HTTP Buffer Overflows

Jeff Barr jeff@vertexdev.com
Thu, 7 Mar 2002 18:25:24 -0800 

I'll bet against this one.

The number of places where a raw HTTP buffer is processed in any given
system are going to be pretty low.

The trends are away from crispy, easy to break systems and applications
built in insecure low-level languages which make it all too easy to create
a buffer overrun, and toward flexible, dynamically typed, more secure
languages which simply do not let you scribble on arbitrary memory
addresses. Surely the implementation languages can have vulnerabilities,
but I will contend that the amount of use and inspection such systems
(Perl, Python, PHP, and so forth) get will ferret out issues pretty darned
quick.

The trends are away from closed source, brittle things and toward
flexible, open source. We've seen that open source is certainly not
immune to bugs, but that the community can usually rally quickly to put
updated system into practice.

On the other hand, since everything will be connected to everything, the
HTTP handling code in my toaster could certainly be vulnerable. But these
will be tight, dedicated systems that are lovingly hand coded.

On a more depressing note, I still see multiple unsuccessful hits every day
from  server from Nimda/Code Red. There are still lots of infected servers
out there.

Finally, I suspect that for the next couple of years, we are going to see
more
evolution than revolution. More maturation of existing products and less new
fresh bits close to the metal. I'll bet that the Apache of  2005 will be a
pretty
tight and well tested piece of code. Yet another Microsoft reimplementation
of IIS notwithstanding, I think we'll see the same in a lot of other areas.

Jeff;

----- Original Message -----
From: "Gregory Alan Bolcer" <gbolcer@endeavors.com>
To: "FoRK" <fork@xent.com>
Sent: Thursday, March 07, 2002 5:13 PM
Subject: HTTP Buffer Overflows


> Gartner saying that HTTP buffer overflow attacks will
> be very commonplace by 2005 according to John Pescatore.
> I wonder how many unsuccessful buffer overflow attacks
> aren't recorded.  I'm sure he means *successful* buffer
> overflow attacks.
>
> Is data handling really that vulnerable?
>
> Greg
>
> > Key Issues
> > How will network-based applications become safe for mission-critical
businesses during the next five years?
> > Which product approaches and practices will help enterprises achieve
higher levels of data integrity?
> >
> > Strategic Planning Assumptions
> > By 2004, 30 percent of all buffer overflow attacks will be carried over
HTTP tunneling (0.6 probability).
> > By 2006, more than 50 percent of successful Internet attacks will
exploit application data handling vulnerabilities vs. operating system and
application misconfigurations (0.7 probability).
>
>
> --
> Gregory Alan Bolcer, CTO   | work: +1.949.833.2800 | gbolcer at
endeavors.com
> Endeavors Technology, Inc. | cell: +1.714.928.5476 | http://endeavors.com
>
>
>
>
>
>
>
>
>
>
> http://xent.com/mailman/listinfo/fork
>