R345. Establish protections against overflows

Requirement

The system must have protection mechanisms against the different types of overflow (stack, buffer, heap, integer, etc.).

Description

An overflow occurs when an application receives a value outside the range it is prepared to handle. It can happen when a program tries to process an excessively large number, or when it reads from or writes to a memory address outside its assigned buffer. An overflow can cause a program to stop working, which can lead to a Denial of Service (DoS). Therefore, systems should use data structures and mechanisms that reduce the chances of an overflow arising, such as memory-safe strings, safe memory copy and safe pointer arithmetic.
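The following C helpers are an added example (not code from Fluid Attacks or from any standard cited below) of the three controls this requirement calls for: a bounded string copy that refuses input that does not fit, a checked multiplication and range-checked parse that prevent integer wraparound before a size reaches an allocator, and a constant format string that keeps untrusted text out of the format argument. The function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy: copies src into dst[dst_size] and always NUL-terminates.
 * Returns false (leaving dst empty) when src does not fit, instead of
 * writing past the end of dst the way an unbounded copy would. */
bool safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    /* Look for the terminator only within dst_size bytes of src. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {            /* src is at least dst_size long: no room */
        dst[0] = '\0';
        return false;
    }
    size_t n = (size_t)(nul - src);
    memcpy(dst, src, n + 1);      /* includes the terminator */
    return true;
}

/* Checked multiply for allocation sizes (CWE-190): count * elem_size can
 * wrap around, making malloc() hand back a buffer far smaller than the
 * caller later writes into. */
bool checked_mul(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return false;
    *out = count * elem_size;
    return true;
}

/* Sign- and range-checked parse of a user-supplied count: rejects
 * negatives, non-numeric text, trailing garbage and values above max. */
bool parse_count(const char *text, long max, long *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 0 || v > max)
        return false;
    *out = v;
    return true;
}

/* CWE-134: the format string is a constant; untrusted text is only ever
 * passed as a %s argument, so any '%' it contains is copied literally. */
int render_name(char *dst, size_t dst_size, const char *user_text)
{
    return snprintf(dst, dst_size, "user=%s", user_text);
}
```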

References

  1. CAPEC-123: Buffer Manipulation. An adversary manipulates an application’s interaction with a buffer in an attempt to read or modify data they shouldn’t have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer.

  2. CAPEC-153: Input Data Manipulation. An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

  3. CWE-120: Classic Buffer Overflow. The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

  4. CWE-134: Use of Externally-Controlled Format String. The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

  5. CWE-190: Integer Overflow or Wraparound. The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value.

  6. OWASP-ASVS v4.0.1 V5.4 Memory, String, and Unmanaged Code Requirements. (5.4.1) Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.

  7. OWASP-ASVS v4.0.1 V5.4 Memory, String, and Unmanaged Code Requirements. (5.4.2) Verify that format strings do not take potentially hostile input, and are constant.

  8. OWASP-ASVS v4.0.1 V5.4 Memory, String, and Unmanaged Code Requirements. (5.4.3) Verify that sign, range, and input validation techniques are used to prevent integer overflows.

  9. PCI DSS v3.2.1 - Requirement 6.5.2 Address common coding vulnerabilities in software-development processes such as buffer overflows.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.