Stack-based Buffer Overflow |
Weakness ID: 121 (Weakness Variant) | Status: Draft |
Description Summary
Stack Overflow: | "Stack Overflow" is often used to mean the same thing as stack-based buffer overflow, however it is also used on occasion to mean stack exhaustion, usually a result from an excessively recursive function call. Due to the ambiguity of the term, use of stack overflow to describe either circumstance is discouraged. |
---|
Scope | Effect |
---|---|
Availability | Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. |
Access Control | Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. |
Other | When the consequence is arbitrary code execution, this can often be used to subvert any other security service. |
Example 1
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, stack-based buffer overflows:
Phase: Requirements Use a language or compiler that performs automatic bounds checking. |
Phase: Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution. |
Phase: Build and Compilation Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. |
Phase: Implementation Implement and perform bounds checking on input. |
Phase: Implementation Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors. |
Phase: Operation Use OS-level preventative functionality, such as ASLR. This is not a complete solution. |
There are generally several security-critical data on an execution stack that can lead to arbitrary code execution. The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing. The attacker can overwrite this value with some memory address to which the attacker also has write access, into which he places arbitrary code to be run with the full privileges of the vulnerable program. Alternately, the attacker can supply the address of an important call, for instance the POSIX system() call, leaving arguments to the call on the stack. This is often called a return into libc exploit, since the attacker generally forces the program to jump at return time into an interesting routine in the C standard library (libc). Other important data commonly on the stack include the stack pointer and frame pointer, two values that indicate offsets for computing memory addresses. Modifying those values can often be leveraged into a "write-what-where" condition. |
Stack-based buffer overflows can instantiate in return address overwrites, stack pointer overwrites or frame pointer overwrites. They can also be considered function pointer overwrites, array indexer overwrites or write-what-where condition, etc. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 787 | Out-of-bounds Write | Development Concepts699 Research Concepts1000 |
ChildOf | Weakness Base | 788 | Access of Memory Location After End of Buffer | Development Concepts (primary)699 Research Concepts (primary)1000 |
MemberOf | View | 630 | Weaknesses Examined by SAMATE | Weaknesses Examined by SAMATE (primary)630 |
A stack-based buffer overflow is a weakness where the code path includes a buffer write operation such that: 1. stack allocation of a buffer 2. data is written to the buffer where 3. the expected size of the buffer is greater than the actual size of the buffer where expected size is equal to size of data added to position from which writing operation starts |
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Stack Overruns" Page 129. 2nd Edition. Microsoft. 2002. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
CLASP | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-08-01 | KDM Analytics | External | ||
added/updated white box definitions | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Applicable Platforms, Background Details, Common Consequences, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Relationships | ||||
2009-07-17 | KDM Analytics | External | ||
Improved the White Box Definition | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations, White Box Definitions | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Relationships |