
Study says "buffer overflow" is most common security bug

The computer vulnerability of the decade may not be the Y2K bug, but a security weakness known as the buffer overflow.

Paul Festa, Staff Writer, CNET News.com

Quick: What's the computer vulnerability of the decade?

It's not the Y2K bug, according to computer science and security analysts, but a security weakness known as the buffer overflow. Unlike the Y2K bug, which threatens to cripple computers unable to distinguish years written in two-digit shorthand, this vulnerability opens computers to attacks by malicious hackers, who can use the bug to commandeer the targeted computer.

In a buffer overflow, the attacker floods a field, typically an address bar, with more characters than it can accommodate. The excess characters in some cases can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by security measures.

"Buffer overflows have been the most common form of security vulnerability for the past 10 years," according to a new paper published by the Oregon Graduate Institute of Science & Technology (OGI) and funded in part by the Defense Advanced Research Projects Agency (DARPA). "Because these kinds of attacks enable anyone to take total control of a host, they represent one of the most serious classes of security threats."

Security analysts agree that the first step in cutting down on buffer overflow bugs is for people to engage in more careful computer programming.

Programmers can protect their products against buffer overflow attacks simply by including instructions for handling overlong strings, according to Alan Paller, director of research for the System Administration, Networking and Security Institute (SANS).

"It all comes back to one programmer being careless," Paller said. "You wrote a program, asked someone for input, gave them space for a certain amount of characters, and didn't check to see if the program could take more. You are incompetent, and you are the problem. One guy making that mistake is creating all the work for the rest of us."

The OGI paper identified careful coding as the first line of defense against buffer overflows, but it said that was easier said than done considering today's programming languages and sloppy programming culture.

"Writing correct code is a laudable but remarkably expensive proposition, especially when writing in a language such as C that has error-prone idioms," the authors wrote. They also cited "a culture that favors performance over correctness."

To combat careless coding, programmers have developed debugging tools that search out buffer overflow vulnerabilities, according to the paper. Other defenses the paper cites either keep the affected parts of the address space from being executed as code, so that injected characters cannot run, or establish boundaries that keep excess characters from reaching locations where they could be executed.
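As an added illustration (not code from the article or from the OGI paper), the following small C model ties together the mechanism described earlier, the length check Paller calls for, and a StackGuard-style canary like the runtime defenses just mentioned. The frame is a flat byte array rather than a real stack, and its layout, guard word and saved address are constructed for the model.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of one stack frame as a flat byte array (so the demo stays
 * within defined behaviour): a 16-byte input buffer, a StackGuard-style canary
 * word, then the saved return address. Offsets and values are invented. */
enum { BUF_SIZE = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_SIZE = 32 };
static const uint64_t CANARY = 0x2A7E9C1355D0B8F1ull;    /* constructed guard */
static const uint64_t SAVED_RET = 0x0000000000401136ull; /* constructed address */
void frame_init(unsigned char *frame) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET);
}

/* The careless idiom Paller describes: room for BUF_SIZE characters, no check
 * that the input fits, so excess bytes spill into the canary and return slots.
 * (Capped at FRAME_SIZE only so the model never writes outside the array.) */
void store_unchecked(unsigned char *frame, const char *input, size_t len) {
    memcpy(frame, input, len > FRAME_SIZE ? FRAME_SIZE : len);
}

/* The fix: refuse input that does not fit, leaving room for the terminator.
 * Returns 0 when stored, -1 when rejected (frame left untouched). */
int store_checked(unsigned char *frame, const char *input, size_t len) {
    if (len >= BUF_SIZE)
        return -1;
    memcpy(frame, input, len);
    frame[len] = '\0';
    return 0;
}

/* Canary check in the spirit of the paper's runtime defenses: 0 = intact,
 * bit 1 = canary clobbered, bit 2 = saved return address clobbered. */
int frame_damage(const unsigned char *frame) {
    int d = 0;
    if (memcmp(frame + CANARY_OFF, &CANARY, sizeof CANARY) != 0) d |= 1;
    if (memcmp(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET) != 0) d |= 2;
    return d;
}

/* One input through either routine on a fresh frame: -1 if rejected, else the damage code. */
int run_scenario(const char *input, size_t len, int checked) {
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    if (checked)
        return store_checked(frame, input, len) ? -1 : frame_damage(frame);
    store_unchecked(frame, input, len);
    return frame_damage(frame);
}
```

A 20-byte input already trips the canary without reaching the return slot, which is the early detection a guard word buys; a 28-byte input reaches both, and the checked routine rejects either.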

The paper's conclusions recommend implementing a combination of defenses against the vulnerability.

Software vendors are ultimately responsible for the buffer overflow problem, and customers should hold them accountable, Paller said.

"Liability goes back to [Microsoft chief executive] Bill Gates and [Sun Microsystems chief executive] Scott McNealy," Paller said. "Until people stop being so generous with the suppliers, this problem isn't going away."

Sun concurred that the buffer overflow problem is both common and preventable but defended its efforts to prevent coding errors and to respond to bugs once they come to light.

"It's quite correct that the problem stems from programming methodologies, and in our case we have been implementing a fairly comprehensive program to go through our software and check it out for vulnerabilities like buffer overflows," said Tom Goguen, group manager for Sun's Solaris Web server for commercial sites. "We're also developing tools to do some automated checking of the software and tools to prevent any further problems like this."

Goguen downplayed the hazard posed by most buffer overflows encountered by Sun. He said they tended to open servers up to denial-of-service attacks, which cause computers to crash and shut off service to users, rather than open them up to invasion and control by the attacker.

Microsoft, which last week patched a buffer overflow issue in its Windows operating system, was not immediately available for comment.

Part of the problem is that programmers have let down their guard against a long-recognized hazard, according to one academic.

"We're not learning the lessons of the past," said Matt Bishop, associate professor of computer science at the University of California at Davis and author of an upcoming book on computer security. "We knew how to handle buffer overflows in the 1960s and '70s. But the solutions that were required typically either used hardware or were implemented within the program itself. Some felt it made the program go too slow, so a lot of programs went out there without buffer checks, and now we're paying the price."

The OGI paper will be read at DARPA's Information Survivability Expo at Hilton Head Island, S.C., and at the SANS 2000 event in Orlando, Fla.

The lead author for the OGI study, Crispin Cowan, in September became chief technology officer of WireX, a server software firm that will sell StackGuard, one of the buffer overrun solutions described in the paper. Cowan remains a part-time professor at OGI.