Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

2. Explain, in detail, the problem of buffer overflow. Be sure to explain: when

ID: 3703586 • Letter: 2

Question

2. Explain, in detail, the problem of buffer overflow. Be sure to explain: when it occurs, how it occurs and what protections you can build into your code in order to avoid it. Explain the differences in the protections you would use with Java, and a language such as C++. Why are these languages different in this regard? 3. Assume that we want to model a system where security administrators (SAS) have control over objects, and determine who (i.e., userid) is allowed to access what object. However, the security administrators are not all?wed to access the objects themselves. How would you model this, in terms of access control protections?

Explanation / Answer

1.

A buffer is a temporary area for data storage. When more data than was originally allocated to be stored in a buffer gets placed there by a program or system process, the extra data will overflow, hence the name, causing some of that data to leak out into other buffers, which can corrupt or overwrite whatever data they were holding.

In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions intended by a hacker or malicious user; for example, the data could trigger a response that damages files, changes data or unveils private information.

Hackers would use a buffer-overflow exploit to take advantage of a program that is waiting on a user's input. There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program. Stack-based buffer overflows, which are more common among hackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.

A stack can only hold a certain amount of data, and if the input string is longer than the amount of space reserved, then the result is an overflow, creating a security hole. Savvy malicious hackers seek out these flaws with specially written commands that cause an overflow and trigger an attack. Once the malicious command causes the overflow, the hacker must still execute the command by indicating a return address that points to the command. The buffer overflow causes the application to crash partially, but it tries to recover by going to the return address, which has been redirected to the malicious command by the hacker.

When the buffer-overflow attack runs the command found at the new return address, the program thinks it is still running. This means that the command prompt window that has been opened is running with the program's or application's same set of executable permissions as the application that was compromised, allowing the hacker to gain full control of the operating system.

How to stop a buffer overflow from attacking applications

1. Avoid using library files: Library files, which are used in programming language and are inherently insecure, are a target for hackers during application attacks. Any weakness found by a hacker in a library file will also exist in all applications that use that library file, giving hackers a glaring target for a potential attack.

2. Filter user input: Filtering out possibly dangerous HTML code and characters that could cause database problems. For example, in ASP code, the apostrophe, quotation mark and ampersand symbols are all reserved symbols. These reserved symbols can't be included within a user's input or they will cause the application to crash. Filter them out and replace them with something else to avoid complications and problems.

3. Test applications: Be sure to test all applications prior to deployment; trying to break into every application to ensure secure coding. If the application breaks, it will be clear that there is a problem that needs to be fixed before a hacker is able to exploit it.

The point to remember is that "Buffer Overflow" is the name for a trick used to hack systems as well as the name of a common programming error.

Java protects the programmer from the common programming error called "Buffer Overflow" by consistently throwing ArrayIndexOutofBounds exceptions whenever an attempt to access an array outside its bounds is made.

Java defends the system from the common hacking technique called "Buffer Overflow" by making sure that attempts to access outside the bounds of allocated memory does not cause memory corruption.

C and C++ are vulnerable to the hacking technique called "Buffer Overflow" because they allow access of unallocated memory and merely state that the effect of this activity is undefined.

2. User {

userId

Info

permissionToAccess

}

SA extends User {

username

password

isSa = "Y"

permissionToProvideAccess = "Y"

}

Related Questions

2. Evolution of Biston betularia Color differences between the light (peppered)
Question #203320
2. Evolution of Biston betularia controlled by one main locus. Genotype ce is pe
Question #202841
2. Exam Scores. A final standard deviation of 4.2. Find I examination for a psyc
Question #3355243
2. Examine handout #4, which contains the Life Cycle of a typical Gymnosperm tre
Question #275581
2. Examine the bucky ball in figure 3.4 in your textbook. Use the scanned image
Question #2293828
2. Examine the difficulty of adding a proposed swap Rd, Rn instruction to the LE
Question #3731820
2. Examine the following mission statements. Do you think they have a true purpo
Question #365069
2. Examine the river sand in the figure and answer the following questions. Pame
Question #296427
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
2. Explain your view of the scope of an Information Systems Manager\'s roles and
Next
2. Explaining short-run economic fluctuations variables and nominal economic var

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.