- Buffer overflow
computer securityand programming, a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store databeyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or ― especially if deliberately caused by a malicious user ― a possible breach of system security. Buffer overflows can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checkingby either the programmer, the compileror the runtimecan prevent buffer overflows.
Programming languages C and
C++are most commonly associated with buffer overflows, because they provide no built-in protection against accessing or overwriting data in any part of memory and do not check that data written to an array (the built-in buffer type) is within the boundaries of that array.
A buffer overflow occurs when
datawritten to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.
In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.
Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B:
Although the programmer did not intend to change B at all, B's value has now been replaced by a number formed from part of the character string. In this example, on a big-endian system that uses
ASCII, "e" followed by a zero byte would become the number 25856. If B was the only other variable data item defined by the program, writing an even longer string that went past the end of B could cause an error such as a segmentation fault, terminating the process.
The techniques to exploit a buffer overflow vulnerability vary per architecture,
operating systemand memory region. For example, exploitation on the heap (used for dynamically allocated memory) is very different from on the call stack.
A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways:
* By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker.
* By overwriting the return address in a
stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.
* By overwriting a function pointer, [cite web |url=http://www.securityfocus.com/archive/1/462728/30/150/threaded |title=CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow |accessdate=2007-05-15] or exception handler, which is subsequently executed.
With a method called "Trampolining", if the address of the user-supplied data is unknown, but the location is stored in a register, then the return address can be overwritten with the address of an
opcodewhich will cause execution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause execution of user supplied data. The locations of suitable opcodes, or bytes in memory, can be found in DLLs or the executable itself. However the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. The Metasploit Projectis one such database of suitable opcodes, though only those found in the Windows operating system are listed. [cite web |url=http://metasploit.com/users/opcode/msfopcode.cgi |title=The Metasploit Opcode Database |accessdate=2007-05-15]
Stack-based buffer overflows are not to be confused with
A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as
mallocmeta data) and uses the resulting pointer exchange to overwrite a program function pointer.
Microsoft JPEGGDI+ vulnerability is an example of the danger a heap overflow can represent to a computer user. [cite web |url=http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx |title=Microsoft Technet Security Bulletin MS04-028 |accessdate=2007-05-15]
Barriers to exploitation
Manipulation of the buffer which occurs before it is read or executed may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible. Manipulations could include conversion to upper or lower case, removal of
metacharactersand filtering out of non- alphanumericstrings. However, techniques exist to bypass these filters and manipulations; alphanumeric code, polymorphic code, Self-modifying codeand return to lib-C attacks. The same methods can be used to avoid detection by Intrusion detection systems. In some cases, including where code is converted into unicode, [cite web |url=http://www.nextgenss.com/papers/unicodebo.pdf |title=Creating Arbitrary Shellcode In Unicode Expanded Strings |accessdate=2007-05-15] the threat of the vulnerability have been misrepresented by the disclosers as only Denial of Service when in fact the remote execution of arbitrary code is possible.
Practicalities of exploitation
In real-world exploits there are a variety of issues which need to be overcome for exploits to operate reliably. Null bytes in addresses, variability in the location of shellcode, differences between different environments and various counter-measures in operation.
NOP sled technique
A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow.cite paper
author = Vangelis
title = Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique
publisher = Wowhacker via Neworder
date = 2004-12-08
format =text ] It solves the problem of finding the exact address to the buffer by effectively increasing the size of the target area. To do this much larger sections of the stack are corrupted with the
no-opmachine instruction. At the end of the attacker supplied data, after the no-op instructions, is placed an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.cite paper
title = Buffer Overflows Demystified
publisher = Enderunix.org
format =text ]
Because of the popularity of this technique many vendors of
Intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.cite conference
first = P.
last = Akritidis
coauthors = Evangelos P. Markatos, M. Polychronakis, and Kostas D. Anagnostakis
title = STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis.
booktitle =Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005)
publisher = IFIP International Information Security Conference
year = 2005
url = http://dcs.ics.forth.gr/Activities/papers/stride-IFIP-SEC05.pdf ]
While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.cite paper
first = Christian
title = Buffer Overflow
date = 2004-09
system administratorto the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e. there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation; as such it is still an important technique.
