atsec experts discover the optimal protection measure against buffer overflows.

2008-04-01

Buffer overflow problems have plagued software programmers for at least three decades. While many partial solutions for buffer overflow have been introduced over the years, such approaches failed to leverage the considerable overflow protection experience amassed in other engineering areas. atsec scientists analyzed the proven "non-software overflow solutions" (NSOS) defined in United States Patents No. 5632302 and 4204285 ... and have now successfully ported the principles of these technologies to finally solve one of the software world's biggest headaches.

As a prerequisite to understanding how NSOS technology was applied to solving the software problem, it is important to grasp the commonalities of the Universal Overflow Premise (OEP):

a) The source that causes the overflow cannot be controlled.
b) More input will be provided on the input line than can be held by the buffer.

The proven NSOS framework for success calls for detecting the overflow condition and then diverting the overflow (just for fun, let's call this "the additional bytes") to flow into an appropriate container (let's call this one, "a separate auxiliary buffer"). U.S. Patent 5632302 manages the diversion using a valve, while U.S. Patent 4204285 uses an outwardly extending spout with an exit level disposed below the upper surface.

Both NSOS technologies are interesting, but a software sensor triggering a software valve (the U.S. Patent 5632302 technology) might be impractical to implement, so atsec has chosen a U.S. Patent 4204285-inspired solution. These are the basics:

a) All buffers that could potentially overflow shall have a spout located at the end of the buffer.
b) The buffer spout shall be connected to a separate auxiliary buffer.
c) In the case of a buffer overflow, the additional (overflow) bytes shall automatically flow into the auxiliary buffer.
d) To prevent the auxiliary buffer from overflowing, the auxiliary buffer shall be connected to a flushing mechanism, which shall automatically flush the additional bytes to an external entity. Note that for Unix-type operating systems, /dev/null may be used to flush the overflow bytes from the auxiliary buffer.

Important: The speed at which bytes can flow into the original buffer must not be greater than the speed at which bytes can flow into the auxiliary buffer and can be flushed out of the system. This can be achieved by adding a software valve in front of the input buffer that limits the byte input speed. If performance is an issue, the flow speed may be regulated depending on the fill level of the auxiliary buffer.

Note that using a shut-off valve (as suggested in U.S. Patent 4204285) might not always be acceptable in software systems.

U.S. Patent 5632302 also includes a function to notify users when an overflow condition has occurred. At this time, atsec does not recommend adopting the mechanism suggested in U.S. Patent 5632302 (blowing a horn); however, the idea is worthy of additional consideration.

atsec scientists are currently hard at work implementing an NSOS-inspired solution to solve the software buffer overflow problem, and we will soon begin accepting orders. Recognizing the very large number of software buffers that need overflow protection, atsec will offer a discount for software vendors ordering more than 100,000 buffer overflow protection devices.

The atsec China office has been tasked with locating a suitable manufacturing site.

Cited NSOS Technologies

United States Patent 4204285
An overflow protection apparatus for use with a toilet includes a bowl having an outwardly extending spout coupled by a flexible hose to a reservoir adapted to receive any excess water flowing out of the toilet. Means are also provided for closing off the water flow from the flushing source and/or the input water source so that the toilet cannot be flushed again until the cause for the overflow therein is cleared.

United States Patent 5632302
An overflow protection shut-off device for use with a water heater for shutting off a supply of water to the water heater when a leaking or an overflow condition occurs, the device including a valve mechanism coupleable to an input water line of a water heater and having an opened orientation for allowing flow of water within the input line and a closed orientation for preventing such flow; a water sensing mechanism positionable at a location proximal to the water heater for providing a signal when it is placed in contact with water when the water heater experiences the leaking or the overflow condition; and a switching mechanism coupled to the valve mechanism and the water sensing mechanism and with the switching mechanism being responsive to receipt of the signal from the water sensing mechanism for placing the valve mechanism in the closed orientation.

About atsec information security
atsec information security is an independent, standards-based information technology security services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in 2000 and has extensive international operations with offices in the U.S., Germany and Sweden.
atsec offers evaluation and testing services leading to formal certification for IT security including evaluation under Common Criteria schemes in the U.S., Germany, and Sweden; cryptographic module and algorithm testing under the Cryptographic Module Validation Program of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada; and compliance validation to the Payment Card Industry (PCI) Data Security Standard.
atsec also offers secure code review, ISO/IEC 27001 ISMS consulting, and penetration testing and scanning services.
atsec works with leading global companies such as IBM, HP, Oracle, Cray, BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf.