Stack-based Buffer Overflow| ID: 121 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
A stack-based buffer overflow condition is a condition where
the buffer being overwritten is allocated on the stack (i.e., is a local
variable or, rarely, a parameter to a function).
Likelihood of Exploit: Very High
Applicable PlatformsLanguage: CLanguage: C++
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Availability | DoS: crash / exit /
restartDoS: resource consumption
(CPU)DoS: resource consumption
(memory) | Buffer overflows generally lead to crashes. Other attacks leading to
lack of availability are possible, including putting the program into an
infinite loop. |
| IntegrityConfidentialityAvailabilityAccess_Control | Execute unauthorized code or
commandsBypass protection
mechanism | Buffer overflows often can be used to execute arbitrary code, which is
usually outside the scope of a program's implicit security
policy. |
| IntegrityConfidentialityAvailabilityAccess_ControlOther | Execute unauthorized code or
commandsBypass protection
mechanismOther | When the consequence is arbitrary code execution, this can often be
used to subvert any other security service. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Build and Compilation | Compilation or Build Hardening | Run or compile the software using features or extensions that
automatically provide a protection mechanism that mitigates or
eliminates buffer overflows.For example, certain compilers and extensions provide automatic buffer
overflow detection mechanisms that are built into the compiled code.
Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat
FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. | Defense in Depth | This is not necessarily a complete solution, since these mechanisms
can only detect certain types of overflows. In addition, an attack could
still cause a denial of service, since the typical response is to exit
the application. |
| Architecture and Design | | Use an abstraction library to abstract away risky APIs. Not a complete
solution. | | |
| Build and Compilation | | Compiler-based canary mechanisms such as StackGuard, ProPolice and the
Microsoft Visual Studio /GS flag. Unless this provides automatic bounds
checking, it is not a complete solution. | | |
| Implementation | | Implement and perform bounds checking on input. | | |
| Implementation | | Do not use dangerous functions such as gets. Use safer, equivalent
functions which check for boundary errors. | | |
| Operation | | Use OS-level preventative functionality, such as ASLR. This is not a
complete solution. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-121 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This example takes an IP address from a user, verifies that it is
well formed and then looks up the hostname and copies it into a
buffer. (Demonstrative Example Id DX-1)
- While buffer overflow examples can be rather complex, it is possible
to have very simple, yet still exploitable, stack-based buffer
overflows: (Demonstrative Example Id DX-89)
White Box DefinitionsA stack-based buffer overflow is a weakness where the code path includes a
buffer write operation such that:1. stack allocation of a buffer2. data is written to the buffer where3. the expected size of the buffer is greater than the actual size of
the buffer whereexpected size is equal to size of data added to position from
which writing operation starts
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Stack overflow | |
References:
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Stack Overruns" Page 129'. Published on 2002.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 5: Buffer Overruns." Page 89'. Published on 2010.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 3, "Nonexecutable Stack", Page
76.'. Published on 2006.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 5, "Protection Mechanisms", Page
189.'. Published on 2006.
