A buffer overflow or overrun is a memory safety issue where a program does not properly check the boundaries of an allocated fixed-length memory buffer and writes more data than it can hold.
This causes data to overflow to adjacent memory space, overwriting the information there, which often leads to crashes and exploitable conditions.
Buffer overflows are one of the oldest and most common causes for arbitrary code execution vulnerabilities, and applications written in programming languages like C and C++ are more prone to such coding mistakes than other languages.
To avoid them, the developer community has developed secure coding practices and major software vendors have adopted them as part of their secure development life cycles.
Buffer overflow vulnerabilities on the rise
In September 2019, The MITRE Corporation, which maintains the Common Weakness Enumeration (CWE) catalog, published a list of the top 25 types of software vulnerabilities.
The top rank went to CWE-119 or "Improper Restriction of Operations within the Bounds of a Memory Buffer," a larger class of buffer handling errors that includes buffer overflows and out-of-bound reads.
The fact that buffer overflows still rank at the top after many years of efforts to eliminate them from computer software is somewhat surprising.
However, this is the first time MITRE updated the top 25 weaknesses list since 2011 and the ranking is based on a new scoring formula that combines the frequency of vulnerabilities in the National Vulnerabilities Database (NVD) observed over 2017 and 2018 with their average severity scores.
So, the list reflects the overall risk associated with certain types of weaknesses based on both prevalence and the danger they pose.
Another reason why buffer overflows are back in the spotlight might be the rise of internet-of-things (IoT) devices, which, based on research over the past few years, have exhibited poor code quality compared to modern desktop applications from established vendors.
The firmware of embedded systems has historically been riddled with buffer overflow issues and that hasn't improved much over the years because those obscure code bases don't typically get major overhauls. What has changed is the growing number of such devices on the internet, on business networks and inside households.
Buffer overflow attack examples
Buffer overflows typically have a high severity ranking because they can lead to unauthorised code execution in cases where attackers can control the overwritten memory space outside the targeted buffer and can redirect a function pointer to their malicious code.
Even when arbitrary code execution is not possible, a buffer overflow often results in a crash, leading to a denial of service (DoS) condition that affects the availability of the application and the processes it handles. This is particularly bad on server deployments where continuous availability is needed and expected.
In certain cases, attackers can also use buffer overflows to overwrite critical settings in an application's memory, for example a flag indicating whether the user is an administrator or not. This can lead to privilege escalation in the context of the application and potentially the system itself.
Finally, improper handling of buffer boundaries can allow attackers to read data outside the buffer instead of overwriting it, leading to sensitive information disclosure. This is known as an out-of-bounds read. While it's different from a classic buffer overflow, an out-of-bounds read falls in the same category of coding mistakes.
Out-of-bound reads can also be used to obtain information that can help attackers exploit other vulnerabilities. For example, they can be used to disclose memory addresses that are protected by kernel anti-exploitation technologies such as address space layout randomisation (ASLR).
How to prevent buffer overflows
Since buffer overflows are the result of programming errors, the best way to prevent them is to train developers to avoid making those errors. Many secure coding guides and books address buffer overflows, as do secure coding certification programs.
The CERT Coordination Center and Carnegie Mellon University's Software Engineering Institute have developed coding standards for several programming languages, including C and C++.
Automated ways to prevent buffer overflows include using memory-safe programming languages or frameworks and libraries that provide safe versions of functions that are prone to cause buffer overflows.
Developers should also create applications that use features like ASLR and position-independent executables (PIE) to limit the potential impact of buffer overflows. They should also use compiler flags and extensions that detect such errors like the /GS flag in Microsoft Visual Studio, the FORTIFY_SOURCE GCC flag added by Red Hat, StackGuard and ProPolice.
Unfortunately, none of these solutions provide complete protection, so it's important to perform periodic code reviews and application security testing with both internal and external security teams, as well as integrating tools such as fuzzers into the automated testing workflows.