Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')| ID: 120 | Date: (C)2012-05-14 (M)2022-10-10 | | Type: weakness | Status: INCOMPLETE | | Abstraction Type: Base |
Description The program copies an input buffer to an output buffer without
verifying that the size of the input buffer is less than the size of the output
buffer, leading to a buffer overflow. Extended DescriptionA buffer overflow condition exists when a program attempts to put more
data in a buffer than it can hold, or when a program attempts to put data in
a memory area outside of the boundaries of a buffer. The simplest type of
error, and the most common cause of buffer overflows, is the "classic" case
in which the program copies the buffer without restricting how much is
copied. Other variants exist, but the existence of a classic overflow
strongly suggests that the programmer is not considering even the most basic
of security protections. Likelihood of Exploit: High to Very High Applicable PlatformsLanguage: CLanguage: C++Language: Assembly Time Of Introduction Related Attack Patterns Common Consequences | Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | Buffer overflows often can be used to execute arbitrary code, which is
usually outside the scope of a program's implicit security policy. This
can often be used to subvert any other security service. | | Availability | DoS: crash / exit /
restartDoS: resource consumption
(CPU) | Buffer overflows generally lead to crashes. Other attacks leading to
lack of availability are possible, including putting the program into an
infinite loop. |
Detection Methods | Name | Description | Effectiveness | Notes |
|---|
| Automated Static Analysis | This weakness can often be detected using automated static analysis
tools. Many modern tools use data flow analysis or constraint-based
techniques to minimize the number of false positives.Automated static analysis generally does not account for environmental
considerations when reporting out-of-bounds memory operations. This can
make it difficult for users to determine which warnings should be
investigated first. For example, an analysis tool might report buffer
overflows that originate from command line arguments in a program that
is not expected to run with setuid or other special privileges. | High | | | Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that
interact with the software using large test suites with many diverse
inputs, such as fuzz testing (fuzzing), robustness testing, and fault
injection. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results. | | | | Manual Analysis | Manual analysis can be useful for finding this weakness, but it might
not achieve desired code coverage within limited time constraints. This
becomes difficult for weaknesses that must be considered for all inputs,
since the attack surface can be too large. | | |
Potential Mitigations | Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Requirements | Language Selection | Use a language that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.For example, many languages that perform their own memory management,
such as Java and Perl, are not subject to buffer overflows. Other
languages, such as Ada and C#, typically provide overflow protection,
but the protection can be disabled by the programmer.Be wary that a language's interface to native code may still be
subject to overflows, even if the language itself is theoretically safe. | | | | Architecture and Design | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to
occur or provides constructs that make this weakness easier to
avoid.Examples include the Safe C String Library (SafeStr) by Messier and
Viega [R.120.4], and the Strsafe.h library from Microsoft [R.120.3].
These libraries provide safer versions of overflow-prone string-handling
functions. | | This is not a complete solution, since many buffer overflows are not
related to strings. | | Build and Compilation | Compilation or Build Hardening | Run or compile the software using features or extensions that
automatically provide a protection mechanism that mitigates or
eliminates buffer overflows.For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code.
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat
FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. | Defense in Depth | This is not necessarily a complete solution, since these mechanisms
can only detect certain types of overflows. In addition, an attack could
still cause a denial of service, since the typical response is to exit
the application. | | Implementation | | Consider adhering to the following rules when allocating and managing
an application's memory: | | | | Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright. | | | | Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server. | | | | Operation | Environment Hardening | Use a feature like Address Space Layout Randomization (ASLR) [R.120.5]
[R.120.7]. | Defense in Depth | This is not a complete solution. However, it forces the attacker to
guess an unknown value that changes every program execution. In
addition, an attack could still cause a denial of service, since the
typical response is to exit the application. | | Operation | Environment Hardening | Use a CPU and operating system that offers Data Execution Protection
(NX) or its equivalent [R.120.7] [R.120.9]. | Defense in Depth | This is not a complete solution, since buffer overflows could be used
to overwrite nearby variables to modify the software's state in
dangerous ways. In addition, it cannot be used in cases in which
self-modifying code is required. Finally, an attack could still cause a
denial of service, since the typical response is to exit the
application. | | Build and CompilationOperation | | Most mitigating technologies at the compiler or OS level to date
address only a subset of buffer overflow problems and rarely provide
complete protection against even that subset. It is good practice to
implement strategies to increase the workload of an attacker, such as
leaving the attacker to guess an unknown value that changes every
program execution. | | | | Implementation | | Replace unbounded copy functions with analogous functions that support
length arguments, such as strcpy with strncpy. Create these if they are
not available. | Moderate | This approach is still susceptible to calculation errors, including
issues such as off-by-one errors (CWE-193) and incorrectly calculating
buffer lengths (CWE-131). | | Architecture and Design | Enforcement by Conversion | When the set of acceptable objects, such as filenames or URLs, is
limited or known, create a mapping from a set of fixed input values
(such as numeric IDs) to the actual filenames or URLs, and reject all
other inputs. | | | | Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.120.10]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | | | Architecture and DesignOperation | Sandbox or Jail | Run the code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict which files can be accessed in a particular
directory or which commands can be executed by the software.OS-level examples include the Unix chroot jail, AppArmor, and SELinux.
In general, managed code may provide some protection. For example,
java.io.FilePermission in the Java SecurityManager allows the software
to specify restrictions on file operations.This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of the application may still be subject
to compromise.Be careful to avoid CWE-243 and other weaknesses related to jails. | Limited | The effectiveness of this mitigation depends on the prevention
capabilities of the specific sandbox or jail being used and might only
help to reduce the scope of an attack, such as restricting the attacker
to certain system calls or limiting the portion of the file system that
can be accessed. |
RelationshipsAt the code level, stack-based and heap-based overflows do not differ
significantly, so there usually is not a need to distinguish them. From the
attacker perspective, they can be quite different, since different
techniques are required to exploit them. | Related CWE | Type | View | Chain |
|---|
| CWE-120 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details) - In the following example, a server accepts connections from a client
and processes the client request. After accepting a client connection, the
program will obtain client information using the gethostbyaddr method, copy
the hostname of the client that connected to a local variable and output the
hostname of the client to a log file.
- The excerpt below calls the gets() function in C, which is
inherently unsafe. (Demonstrative Example Id DX-5)
- The following code asks the user to enter their last name and then
attempts to store the value entered in the last_name array.
- The following code attempts to create a local copy of a buffer to
perform some manipulations to the data. (Demonstrative Example Id DX-6)
Observed Examples - CVE-2000-1094 : buffer overflow using command with long argument
- CVE-1999-0046 : buffer overflow in local program using long environment variable
- CVE-2002-1337 : buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<"
- CVE-2003-0595 : By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.
- CVE-2001-0191 : By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers.
For more examples, refer to CVE relations in the bottom box. White Box DefinitionsA weakness where the code path includes a Buffer Write Operation such
that:1. the expected size of the buffer is greater than the actual size of
the buffer where expected size is equal to the sum of the size of the
data item and the position in the bufferWhere Buffer Write Operation is a statement that writes a data item of a
certain size into a buffer at a certain position and at a certain
index Black Box Definitions None Taxynomy Mappings | Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Unbounded Transfer ('classic overflow') | | | 7 Pernicious Kingdoms | | Buffer Overflow | | | CLASP | | Buffer overflow | | | OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE_More_Specific | | OWASP Top Ten 2004 | A5 | Buffer Overflows | CWE_More_Specific | | CERT C Secure Coding | STR35-C | Do not copy data from an unbounded source to a fixed-length
array | | | WASC | 7 | Buffer Overflow | | | CERT C++ Secure Coding | STR35-CPP | Do not copy data from an unbounded source to a fixed-length
array | |
References: - M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Public Enemy #1: The Buffer Overrun" Page
127'. Published on 2002.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 5: Buffer Overruns." Page 89'. Published on 2010.
- Microsoft .Using the Strsafe.h Functions.
- Matt Messier John Viega .Safe C String Library v1.0.3.
- Michael Howard .Address Space Layout Randomization in Windows
Vista.
- Arjan van de Ven .Limiting buffer overflows with ExecShield.
- .PaX.
- Jason Lam .Top 25 Series - Rank 3 - Classic Buffer
Overflow. SANS Software Security Institute. 2010-03-02.
- Microsoft .Understanding DEP as a mitigation technology part
1.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 3, "Nonexecutable Stack", Page
76.'. Published on 2006.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 5, "Protection Mechanisms", Page
189.'. Published on 2006.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "C String Handling", Page 388.'. Published on 2006.
|
