
Buffer Overflow Attacks and Their Countermeasures (Linux Journal)

Here's a security-conscious Linux Journal article examining buffer overflows. "Buffer overflow problems always have been associated with security vulnerabilities. In the past, lots of security breaches have occurred due to buffer overflow. This article attempts to explain what buffer overflow is, how it can be exploited and what countermeasures can be taken to avoid it."

Buffer Overflow Attacks and Their Countermeasures (Linux Journal)

Posted Mar 10, 2003 22:22 UTC (Mon) by dwheeler (guest, #1216) [Link]

It's not a bad intro, but it omits a lot. For example, it omits ProPolice, which is like StackGuard but works for many systems (it's what OpenBSD is moving to). If you want more detail, see my document, Secure Programming for Linux and Unix HOWTO.

Buffer Overflow Attacks and Their Countermeasures (Linux Journal)

Posted Mar 11, 2003 0:12 UTC (Tue) by cjcoats (guest, #9833) [Link]

As noted by another responder, the article misses a lot. On the low-tech front, the solution can be as simple as
Program it in Fortran!
Not only is current-standard Fortran a nice and structured language to program in (with very mature compilers, structs, dynamic memory allocation, argument checking), it also has a safe implementation of character strings:
Think of a string as a struct with a length-field and a pointer-to-contents field.

String assignment has the following semantics:

  • If the source is shorter than the target, pad the trailing end of the target with blanks; and
  • If the target is shorter than the source, just copy the leftmost portion of the source that fits, and truncate the rest.
It's string-handling, made safe by design!

fwiw.
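
The assignment rule described in the comment above, sketched in C as an added example (not code from the comment or from the Linux Journal article). The names `fstr`, `fstr_assign`, `record` and `demo_assign` are hypothetical, and returning the count of dropped characters is an assumption added here so that truncation can be detected.

```c
#include <stddef.h>
#include <string.h>

/* Fixed-length string as described in the comment: a length field plus a
   pointer to the contents. No NUL terminator is stored or relied on. */
struct fstr {
    size_t len;   /* capacity of data, fixed when the variable is declared */
    char  *data;  /* exactly len bytes, blank-padded */
};

/* Assign src (src_len bytes) to dst with the pad/truncate rules above.
   Never writes outside dst->data[0 .. dst->len-1]. Returns how many source
   characters were dropped (0 = nothing lost); that return value is an
   addition of this sketch, not part of the rule as stated. */
size_t fstr_assign(struct fstr *dst, const char *src, size_t src_len)
{
    size_t n = src_len < dst->len ? src_len : dst->len;
    memmove(dst->data, src, n);                /* safe if buffers overlap */
    memset(dst->data + n, ' ', dst->len - n);  /* blank-pad the tail */
    return src_len - n;
}

/* Constructed demo layout: an 8-byte target followed by a neighbouring
   field, the arrangement where an unchecked strcpy() would spill over. */
struct record {
    char name[8];
    char canary[4];
};

/* Assigns text to r->name; returns 1 if the neighbouring field is intact. */
int demo_assign(struct record *r, const char *text, size_t *dropped)
{
    struct fstr dst = { sizeof r->name, r->name };
    memcpy(r->canary, "SAFE", 4);
    *dropped = fstr_assign(&dst, text, strlen(text));
    return memcmp(r->canary, "SAFE", 4) == 0;
}

int main(void)
{
    struct record r;
    size_t dropped;
    demo_assign(&r, "root", &dropped);                   /* padded with blanks */
    demo_assign(&r, "administrator-account", &dropped);  /* truncated to fit */
    return 0;
}
```

The write stays inside the target in both cases, but the second call silently loses data; code that uses such strings for names, paths or keys should check the dropped count rather than accept the shortened value.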

Well, if you're gonna say THAT...

Posted Mar 11, 2003 7:05 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

why not just say...?

Program in Common Lisp!

Not only does CL do safe string and buffer allocation (dynamic by default), but it also has built-in lists, true multi-dimensional arrays, hash tables, structures, lexical closures, a class system that kicks the pants off of Java's, truly useful macros that operate on parse trees, the ability to treat code as data and vice versa, good garbage collection, clean syntax (what there is of it), excellent compilers available freely as well as commercially (open source ones, too), a portable standard, optimization settings that can be specified in the source input (and aren't just compiler-specific) and varied by function, and a whole lot more! NOW how much would you pay?!

All of this in an executable and core image (for CMUCL) that takes up less than half the space of what GCC requires just for headers. Nor does it need any linker or preprocessor. And it can be faster than C too, if properly optimized.

As for string assignment, the semantics are like this.

Binding a string to a global variable, where the string is read up to a newline from a file stream named "bar":

(defvar *foo* (read-line bar))

Binding a string to a local variable, read from standard input as a Lisp object (i.e., in quotes):

(let ((foo (read)))
  ;; blah blah stuff with string in here
  )

See? No worry about truncating, or measuring the size beforehand. And it's garbage collected when you don't need the object anymore. (Or if you want to make it stack-allocated, declare it dynamic-extent and make sure it isn't returned from the body of the LET.)

Buffer Overflow Attacks and Their Countermeasures (Linux Journal)

Posted Mar 11, 2003 15:35 UTC (Tue) by NAR (subscriber, #1313) [Link]

Not only is current-standard Fortran a nice and structured language to program in (with very mature compilers, structs, dynamic memory allocation, argument checking), it also has a safe implementation of character strings:

But if I remember well, there is no check for array indexing in Fortran: and that's what really bites in C...

Bye, NAR

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds