
Hijacking is Buffer Overflow (2001) - eropple
http://paulgraham.com/hijack.html
======
ajarmst
Bruce Schneier has often made the observation that air travel is much safer
now, but not because of any of the "Security Theatre" antics of the TSA.
Because of two facts: passengers know they should fight back, and cockpits are
now behind locked sturdy bulkheads.

~~~
MichaelGG
To make it exceedingly clear: many taxis were better protected than planes.
Taxis often have a shield between the passengers and driver, ensuring driver
safety and integrity. Planes didn't.

------
gweinberg
Bad analogy. Hijacking isn't caused/enabled by a plane having more passengers
than it was designed to carry. Why do people admire this sort of thing? If he
wants to argue that we should focus on strengthening cockpit doors rather than
passenger screening, fine. But does anyone actually think the spurious analogy
to buffer makes his argument more compelling?

~~~
MichaelGG
Yeah! Hijacking is a failure of type systems due to dynamic dispatch. Plane
control should have been restricted to only statically defined pilot values.

Yeah! Hijacking is a failure of type systems due to command injection.
Properly typed planes world fail to allow passenger actions to be interpreted
as pilot actions.

To prevent these threats, the TSA should confiscate bad analogy guns or at
least validate strict isomorphism.

(And as far as the article goes, it's not even correct. Your "data" includes
closures/function pointers/whatever and if that data gets corrupted you could
get the program to call into the wrong function.)

~~~
Rangi42
Analogies are a good spur for creativity, even if they have to be sanity-
checked afterward. Someone who didn't already know that cockpits are sealed
might consider it by relating hijacking to buffer overflows. Your own
analogies both suggest that some way of binding "pilotability" to the actual
pilot would be useful -- maybe a retinal scan or DNA check before activating
the controls.

~~~
superuser2
The only thing worse than an aircraft controlled by a hijacker is an aircraft
piloted by no one at all because the security system locked out the legitimate
pilots. I'd give this a resounding NOPE.

------
joe_the_user
Hmm, If one wishes a broad formulation for computer Hijacking, I would say
that it's a mismatch between input-scanning and interpreter behavior. This
view would include both SQL-injection and buffer-overruns (while the
interpreter is the chip itself).

Of course something like Heartbleed is a bit different because it's around
extract data that shouldn't have been there in the first place.

But still, some kind of "interpreter" is needed for any language and challenge
is to make sure that user-input remains "data" as the interpreter understands
it. This "sanitizing" is an ultimately hard problem even as each version of
the problem (preventing buffer overruns, prevent sql-injection, etc) seems
easy.

Security similarly is hard in that finding all weak points and strengthening
them is hard even as strength weak-point-X may seem easy.

------
staunch
A few terrorists among hundreds of good people have little chance now. Too
many canaries. Terrorists will only have their corrupt data invalidated.

From
[http://en.wikipedia.org/wiki/Buffer_overflow_protection#Cana...](http://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries)

 _Canaries or canary words are known values that are placed between a buffer
and control data on the stack to monitor buffer overflows. When the buffer
overflows, the first data to be corrupted will usually be the canary, and a
failed verification of the canary data is therefore an alert of an overflow,
which can then be handled, for example, by invalidating the corrupted data._

------
TazeTSchnitzel
> The defense that doesn't work is to check the data on the way in, to make
> sure it isn't longer than the memory set aside for it.

This defense is only one that needs to be done if you use a language without
memory safety in the first place.

------
akkartik
Wow, how have I not seen this one before?!

~~~
Jasper_
Because he removed it from all traces of his site, except for the index.

------
amelius
The problem is that when a program contains a JIT compiler, then suddenly,
code == data.

~~~
joe_the_user
When a program runs on a CPU and a buffer is overrun, then code==data, when it
runs on a JIT, isn't it (eq, code, data)?