The jump to register technique
The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.cite conference
title =Writing Metasploit Plugins: from vulnerability to exploit
booktitle =Hack In The Box
year = 2006
location =Kuala Lumpur
url =http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%201%20-%20Saumil%20Shah%20-%20Writing%20Metasploit%20Plugins.pdf ]
In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable
opcodeat a fixed location somewhere within the program memory. In figure [http://en.wikipedia.org/wiki/
] on the left you can see an example of such an unintentional instance of the i386
jmp espinstruction. The opcode for this instruction is
FF E4.cite book
title =Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2A: Instruction Set Reference, A-M
publisher =Intel Corporation
date = 2007-05
pages = 3-508
url =http://developer.intel.com/design/processor/manuals/253666.pdf ] This two byte sequence can be found at a one byte offset from the start of the instruction
call DbgPrintat address
0x7C941EED. If an attacker overwrites the program return address with this address the program will first jump to
0x7C941EED, interpret the opcode
FF E4as the
jmp espinstruction, and will then jump to the top of the stack and execute the attacker's code.cite paper
title =Win32 Stack BufferOverFlow Real Life Vuln-Dev Process
publisher =IT Security Consulting
When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in
Internet worms that exploit stack buffer overflow vulnerabilities.cite conference
first = Yuji
last = Ukai
coauthors = Soeder, Derek; Permeh, Ryan
title = Environment Dependencies in Windows Exploitation
booktitle = BlackHat Japan
publisher = eEye Digital Security
year = 2004
location = Japan
url = http://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-ukai-eng.ppt ]
This method also allows shellcode to be placed after the overwritten return address on the Windows platform. Since executables are based at address
0x00400000and x86 is a Little Endian architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. DLLs are located in high memory (above
0x01000000and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL Trampolining".
Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. This sort of protection, however, cannot be applied to
legacy code, and often technical, business, or cultural constraints call for a vulnerable language. The following sections describe the choices and implementations available.
Choice of programming language
The choice of programming language can have a profound effect on the occurrence of buffer overflows.
As of 2008, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to an array (the implementation of a buffer) is within the boundaries of that array. However, the standard C++ libraries provide many ways of safely buffering data, and technology to avoid buffer overflows also exists for C.
Many other programming languages provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception when C or C++ would overwrite data and continue to execute further instructions until erroneous results are obtained which might or might not cause the program to crash. Examples of such languages include Ada, Lisp,
Modula-2, Smalltalk, OCamland such C-derivatives as Cyclone and D. The Java and .NET bytecode environments also require bounds checking on all arrays. Nearly every interpreted language will protect against buffer overflows, signalling a well-defined error condition. Often where a language provides enough type information to do bounds checking an option is provided to enable or disable it. Static code analysiscan remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers must carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use.
Use of safe libraries
The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. It has also long been recommended to avoid standard library functions which are not bounds checked, such as
strcpy Morris wormexploited a
Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe" library implementations include "The Better String Library" [cite web |url=http://bstring.sf.net/ |title=The Better String Library] , Vstr [cite web |url=http://www.and.org/vstr/ |title=The Vstr Homepage |accessdate=2007-05-15] and Erwin. [cite web |url=http://www.theiling.de/projects/erwin.html |title=The Erwin Homepage |accessdate=2007-05-15] The
OpenBSD operating system's C libraryprovides the strlcpyand strlcatfunctions, but these are more limited than full safe library implementations.
In September 2006, Technical Report 24731, prepared by the C standards committee, was published; it specifies a set of functions which are based on the standard C library's string and I/O functions, with additional buffer-size parameters. However, the efficacy of these functions for the purpose of reducing buffer overflows is disputable; it requires programmer intervention on a per function call basis that is equivalent to intervention that could make the analogous older standard library functions buffer overflow safe. [cite web |url=https://www.securecoding.cert.org/confluence/x/QwY |title=CERT Secure Coding Initiative |accessdate=2007-07-30]
Stack-smashing protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a
segmentation fault. Three such systems are Libsafe, [cite web |url=http://directory.fsf.org/libsafe.html |title=Libsafe at FSF.org |accessdate=2007-05-20] and the " StackGuard" [cite web |url=https://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf |title=StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks by Cowan et al. |accessdate=2007-05-20] and " ProPolice" [cite web |url=http://wiki.x.org/wiki/ProPolice |title=ProPolice at X.ORG |accessdate=2007-05-20] gcc patches.
