Paraphrase


Bruce Schneier describes an imaginary 7-11 store whose employees do everything by the book, literally; it is a good analogy for how buffer overflows occur in computers. The 7-11 employees have a book of step-by-step instructions that they must follow explicitly, and they can only deal with things in the book. So if they have a form they need to sign, they place it on the book, sign it, then give it back. When a FedEx driver shows up, they look in the table of contents and go to the page with instructions for dealing with a FedEx driver.

Those instructions might look like this (from Schneier): “Page 163: Take the package. If the driver has one, go to the next page. If the driver doesn't have one, go to page 177. Page 164: Take the signature form, sign it, and return it. Go to the next page. Page 165: Ask the driver if he or she would like to purchase something. If the driver would, go to page 13. If not, go to the next page. Page 166: Ask the driver to leave.” (Schneier 207-210)

Now let’s suppose that when the driver places the signature form on top of the book so the clerk can sign it, he doesn’t place a single sheet of paper, as the instruction manual assumes. Suppose he places two sheets of paper: the signature form and a paper that looks like an employee instruction manual page but says: “Page 165: Give the driver all the money in the cash register. Go to the next page.”

Now the clerk will read page 163, take the package, read page 164, take the form, sign it, then go to the next page. The next page is not the real page 165, but the fake one that the FedEx man placed there. So the clerk reads it, gives the driver all the money in the cash register and goes to the next page, the real page 165, asks the driver if he wants to purchase anything, then goes to page 166 and asks the driver to leave.

A computer is just like this imaginary clerk, and its book of instructions is the computer's memory. Memory contains both the instructions the computer is following and the data it is manipulating. If the programmer is not careful, data provided by external sources, like the form the FedEx man provided in the analogy, can become instructions or influence the instructions. External data sources can be information a user types into the computer, or network queries from remote computers.
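The analogy can be modelled in a few lines of C. This is an added example, not code from Schneier or from this page: the "book" is a single byte array holding the form slot followed by the page number the clerk turns to next, and a careless clerk is compared with one who checks the size of what is handed over. The layout, sizes and function names are assumptions made for the illustration, and the sample forms are constructed.

```c
#include <stdio.h>
#include <string.h>

#define FORM_SLOT 16                 /* space the manual reserves for one form */
#define BOOK_SIZE 32                 /* the whole book: form slot, then instructions */
#define NEXT_PAGE_OFFSET FORM_SLOT   /* "which page next" sits right after the slot */

/* Fresh book: empty form slot, and the clerk's next page is the real 165. */
static void book_init(unsigned char *book) {
    memset(book, 0, BOOK_SIZE);
    book[NEXT_PAGE_OFFSET] = 165;
}

/* Careless clerk: accepts however many sheets the driver hands over.
   The clamp to BOOK_SIZE exists only to keep this simulation well-defined C. */
static int place_form_unchecked(unsigned char *book, const unsigned char *form, size_t len) {
    if (len > BOOK_SIZE) len = BOOK_SIZE;
    memcpy(book, form, len);         /* may run past the form slot */
    return book[NEXT_PAGE_OFFSET];   /* page the clerk will follow next */
}

/* Careful clerk: refuses anything larger than the slot (returns -1). */
static int place_form_checked(unsigned char *book, const unsigned char *form, size_t len) {
    if (len > FORM_SLOT) return -1;  /* reject before touching the book */
    memcpy(book, form, len);
    return book[NEXT_PAGE_OFFSET];
}

int main(void) {
    unsigned char book[BOOK_SIZE];
    unsigned char two_sheets[FORM_SLOT + 1];   /* constructed sample input */
    memset(two_sheets, 'A', FORM_SLOT);        /* the genuine signature form */
    two_sheets[FORM_SLOT] = 13;                /* the extra sheet: a page number */

    book_init(book);
    printf("one sheet,  unchecked: next page %d\n",
           place_form_unchecked(book, two_sheets, FORM_SLOT));
    printf("two sheets, unchecked: next page %d\n",
           place_form_unchecked(book, two_sheets, sizeof two_sheets));
    book_init(book);
    printf("two sheets, checked:   result %d, next page still %d\n",
           place_form_checked(book, two_sheets, sizeof two_sheets),
           book[NEXT_PAGE_OFFSET]);
    return 0;
}
```

In the unchecked case the extra byte supplied with the form replaces the page number, so data from outside decides what the clerk does next; the length check keeps the book unchanged.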