Date: Tue, 23 Nov 1999 02:39:53 +0000
From: Crispin Cowan <crispin@CSE.OGI.EDU>
Subject: Buffer Overflow Survey Paper
To: BUGTRAQ@SECURITYFOCUS.COM

Six weeks ago, I asked Bugtraq for responses on the question of whether buffer overflows dominate the area of security vulnerabilities as part of a paper I was writing. Numerous people asked me to post results when I'm done.

On the narrow question: approximately 2/3 of respondents thought that buffer overflows do indeed dominate the problem of security vulnerabilities. The remaining 1/3 thought that mis-configuration was the dominant problem. I respect both views, but think that "misconfiguration" is not really a software problem, it's an operational problem. Thus, one could say that buffer overflows are the leading cause of software vulnerabilities, and misconfiguration is the leading operational problem. Which problem dominates overall vulnerability is unclear.

On the broader question: the paper is complete. It will appear at the DARPA Information Survivability Expo ( http://schafercorp-ballston.com/discex/ ) and will also appear as an invited talk at SANS 2000 ( http://www.sans.org/newlook/events/sans2000.htm ). This paper categorizes the various kinds of buffer overflow attacks, the various kinds of defensive measures that can be employed, and shows which defenses are effective against which attacks.

The paper itself is available for download here: http://immunix.org/StackGuard/discex00.pdf

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org