You know more than you think about buffer overflows. Take Code Red. If you speak English, and ran Microsoft IIS in 2001, the only thing that saved you from that worm was its own self-limiting code.
For the uninitiated, a buffer overflow is the computer version of a bucket overflow. The bucket’s simply not big enough to hold all the water you’re pouring into it. In the bucket’s case, the excess spills to the ground. In the buffer’s case, the excess data is often written over data in other buffers, with predictable results: Computer program confusion. Attackers try to exploit this confused state to grab control of the computer. And quite often, they succeed.
Because programmers don’t like seeing their C and C++ mistakes headlined as CERT advisories, a number of buffer overflow checkers have popped up, including ARCHER, BOON, CSSV, Daikon, ESC, Houdini, MECA, PolySpace C Verifier and Splint. Savvy programmers run programs like these against their code before unleashing it on John Q. Public. Unfortunately, Microsoft engineers claim each falls short:
- CSSV lacks the customizable coverage that manual annotation offers;
- Daikon’s conclusions, based on its test suite, apply only to that suite;
- ESC/Java has trouble with loop-intensive buffer manipulation;
- Houdini uses brute-force guessing, which takes quite a while for large programs;
- MECA can’t comprehensively check for operations that lead to buffer overflows;
- Splint’s heuristics-based checker delivers high false positives;
- ARCHER, BOON and PolySpace C Verifier lack precise interprocedural analysis.
The solution? Microsoft’s modular checking system. Of course. While it requires a lot of upfront code annotation to work, Microsoft gurus say it offers a near-perfect balance of customization, scalability and convenience. Their reviews show that, on the high side, the modular checker can “infer 75% of the correct annotations for a code base, with only a 3% false positive rate.”
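The bucket analogy above, and the pointer-plus-capacity relationship an annotation-based checker has to know about each buffer, in C as an added example (not code from the article or from Microsoft’s checker; the record layout, NAME_CAP, the guard value and the sample inputs are constructed):

```c
#include <stddef.h>
#include <string.h>

#define NAME_CAP 16   /* constructed bucket size for this example */

/* A record whose `guard` field sits right after the name buffer: an
 * overrun of `name` lands in `guard`, the "other buffer" the article
 * describes. The guard is expected to stay 0xC0FFEE after every copy. */
struct record {
    char name[NAME_CAP];
    unsigned guard;
};

/* Overflow-prone pattern: the callee is never told how big the bucket
 * is, so any input of NAME_CAP or more characters spills into `guard`
 * and beyond (undefined behaviour). Shown for contrast only. */
void set_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened pattern: the capacity travels with the pointer (the fact an
 * annotation would record), the copy is bounded, and an oversized input
 * is rejected rather than silently truncated.
 * Returns 0 on success, -1 when `src` does not fit. */
int copy_bounded(char *dst, size_t dst_cap, const char *src) {
    size_t n = strlen(src);
    if (dst_cap == 0 || n >= dst_cap) {   /* need room for the NUL */
        if (dst_cap) dst[0] = '\0';       /* leave dst well defined */
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int set_name_checked(struct record *r, const char *src) {
    return copy_bounded(r->name, sizeof r->name, src);
}

/* Constructed inputs: one that fits, one exactly NAME_CAP characters
 * (no room for the NUL), and one far too long. */
static const char SHORT_NAME[] = "level42";
static const char EDGE_NAME[]  = "0123456789abcdef";
static const char LONG_NAME[]  = "this string is much longer than the bucket";

/* Returns 1 if the checked copy accepts exactly the inputs that fit and
 * leaves the guard untouched every time, else 0. */
int self_check(void) {
    struct record r;
    r.guard = 0xC0FFEEu;
    int ok = set_name_checked(&r, SHORT_NAME) == 0 && strcmp(r.name, SHORT_NAME) == 0;
    ok = ok && set_name_checked(&r, EDGE_NAME) == -1 && r.name[0] == '\0';
    ok = ok && set_name_checked(&r, LONG_NAME) == -1;
    return ok && r.guard == 0xC0FFEEu;
}
```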
While these stats won’t impress many who deal with spam, viruses, phishers, or even spell checkers, Microsoft engineers feel they’re a long way down the road from where they were. It’s getting better all the time.
In related news… This in from CERT:
RE: Vulnerabilities in Microsoft Plug and Play, Microsoft Collaboration Data Objects, Microsoft Windows Shell, Microsoft DirectShow, Microsoft Distributed Transaction Coordinator, Microsoft COM+, Microsoft Internet Explorer. Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges or with the privileges of the user. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system. An attacker may also be able to cause a denial of service…
The vulnerabilities? Mostly buffer overruns. Sigh.
2 comments
October 24th, 2005 at 5:46 pm
level42
I don’t care what Microsoft says, I don’t believe it’s possible to make Windows buffer-overflow-free.
October 24th, 2005 at 6:11 pm
waterboy
sure u can. replace the nt core with bsd, like apple.