A Hacking View of Access Control

Pedro A. Diaz-Gomez and Gregory Steen

Computing & Technology Department, Cameron University, Lawton, Oklahoma, USA

Abstract— The importance of computer security in order to exploitation of a software vulnerability in order to get access
maintain the confidentiality, integrity and availability of data to computers.
and information is well known. Different mechanisms have Research in buffer overflow is extensive [5], [22], [13],
been proposed in order to guarantee the security of infor- [7], [11], [25], [15]. However, we have not found research
mation like access control, encipherment, data integrity and that shows a correlation between buffer overflow and access
authentication; however, those security mechanisms have control violation. This paper presents a possible linear corre-
vulnerabilities that are exploited. This paper presents the lation between buffer overflow and access control violation
hackers’ view of access control highlighting the exploitation and as outlined before, it presents the use of this software
of the buffer overflow vulnerability as a mechanism to vulnerability as exploitation in order to get access to com-
have free access to computers and information. A possible puter resources and information.
correlation between the buffer overflow vulnerability and The organization of this paper is as follows: Section 2 is
access control violation occurrences is presented. a brief description of the hackers’ ethic, Section 3 presents
basic definitions, Section 4 describes the most common
Keywords: Access control, buffer overflow, computer security,
hacking techniques of access control including a case study
hackers’ ethic, hacking techniques
of the SQL Server 2000, Section 5 refers to Encipherment,
Section 6 compare and analyze, Section 7 refers to some
1. Introduction countermeasures to prevent buffer overflow, and Section 8
Business data and information are valuable assets for any are the conclusions and future work.
organization that needs to be protected [21] against unwanted
access, misuse and abuse. Different security mechanisms
have been proposed in order to protect data and information,
most of them supported by cryptography [23]: authenti-
2. The Hackers’ Ethic
cation, digital signature, authentication exchange, access
control and so forth. However, usually security mechanisms Levy describes the hacker’s ethic not as writing code but
are developed having in mind trusted systems [22], not as a way of living where computers play a fundamental role
the exploitation by untrusted parties or internal users. This in humanity as tools for freedom, creativity, gaming, hacking
paper focuses on a hackers’ view of exploiting software and change of living [10].
vulnerabilities in order to bypass or masquerade access The real hackers—as opposed to those that just push
control to computers. a button to execute a program, script kiddies— began at
The purpose of access control is to guarantee the use of MIT in the 60’s, some of them were students that lived the
resources for authorized users, and to guarantee the correct imperative of hands on: they wrote debuggers, compilers,
use of those resources. The security mechanisms of access word processors, games. They looked at computers as en-
control is based on three pieces: something you know, tertainment, open machines of free information where users
something you have and something you are. Something you spend long periods of time playing and hacking. The real
know such as your user ID and password, something you hackers made a tremendous impact in the technology of
have such as a smart card and something you are such as computers that we have now: real time and sharing systems,
your finger print [21]. Any security mechanism is susceptible microcomputers, networks of computers and mostly a world
of attack. For the case of the use of log in and password, collaborative community where software was free. Their
there exist brute force attacks and specialized free tools motivation was exploration not fraud [10].
like THC-Hydra perform logging and password guessing. For the real hackers any system or bureaucracy that is
If it is something you have, smart cards can be stolen; opposed to the free use of computers and information was
or if it is something you are, finger prints are susceptible outraged. Hackers developed, for example, high quality code
to false positives as well as false negatives [21]. But why for time sharing systems with no access control, they were
worry about something you know, something you have or able to have access to any users’ file. Any system that
something you are? Why not just use a software vulnerability opposes the hackers’ ethic was offensive to them and as
in order to get into a system, like by-passing the access such any access control to a computer system, needed to be
control mechanisms? This is what this paper is about, the circumvented.
3. Basic Definitions John the Ripper [22]. But, there is an easier way to go
This section is going to present some definitions used into systems without knowing the log-in and the password:
throughout this paper: exploiting vulnerabilities in the system. Buffer overflow is a
Access control. Security mechanism that regulates the vulnerability reported as a top vulnerability [19], [5], [15],
retrieval of information only to those that are authorized [18] which makes it appealling to be exploited in order to
while preventing unauthorized access [12]. get access to computer resources.
