Buffer Overflow
Do an Internet search on the term buffer overflow, and you'll come up with hundreds of thousands of links, most related to security. In the National Institute of Standards and Technology's ICAT index of computer vulnerabilities, six of the top 10 involve buffer overflows. In 1999, buffer overflow was named the No. 1 computer vulnerability. Five years later, it's still a major problem.
If you've ever poured a gallon of water into a pint-size pot, you know what overflow means -- water spills all around.
Inside a computer, something similar happens if you try to store too much data in a space designed for less. Input normally goes into a temporary storage area, called a buffer, whose length is defined in the program or the operating system.
Ideally, programs check data length and won't accept an overlong data string. But most programs assume that data will always fit into the space assigned to it. Every running program also keeps a region called the stack, where local variables, function arguments and the address to return to after each call are stored temporarily between operations. Buffers placed on the stack can overflow too, and they sit right beside exactly the values an attacker most wants to overwrite.
When a too-long data string goes into the buffer, any excess is written into the area of memory immediately following the space reserved for the buffer -- which might be another data buffer, a saved pointer to the next instruction to execute (a return address) or some other piece of the program's state. Whatever was there is overwritten and destroyed.
That in itself is a problem. Just trashing a piece of data or a saved address is enough to crash the program or the operating system. But much worse can happen. If the overwritten value is the return address, the attacker can point it back into the data he just supplied, so the extra bytes are interpreted as instructions and executed; they can do almost anything and run with the privileges of the program that overflowed (which could be root, the highest level).
Bad Programming
Buffer overflow results from a well-known, easily understood programming error. If a program doesn't check for overflow on each character and stop accepting data when its buffer is filled, a potential buffer overflow is waiting to happen. However, such checking has been regarded as unproductive overhead -- when computers were less powerful and had less memory, there was some justification for not making such checks. Moore's Law has removed that excuse, but we're still running a lot of code written 10 or 20 years ago, even inside current releases of major applications.
Some programming languages are immune to buffer overflow: Perl automatically resizes arrays, and Ada95 detects and prevents buffer overflows. However, C -- the most widely used programming language today -- has no built-in bounds checking, and C programs often write past the end of a character array.
Also, the standard C library has many functions for copying or appending strings that do no boundary checking at all: strcpy, strcat, gets and sprintf keep writing until they reach the end of the source, never asking how big the destination is. C++ is slightly better, because std::string and std::vector manage their own storage, but raw arrays and C-style strings in C++ code overflow just the same.
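The two points made above -- that the excess lands in whatever happens to sit after the buffer, and that the C library's copy routines give no warning -- as an added example in C. This is not code from the original article; the login record, its field names and the function names are all assumptions made for the illustration. The record places an 8-byte name buffer immediately in front of a privilege flag, then fills the name first with an unchecked strcpy-style copy and then with a bounded copy that knows the buffer's size.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example record: an 8-byte name buffer immediately followed by a
 * privilege flag. On common ABIs there is no padding between them, so the flag
 * is the "area of memory immediately following" the buffer. */
struct login {
    char     name[8];
    uint32_t is_admin;
};

/* Layout assumption the demonstration relies on. */
int layout_ok(void)
{
    return offsetof(struct login, is_admin) == 8 && sizeof(struct login) == 12;
}

/* Behaves like strcpy(): copies until the source's NUL, knowing nothing about
 * how big the destination is. Written by hand so a fortified libc strcpy
 * (_FORTIFY_SOURCE) cannot intercept the demonstration. */
static void unchecked_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Bounded copy: never writes more than dst_size bytes, always NUL-terminates,
 * and reports when the input did not fit instead of spilling past the end. */
static int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {           /* no room left for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Vulnerable path. The name buffer is the first thing in the record, so
 * strcpy(rec.name, user) and this copy start at the same address. Anything
 * past 7 characters runs straight into is_admin. With an 11-character input
 * the terminating NUL is the 12th byte, the last one inside the record; a
 * longer input would keep writing onto whatever the stack holds next -- in a
 * real frame, the saved return address. Returns the flag so the caller can
 * see what the input did to it. */
uint32_t login_unchecked(const char *user)
{
    struct login rec;
    memset(&rec, 0, sizeof rec);
    unchecked_copy((char *)&rec, user);
    return rec.is_admin;
}

/* Hardened path: the same record, but the copy is told the buffer's size and
 * over-long input is rejected rather than truncated silently. */
int login_checked(const char *user)
{
    struct login rec;
    memset(&rec, 0, sizeof rec);
    if (checked_copy(rec.name, sizeof rec.name, user) != 0)
        return -1;
    return (int)rec.is_admin;
}

int main(void)
{
    /* Constructed inputs: a name that fits, and 11 bytes of filler whose last
     * three characters land in is_admin (0x00414141 on a little-endian CPU). */
    const char *ok   = "alice";
    const char *evil = "AAAAAAAA" "AAA";

    printf("layout as assumed: %s\n", layout_ok() ? "yes" : "no");
    printf("unchecked \"%s\": is_admin = 0x%08" PRIx32 "\n", ok, login_unchecked(ok));
    printf("unchecked \"%s\": is_admin = 0x%08" PRIx32 "\n", evil, login_unchecked(evil));
    printf("checked   \"%s\": %d\n", ok, login_checked(ok));
    printf("checked   \"%s\": %d (rejected)\n", evil, login_checked(evil));
    return 0;
}
```

The checked variant deliberately returns an error instead of silently keeping the first seven characters: silent truncation is what strncpy gives you, and it trades one bug (memory corruption) for another (a name that is no longer the one the user typed, and possibly no terminator). Whichever policy is chosen, the decision is made before the copy, which is the check the article says most programs skip.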
Buffer overflow has become one of the preferred attack methods for writers of viruses and Trojan horse programs. Crackers are adept at finding programs where they can overfill buffers and trigger specific actions running under root privilege -- say, telling the computer to damage files, change data, disclose sensitive information or create a trapdoor access point.