Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Status: Incomplete
Compound Element ID: 120 (Compound Element Base: Composite)

Summary
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Extended Description
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without checking its length at all. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

Alternate Terms
buffer overrun: Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow."
Unbounded Transfer: Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported.

Common Consequences
Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity: Access control (instruction processing): Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.
Integrity: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Potential Mitigations

Architecture and Design: Use an abstraction library to abstract away risky APIs. Examples include the Safe C String Library (SafeStr) by Viega, and the Strsafe.h library from Microsoft. This is not a complete solution, since many buffer overflows are not related to strings.
Architecture and Design: Use the <strsafe.h> library. This library has buffer overflow safe functions that will help with the detection of buffer overflows.
Build and Compilation: Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. This is not necessarily a complete solution, since these canary-based mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.
Implementation: Programmers should adhere to the following rules when allocating and managing their application's memory:
  - Double check that your buffer is as large as you specify.
  - When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  - Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.
  - Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Operation: Use a feature like Address Space Layout Randomization (ASLR). This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution.
Operation: Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent. This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways.
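The Implementation rules above in working C, as an added example that is not part of the CWE entry: the unchecked classic copy, the size check it omits (data length plus terminator against the actual buffer size), the strncpy() termination pitfall, and a bounded copy that always terminates and reports truncation. All function names and the 8-byte sample input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The classic pattern this entry describes: strcpy() writes strlen(src)+1 bytes
 * no matter how large dst is. Shown only so the pattern can be recognised. */
void classic_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}
/* The size check the classic pattern omits: true when the copy would write past
 * a dst_size-byte buffer (data length + NUL terminator, written at position 0). */
bool classic_copy_would_overflow(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}
/* The strncpy() pitfall from the Implementation rules: a source that exactly fills
 * the destination gets no NUL. Returns true only if dst is NUL-terminated afterwards. */
bool strncpy_leaves_terminator(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}
/* Hardened copy: truncates to what fits, always NUL-terminates, and reports truncation
 * so the caller can reject over-long input. Returns 0 on full copy, -1 on truncation, -2 on bad args. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -2;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[8], big[16];
    const char *input = "12345678";   /* constructed input: exactly sizeof buf bytes */
    classic_copy(big, input);         /* safe only because big is larger than the input */
    printf("would overflow buf: %d\n", classic_copy_would_overflow(sizeof buf, input));
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator(buf, sizeof buf, input));
    printf("bounded_copy rc=%d\n", bounded_copy(buf, sizeof buf, input));
    return 0;
}
```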
Other Notes
Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is more common to make the workload of an attacker much higher -- for example, by leaving

Weakness Ordinalities
Resultant (where the weakness is typically related to the presence of some other weaknesses)
Primary (where the weakness exists independent of other weaknesses)
Relationship Notes
At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them.
White Box Definitions
A weakness where the code path includes a Buffer Write Operation such that:
1. the expected size of the buffer is greater than the actual size of the buffer, where expected size is equal to the sum of the size of the data item and the position in the buffer.
Where Buffer Write Operation is a statement that writes a data item of a certain size into a buffer at a certain position and at a certain index.

References
Microsoft. "Using the Strsafe.h Functions".
Matt Messier and John Viega. "Safe C String Library v1.0.3".
Michael Howard. "Address Space Layout Randomization in Windows Vista".
Arjan van de Ven. "Limiting buffer overflows with ExecShield".
"PaX".

Submissions
PLOVER. (Externally Mined)

Modifications
Eric Dalci. Cigital. 2008-07-01. (External) updated Time_of_Introduction
KDM Analytics. 2008-08-01. (External) added/updated white box definitions
Veracode. 2008-08-15. (External) Suggested OWASP Top Ten 2004 mapping
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team. MITRE. 2008-10-10. (Internal) Changed name and description to more clearly emphasize the "classic" nature of the overflow.
CWE Content Team. MITRE. 2008-10-14. (Internal) updated Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes
CWE Content Team. MITRE. 2008-11-24. (Internal) updated Other_Notes, Relationships, Taxonomy_Mappings
CWE Content Team. MITRE. 2009-01-12. (Internal) updated Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships

Previous Entry Names
Unbounded Transfer ('Classic Buffer Overflow') (changed 2008-10-14)
Page Last Updated:
May 26, 2009
CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Contact cwe@mitre.org for more information. |
