Thursday, November 09, 2006

Buffer Overflows and Security

Buffer overflows and security are very common topics these days and Dr Dobb's just ran an article on it Illusion of Safety. They also ran a follow up article on The Unsecured Integer. The first article presents two options which can be used to prevent buffer overflows brute force and prevention by design. Brute force requires some form of verifying that all incoming data is verified for length before copying with problematic functions. Prevention by design pushes the responsibility to verify that the data doesn't overflow to the edges of the system and has the possibilities to make applications simpler, smaller and run faster, but it requires that each data flow be traced and verified. Preventions is harder to enforce than the brute force method but provides possible efficiency improvements.

One other related article Integral Security . There are 3 variants on integer errors overflow, sign errors and trundication. They reference a special publication 500-262 from NIST as a reference for how to handle Integer Safety.

Also of interesting note they referenced Secure Coding in C and C++, by Robert C. Seacord which appears to be an interesting reference book.

No comments: