Now and again we present short educational briefings on topics related to Application Security. Last time we discussed Data Breaches, read more here. Today I will present a brief overview of Buffer Overflows.

A Buffer overflow is a common software coding mistake. In order to effectively mitigate buffer overflow vulnerabilities, it is important that you first understand what buffer overflows are, what dangers they pose to your applications, and what techniques attackers use to successfully exploit these vulnerabilities.

A buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. A buffer overflow, or “buffer overrun” occurs when more data is put into a fixed-length buffer than the buffer can handle. Adjacent memory space becomes overwritten and corrupted. When this occurs – bad things happen. Usually system crashes, but also the opportunity for an attacker to run arbitrary code.

Many programming languages are prone to buffer overflow attacks. However, the extent of such attacks varies depending on the language used to write the vulnerable program. For instance, code written in Perl and JavaScript is generally not susceptible to buffer overflows. However, a buffer overflow in a program written in C, C++, Fortran, or Assembly could allow the attacker to fully compromise the targeted system.

Cyber criminals exploit buffer overflow problems. Malicious actors take advantage of this software vulnerability to alter the execution path of the application by overwriting parts of its memory. The malicious extra data may contain code designed to trigger specific actions – in effect sending new instructions to the attacked application that could result in unauthorized access to the system. Hacker techniques that exploit a buffer overflow vulnerability vary per architecture and operating system.

It's a common mistake in application development today not to allocate large enough buffers or check for overflow problems. C/C++ applications are often targets of buffer overflow attacks. C/C++ applications have no built-in protection to buffer overflows. Developers of C/C++ applications should avoid standard library functions which are not bounds checked, such as gets, scanf and strcpy.

Secure development practices should include regular testing to detect and fix buffer overflows. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. Another fix is “bounds checking” enforced at run-time, which prevents buffer overrun by automatically checking that data written to a buffer is within acceptable boundaries.

We value your opinion, so please let us know if there are any concepts or topics you would like to hear about from us.

Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He manages much of the Veracode web presence while also working on strategic interactive media projects. In his spare time you'll find him drinking the CrossFit kool-aid, getting overly competitive in a video game, or doting over his lovely wife and daughter.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu