The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections. 900 Category ChildOf 865 800 Category ChildOf 802 1000 699 Weakness ChildOf 119 711 Category ChildOf 722 711 Category ChildOf 726 1000 Weakness CanPrecede 123 631 Category ChildOf 633 700 Weakness ChildOf 20 734 Category ChildOf 741 868 Category ChildOf 875 888 Category ChildOf 890 At the code level, stack-based and heap-based overflows do not differ significantly, so there usually is not a need to distinguish them. From the attacker perspective, they can be quite different, since different techniques are required to exploit them. Resultant Primary buffer overrun Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." Unbounded Transfer Many issues that are now called "buffer overflows" are substantively different than the "classic" overflow, including entirely different bug types that rely on overflow exploit techniques, such as integer signedness errors, integer overflows, and format string bugs. This imprecise terminology can make it difficult to determine which variant is being reported. Implementation High to Very High Integrity Confidentiality Availability Execute unauthorized code or commands Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service. Availability DoS: crash / exit / restart DoS: resource consumption (CPU) Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. Automated Static Analysis This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report buffer overflows that originate from command line arguments in a program that is not expected to run with setuid or other special privileges. High Detection techniques for buffer-related errors are more mature than for most other weakness types. Automated Dynamic Analysis This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Manual Analysis Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large. Requirements Language Selection Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe. Architecture and Design Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [R.120.4], and the Strsafe.h library from Microsoft [R.120.3]. These libraries provide safer versions of overflow-prone string-handling functions. This is not a complete solution, since many buffer overflows are not related to strings. Build and Compilation Compilation or Build Hardening Run or compile the software using features or extensions that automatically provide a protection mechanism that mitigates or eliminates buffer overflows. For example, certain compilers and extensions provide automatic buffer overflow detection mechanisms that are built into the compiled code. Examples include the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice. Defense in Depth This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. Implementation Consider adhering to the following rules when allocating and managing an application's memory: Double check that your buffer is as large as you specify. When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string. Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space. If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions. Implementation Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Operation Environment Hardening Use a feature like Address Space Layout Randomization (ASLR) [R.120.5] [R.120.7]. Defense in Depth This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application. Operation Environment Hardening Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [R.120.7] [R.120.9]. Defense in Depth This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software's state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application. Build and Compilation Operation Most mitigating technologies at the compiler or OS level to date address only a subset of buffer overflow problems and rarely provide complete protection against even that subset. It is good practice to implement strategies to increase the workload of an attacker, such as leaving the attacker to guess an unknown value that changes every program execution. Implementation Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Moderate This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131). Architecture and Design Enforcement by Conversion When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. Architecture and Design Operation Environment Hardening Run your code using the lowest privileges that are required to accomplish the necessary tasks [R.120.10]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. Architecture and Design Operation Sandbox or Jail Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails. Limited The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed. Explicit The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array. C char last_name[20]; printf ("Enter your last name: "); scanf ("%s", last_name); The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total. The following code attempts to create a local copy of a buffer to perform some manipulations to the data. C void manipulate_string(char* string){ char buf[24]; strcpy(buf, string); ... } However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and blindly copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter. The excerpt below calls the gets() function in C, which is inherently unsafe. C char buf[24]; printf("Please enter your name and press <Enter>\n"); gets(buf); ... } However, the programmer uses the function gets() which is inherently unsafe because it blindly copies all input from STDIN to the buffer without restricting how much is copied. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition. In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file. C C++ ... struct hostent *clienthp; char hostname[MAX_LEN]; // create server socket, bind to server address and listen on socket ... // accept client connections and process requests int count = 0; for (count = 0; count < MAX_CONNECTIONS; count++) { int clientlen = sizeof(struct sockaddr_in); int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen); if (clientsocket >= 0) { clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET); strcpy(hostname, clienthp->h_name); logOutput("Accepted client connection from host ", hostname); // process client request ... close(clientsocket); } } close(serversocket); ... However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method. CVE-2000-1094 buffer overflow using command with long argument CVE-1999-0046 buffer overflow in local program using long environment variable CVE-2002-1337 buffer overflow in comment characters, when product increments a counter for a ">" but does not decrement for "<" CVE-2003-0595 By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. CVE-2001-0191 By replacing a valid cookie value with an extremely long string of characters, an attacker may overflow the application's buffers. Memory Management Memory M. Howard D. LeBlanc Writing Secure Code Chapter 5, "Public Enemy #1: The Buffer Overrun" Page 127 2nd Edition Microsoft 2002 Michael Howard David LeBlanc John Viega 24 Deadly Sins of Software Security "Sin 5: Buffer Overruns." Page 89 McGraw-Hill 2010 Microsoft Using the Strsafe.h Functions http://msdn.microsoft.com/en-us/library/ms647466.aspx Matt Messier John Viega Safe C String Library v1.0.3 http://www.zork.org/safestr/ Michael Howard Address Space Layout Randomization in Windows Vista http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx Arjan van de Ven Limiting buffer overflows with ExecShield http://www.redhat.com/magazine/009jul05/features/execshield/ PaX http://en.wikipedia.org/wiki/PaX Jason Lam Top 25 Series - Rank 3 - Classic Buffer Overflow SANS Software Security Institute 2010-03-02 http://software-security.sans.org/blog/2010/03/02/top-25-series-rank-3-classic-buffer-overflow/ Microsoft Understanding DEP as a mitigation technology part 1 http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx Sean Barnum Michael Gegick Least Privilege 2005-09-14 https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/351.html Mark Dowd John McDonald Justin Schuh The Art of Software Security Assessment Chapter 3, "Nonexecutable Stack", Page 76. 1st Edition Addison Wesley 2006 Mark Dowd John McDonald Justin Schuh The Art of Software Security Assessment Chapter 5, "Protection Mechanisms", Page 189. 1st Edition Addison Wesley 2006 Mark Dowd John McDonald Justin Schuh The Art of Software Security Assessment Chapter 8, "C String Handling", Page 388. 1st Edition Addison Wesley 2006 Unbounded Transfer ('classic overflow') Buffer Overflow Buffer overflow Unvalidated Input A1 CWE_More_Specific Buffer Overflows A5 CWE_More_Specific Do not copy data from an unbounded source to a fixed-length array STR35-C Buffer Overflow 7 Do not copy data from an unbounded source to a fixed-length array STR35-CPP A weakness where the code path includes a Buffer Write Operation such that: 1. the expected size of the buffer is greater than the actual size of the buffer where expected size is equal to the sum of the size of the data item and the position in the buffer Where Buffer Write Operation is a statement that writes a data item of a certain size into a buffer at a certain position and at a certain index 10 100 14 24 42 44 45 46 47 67 8 9 92 PLOVER Eric Dalci Cigital 2008-07-01 updated Time_of_Introduction KDM Analytics 2008-08-01 added/updated white box definitions Veracode 2008-08-15 Suggested OWASP Top Ten 2004 mapping CWE Content Team MITRE 2008-09-08 updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities CWE Content Team MITRE 2008-10-10 Changed name and description to more clearly emphasize the "classic" nature of the overflow. CWE Content Team MITRE 2008-10-14 updated Alternate_Terms, Description, Name, Other_Notes, Terminology_Notes CWE Content Team MITRE 2008-11-24 updated Other_Notes, Relationships, Taxonomy_Mappings CWE Content Team MITRE 2009-01-12 updated Common_Consequences, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships CWE Content Team MITRE 2009-07-27 updated Other_Notes, Potential_Mitigations, Relationships CWE Content Team MITRE 2009-10-29 updated Common_Consequences, Relationships CWE Content Team MITRE 2010-02-16 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type CWE Content Team MITRE 2010-04-05 updated Demonstrative_Examples, Related_Attack_Patterns CWE Content Team MITRE 2010-06-21 updated Common_Consequences, Potential_Mitigations, References CWE Content Team MITRE 2010-09-27 updated Potential_Mitigations CWE Content Team MITRE 2010-12-13 updated Potential_Mitigations CWE Content Team MITRE 2011-03-29 updated Demonstrative_Examples, Description CWE Content Team MITRE 2011-06-01 updated Common_Consequences CWE Content Team MITRE 2011-06-27 updated Relationships CWE Content Team MITRE 2011-09-13 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings CWE Content Team MITRE 2012-05-11 updated References, Relationships CWE Content Team MITRE 2012-10-30 updated Potential_Mitigations Unbounded Transfer ('Classic Buffer Overflow')