Bad Input Bombs Your Program

 
 
By Larry Seltzer  |  Posted 2004-10-21 Print this article Print
 
 
 
 
 
 
 

Opinion: A simple "fuzzer" program shows that most Web browsers are easily crashed by malformed Web tags. Who'd have thought that Internet Explorer would be the most robust!

One of the famous arguments for open-source software, made in "The Cathedral and the Bazaar" by Eric S. Raymond, is, "Given enough eyeballs, all bugs are shallow."

The point is that open-source projects will have more people working on them and looking at the code, and therefore the chances that bugs will be recognized are greater. In the traditional centralized software company, where access to source code is restricted, great deliberate effort must be put into bug fixing, thus putting open source at an inherent advantage.

This world view is a truism to some people, conjecture to others. Id say its almost unprovable. But every now and then some evidence comes along that makes you wonder whether anyone was looking at the code in a supposedly well-scrutinized program.

The latest one is mangleme by Michal Zalewski. Its a brilliant, simple tool that does nothing but generate malformed HTML tags at pseudo-random. By running it as a CGI process and including a META REFRESH tag, you can have a browser automatically receive random erroneous input until the browser dies.

Turns out most browsers die quickly. Counter-intuitively (for most of us), Internet Explorer handled the dirty input well. "All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldnt parse," he said.

Zalewski goes on to speculate that Internet Explorer has been subjected to testing with a tool like this. Id make the same guess, but it is only a guess.

What excuse do the other browsers have? Zalewski lists, among those browsers that crash regularly, Mozilla, Netscape, Firefox, Opera, Lynx and Links. I only tested Firefox and Lynx. The former crashed; the latter locked up. Incidentally, the source for the "page" that locked up Lynx is a good example of the sort of dirty input this tool generates:

    <FORM><TEXTAREA COLS=10000000000> <KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
You can imagine how easy it is for a programmer to blow off edge cases that deal with input like this because, well, who would send something like this? Years ago that attitude might have gotten you paid and made the customer happy, but standards have changed. Programs have to be abuse-proof.

Next page: The security angle.



 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel