Heap-based Buffer Overflow |
Weakness ID: 122 (Weakness Variant) | Status: Draft |
Description Summary
Scope | Effect |
---|---|
Availability | Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. |
Access Control | Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime. |
Other | When the consequence is arbitrary code execution, this can often be used to subvert any other security service. |
Example 1
Reference | Description |
---|---|
CVE-2007-4268 | Chain: integer signedness passes signed comparison, leads to heap overflow |
Pre-design: Use a language or compiler that performs automatic bounds checking. |
Phase: Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution. |
Pre-design through Build: Canary style bounds checking, library changes which ensure the validity of chunk data, and other such fixes are possible, but should not be relied upon. |
Implement and perform bounds checking on input. |
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary. |
Operational: Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary)631 |
ChildOf | Weakness Base | 787 | Out-of-bounds Write | Development Concepts699 Research Concepts1000 |
ChildOf | Weakness Base | 788 | Access of Memory Location After End of Buffer | Development Concepts (primary)699 Research Concepts (primary)1000 |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary)630 |
Heap-based buffer overflows are usually just as dangerous as stack-based buffer overflows. |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
92 | Forced Integer Overflow |
A buffer overflow where the buffer from the Buffer Write Operation is dynamically allocated |
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Heap Overruns" Page 138. 2nd Edition. Microsoft. 2002. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-08-01 | KDM Analytics | External | ||
added/updated white box definitions | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Other Notes, Relationship Notes | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Relationships | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Relationships |