New Windows Buffer Overflow!

CERT ^ | Mar 17th | Me

[supercat]

If it was really known since 1971...why haven't computer science courses in colleges across the fruited plain (and elsewhere) taught people how to write good, tight, overflow-resistant code? Because it's practically impossible using C/C++:

What's so difficult? Make pointers eight bytes, with the first word pointing to the base of the memory object and the second word being an offset. To be sure, the performance penalty would have been severe in 1971 or even 1991, but with well-designed code running on today's superscalar architectures the penalty today should be minor compared with all the other junk computers waste cycles on.

BTW, it'd be nice if someone came up with a slight extension of the x86 segment architecture to allow hardware assistance to mitigate these problems. For programs which need less than 32,000 memory chunks, the 386's six-bit pointers could provide this level of protection at the hardware level. A slight extension to allow 32-bit segment descriptors would allow segmentation to be incorporated into OS's language compilers as a general feature.

[Bush2000]

Rediculous! Let me guess, you recomment Visual Basic??

First, it's spelled "ridiculous". And second, I didn't recommend against using C/C++. I use both on a daily basis. But that doesn't mean that the language isn't inherently vulnerable to these kinds of issues. Flexibility = greater odds of screwup.

[Poohbah]

I guess what I was trying to get at is that when I was learning how to program, none of the course material I took mentioned the buffer overflow issue.

When I was a young Marine recruit, I was taught how to handle a rifle safely. I learned the art of safe small arms handling in excruciating detail LONG (no, that's not a variable type :o) before I ever learned how to actually shoot the damn thing--and the safety aspects were reinforced throughout my time in boot camp.

Yes, you still get a some NDs (negligent discharges) every year. But you get a lot less than you otherwise would with that many youngsters handling that many weapons.

It seems to me that something analogous might be needed in computer programming courses.

[Bush2000]

OK. So one even one comment is too much? I'll remember that. Of course, you DO realize, then, that you have broken your own rule by the flood of attacks?

I have no such rule.

[buckster]

THIS IS VEY VEY SERIES!!!! THIS IS HUGH!

[6ppc]

Generally the gory details of such things as embalming, food preparation and software development are best left uncovered.

[6ppc]

covered=hidden

[TechJunkYard]

.. when I was learning how to program, none of the course material I took mentioned the buffer overflow issue.

When I learned assembler it was a pretty hot topic... likely because it was so easy to prevent and/or correct in assembler.

But using (cough) high-level languages puts you at the mercy of the code generator in the compiler. It's scary to realize how much vulnerability can be introduced into executables by processes that the programmer has no control over.

[Bush2000]

When I learned assembler it was a pretty hot topic... likely because it was so easy to prevent and/or correct in assembler.

To pick a small nit, you learned assembly language. You used an assembler tool to produce object code. People use these terms interchangeably -- but there is a technical difference.