Data Execution Preventionmode explicitly protects the pointer to the SEH Exception Handler from being overwritten. [cite web |url=http://www.uninformed.org/?v=2&a=4&t=txt |title=Bypassing Windows Hardware-enforced Data Execution Prevention |accessdate=2007-05-20]
Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the Forth programming language, though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten.
Buffer overflows work by manipulating pointers (including stored addresses). PointGuard was proposed as a compiler-extension to prevent attackers from being able to reliably manipulate pointers and addresses. [ [http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan_html/index.html PointGuard: Protecting Pointers From Buffer Overflow Vulnerabilities] ] The approach works having the compiler add code to automatically XOR-encode pointers before and after they are used. Because the attacker (theoretically) does not know what value will be used to encode/decode the pointer, he cannot predict what it will point to if he overwrites it with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in Windows XP SP2 and Windows Server 2003 SP1. [ [http://blogs.msdn.com/michael_howard/archive/2006/01/30/520200.aspx Protecting Against Pointer Subterfuge (Kinda!)] ] Rather than implement pointer protection as an automatic feature, Microsoft added an API routine that can be called at the discretion of the programmer. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when it is necessary.
Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only the lower bytes of an address. This can allow an attack to succeed if the attacker is able to attempt the exploit multiple times and/or is able to complete an attack by causing a pointer to point to one of several locations (such as any location within a NOP sled) [ [http://www.usenix.org/publications/login/2005-06/pdfs/alexander0506.pdf Defeating Compiler-Level Buffer Overflow Protection] ] . Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites. [ [http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx Protecting against Pointer Subterfuge (Redux)] ]
Executable space protection
Executable space protection is an approach to buffer overflow protection which prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception.
Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit, which in conjunction with software, can be used to mark pages of data (such as those containing the stack and the heap) as readable and writeable but not executable.
Some Unix operating systems (e.g.
OpenBSD, Mac OS X) ship with executable space protection (e.g. W^X). Some optional packages include:
PaX[cite web |title=PaX: Homepage of the PaX team |url=http://pax.grsecurity.net |accessdate=2007-06-03]
Exec Shield[cite web |title=KernelTrap.Org |url=http://kerneltrap.org/node/644 |accessdate=2007-06-03]
Openwall[cite web |title=Openwall Linux kernel patch 2.4.34-ow1 |url=http://linux.softpedia.com/get/System/Operating-Systems/Kernels/Openwall-Linux-kernel-patch-16454.shtml |accessdate=2007-06-03]
Newer variants of Microsoft Windows also support executable space protection, called
Data Execution Prevention. [cite web |title=Microsoft Technet: Data Execution Prevention |url=http://technet2.microsoft.com/WindowsServer/en/Library/b0de1052-4101-44c3-a294-4da1bd1ef2271033.mspx?mfr=true ] Proprietary add-ons include:
* BufferShield [cite web |title=BufferShield: Prevention of Buffer Overflow Exploitation for Windows |url=http://www.sys-manage.com/english/products/products_BufferShield.html |accessdate=2007-06-03]
* StackDefender [cite web |title=NGSec Stack Defender |url=http://www.ngsec.com/ngproducts/stackdefender/ |accessdate=2007-06-03]
Executable space protection does not generally protect against
return-to-libc attacks, or any other attack which does not rely on the execution of the attackers code. However, on 64-bitsystems using ASLR, as described below, executable space protection makes it far more difficult to execute such attacks.
Address space layout randomization
Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.
Randomization of the
virtual memoryaddresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of internet worms. [cite web |title=PaX at GRSecurity.net |url=http://pax.grsecurity.net/docs/aslr.txt |accessdate=2007-06-03] A similar but less effective method is to rebase processes and libraries in the virtual address space.
Deep packet inspection
The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These are able to block packets which have the signature of a known attack, or if a long series of No-Operation instructions (known as a nop-sled) is detected, these were once used when the location of the exploit's payload is slightly variable.
Packet scanning is not an effective method since it can only prevent known attacks and there are many ways that a 'nop-sled' can be encoded. Attackers have begun to use alphanumeric, metamorphic, and self-modifying
shellcodes to evade detection by heuristic packet scanners and Intrusion detection systems.