Attack. Malicious intention to violate a security mecha- 4.1 Exploiting Buffer Overflow
nism, for example denial of service attack.
One data structure that can be exploited with buffer
Attacker. Person that violates ethic, law, security policies
overflow is the stack. The stack is used by the operating
and security mechanisms in order to gain unauthorized
system in order to hold parameters, return addresses, local
access to computers. It could be referenced with the generic
variables and intermediate operations when functions are
term as hacker.
called. If a function is called with the size of a parameter
Brute force password attack. Attack that tries multiple
longer that the one declared in the function, and the function
character, numbers and combinations of symbols in order to
does not control that situation, then a buffer overflow can
generate the matching set of characters in a password [12].
occur. If the overflow can be managed so that the return
Back door. Part of a programming code embedded and/or
address is overwritten, then the program is not going to
hidden anywhere in a script that allows access to a system
resume a normal execution path or it is going to crash. To
without utilizing the access control mechanism intended for
illustrate this problem, the reader can follow the icecast case
the users of the systems [12].
presented in [16].
Buffer overflow. Software vulnerability in which data Another method of buffer overflow is the heap overflow.
goes beyond the reserved memory space assigned by the Essentially this attack targets an overflow on memory areas
operating system. where static and dynamic data is allocated. If an attack is
Encipherment/Cryptography. Security mechanism used successful, the corresponding area in memory will be over-
in order to scramble clear text in order to safeguard its written with a pointer to a malicious code. This heap attack
content [12]. is generally more difficult to carry out than the stack-based.
Malicious code. Program that performs unauthorized ac- The principle goal is to change the program flow because
tions in a computer systems. the heap is dynamically allocated at run time. If the program
Security mechanism. Software and/or hardware used to flow can be disrupted, the attacker can hijack the program
guarantee confidentiality, integrity and availability of data and call a command shell remotely. More details about heap
and information, like encipherment and smart cards. overflows can be found at [11].
Penetration tester/Ethical hacker. Professional that per- Before a buffer overflow attack can begin, the attacker
forms attempts of unauthorized access to a secured system must know several things about the victim. Donaldson lists
with the purpose of exposing potential weaknesses that an these prerequisites as [7]:
attacker may uncover for improving security in an organiza-
1) the vulnerability must be known to the attacker;
tion [12].
2) the buffer size must be determined;
Victim computer. It is the computer under attack.
3) the data written into the buffer must be controlled;
4) instructions to execute program must reside below the
4. Access Control Attacks buffer;
Access control is the security mechanism that allows users 5) the instructions that the return address executes must
to have limited access to data and information [23], [24]. be replaced with alternate instructions.
One of the most common access to computers is the use of In the first phase or discovery phase, the attacker may
a user name and a password. Having these two pieces of data search for the vulnerability or accidentally discover it
correct an intruder can gain access. How then, can a hacker through normal operations and triggering an error referenc-
find log-ins and passwords? There are different methods, but ing memory.
say that some enterprises or applications use a log-in that is The second phase is simply done by incrementing the
part or all the e-mail address of employers, making the first number of characters by one, until the buffer overflow is
part of the access, the user ID, public. triggered. Once determined, the attacker will note this to
Once the user name is known or guessed, the next step is add to the payload.
to know the password. Two basic techniques exists: password The third phase is controlling what goes into the buffer. By
guessing and password cracking [22]. In password guessing entering a string of characters into the program that extends
a dictionary of passwords is used in conjunction with a beyond the stack, the excess characters are written into the
hacking tool like THC-Hydra [22]. In password cracking buffer. Now the control is achieved and it is time for the
the encrypted password is deciphered using a tool like next phase.
 The fourth phase is to overwrite settings under the buffer. work for the attacker, but considering the worth of the crime,
Appending the input with characters desired immediately the attacker may endure the arduous task of password crack-
following the last parameter boundary could carry this out. ing or guessing. The exploitation of a known vulnerability
By doing this, the parameter size is filled to the max. Any may be more of a guaranteed way to gain access without
characters after the boundary will overflow into the buffer the password attack. With this method, an attacker must
space. For example, in a poorly written code, if the length have somehow gained knowledge of a vulnerability in any
of an input parameter string is 8, then all characters after the software installed on a machine including the Operating
8th characters will write into the buffer. This could overwrite System. With this knowledge, an attacker may execute a
the return address of that function causing the program to buffer overflow, breaching the software and gaining access
crash, or possibly, it could change the normal flow of the to the machine through a remote shell.
program. Now the program has been fully breached and is Though this attack method only allows access to the
under control of the attacker. machines directories, in cases where a database management
For the fifth phase, a serious attacker would insert into the system is involved, compromised data could be critical.
buffer area the function returns, after the crash, with code to Chip Andrews et al. [1] explains in detail about the leading
execute a command shell where the attacker can now work bytes that trigger overflows resulting in different types of
in the victim’s computer; compromising data. If the program problems. He wrote a WinSock application to change the
has only user level permissions, the attacker could work to standard value 0x02 sent by the utility SQLPing. The leading
elevate those permissions at this time. The attack is now bytes are sent to port 1434 of a Microsoft SQL Server
ready to be posted in the Internet. 2000. Microsoft claims that this port must be open for
optimized service. However, knowing about this “secret”
4.2 Hacking Techniques for Breaking Pass- allows specially crafted requests with customized leading
words bits to trigger certain results. For example, in the case of a
Once a successful attack is discovered, it will be avail- SQL port monitor attack, one could exploit the 0x04, 0x08,
able in specialized tools like Metasploit and Backtrack. and 0x0A leading bytes in a request packet. Under normal
Metasploit capitalizes on buffer overflows [25]. In the case conditions, a leading byte request of 0x02 would trigger a
of the Windows arsenal, Metasploit uses at least 88% of return of basic server information. By changing the leading
attacks with this vulnerability. For the Linux case, it uses at bytes to different values, different results occur. For 0x04, a
least 93% of attacks with buffer overflow and, for the Unix stack-based buffer overflow occurs. For 0x08, a heap-based
platform no cases were found. buffer overflow occurs, and for the 0x0A a Denial of Service
BackTrack is a one-source platform of tools for exploits. occurs.
It includes a number of integrated hacking tools including In the case of the 0x04 stack based overflow on MS SQL
Metasploit. The OS is normally operated from a USB drive Server 2000, the request is safe up to the 0x04 space, but
or a live CD. It has been enabled to run remotely and after that, it flows into the buffer rewriting the return address
contains a vast array of penetration testing tools. in the stack. This simply crafted exploit can then spawn a
Exploiting a vulnerability to gain access can come in many remote shell to the system at the permissions of the SQL
flavors. Hackers have different options available to carry out Server. Further-more, if the attacker sets the source port to
attacks to circumvent an authorized access. Besides previous a UDP at port 53, the request will appear to have originated
tools, L0phtcrack is one that will start from a live CD- from the DNS server bypassing any firewall in the network.
ROM, find the SAM file used to store password hashes, and For the 0x08 exploit, it is more than a stack-based over
compare hash functions to the stored values to extract the flow. This example completely changes the flow of the
passwords. This is done utilizing a method called rainbow program in the heap portion of the memory. This takes place
tables, which are out of the scope of this paper. Another at a certain level of bytes written into the request. With
tool is THC’s Hydra, this program will attempt to crack a single byte to the 1434 port over the UDP, this request
passwords and user names across a network including the would disable the SQL Server. Normally the return on this
Internet. call would return a value with a colon. Sending this request
causes the return without a colon. The SQL Server cannot
4.3 Case of SQL Server 2000 handle this exception and registers it as a null value. The
Since the most prevalent type of access control is gained null value is an unhandled exception and crashes the server.
by what is known, rather user names and passwords, the By adding a second byte to the packet, a colon is included
door is left open two ways to circumvent access control in the return but still crashes. This is because the return may
by knowing the user name/password combination or by be to an invalid address, yet it appears valid to the program.
exploiting vulnerabilities. In order to know the user name The program executes it and halts when the address is not
and password, the attacker must use one or several methods found. In the third byte sent in the request, the string sent
to gain the authentication tokens. This can involve more is large enough to create a heap overflow. This leads to a
compromised system with a remote shell [1]. Table 1: Total number of vulnerabilities, number of overflow
and access control violations per year reported on the
5. Encipherment Computer Emergency Response Team.
Security of passwords relies on encipherment, however Year # Total. # Buf.Over. # Access C.
1998 262 2 0
cryptography is not a panacea [20]. Different algorithms 1999 417 10 1
have been applied in order to cypher passwords and try to 2000 1090 19 2
protect them. The Decryption Encryption Standard (DES) 2001 2437 79 18
has been extensively used. In this case, usually a constant 2002 4129 126 17
2003 3784 83 6
string 1 is encrypted using a key as the password or part of it, 2004 3780 110 5
the result of encryption is stored in a file. When the system 2005 5990 86 6
needs to check the password, the same process is applied. 2006 8064 148 16
2007 7236 135 19
If the new result matches the result stored previously in the
file, access is granted; if not, access is denied.
One way functions are commonly used too. In this case, Table 2: Total number of vulnerabilities, number of overflow
the password and possibly a random string attached to and access control violations per year reported on the
it—called salt—are hashed. Some Linux/Unix systems for National Institute of Standards and Technology.
example apply the hash function MD-5 [16]. Year # Total. # Buf.Over. # Access C.
Security of encipherment is based in part on the length of 2000 1020 1 0
2001 1677 4 2
a password, but with the computational resources of today an 2002 2156 37 4
exhaustive search is possible. If we consider a 95 printable 2003 1527 53 7
ACSII characters, a password length of 8 characters and 2004 2451 23 6
a computer executing one million decryptions per micro 2005 4932 35 4
2006 6608 49 7
seconds, then in 103 µSecs the password could be guessed. 2007 6514 408 67
Besides exhaustive search, different hacking techniques fol- 2008 5632 563 145
low other approaches as was shown in Section 4.2. 2009 5581 554 209

6. Analysis
Tables 1 through 4, as well as Figures 1 through 4 correlation between the occurrence of buffer overflow and
show the number of buffer overflows and the number of the occurrence of access control violations, but not strong.
access control violations reported on the National Institute of In order to show how confident are rxy , the Fishers’
Standards and Technology (NIST) [12], the Computer Emer- conversion r to z is applied [8]:
gency Response Team (CERT) [26], [2], the Open Source
Vulnerability Database (OSVDB) [14], and the Common 1 + rxy p 1+ρ
1/2 ln( ) ± 1.96 1/(n − 3) = 1/2 ln( ) (2)
Vulnerabilities and Exposures (CVE) [4] per year 2 . It seems 1 − rxy 1−ρ
that the two variables, the number of buffer overflow (x)
and the number of access control violations (y) reported are where rxy is the Pearson’s coefficient as in Equation 1, and
correlated, this fact that can be shown statistically using the ρ corresponds to the upper and lower bounds of rxy when
Pearson’s Coefficient in Equation 1 [9]: “infinite” data is available. If the interval defined by ρ does
P not include zero (0) then we have a statistically significant
(xi − x) (yi − y) relationship between the two variables x and y at the 95%
rxy = . (1)
(n − 1) σx σy confidence level. For the cases presented in this paper we
found 0.353 < ρ1 < 0.952, 0.779 < ρ2 < 0.987,
where xi and yi corresponds to the individual observations
0.839 < ρ3 < 0.991, and 0.359 < ρ4 < 0.952, which
of x and y, x, y are the averages, and σx , σy are the
means that there is a possible dependance between the two
corresponding standard deviations. If rxy ≈ 1.0 then there
variables the number of occurrences of buffer overflow x,
exist a positive strong linear correlation between x and y.
and the number of access control vulnerabilities y reported
If rxy ≈ −1.0 then there exist a negative strong linear
on NIST, CERT, OSVDB and CVE.
correlation between x and y.
The data obtained from NIST, CERT, OSVDB and CVE,
Applying Equation 1 to the data presented in Tables
showed a positive linear correlation between x and y, which
1 through 4, columns # Buf. Over and # Access C., we
means the possibility that the more buffer overflow vulner-
get r1xy = 0.804, r2xy = 0.945, r3xy = 0.961, and
abilities discovered, the more access control violations are
r4xy = 0.807, which means that there exist a positive linear
going to happen or vice versa. However, it is difficult to
1 some Windows systems use the constant string KGS!@#S% [16] be quite certain about this result, not only because the data
2 Different years are presented as data is available. corresponds to data reported, but because more variables
 1200 Table 3: Total number of vulnerabilities, number of overflow
# Buffer Overflow
1100 # Access Control and access control violations per year reported on Open
Number of Ocurrences Reported

1000 Source Vulnerability Database.

900 Year # Total. # Buf.Over. # Access C.
800 1999 934 46 84
700 2000 1428 94 117
600 2001 1742 129 164
500 2002 2927 188 203
400 2003 3195 219 311
300 2004 4898 462 556
200 2005 7647 379 404
100
2006 10821 297 289
2007 9278 177 120
0
1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2008 9309 118 126
Year

Fig. 1: Number of overflow and access control violations per Table 4: Total number of vulnerabilities, number of overflow
year reported on the Computer Emergency Response Team. and access control violations per year reported on Common
Dash line is drawn to show access control violation tendency. Vulnerabilities and Exposures.
Year # Total. # Buf.Over. # Access C.
1999 1573 301 255
2000 1233 244 129
1200 2001 1564 271 153
# Buffer Overflow 2002 2419 470 207
1100 # Access Control
Number of Ocurrences Reported

1000 2003 1569 349 138

900 2004 2764 482 202
800
2005 4881 530 275
2006 7238 675 449
700
2007 6732 931 446
600
2008 7248 674 611
500
400
300
200 (vulnerabilities), out of our control, can affect access control
100 violations: the ISS Unicode exploit, the wu-ftpd string input
0
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 validation problem and the Rainforest Puppy’s RDS exploit
Year are a few examples [22].
Other topics to take into consideration is the difference
Fig. 2: Number of overflow and access control violations between the data reported to CERT, NIST, OSVDB and CVE.
per year reported on the National Institute of Standards and We are willing to show if this data reported at those sites is
Technology. Dash line is drawn to show tendency. statistically different or if it belongs to the same distribution.
In doing that, we apply the bootstrap technique, in which
we take 1, 000 samples of ten data sets, each one randomly
1200 selected with repetition from the original data sample—for
# Buffer Overflow
1100 # Access Control example, buffer overflow as in Table 2—and find the mean of
Number of Ocurrences Reported

1000
900
each one of the 1, 000 samples. Once each mean is calculated
800 for each random sample taken from the original data, we find
700 the mean—i.e., the mean of the means—and the standard
600 error, in order to compare the two distributions. Table 5
500 shows the corresponding results with µ∗ the mean of the
400
means and σ ∗ the standard error for the buffer overflow and
300
200 access control data, including a sample taken from the four
100 data sets labeled “Join” in Table 5
0 Results from Table 5 allow us to infer that for the case
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
of buffer overflow the CVE data set is statistically different
Year
from all other data sets, and that the CERT data set is
Fig. 3: Number of overflow and access control violations per different from all other data sets except the NIST data set
year reported on Open Source Vulnerability Database. Dash at the 95% confidence level. For access control violation
line is drawn to show access control violation tendency. reported, CVE is statistically different from all of them
except the OSVDB data set, and CERT is different from all
 1200
# Buffer Overflow
Software developers would follow good programming
1100 # Access Control practices like the validation of input and parameters before
Number of Ocurrences Reported

1000
calling a function, validation of pre-conditions and post-
900
800 conditions in loops and validation when doing memory al-
700 location. No assumptions should be made about the validity
600 of input or “good” intentions of users [21].
500 Modules could be compiled using tools that change the
400
way the stack function, for example, StackGuard for Linux,
300
200
inserts an extra constant field next to the return address in
100 the stack called “the canary”, if that field changes, then there
0 could be something wrong with the stack. More details about
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
tools used at compile time could be found in Skoudis’ book
Year
[22] and Donalson’s paper [7].
Fig. 4: Number of overflow and access control violations Once the software has been written, the next line of
per year reported on Common Vulnerabilities and Exposures. defense is code inspection. Code inspection is the technique
Dash line is drawn to show access control violation tendency. of analyzing the code of each module, line by line to see
if it meets the coding criteria [21]. There are automatic
code-checking tools like ITS4 that performs a search of
Table 5: Means and standard error of buffer overflow and well known vulnerable functions and can help in this step
access control violations reported at CERT, NIST, OSVDB, [22]. This task should be done by a team different from the
CVE and Join. 1, 000 data samples of each data set using developers [21] in order to guarantee the security control of
bootstrap technique. separation of duties.
Site Buffer Overflow Access Control Once the code inspection of each module has been done,
µ∗ σ∗ µ∗ σ∗
CERT 78.954 15.842 9.0242 2.3213
the next line of defense is to test the security of the
N IST 167.880 66.874 44.376 22.509 integration of each module. This step assures the integrity
OSV DB 208.85 38.578 238.65 45.331 of the flow of data between modules as well as the security
CV E 495.90 65.586 286.07 48.291 of interaction of components [21].
JOIN 236.08 35.918 145.43 24.998
The installation, maintenance and operation of the soft-
ware is part of the assurance and security process. The in-
stallation phase could be a source of vulnerabilities because
other data set except the NIST at the 95% confidence level
it is in transition from the developers’ control environment
– See Table 6 left part for CERT and right part for CVE,
to production [21]. New security threats could arise while
values > 1.96 or < −1.96 are statistically significant at
the software is in production and consequently incident
the 95% confidence level.
handling, that includes policies for application of patches,
is a mechanism to be used. Intrusion Detection Systems are
7. Preventing Buffer Overflow security mechanisms that could detect signatures of buffer
Buffer overflow is a software vulnerability that could be overflow and could be used in production environment too.
mitigated with good practices in software development [11].
Solutions to buffer overflow go from the use of “safe” library 8. Conclusions and Future Work
modules, to the use of scanning tools that perform analysis Software vulnerabilities have been addressed as one of
of source code in order to identify buffer overflows [6], [7]. the the primary reasons for computer security breaches [3]
However, secure code should be planned since the beginning which led to billions of dollars in losses per year [21]. If
of a software project and through all steps of the software there is no guarantee to deliver a software free of bugs, what
development cycle [17]. is mandatory is to improve assurance and security practices
from the new software specification, throughout the whole
life cycle of the product.
Table 6: Difference in Means of buffer overflow and access Access control is becoming more difficult to defend due to
control violations reported at CERT, NIST, OSVDB, CVE more tools available for attackers to use. The 90’s presented
and Join. an evolution from password guessing to password cracking
Site Buffer Over. Access Control Buffer Over. Access Control that required relatively little knowledge. Today, such tools
CERT − − 8.381 6.026
N IST 1.742 1.751 −254.674 9.374
as Metasploit, Core Impact, Canvas, Hydra, or John the
OSV DB 5.713 5.338 10.628 16.020 Ripper has made knowledge of programming and scripting
CV E 8.381 6.026 − − nearly unnecessary. The major players carrying out access
JOIN 7.826 6.015 8.757 6.037 control violations tend to be tools capable of executing a
buffer overflow. In short, the sophistication of software to [7] M. E. Donaldson, “Inside the buffer overflow attack: Mechanism,
exploit this vulnerability allows more attackers to carryout method, & prevention,” 2002, accessed December 2009.
[Online]. Available: http://www.sans.org/reading_room/whitepapers/-
buffer overflows with little programming knowledge. This securecode/inside_the_buffer_overflow_attackme-
puts more attackers out there in the Internet cloud to defend chanism_method_prevention_386
against. [8] GISS, “GISS Goddard Institute for Space Studies.”
2009, accessed December 2009. [Online]. Available:
The impact of buffer overflow over access control viola- http://icp.giss.nasa.gov/education/statistics/page-3.html
tion was shown in this paper with the possible linear corre- [9] D. D. Jensen and P. R. Cohen, “Multiple comparisons in induction
lation between these two variables. However, there are more algorithms,” Machine Learning, vol. 38, no. 3, pp. 309–338, 2000.
[10] S. Levy, Hackers Heroes of the Computer Revolution. Penguin Books,
variables that affects access control violations as discussed 2001.
