Welcome back. As you may remember from the first course, in 1988, the Internet Worm broke into a large number of computers on the ARPANET, the predecessor of today's internet. One of the techniques used was to exploit the failure of a server to check the length of an incoming message, a classic buffer overflow resulting from a failure to check the length of an input. In this module, we'll see why this worked, and how to prevent it and other problems like it.

This module, "Validation and Verification, Buffer and Numeric Overflows, and Input Injections," is broken into three parts. Part one examines the issues related to validation and verification. We will discuss meta-characters, the Heartbleed bug, and other exploits, inputs, and fixes, which enable us to implement validation and verification. Part two focuses on buffer and numeric overflows. We will describe examples of both types of overflows. Finally, in part three of this module, we will describe and demonstrate how to handle common input injections such as cross-site scripting attacks and SQL injections.

All of these fall under the rubric of verifying inputs; not doing so is a common error. Going back to the rules for writing secure, robust programs, this falls under the guise of paranoia and maximum stupidity. Assume any input may be malformed, and malformed in a way so as to cause the most damage. This includes gaining privileges or reading, and sometimes altering, confidential data.

By the end of this module, you will understand how the process of checking inputs, known as validation and verification, works. You will be able to avoid buffer and numeric overflows in your program. Finally, you will be able to detect various input injection attacks, such as cross-site scripting and SQL injections, and understand the consequences of not examining input.