Heap Overflow

From Guidance Share


Description

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated dynamically at runtime using a call such as malloc or new.

Applies To

  • Languages: C, C++, Fortran, Assembly
  • Operating platforms: All, although partial preventative measures may be deployed depending on environment.
  • Note on managed code: Buffer overruns can occur in .NET managed code when calling into native code or if the managed code is marked with the unsafe keyword.

Example

There are many real-world examples of buffer overflows, including in popular “industrial” applications such as e-mail servers (Sendmail) and web servers (Microsoft IIS Server). In code, here is a simple example:

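#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256

int main(int argc, char **argv) {
    char *buf;
    buf = (char *)malloc(BUFSIZE);  /* fixed-size heap allocation */
    strcpy(buf, argv[1]);           /* vulnerable: copies without checking the length of argv[1] */
    return 0;
}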

Since argv[1] can be of any length, more than 256 characters can be copied into the variable buf.

Impact

  • Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
  • Access control (memory and instruction processing): Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy.
  • Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Vulnerabilities

  • Failure to check heap buffer boundary on copy
  • Failure to check heap buffer boundary on concatenation

Countermeasures

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
  • Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
  • Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
  • Implementation: Check heap buffer boundaries before copy or concatenation.
  • Operational: Use OS-level preventative functionality. Not a complete solution.
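
The Implementation countermeasure above, applied to the example program, as an added sketch that is not part of the original page. It covers both the copy and the concatenation cases listed under Vulnerabilities; the helper names heap_copy and heap_concat and the ".log" suffix are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 256

/* Hypothetical helper: copy src into dst, which holds cap bytes.
   Returns 0 on success; -1 if src plus its NUL does not fit (dst is emptied). */
int heap_copy(char *dst, size_t cap, const char *src) {
    if (dst == NULL || src == NULL || cap == 0) return -1;
    size_t n = strlen(src);
    if (n >= cap) { dst[0] = '\0'; return -1; }  /* reject instead of truncating */
    memcpy(dst, src, n + 1);                     /* n + 1 includes the terminator */
    return 0;
}

/* Hypothetical helper: append src to the string already in dst (cap bytes).
   Returns 0 on success; -1 and leaves dst unchanged if the result would not fit. */
int heap_concat(char *dst, size_t cap, const char *src) {
    if (dst == NULL || src == NULL || cap == 0) return -1;
    const char *end = memchr(dst, '\0', cap);    /* never scan past the allocation */
    if (end == NULL) return -1;                  /* dst is not terminated within cap */
    size_t used = (size_t)(end - dst);
    size_t n = strlen(src);
    if (n >= cap - used) return -1;              /* remaining space must hold n + NUL */
    memcpy(dst + used, src, n + 1);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) return 1;                      /* argv[1] must exist */
    char *buf = malloc(BUFSIZE);
    if (buf == NULL) return 1;                   /* allocation can fail */
    int rc = heap_copy(buf, BUFSIZE, argv[1]);   /* boundary check on copy */
    if (rc == 0)
        rc = heap_concat(buf, BUFSIZE, ".log");  /* boundary check on concatenation */
    if (rc == 0)
        puts(buf);
    else
        fputs("input too long\n", stderr);
    free(buf);
    return rc == 0 ? 0 : 1;
}
```

Both helpers take the allocation size as an explicit argument, so the check is made against the real capacity of the heap buffer rather than inferred from the input.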

Vulnerability Patterns

How Tos
