-4

It seems to me that buffer overflows are considered to be the most common and dangerous security flaws in programs today. But I don't understand how. Why don't developers just use find and replace function to replace all unsafe implementations of I/O with the safe ones?

Why don't big companies like Adobe and Microsoft just fix it once and for all and forever?

Gillian
  • 492
  • 1
  • 3
  • 13
  • 3
    While a simple text search could find some buffer overflows, it could not find all. It's a lot more complicated than that. – Anders Apr 23 '18 at 12:05
  • 1
    How do you "use find and replace" when you can have thousands of functions from unknown sources? What do you look for? – schroeder Apr 23 '18 at 12:13
  • I would look for any case of strcpy/gets/etc function being used and replacing them with a safe alternative or explicit bounds checking. Thousands of functions or not, something like this would take a few lines of code in Python. – Gillian Apr 23 '18 at 16:50
  • Not all risky actions in C are done by unsafe functions. Things like `strncpy()` are the exception, not the norm. For example, `foo[num] = bar;` – forest Apr 24 '18 at 03:48
  • Also, you might find https://security.stackexchange.com/a/115508/165253 to be useful. – forest Apr 24 '18 at 07:55
  • @forest Then just check that the number of elements in an array is smaller than the accessed index. Better to be safe than sorry. – Gillian Apr 24 '18 at 09:01
  • @forest I read the other thread but I didn't find the information I was looking for. – Gillian Apr 24 '18 at 09:03
  • @Gillian How do you check that? When code is compiled, there is no sense of the length of the array (as explained in the link). All it knows is that it's adding a pointer to an integer and accessing that address. In some simple situations, you can check that the accessed index is within bounds (e.g. it's hardcoded or the compiler is confident that the index will always be within a certain range), but most situations are not that simple and "find and replace" is completely useless. There _are_ some mitigations (like UBSAN for C), but they come with a nasty performance hit, and aren't perfect. – forest Apr 24 '18 at 09:10
  • @forest `index < sizeof(a)/sizeof(a[0])`? How come find and replace is useless? It's not like we're solving the halting problem, this kind of thing can be inferred from syntax. – Gillian Apr 24 '18 at 09:24
  • 1
    The issue isn't _like_ trying to solve the problem, it _is_ trying to solve the halting problem. And the sort of check you mentioned is what UBSAN does. However it's not the only possible issue (take for example pointer arithmetic). – forest Apr 24 '18 at 09:53
  • @forest Not it's not. The halting problem says that it's impossible to create a general program which would check whether a program halts or not. But with this we already know that the program works as intended - it just might be vulnerable to buffer overflows. The only limitation would be a case where it wouldn't be possible to fix the buffer overflow vulnerability. Does such case exist? – Gillian Apr 24 '18 at 16:35
  • 2
    "Halt" can be replaced with "reach any arbitrary state". – forest Apr 24 '18 at 23:09

1 Answers1

3

With a small loan of 100 billion dollar i think they can fix it!

The Problem is that there are to many usage of different concepts of memory allocations which all are specific for that case. To that it is that most of the Softwares out in the wild are many years old in some parts, so that a "just fix it" could be a disaster due to incompatibility and bugs. Not to speak of the amount of work time they must spend in it.

TL;DR: "just fix all bugs" is possible, if you have the amount of money, workers and time. But nobody has it

Serverfrog
  • 586
  • 7
  • 18
  • 1
    How money and time are a guarantee to fix all bugs? Humans are imperfect, it doesn't matter how rich they are etc. – user155462 Apr 23 '18 at 12:55
  • 1
    1) Pay people to not use your software 2) All bugs are fixed! – Monica Apologists Get Out Apr 23 '18 at 13:11
  • @user155462 with the pseudo-infinite amount of money you could buy many developers who are nearly perfect. More nearly perfect developers + code reviews = nearly perfectly bugfree application – Serverfrog Apr 23 '18 at 13:29
  • @user155462 Generally, formally verified (mathematically proven correct) software can cost around $10,000 per line of code. – forest Apr 23 '18 at 13:42
  • @Serverfrog Some people have "fixed all bugs". Look into seL4, miTLS, and HTTP.sys. – forest Apr 23 '18 at 13:43
  • @forest, are you sure ALL bugs have been fixed? im not so sure, due the possibility to have bugs without knowing them (else things like Heartbleed where never happend) – Serverfrog Apr 23 '18 at 15:08
  • @forest And since the prove is done by unproven humans, it means absolutely nothing other than having some specific method how to try to avoid bugs. – user155462 Apr 23 '18 at 15:45
  • Why? It's just a question of syntax, a few lines of Python code to replace all occurrences of unsafe functions with their safe alternatives or bounds checking and sha-zam! – Gillian Apr 23 '18 at 16:54
  • @user155462 It is done by verification software, compiled with a proven correct compiler. – forest Apr 24 '18 at 02:57
  • @Serverfrog Formal verification proves that a program will behave according to abstract mathematical specifications. For seL4 for example, this includes a complete lack of buffer overflows, integer overflows, undefined behavior, etc. I mean the very point of formal proof is to avoid bugs without needing to discover them. It's not just "super strict code review". Their specific proof does _not_ deal with side-channel attacks though (intentionally), but I believe they are working on that. – forest Apr 24 '18 at 03:02