1 00:00:00,000 --> 00:00:00,210 [VIDEO PLAYBACK] 2 00:00:00,210 --> 00:00:02,168 DAVID MALAN: And you can eventually overflow it 3 00:00:02,168 --> 00:00:04,470 by trying to use more memory than you should have. 4 00:00:04,470 --> 00:00:06,070 And a buffer overflow is typically-- 5 00:00:06,070 --> 00:00:06,080 [END PLAYBACK] 6 00:00:06,080 --> 00:00:08,913 DAVID MALAN: So this year, we have more overflows than ever in CS50, 7 00:00:08,913 --> 00:00:12,930 where I took care to actually enumerate a number of different types 8 00:00:12,930 --> 00:00:16,830 of overflows, buffer overflow and, of course, stack overflow, 9 00:00:16,830 --> 00:00:19,290 with a site with which students generally 10 00:00:19,290 --> 00:00:20,860 gain familiarity during the semester. 11 00:00:20,860 --> 00:00:22,290 So it's nice to give them a sense of the etymology of that. 12 00:00:22,290 --> 00:00:23,235 DOUG LLOYD: Now they know where it came from, exactly. 13 00:00:23,235 --> 00:00:23,985 DAVID MALAN: Yeah. 14 00:00:23,985 --> 00:00:26,970 But in C, we have the ability to actually have this conversation 15 00:00:26,970 --> 00:00:28,490 and actually talk about an exploit. 16 00:00:28,490 --> 00:00:31,860 So here's some sample code that Wikipedia's own page on buffer overflow 17 00:00:31,860 --> 00:00:34,461 exploits, looks at, or for stack overruns specifically, 18 00:00:34,461 --> 00:00:37,710 and even though it's a pretty contrived example, this one, where you're really 19 00:00:37,710 --> 00:00:40,260 just copying some memory into a place where it really 20 00:00:40,260 --> 00:00:43,380 shouldn't be because you're overrunning how much you've asked for, 21 00:00:43,380 --> 00:00:45,630 it does demonstrate visually what's going on. 22 00:00:45,630 --> 00:00:46,260 Which is nice. 23 00:00:46,260 --> 00:00:49,094 And it allows us to talk, albeit briefly, about return addresses 24 00:00:49,094 --> 00:00:50,760 and what it means to overflow the stack. 25 00:00:50,760 --> 00:00:54,809 And you can see graphically how those values are overriding bytes that they 26 00:00:54,809 --> 00:00:55,350 shouldn't be. 27 00:00:55,350 --> 00:00:58,240 DOUG LLOYD: Exactly. 28 00:00:58,240 --> 00:01:02,100 DAVID MALAN: In fact, my one regret is just how contrived this example is. 29 00:01:02,100 --> 00:01:07,140 And I think in reflecting on this, both now and in the recent months 30 00:01:07,140 --> 00:01:10,350 since this went live, we should probably come up with, I think, 31 00:01:10,350 --> 00:01:15,370 a better, less contrived example than just copying arbitrary memory around 32 00:01:15,370 --> 00:01:15,870 like this. 33 00:01:15,870 --> 00:01:18,290 Like hard-coding 12 is kind of hard to justify here. 34 00:01:18,290 --> 00:01:20,387 DOUG LLOYD: Yeah, well, for people who might 35 00:01:20,387 --> 00:01:23,220 be watching this that actually went through CS50 this year, our quiz 36 00:01:23,220 --> 00:01:26,100 this year actually had a question about buffer overflow-- or our test, rather, 37 00:01:26,100 --> 00:01:27,470 had a question about buffer overflow. 38 00:01:27,470 --> 00:01:28,770 DAVID MALAN: You can still read about it all too often 39 00:01:28,770 --> 00:01:30,645 when some software gets hacked or some server 40 00:01:30,645 --> 00:01:34,450 and it's because of memory bounds not being checked. 41 00:01:34,450 --> 00:01:37,322 So it's a problem that's still with us today, certainly. 42 00:01:37,322 --> 00:01:39,405 DOUG LLOYD: Yeah, this example is a bit contrived, 43 00:01:39,405 --> 00:01:41,640 but anything where you're taking input from a user 44 00:01:41,640 --> 00:01:43,740 and copying it into a buffer that has a fixed size 45 00:01:43,740 --> 00:01:48,725 is another maybe less contrived example. 46 00:01:48,725 --> 00:01:49,850 DAVID MALAN: But it's good. 47 00:01:49,850 --> 00:01:51,683 I mean, I like how our students, ultimately, 48 00:01:51,683 --> 00:01:53,767 are exiting the course even understanding 49 00:01:53,767 --> 00:01:55,350 the nuances of these kinds of attacks. 50 00:01:55,350 --> 00:01:58,641 And indeed, this is just one instance of our discussion throughout the semester 51 00:01:58,641 --> 00:02:01,160 of various security exploits. 52 00:02:01,160 --> 00:02:03,240 And we'll come to another one altogether when 53 00:02:03,240 --> 00:02:06,000 we look at SQL, when we look at web programming more generally. 54 00:02:06,000 --> 00:02:09,570 So it's kind of nice to show that even in our command line environment, 55 00:02:09,570 --> 00:02:11,025 there are threats ever present. 56 00:02:11,025 --> 00:02:12,900 DOUG LLOYD: And in years past, we've actually 57 00:02:12,900 --> 00:02:17,820 taken a lot of these security threats and actually just kind of buffered them 58 00:02:17,820 --> 00:02:20,727 until the end of the year. 59 00:02:20,727 --> 00:02:22,560 DAVID MALAN: In a separate security lecture. 60 00:02:22,560 --> 00:02:23,000 DOUG LLOYD: In a separate lecture entirely. 61 00:02:23,000 --> 00:02:25,909 DAVID MALAN: --which are now woven into the semester itself. 62 00:02:25,909 --> 00:02:28,200 DOUG LLOYD: It's good to present these things, I think, 63 00:02:28,200 --> 00:02:29,330 at the time when they're-- 64 00:02:29,330 --> 00:02:30,660 DAVID MALAN: Just like these threats. 65 00:02:30,660 --> 00:02:32,409 DOUG LLOYD: --fresh in the student's mind. 66 00:02:32,409 --> 00:02:33,620 Yeah, exactly. 67 00:02:33,620 --> 00:02:37,778