Asee peer logo

Bo (Buffer Overflow): Bad For Everyone

Download Paper |

Conference

2004 Annual Conference

Location

Salt Lake City, Utah

Publication Date

June 20, 2004

Start Date

June 20, 2004

End Date

June 23, 2004

ISSN

2153-5965

Conference Session

Computers in Education Poster Session

Page Count

11

Page Numbers

9.260.1 - 9.260.11

Permanent URL

https://peer.asee.org/14073

Download Count

39

Request a correction

Paper Authors

author page

Colleen Duran

author page

John Kaplan

author page

Kathleen Kaplan

Download Paper |

Abstract
NOTE: The first page of text has been automatically extracted and included below in lieu of an abstract

Session Number 1520

BO (Buffer Overflow): Bad for Everyone

Kathleen M. Kaplan, D.Sc., Colleen Duran, M.B.A., Lt Col John J. Kaplan (Ph.D., J.D.) USAF

Howard University/Duran Consulting/USAF

Abstract

No one wants BO, but unfortunately, software engineers have been affecting others with it since programming began. This BO is not the kind discussed in social circles, but it should be; this paper discusses the most offensive BO: Buffer Overflow.

Buffer overflow is the primary offensive tactic in many computer viruses and worms. For example, the Internet Morris Worm of November 1988 would not have been possible without the buffer overflow error in the finger command of the UNIX-based computer system. By not specifying a maximum buffer length, programmers had allowed this worm to fill the read buffer and overflow into memory until it had overwritten the return address in the stack buffer. But that was 1988, ancient history in the computer age, surely this could not happen today! Unfortunately, this is not the case. Recently, a buffer overflow was found to be the culprit in the Code Red II Worm; a buffer overflow in the indexing service used by specific Microsoft versions running on particular Windows platforms allowed remote trespassers to execute code on compromised machines.

Buffer overflow can be used by malicious intruders, but it can also cause errors without dishonest intention. The buffer overflow found in the Therac-25, a software-controlled radiation-therapy machine, caused the deaths of three patients and severely injured many more. This overflow was not affected by outsiders, but rather it was a simple programming error; a flag variable was stored in a byte and incremented. The software engineers did not consider the case of incrementing the variable the 256th time, which, too large for the byte, set the flag to zero, an indication that the device was ready.

It seems to be a simple check, “Will my result fit in the allotted space?” Why do software engineers ignore this question? The result from overlooking buffer overflow has led to costly errors, including the loss of human life. Yet, few programmers, let alone software engineers, are aware of the problem. All students who take a programming course must be exposed to the dangers of buffer overflow; only then will this programming error be eradicated.

“Proceedings of the 2004 American Society for Engineering Education Annual Conference & Exposition Copyright  2004, American Society for Engineering Education”

Duran, C., & Kaplan, J., & Kaplan, K. (2004, June), Bo (Buffer Overflow): Bad For Everyone Paper presented at 2004 Annual Conference, Salt Lake City, Utah. https://peer.asee.org/14073

ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2004 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015