[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

Dinis Cruz dinis at ddplus.net
Thu Mar 16 18:44:48 EST 2006


Humm Andrew, I don't agree that Buffer Overflows are over-hyped.

For example what guarantees you have that the .Net Framework doesn't
contain several buffer overflows?

Take for example the ones I found in ILDASM and ILASM (in .Net 1.1), or
the 'unmanaged to managed' data conversion error I found in asp.net's
IIS pipeline (which was not exploitable (I think) but is a good example
of the types of vulnerabilities that might exist in .Net environments).

Most enterprise solutions will have places where BOs can be created, and
probably the main reasons we are not seeing more cases are:

   a) most audits are done without access to the source code (or when
such access is provided, not enough time to really find BOs)
   b) on non mass deployed apps, the vulnerabilities discovered by
security consultants are not publicly disclosed (so you never know)

Remember that Full Trust .Net code (or Java without a security manager)
can be as dangerous as unmanaged code.

Dinis Cruz
Owasp .Net Project
www.owasp.net

Andrew van der Stock wrote:
> I have back in January, but it has been a long time between drinks. I
> found no buffer overflows in the reviews I conducted in 2005, and only
> IIRC one in 2004. I did maybe 20-30 app reviews a year prior to 2005,
> and in 2005 I started doing massive reviews of major systems, looking
> at very large code bases.
>
> What surprised me was how incredibly resistant the developer from my
> January review was about fixing them, even though they are completely
> preventable. Only when we showed how trivial it was to exploit them
> did they fix only the demo overflows we crafted. This is yet another
> reason why I think languages like C++ and C have had their day,
> particularly in relation to enterprise class apps.
>
> Compared to say validation, authorization and injection issues, buffer
> overflows are completely over-hyped. When I finish Guide 2.1, my next
> target is to revitalize the Top 10, and buffer overflows are out.
>
> thanks,
> Andrew
>
> On 16/03/2006, at 1:23 AM, Ory Segal wrote:
>
>> Hi,
>>
>> Another interesting thing to note, which I totally agree with is:
>>
>> Quote: "While technically possible, the truth is that they are just
>> not seen in the real world. Our experience at WhiteHat Security,
>> having assessed hundreds of Web sites and identified thousands of
>> vulnerabilities, shows that statistically, buffer overflows appear
>> near the bottom of the list of total discovered issues."
>>
>> I've been around for quite a while, and I can't remember the last
>> time I have seen a Buffer Overflow in a custom-built web application.
>> Anyone else?
>>
>> -Ory
>>
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/