Non – Malicious Code (Program) Errors
Being human, programmers and other developers make many mistakes, most of which are unintentional and non-malicious. Many such errors cause program malfunctions but do not lead to more serious security vulnerabilities. However, a few classes of errors have plagued programmers and security professionals for decades, and there is no reason to believe they will disappear. In this section we consider two classic Malicious Code error types that have enabled many recent security breaches.
Buffer Overflows
A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because memory is finite, a buffer’s capacity is finite. A Buffer overflow happens when you store more number of data than its capacity. For this reason, in many programming languages the programmer must declare the buffer’s maximum size so that the compiler can set aside that amount of space.
Incomplete Mediation
Incomplete mediation is another security problem that has been with us for decades. Attackers are exploiting it to cause security problems.
For example consider the sample URL through which a web server would receives an input http://www.mysite2.com/subpage/userinput&parm1=(808)555-212& parm2=2004Jan01
In this example, the page user input receives two parameters, parm1 with value (808)555-1212 (perhaps a U.S. telephone number) and parm2 with value 2004Jan01 (perhaps a date). The web browser on the caller’s machine will accept values from a user who probably completes fields on a form. The browser encodes those values and transmits them back to the server’s web site.
The two parameters look like a telephone number and a date. Probably the client’s (user’s) web browser enters those two values in their specified format for easy processing on the server’s side. What would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?
Something would likely fail. As with buffer overflows, one possibility is that the system would fail catastrophically, with a routine’s failing on a data type error as it tried to handle a month named “Min” or even a year (like 1800) which was out of range.
Another possibility is that the receiving program would continue to execute but would generate a very wrong result. (For example, imagine the amount of interest due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing server might have a default condition, deciding to treat 1Aardvark2Many as 3 July 1947. The possibilities are endless.
Ways to Address Problems that Could Involve Malicious Code
One way to address the potential problems is to try to anticipate them. For instance, the programmer in the examples above may have written code to check for correctness on the client’s side (that is, the user’s browser). The client program can search for and screen out errors. Or, to prevent the use of nonsense data, the program can restrict choices only to valid ones. For example, the program supplying the parameters might have solicited them by using a drop-down box or choice list from which only the twelve conventional months would have been possible choices. Similarly, the year could have been tested to ensure that the value was between 1995 and 2005, and date numbers would have to have been appropriate for the months in which they occur (no 30th of February, for example).
Using these verification techniques, the programmer may have felt well insulated from the possible problems a careless or malicious user could cause.
However, the program is still vulnerable. By packing the result into the return URL, the programmer left these data fields in a place accessible to (and changeable by) the user. In particular, the user could edit the URL line, change any parameter values, and resend the line. On the server side, there is no way for the server to tell if the response line came from the client’s browser or as a result of the user’s editing the URL directly.
We say in this case that the data values are not completely mediated: The sensitive data (namely, the parameter values) are in an exposed, uncontrolled condition
Here is a link to (link to serie one)