A buffer overflow, loosely defined, is a programming bug in which a program writes more data into a region of memory than that region was sized to hold, so the excess spills into whatever sits next to it. Attackers exploit such bugs to run code of their choosing inside the vulnerable program, which makes them especially devastating: the attacker inherits whatever privileges that program has, and when the program is a network service running as root or SYSTEM, that means full control of the victim's computer.
Obviously, a good defense is needed to protect networks from this very common class of attack.
The Anatomy of a Buffer-Overflow Attack
A buffer-overflow attack sounds a lot more complex than it actually is. A buffer, in this case, is simply a fixed-size area of memory set aside to hold data, very often input received from a user or from the network: a username, a password, a file name, the fields of an e-mail header. The problem with this storage is that its size is fixed, and in languages such as C nothing stops the program from copying in more than fits. Feed the program more data than the buffer can hold and the copy simply keeps going; that is the overflow.
Why does an overflow matter? The extra bytes have to go somewhere, and they land in whatever memory sits immediately after the buffer. On the stack that is typically other local variables of the function and then the saved return address, the value that tells the processor where to continue when the function finishes. If that sounds harmless, remember that the attacker chooses every byte of the input. The classic payload fills the buffer with a short piece of machine code, called shellcode, that starts a command shell, and overwrites the return address with the address of that code. For those unfamiliar with Linux, a shell is essentially a command prompt; once the function "returns" into the attacker's code, the attacker has a prompt on the victim's machine and can execute commands at will.
That shell runs with the rights of the program that was exploited, not automatically with full rights; but because the vulnerable program is so often a network service running as an administrator, it frequently amounts to the same thing. In many cases the attacker will then upload a set of code that does a specific task and use the shell to run it. Trojan horses, spyware, backdoors, and viruses are very commonly installed at this point.
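To make the mechanism concrete, here is an added example, constructed for this article and not code from the original, of a deliberately vulnerable C program. Instead of a saved return address it uses a simpler neighbour that is easy to observe: a privilege flag stored right after a 16-byte username buffer. The record layout, the function names and the inputs are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a login record in which a fixed-size name buffer
 * sits directly in front of a privilege flag. On the stack the neighbour
 * would typically be another local variable or the saved return address;
 * a flag is used here because the effect is easy to observe. */
struct login_record {
    char name[16];   /* the buffer: 15 characters plus the terminating NUL */
    int  is_admin;   /* the neighbouring memory the overflow will clobber */
};

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* The classic mistake: copy n bytes to dst with no check against the size
 * of dst. This is what strcpy() does internally; it is spelled out (and
 * kept out of line) so the demonstration does not depend on how the C
 * library or the optimizer treats an out-of-bounds strcpy(). */
static NOINLINE void unchecked_copy(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Vulnerable handler: stores whatever username was supplied. */
void store_username_vulnerable(struct login_record *rec, const char *input)
{
    unchecked_copy(rec->name, input, strlen(input) + 1);  /* +1: the NUL */
}

/* Processes `input` against a fresh, unprivileged record and returns the
 * is_admin flag afterwards. Up to 15 characters fit and the flag stays 0.
 * From the 17th byte on, the input is written into is_admin instead. */
int admin_flag_after_login(const char *input)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);          /* name empty, is_admin = 0 */
    store_username_vulnerable(&rec, input);
    return rec.is_admin;
}

int main(void)
{
    /* Constructed attacker input: 16 bytes to fill `name` completely, then
     * the byte 0x01, which lands in the low byte of is_admin (so the flag
     * reads 1 on a little-endian machine; it is non-zero on any machine). */
    const char *normal = "alice";
    const char *attack = "AAAAAAAAAAAAAAAA\x01";

    printf("normal login:      is_admin = %d\n", admin_flag_after_login(normal));
    printf("overflowing login: is_admin = %d\n", admin_flag_after_login(attack));
    return 0;
}
```

Nothing in the program ever sets is_admin; the attacker set it purely by choosing the length and content of the username. Replace the flag with a saved return address and the same mechanism hands over control of the program.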
Who’s at Fault Here?
While buffer-overflow attacks can target many different kinds of programs, most of the vulnerable ones are written in the programming language C (or its relative C++). This language is notorious for allowing programmers to easily make dangerous mistakes: it does no bounds checking of its own, so a copy into a 16-byte buffer will happily write 17, 100, or 1,000 bytes if the program does not check first. Since causing a buffer overflow requires an input field that can be overfilled, good programmers check the length of every input against the size of the buffer that receives it, and reject or truncate anything that does not fit. For those who don't, a buffer-overflow attack is being risked.
Even Microsoft has dealt with the buffer-overflow epidemic. In July of 2000, a buffer overflow in the code Microsoft Outlook used to parse e-mail headers came to light. Most e-mail users are accustomed to ignoring attachments that look suspicious; thanks to this bug, users didn't even have to open the message to be affected. Because the flaw was in the handling of the message header itself, merely downloading the message with Outlook was enough to trigger it. Of course Microsoft issued a patch, but a computer hit by such an exploit before the patch was applied could end up entirely under the control of a malicious hacker.
Securing Against a Buffer-Overflow Attack
Some of the best defense is a good offense: stopping the bug at its source. Programmers should observe proper coding techniques that make an overflow impossible, chiefly checking every length before every copy. Much of the focus is put on the strcpy() function in C, which copies until it finds a terminating NUL and never looks at the size of the destination; gets(), strcat(), and sprintf() share the same flaw and need the same care. However, most network security administrators aren't the ones writing the code, which puts an interesting spin on the problem.
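As an added example, again constructed for this article rather than taken from the original, here is the same kind of username handler written the way the previous paragraph asks for: the length of the input is compared with the size of the buffer before anything is copied, and input that does not fit is refused. It also shows why the common "just use strncpy()" fix needs a second look. The record layout and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size name buffer followed by a privilege
 * flag, the same neighbour an unchecked copy would overwrite. */
struct login_record {
    char name[16];
    int  is_admin;
};

/* Hardened handler. Compares the input length with the buffer size before
 * copying; anything that does not fit, including its terminating NUL, is
 * refused. Returns true if the name was stored. */
bool store_username_checked(struct login_record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof rec->name)       /* need len characters plus one NUL */
        return false;
    memcpy(rec->name, input, len + 1); /* bounded: at most sizeof name bytes */
    return true;
}

/* Why not just strncpy(rec->name, input, sizeof rec->name)? It does stop
 * the overflow, but for input of 16 or more characters it fills all 16
 * bytes and writes no NUL, so a later strlen() or printf("%s") on `name`
 * keeps reading into is_admin and beyond. If truncation rather than
 * rejection is wanted, truncate explicitly and terminate the result. */
void store_username_truncating(struct login_record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len > sizeof rec->name - 1)
        len = sizeof rec->name - 1;
    memcpy(rec->name, input, len);
    rec->name[len] = '\0';
}

/* Runs the checked handler on a fresh record. Returns -1 if the input was
 * rejected, otherwise the is_admin flag, which can now only ever be 0. */
int checked_admin_flag_after_login(const char *input)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);
    if (!store_username_checked(&rec, input))
        return -1;
    return rec.is_admin;
}

/* Returns 1 if the checked handler stored `input` and the stored name reads
 * back identically (i.e. it is properly NUL-terminated), 0 otherwise. */
int checked_name_round_trips(const char *input)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);
    return store_username_checked(&rec, input) && strcmp(rec.name, input) == 0;
}

/* Returns the length of the name stored by the truncating handler. The
 * record is pre-filled with non-zero bytes so a missing NUL would show. */
size_t truncated_name_length(const char *input)
{
    struct login_record rec;
    memset(&rec, 0x7f, sizeof rec);
    store_username_truncating(&rec, input);
    return strlen(rec.name);
}

int main(void)
{
    /* Constructed inputs: a normal name, the 16-byte-plus-flag-byte attack
     * string from the vulnerable version, and an over-long name. */
    const char *attack = "AAAAAAAAAAAAAAAA\x01";
    printf("alice:  flag %d\n", checked_admin_flag_after_login("alice"));
    printf("attack: flag %d (-1 = rejected)\n", checked_admin_flag_after_login(attack));
    printf("20 A's truncated to %zu characters\n",
           truncated_name_length("AAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The check is one comparison, but it has to be against the size of the destination and it has to count the NUL; off-by-one errors here (using sizeof name instead of sizeof name - 1) are themselves a classic source of single-byte overflows.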
One of the more practical solutions is to be selective about which programs are installed. Companies with a good reputation and an established security process are less likely to make these mistakes, and more likely to ship a patch quickly when they do. This can be further extended by disallowing new programs to be installed without the administrator's approval. It does not fix any bug, but it is a very clean, precise way to limit exposure.
For a more thorough solution, some operating systems have taken the initiative in defending computers against buffer-overflow attacks; Linux is one example. Kernel patches can be installed that make the stack non-executable, nullifying the common exploit in which the attacker's injected code is run straight out of the overflowed buffer. Optionally, programs can be built with a compiler extension such as StackGuard for an extra level of protection: the compiler places a guard value, called a canary, between each function's local buffers and its saved return address, and checks it before the function returns, so a contiguous overflow is detected and the program is stopped before the attacker's code runs. This comes at a small cost in performance, and it detects the overflow rather than preventing it.
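The canary idea is simple enough to show in a few lines. The following added example, constructed for this article and not StackGuard's own code, lays out a "frame" by hand: a buffer, then the guard word, then the value to protect, which stands in for the saved return address. It uses a fixed guard value where a real implementation picks a random one at program start; the structure, names and inputs are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame as StackGuard lays it out: the
 * local buffer, then the guard word, then the data that must survive.
 * In a real frame the protected data is the saved return address. */
#define CANARY 0xDEADBEEFu    /* fixed here; real canaries are random */

struct guarded_frame {
    char     buf[16];
    uint32_t canary;
    int      saved_state;
};

struct check_result {
    int canary_intact;   /* 1 if the guard still holds its value */
    int state_intact;    /* 1 if the protected data was not touched */
};

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* The unchecked copy that causes the overflow (what strcpy() does
 * internally), kept out of line so the optimizer cannot reason the
 * guard check away. */
static NOINLINE void unchecked_copy(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Copies `input` into the frame's buffer without a bounds check, then does
 * what StackGuard's function epilogue does: compares the guard with the
 * value planted on entry. A real build would abort the program at this
 * point instead of returning; here the outcome is returned so it can be
 * inspected. */
struct check_result check_frame_after_copy(const char *input)
{
    struct guarded_frame f;
    struct check_result r;

    memset(&f, 0, sizeof f);
    f.canary = CANARY;            /* prologue: plant the guard */
    f.saved_state = 0x1234;       /* the value an attacker wants to control */

    unchecked_copy(f.buf, input, strlen(input) + 1);

    r.canary_intact = (f.canary == CANARY);          /* epilogue check */
    r.state_intact  = (f.saved_state == 0x1234);
    return r;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that just crosses into the
     * guard, and one long enough to reach the protected value. */
    const char *inputs[] = {
        "alice",
        "AAAAAAAAAAAAAAAAA",         /* 17 chars: first byte past the buffer */
        "AAAAAAAAAAAAAAAAAAAAAA",    /* 22 chars: reaches saved_state */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct check_result r = check_frame_after_copy(inputs[i]);
        printf("%-24s canary %s, protected value %s\n", inputs[i],
               r.canary_intact ? "intact" : "SMASHED",
               r.state_intact ? "intact" : "overwritten");
    }
    return 0;
}
```

The important property is in the last row: any contiguous overflow that reaches the protected value has to pass through the guard, so it cannot get there undetected, and even a single stray byte (the NUL of a 16-character name) is enough to trip it. What the canary does not catch is a write that skips over it, which is why it complements bounds checking rather than replacing it.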
Lastly, we have application firewalls, which are fast becoming a popular method for blunting buffer-overflow attacks that arrive over the network. They act as a proxy between the Internet and the protected server, so no direct connection between the two is ever made. The protection does not come from hiding the server's IP address; it comes from the proxy understanding the application protocol and rejecting malformed requests, an over-long username or header field for example, before they ever reach the vulnerable program.
Do I Need to Protect Myself?
In most cases the answer is: a little, but not a lot of extra effort. Most programs available to the general home user observe safe programming practices, although the Outlook incident above shows that the exceptions can still reach you. For home users, keeping the operating system and applications patched and running a firewall covers most of the risk. For more secure situations, extra protection is a good idea: places where high security is vital, such as a government network or a high-profile company network.
With the birth of newer programming languages, C is also starting to be left in the dust for new application development. C isn't the only language that can easily create buffer-overflow vulnerabilities, but it is without a doubt the majority of the problem, because languages with automatic bounds checking turn the same mistake into a caught error rather than a corrupted memory. As such languages are used more, new programs will increasingly be free of this class of bug by default; the large existing base of C code, including the operating systems themselves, will need the defenses above for a long time.
For those still coding in C, updated and hardened libraries should be installed, and the compiler's protection features, such as the StackGuard canaries described above, should be turned on. These make exploitation harder and catch many overflows at run time; they do not ensure that no vulnerability exists, so they supplement careful coding rather than replace it.
The common buffer-overflow attack will likely come from a third-party source. Bigger companies such as Microsoft are less likely to ship such problems, and more likely to fix them quickly when they do, though the Outlook bug above shows they are not immune. For this reason, keep in mind that sticking to the most reputable programs, and patching them promptly, is a good idea when security is a concern.
Relax, home users: most of the concern is with corporations and other large networks. For these, the protection is probably needed. Of course, don't forget that strict control over what can be installed, and what can't, is a great way to administer a secure network. After all, a chain is only as strong as its weakest link, and networks are no exception!