History of exploitation
Buffer overflows were understood as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine." (Page 61) [cite web |title=Computer Security Technology Planning Study |url= http://csrc.nist.gov/publications/history/ande72.pdf |accessdate=2007-11-02] Today, the monitor would be referred to as the kernel.
The spread of personal computers in the 1980s increased the number of people who were aware of the technique. On the
Commodore PETfor instance it was a common practice to employ a rarely-used second tape buffer to store assembly language routines. Some programmers, to save a few bytes of space on a machine with a maximum of 32K RAM, avoided use of the tedious BASIC "POKE" statement by changing the print buffer start to the tape buffer to print the 6502 assembly language code (as strange looking characters) directly to the desired location. Since the actual print buffer was longer than the tape buffer, the BASIC string could easily overrun byte 1024 and interfere with the Microsoft BASIC interpreter on the PET. The bare-bones boot imageloaders of the early personal computers, including the early Mac, Commodore, Atari and all Microsoft operating systems up to Windows 95 and 98, had inadequate buffer protections and so many programmers became aware of buffer overflows.
The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the
Morris wormto propagate itself over the Internet. The program exploited was a Unixservice called finger. [cite web |title="A Tour of The Worm" by Donn Seeley, University of Utah |url=http://world.std.com/~franl/worm.html |accessdate=2007-06-03] Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraqsecurity mailing list. [cite web |title=Bugtraq security mailing list archive |url=http://www.security-express.com/archives/bugtraq/1995_1/0403.html |accessdate=2007-06-03] A year later, in 1996, Elias Levy(aka Aleph One) published in " Phrack" magazine the paper "Smashing the Stack for Fun and Profit", [cite web |title="Smashing the Stack for Fun and Profit" by Aleph One |url=http://doc.bughunter.net/buffer-overflow/smash-stack.html |accessdate=2007-06-03] a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.
Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the
Code Red wormexploited a buffer overflow in Microsoft's Internet Information Services(IIS) 5.0 [cite web |title=eEye Digital Security |url=http://research.eeye.com/html/advisories/published/AL20010717.html |accessdate=2007-06-03] and in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000. [cite web |title=Microsoft Technet Security Bulletin MS02-039 |url=http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx |accessdate=2007-06-03]
In 2003, buffer overflows present in licensed
Xboxgames have been exploited to allow unlicensed software, including homebrew games, to run on the console without the need for hardware modifications, known as modchips. [cite web |url=http://www.gamesindustry.biz/content_page.php?aid=1461 |title=Hacker breaks Xbox protection without mod-chip |accessdate=2007-06-03] The PS2 Independence Exploitalso used a buffer overflow to achieve the same for the PlayStation 2. The Twilight Hackaccomplished the same with the Wii, using a buffer overflow in "".
Stack buffer overflow
Security focused operating systems
Ping of death
* [http://iac.dtic.mil/iatac/download/Vol7_No4.pdf An Overview and Example of the Buffer-Overflow Exploit. pps. 16-21.]
* [https://www.securecoding.cert.org CERT Secure Coding Standards]
* [http://www.cert.org/secure-coding CERT Secure Coding Initiative]
* [http://www.cert.org/books/secure-coding Secure Coding in C and C++]
* [http://www.sans.org/reading_room/whitepapers/securecode/386.php SANS: inside the buffer overflow attack]
* [http://doc.bughunter.net/buffer-overflow/smash-stack.html "Smashing the Stack for Fun and Profit"] by Aleph One
* [http://www.awarenetwork.org/etc/alpha/?x=5 "Advances in adjacent memory overflows"] by Nomenumbra
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf A Comparison of Buffer Overflow Prevention Implementations and Weaknesses]
* [http://doc.bughunter.net/buffer-overflow/ More Security Whitepapers about Buffer Overflows]
* [http://www.syngress.com/book_catalog/327_SSPC/sample.pdf Chapter 12: Writing Exploits III] from "Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals" by James C. Foster (ISBN 1-59749-005-9). Detailed explanation of how to use Metasploit to develop a buffer overflow exploit from scratch.
* [http://csrc.nist.gov/publications/history/ande72.pdf Computer Security Technology Planning Study] , James P. Anderson, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Oct. 1972) [NTIS AD-758 206]
Wikimedia Foundation. 2010.