Realistic risks of buffer overflows today

Question

It seems to me that buffer overflows are considered to be the most common and dangerous security flaws in programs today. But I don't understand how. Why don't developers just use find and replace function to replace all unsafe implementations of I/O with the safe ones?

Why don't big companies like Adobe and Microsoft just fix it once and for all and forever?

While a simple text search could find some buffer overflows, it could not find all. It's a lot more complicated than that. — Anders, Apr 23 '18 at 12:05
How do you "use find and replace" when you can have thousands of functions from unknown sources? What do you look for? — schroeder, Apr 23 '18 at 12:13
I would look for any case of strcpy/gets/etc function being used and replacing them with a safe alternative or explicit bounds checking. Thousands of functions or not, something like this would take a few lines of code in Python. — Gillian, Apr 23 '18 at 16:50
Not all risky actions in C are done by unsafe functions. Things like strncpy() are the exception, not the norm. For example, foo[num] = bar; — forest, Apr 24 '18 at 03:48
Also, you might find https://security.stackexchange.com/a/115508/165253 to be useful. — forest, Apr 24 '18 at 07:55
@forest Then just check that the number of elements in an array is smaller than the accessed index. Better to be safe than sorry. — Gillian, Apr 24 '18 at 09:01
@forest I read the other thread but I didn't find the information I was looking for. — Gillian, Apr 24 '18 at 09:03
@Gillian How do you check that? When code is compiled, there is no sense of the length of the array (as explained in the link). All it knows is that it's adding a pointer to an integer and accessing that address. In some simple situations, you can check that the accessed index is within bounds (e.g. it's hardcoded or the compiler is confident that the index will always be within a certain range), but most situations are not that simple and "find and replace" is completely useless. There are some mitigations (like UBSAN for C), but they come with a nasty performance hit, and aren't perfect. — forest, Apr 24 '18 at 09:10
@forest index < sizeof(a)/sizeof(a[0])? How come find and replace is useless? It's not like we're solving the halting problem, this kind of thing can be inferred from syntax. — Gillian, Apr 24 '18 at 09:24
The issue isn't like trying to solve the problem, it is trying to solve the halting problem. And the sort of check you mentioned is what UBSAN does. However it's not the only possible issue (take for example pointer arithmetic). — forest, Apr 24 '18 at 09:53
@forest Not it's not. The halting problem says that it's impossible to create a general program which would check whether a program halts or not. But with this we already know that the program works as intended - it just might be vulnerable to buffer overflows. The only limitation would be a case where it wouldn't be possible to fix the buffer overflow vulnerability. Does such case exist? — Gillian, Apr 24 '18 at 16:35

score 3 · Accepted Answer · answered Apr 23 '18 at 12:07

3

With a small loan of 100 billion dollar i think they can fix it!

The Problem is that there are to many usage of different concepts of memory allocations which all are specific for that case. To that it is that most of the Softwares out in the wild are many years old in some parts, so that a "just fix it" could be a disaster due to incompatibility and bugs. Not to speak of the amount of work time they must spend in it.

TL;DR: "just fix all bugs" is possible, if you have the amount of money, workers and time. But nobody has it

answered Apr 23 '18 at 12:07

Serverfrog

578
7
18

1

How money and time are a guarantee to fix all bugs? Humans are imperfect, it doesn't matter how rich they are etc. – user155462 Apr 23 '18 at 12:55
1
Pay people to not use your software 2) All bugs are fixed!

Monica Apologists Get Out

Apr 23 '18 at 13:11

@user155462 with the pseudo-infinite amount of money you could buy many developers who are nearly perfect. More nearly perfect developers + code reviews = nearly perfectly bugfree application – Serverfrog Apr 23 '18 at 13:29

@user155462 Generally, formally verified (mathematically proven correct) software can cost around $10,000 per line of code. – forest Apr 23 '18 at 13:42

@Serverfrog Some people have "fixed all bugs". Look into seL4, miTLS, and HTTP.sys. – forest Apr 23 '18 at 13:43

@forest, are you sure ALL bugs have been fixed? im not so sure, due the possibility to have bugs without knowing them (else things like Heartbleed where never happend) – Serverfrog Apr 23 '18 at 15:08

@forest And since the prove is done by unproven humans, it means absolutely nothing other than having some specific method how to try to avoid bugs. – user155462 Apr 23 '18 at 15:45

Why? It's just a question of syntax, a few lines of Python code to replace all occurrences of unsafe functions with their safe alternatives or bounds checking and sha-zam! – Gillian Apr 23 '18 at 16:54

@user155462 It is done by verification software, compiled with a proven correct compiler. – forest Apr 24 '18 at 02:57

@Serverfrog Formal verification proves that a program will behave according to abstract mathematical specifications. For seL4 for example, this includes a complete lack of buffer overflows, integer overflows, undefined behavior, etc. I mean the very point of formal proof is to avoid bugs without needing to discover them. It's not just "super strict code review". Their specific proof does not deal with side-channel attacks though (intentionally), but I believe they are working on that. – forest Apr 24 '18 at 03:02

Realistic risks of buffer overflows today

1 Answers1