in Section 6 and that could be discussed in future research. [11] Matt Conover and w00w00 Security Team, “Heap over-
Buffer overflow, however, is just a needle in a haystack flows.” 1999, accessed December 2009. [Online]. Available:
http://www.w00w00.org/files/articles/heaptut.txt
of the software vulnerability problem. Statistics presented [12] National Institute of Standars and Technology NIST,
in Section 6 show that 5.71% of the total correspond to “Nist ir 7298 glossary of key information secu-
buffer overflow. Work has been done elsewhere [5] in the rity terms,” 2009, accessed November 2009. [On-
line]. Available: http://csrc.nist.gov/publications/nistir/NISTIR-
classification of vulnerabilities and countermeasures in order 7298_Glossary_Key_Infor_Security_Terms.pdf
to see what efforts must be done in prevention, but we [13] M. Ogorkiewicz and P. Frej, “Analysis of buffer
need to have in mind that any countermeasure is susceptible overflows attacks,” 2004, accessed November 2009. [On-
line]. Available: http://www.windowsecurity.com/articles/Analysis-
of attack [20], [11] and that assurance and security of of_Buffer_Overflow_Attacks.html
computers is complex and any solution proposed must be [14] OSVDB, “OSVDB The Open Source Vulnerability Database.” 2009,
systematic [20]. accessed December 2009. [Online]. Available: http://osvdb.org/
[15] QUALYS, “QUALYS research & development,”
2009, accessed September 2009. [Online]. Available:
http://www.qualys.com/research/rnd/top10
9. Hacking [16] SANS Institute, “Security 560 network penetration testing and ethical
hacking. exploitation,” 2008, course offered by the SANS Institute.
Hacking is illegal, and as such is penalized by law. [17] ——, “Common weakness enumeration.” 2009,
However, there are penetration testers and ethical hackers accessed September 2009. [Online]. Available:
that use hacking techniques to test computer and network http://cwe.mitre.org/top25/pdf/2009_cwe_sans_top-_25.pdf
[18] ——, “CWE/SANS TOP Most Dangerous Programming
systems for organizations. Errors,” 2009, accessed September 2009. [Online]. Available:
http://www.sans.org/top20/2000
[19] ——, “The top 20 most critical internet security theats - 2000-2001
10. Thanks archive,” 2009, accessed September 2009. [Online]. Available:
http://www.sans.org/top25errors
Thanks to Professor Mary Penick and Professor Mark [20] B. Schneier, Secrets & Lies. USA: Wiley Computer Publishing, 2000.
Polson, from the Computing and Technology Department [21] C. Schou and D. Shoemaker, Information Assurance for the Enter-
prise. A Roadmap to Information Security. USA: McGraw Hill,
at Cameron University, for helping us in proof reading this 2007.
paper. [22] E. Skoudis, Counter Hack. A Step-by-Step Guide to Computer Attacks
and Effective Defenses. USA: Prentice Hall, 2002.
Thanks to Dr. Dean F. Hougen for allowing us to use [23] W. Stallings, Cryptography and Network Security. USA: Prentice
resources from the Robotics, Evolution, Adaptation, and Hall, 2003.
Learning Laboratory (REAL Lab) from the School of Com- [24] ——, Network Security Essentials. USA: Pearson Prentice Hall,
2007.
puter Science at the University of Oklahoma. [25] SYMANTEC, “Buffer overflow stack silver bul-
let.” accessed December 2009. [Online]. Avail-
able: http://www.symantec.com/connect/articles/buffer-overflowstack-
References silver-bullet
[26] United States Computer Emergency Readiness Team US-CERT,
[1] C. Andrews et al., SQL Server Security. USA: McGraw Hill, 2003. “Vulnerabilty notes database,” 2009, accessed November 2009.
[2] Carnegie Mellon University. Computer Emergency Response Team [Online]. Available: http://www.kb.cert.org/vuls/
CERT, “Cert statistics (historical),” 2009, accessed November 2009.
[Online]. Available: http://www.cert.org/stats/
[3] H. Cavusoglu, H. Cavusoglu, and S. Raghunathan, “Efficiency of vul-
nerability disclosure mechanisms to disseminate vulnerability knowl-
edge,” IEEE Trans. Software Eng., vol. 33, no. 3, pp. 171–185, 2007.
[4] CVE, “CVE Common Vulnerabilities and Exposures.” 2009, accessed
December 2009. [Online]. Available: http://cve.mitre.org/
[5] CWE, “CWE Common Weakness Enumeration. A Community-
Developed Dictionary of Software Weakness Types,”
2009, accessed September 2009. [Online]. Available:
http://cwe.mitre.org/data/published/cwe_v1.5.pdf
[6] ——, “CWE Common Weakness Enumeration. A Community-
Developed Dictionary of Software Weakness Types,”
2009, accessed December 2009. [Online]. Available:
http://cwe.mitre.org/top25/#CWE-119