prevent overflows in the first place. Unfortunately, a great many software applications still are created with overflow vulnerabilities, which means other defenses must be employed. Many host-based intrusion-protection systems include buffer-overflow protection as part of a larger defense against malware.

The classic paper describing buffer overflows is titled Smashing The Stack For Fun And Profit, by Aleph One. You can find it online at www.phrack.org by searching for issue 49-14. Also check out the books Security Warrior (O'Reilly, 2004) by Cyrus Peikari and Anton Chuvakin and Building Secure Software (Addison-Wesley, 2001) by John Viega and Gary McGraw.

Illustration courtesy of Andrew Shachat/Veer

Return to main story, Keep Attackers At Bay

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 23, 2014
Intrigued by the concept of a converged infrastructure but worry you lack the expertise to DIY? Dell, HP, IBM, VMware, and other vendors want to help.
Flash Poll
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.