More on politics and society from The Atlantic Monthly.
The Atlantic Monthly | September 2002
[From "Homeland Insecurity," by Charles C. Mann]
The Worm in the Machine
Buffer overflows (sometimes called stack smashing) are the most common form of security vulnerability in the last ten years. They're also the easiest to exploit; more attacks are the result of buffer overflows than any other problem ...
Computers store everything, programs and data, in memory. If the computer asks a user for an 8-character password and receives a 200-character password, those extra characters may overwrite some other area in memory. (They're not supposed to—that's the bug.) If it is just the right area of memory, and we overwrite it with just the right characters, we can change a "deny connection" instruction to an "allow access" command or even get our own code executed.
The Morris worm is probably the most famous overflow-bug exploit. It exploited a buffer overflow in the UNIX fingerd program. It's supposed to be a benign program, returning the identity of a user to whomever asks. This program accepted as input a variable that is supposed to contain the identity of the user. Unfortunately, the fingerd program never limited the size of the input. Input larger than 512 bytes overflowed the buffer, and Morris wrote a specific large input that allowed his rogue program to [install and run] itself ... Over 6,000 servers crashed as a result; at the time [in 1988] that was about 10 percent of the Internet.
Skilled programming can prevent this kind of attack. The program can truncate the password at 8 characters, so those extra 192 characters never get written into memory anywhere ... The problem is that with any piece of modern, large, complex code, there are just too many places where buffer overflows are possible ... It's very difficult to guarantee that there are no overflow problems, even if you take the time to check. The larger and more complex the code is, the more likely the attack.
Windows 2000 has somewhere between 35 and 60 million lines of code, and no one outside the programming team has ever seen them.
—Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (2000)
Charles C. Mann, an Atlantic correspondent, has written for the magazine since 1984. He is at work on a book based on his March 2002 Atlantic cover story, "1491."
Copyright © 2002 by The Atlantic Monthly Group. All rights reserved.
The Atlantic Monthly; September 2002; Homeland Insecurity; Volume 290, No. 2; pp 81–102.