Buffer Underwrite

From Guidance Share


Description

A buffer underwrite condition occurs when a buffer is indexed with a negative number, or pointer arithmetic with a negative value results in a position before the beginning of the valid memory location.

Applies To

  • Languages: C, C++, Assembly
  • Operating Platforms: All

Example

The following is an example of code that may result in a buffer underwrite, should find() return a negative value to indicate that ch is not found in srcBuf:

int main() {
    ...
    /* find() may return a negative value; it is used as an index unchecked */
    strncpy(destBuf, &srcBuf[find(srcBuf, ch)], 1024);
    ...
}

If the index to srcBuf is somehow under user control, this is an arbitrary write-what-where condition.

Impact

  • Availability: Buffer underwrites will very likely result in the corruption of relevant memory, and perhaps instructions, leading to a crash.
  • Access Control (memory and instruction processing): If the corrupted memory can be effectively controlled, it may be possible to execute arbitrary code. If the memory corrupted is data rather than instructions, the system will continue to function with improper changes, ones made in violation of a policy, whether explicit or implicit.
  • Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Vulnerabilities

  • Failure to check buffer boundaries before accessing or modifying memory

Countermeasures

  • Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
  • Implementation: Sanity checks should be performed on all calculated values used as an index or for pointer arithmetic.
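
The sanity checks named in the Implementation countermeasure, as an added example that is not part of the original page. It covers both cases from the Description: a negative index returned by a search routine, and pointer arithmetic with a negative offset. The find() body, copy_from_char() and write_at_offset() are hypothetical names and signatures chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the page's find(): index of ch in buf, or -1. */
static int find(const char *buf, char ch)
{
    const char *p = strchr(buf, ch);
    return p ? (int)(p - buf) : -1;
}

/* Index case: validate find()'s result before it is used as an index.
 * Returns 0 on success, -1 if ch is absent or the index is out of range. */
int copy_from_char(char *dest, size_t dest_size,
                   const char *src, size_t src_len, char ch)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';

    int idx = find(src, ch);
    if (idx < 0 || (size_t)idx >= src_len)   /* rejects the -1 sentinel */
        return -1;

    size_t n = src_len - (size_t)idx;        /* bytes from idx to end of src */
    if (n > dest_size - 1)
        n = dest_size - 1;                   /* leave room for the terminator */
    memcpy(dest, src + idx, n);
    dest[n] = '\0';
    return 0;
}

/* Pointer-arithmetic case: write value at buf[pos + delta] only if the
 * result stays inside [0, len). delta may be negative. */
int write_at_offset(char *buf, size_t len, size_t pos, long delta, char value)
{
    if (buf == NULL || pos >= len)
        return -1;
    if (delta < 0) {
        /* magnitude computed without overflowing on LONG_MIN */
        size_t back = (size_t)(-(delta + 1)) + 1;
        if (back > pos)
            return -1;                       /* would land before buf[0] */
        buf[pos - back] = value;
    } else {
        if ((size_t)delta >= len - pos)
            return -1;                       /* would land past the end */
        buf[pos + (size_t)delta] = value;
    }
    return 0;
}
```

Both functions compare in unsigned arithmetic only after the sign has been checked, so a negative value is never converted into a large positive index.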

Vulnerability Patterns

How Tos
