Buffer overflow, in which data written into a fixed-size buffer spills past its end and overwrites adjacent memory, is a particularly common kind of bug; it frequently causes system crashes and can be exploited by an adversary to gain control over a target system.
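To make the mechanism concrete, the following C program is an added example and not code from the report. It models a record whose fixed-size name buffer sits directly in front of a privilege flag, copies an over-long string into it the way an unchecked strcpy would, and then shows the bounded copy that a careful implementation (or a type-safe language's run-time bounds check) performs instead. The struct login_frame layout, the function names, and the 12-byte input string are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record whose fixed-size name buffer sits directly in front of a
 * security-relevant field.  The layout is constructed for this example. */
struct login_frame {
    char name[8];   /* attacker-controlled input lands here    */
    int  is_admin;  /* adjacent data that an overflow clobbers */
};

/* The bug: the copy length is taken from the *input*, not from the
 * destination, which is exactly what strcpy(frame->name, src) does.
 * The copy goes through the struct's byte representation and is clamped
 * at the end of the struct so that the demonstration itself stays within
 * defined behaviour; the defect it models is that sizeof frame->name is
 * never consulted, so bytes 8.. land in is_admin. */
void unchecked_copy(struct login_frame *frame, const char *src)
{
    size_t n = strlen(src) + 1;              /* includes the terminating NUL */
    if (n > sizeof *frame)
        n = sizeof *frame;
    memcpy((unsigned char *)frame, src, n);  /* runs past name[] into is_admin */
}

/* The fix: size the copy by the destination and refuse input that does
 * not fit (return -1) rather than truncating or overflowing silently. */
int bounded_copy(struct login_frame *frame, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof frame->name)           /* leave room for the NUL */
        return -1;
    memcpy(frame->name, src, len + 1);
    return 0;
}

/* Each variant returns the is_admin flag that results from one login attempt. */
int login_unchecked(const char *username)
{
    struct login_frame f = { {0}, 0 };
    unchecked_copy(&f, username);
    return f.is_admin;                       /* non-zero after the overflow */
}

int login_bounded(const char *username)
{
    struct login_frame f = { {0}, 0 };
    if (bounded_copy(&f, username) != 0)
        return -1;                           /* rejected; privilege untouched */
    return f.is_admin;
}

int main(void)
{
    /* 12 bytes: 8 fill name[], the next 4 overwrite is_admin. */
    const char *attacker = "AAAAAAAAAAAA";
    printf("unchecked: is_admin = 0x%x\n", login_unchecked(attacker));
    printf("bounded:   result   = %d\n",   login_bounded(attacker));
    printf("bounded:   alice    = %d\n",   login_bounded("alice"));
    return 0;
}
```

Compile with any C compiler and run. Real exploits aim the overwritten bytes at control data such as a saved return address rather than at a flag, but the cause is identical: the copy length comes from the input instead of from the destination. The copy in unchecked_copy is clamped to the struct so that the demonstration never writes outside an object it owns; a real strcpy keeps going until the source's NUL, corrupting whatever follows or crashing the process.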

Dealing with buggy code is arguably the oldest unsolved problem in computer science, and there is no particular reason to think that it can be solved once and for all by any sort of crash project. Nevertheless, two areas of research seem to be particularly important in a security context:

  1. Security-oriented tools for system development. Tools can be designed to audit source code for certain classes of common flaws.25 Better programming languages may help as well. (For example, Java and similarly type-safe languages are more resistant to buffer overflows than are other languages.26) More tools that support security-oriented development would be useful.

  2. Trustworthy system upgrades and bug fixes. It often happens that a system bug is identified and a fix to repair it is developed. Obviously, repairing the bug may reduce system vulnerability, so system administrators and users should have some incentive to install the patch. However, with current technology, the installation of a fix or a system upgrade carries many risks: a nontrivial chance of causing other problems, a break in existing functionality, or possibly the creation of new security holes, even when the fix is confined to a module that can be reinstalled.27 The essential reason for this problem is that although fixes are tested, the number of operational configurations is much larger than the number of test configurations that are possible. Research is thus needed to find ways of testing bug fixes reliably and to develop programming interfaces that modularize programs and that cannot be bypassed.

Misconfigured Systems. Because existing permission and policy mechanisms are hard to understand, use, and verify, many problems are caused by their improper administration.28 There is also a trade-off between granularity of access control and usability. For example, an entire group of people may be given access privileges when only one person in that group should have them. Or a local system administrator may install a modem on the system he or she administers with the intent of obtaining access from home, but this also provides intruders with an unauthorized access point. The ability to generate a crisp, clear description of actual security policies in place and to compare them with desired security

25 Wagner, D.A. 2000. “Static Analysis and Computer Security: New Techniques for Software Assurance.” Ph.D. dissertation, University of California, Berkeley.

26 Type-safe languages allow a program to access memory only through references it legitimately holds and, for example, check array indices against the array's bounds. A program written in a type-safe language therefore cannot read or write past the end of a buffer into memory that belongs to other data or to other programs.

27 Brooks, Frederick P. 1975. The Mythical Man-Month. Addison-Wesley, Boston, Mass.

28 CSTB (1990, 1999b).


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.