
Buffer Overflows still an issue

Developers are saying they've heard enough about buffer overflows and they know how to prevent them. OK, then why are we still seeing them? There is still unmanaged code out there, and we still need to pay attention to how we write it.

OK, I often hear people say "Buffer overflows aren't a problem anymore" and "We know how to avoid them, so why keep going on about them?" Well, because people still aren't getting it.

Recently ZDNet UK ( http://www.zdnet.co.uk ) ran a story ( http://news.zdnet.co.uk/internet/security/0,39020375,39249936,00.htm ) about the recent Winamp patch to fix a 'serious security flaw' in Winamp. What was the problem? Yes, a buffer overflow in the latest version. So, if developers are tired of hearing about buffer overflows, and they know everything there is to know about preventing them, then why are we still seeing these kinds of problems on a weekly basis?

Time to face facts: not all code is written in .NET yet. There is still a significant number of applications out there that are written in C/C++. These applications are still being maintained, and there are even some new ones being written in it. OK, so those of you who write purely managed code, never forget to validate, verify, and sanitise your inputs, and have perfect memory management might not have to worry about it. But clearly, it's still a problem.

Any time, every time, you allocate memory to store something, before you even think about putting anything into that memory, make sure that the thing you're about to put in there, is smaller than the size of the memory you allocated. Go back and read that again....

Every time you get input from any source, even your config files, check it for type, size, and malicious content. Make sure it passes your pessimistic checks. Then, and only then, should you do anything with it. Especially if you forgot to develop the application to run with least privilege, but you didn't forget that, did you? All of your applications are well behaved and don't require admin rights to run... right?
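Here is what those two rules look like in C, as an added example that is not from the original post. The `read_name` helper, the `name=` key, the status codes and the sample lines are all assumptions made up for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum cfg_status { CFG_OK, CFG_BAD_FORMAT, CFG_TOO_LONG, CFG_BAD_CHAR };

/* Hypothetical helper: copy the value of a "name=value" config line into
 * dst (dst_size bytes). Every check runs before any input byte is copied,
 * and oversized input is rejected rather than silently truncated. */
enum cfg_status read_name(const char *line, char *dst, size_t dst_size)
{
    static const char key[] = "name=";
    const size_t key_len = sizeof key - 1;

    if (line == NULL || dst == NULL || dst_size == 0)
        return CFG_BAD_FORMAT;
    dst[0] = '\0';                        /* dst stays a valid string on failure */

    if (strncmp(line, key, key_len) != 0) /* type: is this the expected key? */
        return CFG_BAD_FORMAT;
    const char *value = line + key_len;

    /* size: never look further than dst_size bytes for the terminator.
     * Finding it proves the value plus its NUL fits in dst. */
    size_t len = 0;
    while (len < dst_size && value[len] != '\0')
        len++;
    if (len == dst_size)
        return CFG_TOO_LONG;
    if (len == 0)
        return CFG_BAD_FORMAT;

    /* content: allow-list of characters, everything else is rejected */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return CFG_BAD_CHAR;
    }

    memcpy(dst, value, len + 1);          /* unchecked form: strcpy(dst, value) */
    return CFG_OK;
}

int main(void)
{
    char name[8];                         /* constructed sample inputs below */
    const char *lines[] = { "name=alice", "name=averyveryverylongname",
                            "name=al ice", "user=bob" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], read_name(lines[i], name, sizeof name));
    return 0;
}
```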

Make architecture and code reviews part of your natural development cycle regardless of the methodology you use. Threat model your apps! Trace the input paths, and everywhere that input touches your code, make sure it is handled with leather gloves, lead aprons and face shields!
