
Possible Duplicate:
Why is it so difficult to make C less prone to buffer overflows?

I'm doing a course in college, where one of the labs is to perform buffer overflow exploits on code they give us. This ranges from simple exploits like changing the return address for a function on a stack to return to a different function, all the way up to code that changes a program's register/memory state but then returns to the function that you called, meaning that the function you called is completely oblivious to the exploit.

I did some research into this, and these kinds of exploits are used pretty much everywhere even now, in things like running homebrew on the Wii, and the untethered jailbreak for iOS 4.3.1.

My question is why is this problem so difficult to fix? It's obvious this is one major exploit used to hack hundreds of things, but seems like it would be pretty easy to fix by simply truncating any input past the allowed length, and simply sanitizing all input that you take.

ankit
  • C (and thereby Objective-C and C++) are designed in a way that makes automatic checking very hard (i.e. pointers are not designed for this). Objective-C and C++ have more functionality that can help, but also keep the unsafe ways. Lots of unsafe code is written in these languages. –  Feb 18 '12 at 09:05
  • As you say ... it isn't difficult to write code that avoids buffer overflows in the first place: it's only hard(ish) because it requires knowledge and attention. Fixing is harder: usually the fixer isn't the person who wrote the code, has to study the code base, ... – pmg Feb 18 '12 at 09:42
  • Cross-posting wasn't necessary, when the question gets migrated. I'm gonna close this one as a dupe of the other, since it has useful answers. – DeadMG Feb 18 '12 at 10:00
  • What pmg said. The only reasons fixing buggy code is hard are (1) you're not familiar with the code to begin with, and (2) the person who wrote it is probably not competent, and therefore the code is really bad and hard to fix. :-) – R.. GitHub STOP HELPING ICE Feb 19 '12 at 00:49

0 Answers
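An added example, not part of the original question or its comments: it shows the "truncate past the allowed length" idea from the question next to the point made in the first comment, that a C pointer carries no length. The names `copy_bounded`, `capacity_seen_by_callee`, `fill_name` and `struct record` are hypothetical, and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst without ever writing more than
 * dst_cap bytes, always NUL-terminating. Returns 1 if the input was
 * truncated, 0 if it fit, -1 if the arguments are unusable. */
int copy_bounded(char *dst, size_t dst_cap, const char *src)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    size_t src_len = strlen(src);
    size_t n = src_len < dst_cap - 1 ? src_len : dst_cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len > n ? 1 : 0;
}

/* All a callee receives is a pointer: the array's size is not part of the
 * value, so sizeof here is the pointer size, not the buffer's capacity. */
size_t capacity_seen_by_callee(char *buf)
{
    return sizeof buf;
}

struct record {
    char name[8];
    unsigned canary; /* neighbouring data an unchecked copy would clobber */
};

/* The capacity is only known here, where the array type is still visible,
 * so it has to be passed along explicitly at every such call site. */
int fill_name(struct record *r, const char *input)
{
    return copy_bounded(r->name, sizeof r->name, input);
}

int main(void)
{
    struct record r = { "", 0xC0FFEEu };
    int truncated = fill_name(&r, "constructed-long-input"); /* constructed sample */
    printf("truncated=%d name=\"%s\" canary_intact=%d callee_sees=%zu\n",
           truncated, r.name, r.canary == 0xC0FFEEu,
           capacity_seen_by_callee(r.name));
    return 0;
}
```

Truncation itself is a few lines; the recurring cost is that every copy site must be handed the correct capacity, because the language does not supply it.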