We'll give bitcoin a break today. Let's learn about something different.

Suppose a benevolent hacker has found a vulnerability. What exactly has been found?
Often, a buffer overflow vulnerability.
That's not the only kind of vulnerability. We could, for example, find an SQL injection vulnerability.
It's a good example type, though.
Remember, a vulnerability is something very specific.

A simple example: the null-terminated string.
We'll use C++, for those of you in 211 or 311.
"string" vs. "char[]"
Efficient and simple solutions are faster. They're also more power efficient:
maximize battery life, minimize memory use. Lots of reasons to like them!

Intro to this issue for people not in 211 (108 or 111):
C++ is just letting us use the computer here.
We're not using an idealized version of the computer, nor an emulator, a VM, or whatnot.

Let's set up a vulnerable program.
Yes, this is contrived: we're trying to put a major security vulnerability in 10 lines...

Mitigation: since this isn't a super complicated attack, we can prevent it.
Just check how long our string is!
Or limit how much of it we're comparing.
Or how much we're copying.
Or don't copy it at all.
Or use a C++ string.

Alright, how about another scenario? Can we return to a different spot?
Might take a few tries to get this right! (We need the right offset to reach the return address, and the right address to put there.)
Mitigation: don't let the attacker add code to the program (in practice, mark the stack non-executable so injected bytes can't run).
How could they anyway? Embedded scripts, etc.

How would anybody find something like this?
Try giving a program input it wouldn't normally expect. (Fuzzing automates exactly this.)
Just because we can crash a program doesn't mean we can control the system.
Suppose a buffer can be overflowed by 1 byte. If there's nothing important stored there, it's probably not exploitable.

If we discover a vulnerability and let the company know, we're "white hat".
I think cars might have caused the demise of the hat.
https://www.infosecurity-magazine.com/news/doj-white-hat-hackers-prosecution/
If we discover a vulnerability and use it to build a botnet, we're "black hat".
What if we build a botnet to help find more vulnerabilities?
Or produce an exploit to prompt a fix?
Or find lots of bugs to damage a company's reputation?
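Here is the contrived "vulnerability in 10 lines" from the buffer-overflow part of the lecture, written out as an added example (this is not code from the slides, and the function names, the `SECRET` value and the 8-byte buffer are my own choices). It puts the unchecked `strcpy` into a fixed `char[]` beside the three mitigations listed above: check the length first, don't copy at all, or use a C++ `std::string`.

```cpp
// Added example, not from the lecture slides. Names, the 8-byte buffer and
// the (hypothetical) SECRET are assumptions chosen to make the bug visible.
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical secret for the demo; not a real credential.
static const char *SECRET = "letmein";   // 7 chars + NUL fits in buf[8]

// VULNERABLE: strcpy() copies until it finds a NUL terminator and never looks
// at the size of 'buf'. Input of 8 or more characters writes past the end of
// the array into whatever the compiler placed next to it on the stack (saved
// registers, the return address, ...). That is undefined behaviour: with a
// stack protector it usually aborts, without one it may be exploitable.
// Kept here for reading only; never feed it untrusted input.
bool check_password_vulnerable(const char *input) {
    char buf[8];
    strcpy(buf, input);                     // no bound: the bug
    return strcmp(buf, SECRET) == 0;
}

// Mitigation 1: check how long the string is before copying it.
// Note the >=: we need room for the terminating NUL as well.
bool check_password_length_checked(const char *input) {
    char buf[8];
    if (strlen(input) >= sizeof buf) return false;   // reject, don't truncate
    strcpy(buf, input);                              // now cannot overrun
    return strcmp(buf, SECRET) == 0;
}

// Mitigation 2: don't copy at all; compare in place.
bool check_password_no_copy(const char *input) {
    return strcmp(input, SECRET) == 0;
}

// Mitigation 3: use std::string. It owns its own storage and grows to fit,
// so there is no fixed-size array for the input to run past.
bool check_password_string(const std::string &input) {
    std::string buf = input;
    return buf == SECRET;
}

int main(int argc, char **argv) {
    const char *input = argc > 1 ? argv[1] : "letmein";
    std::printf("length-checked: %s\n", check_password_length_checked(input) ? "ok" : "denied");
    std::printf("no-copy:        %s\n", check_password_no_copy(input) ? "ok" : "denied");
    std::printf("std::string:    %s\n", check_password_string(input) ? "ok" : "denied");
    return 0;
}
```

Build it with `g++ -Wall -o pwcheck pwcheck.cpp` and run `./pwcheck letmein` or `./pwcheck AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`; the three mitigated versions simply say "denied" for the long input, where the unchecked version would have smashed the stack. Modern compilers add a stack canary by default, so on most systems the vulnerable function would abort rather than hand over control, but that is a safety net, not a fix: the length check, the in-place compare, or the `std::string` is the fix.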