Salt Lake City, Utah
June 20, 2004
June 20, 2004
June 23, 2004
9.260.1 - 9.260.11
Session Number 1520
BO (Buffer Overflow): Bad for Everyone
Kathleen M. Kaplan, D.Sc., Colleen Duran, M.B.A., Lt Col John J. Kaplan (Ph.D., J.D.) USAF
Howard University/Duran Consulting/USAF
No one wants BO, but unfortunately, software engineers have been affecting others with it since programming began. This BO is not the kind discussed in social circles, but it should be; this paper discusses the most offensive BO: Buffer Overflow.
Buffer overflow is the primary offensive tactic in many computer viruses and worms. For example, the Internet Morris Worm of November 1988 would not have been possible without the buffer overflow error in the finger command of the UNIX-based computer system. By not specifying a maximum buffer length, programmers had allowed this worm to fill the read buffer and overflow into memory until it had overwritten the return address in the stack buffer. But that was 1988, ancient history in the computer age, surely this could not happen today! Unfortunately, this is not the case. Recently, a buffer overflow was found to be the culprit in the Code Red II Worm; a buffer overflow in the indexing service used by specific Microsoft versions running on particular Windows platforms allowed remote trespassers to execute code on compromised machines.
Buffer overflow can be used by malicious intruders, but it can also cause errors without dishonest intention. The buffer overflow found in the Therac-25, a software-controlled radiation-therapy machine, caused the deaths of three patients and severely injured many more. This overflow was not affected by outsiders, but rather it was a simple programming error; a flag variable was stored in a byte and incremented. The software engineers did not consider the case of incrementing the variable the 256th time, which, too large for the byte, set the flag to zero, an indication that the device was ready.
It seems to be a simple check, “Will my result fit in the allotted space?” Why do software engineers ignore this question? The result from overlooking buffer overflow has led to costly errors, including the loss of human life. Yet, few programmers, let alone software engineers, are aware of the problem. All students who take a programming course must be exposed to the dangers of buffer overflow; only then will this programming error be eradicated.
“Proceedings of the 2004 American Society for Engineering Education Annual Conference & Exposition Copyright 2004, American Society for Engineering Education”
Duran, C., & Kaplan, J., & Kaplan, K. (2004, June), Bo (Buffer Overflow): Bad For Everyone Paper presented at 2004 Annual Conference, Salt Lake City, Utah. https://jee.org/14073
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2004 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015