Buffer Overflow (BOF) Class

Definition

We define Buffer Overflow (BOF) as:

The software accesses through an array a memory location that is outside the boundaries of that array. [1]

Often referred to as a "buffer," an array is a contiguously allocated set of objects [1], called elements. An array has a definite size, that is, a definite number of elements are allocated to it. The software should not use the array name to access anything outside the boundary of the allocated elements. The elements are all of the same data type and are accessed by integer offsets.

If the software can utilize the array name (more generally, array handle) to access any memory other than the allocated objects, it falls into this class.

Type

Low-level (language related).

Taxonomy

Fig. 1 depicts BOF causes, attributes and consequences.

Attributes

Access – Read, Write.

This is the access operation causing buffer overflow.

Boundary – Below, Above.

This indicated which end of the array is violated.

Location - Heap, Stack.

This indicates what part of memory the array is allocated in.

Magnitude - Small, Moderate, Far.

This indicates how far outside the boundary the violation extends – one to a few bytes; eight to dozens bytes; or hundreds, thousands or more bytes.

Data Size - Little, Some, Huge.

This indicates how much data is accessed beyond the boundary.

Excursion - Continuous, Discrete.

This indicates whether the violating access was preceded by consecutive accesses of elements within the array (continuous) or the violation was just accessing outside of the array (discrete).

Any of the attributes may be "any," "don't care" or "unknown." For example, strict bounds checking is equally effective regardless of the location, magnitude, data size or excursion of the violation. Keeping return addresses in a separate stack helps prevent problems occurring from write accesses when the array location is the stack.

Causes

In the graph of causes, Data Exceeds Array may be caused by an Input [that is] Not Checked Properly or by an Incorrect Calculation. The specific cases of Data Exceeds Array are Array Too Small and Too Much Data. Too Much Data may be caused by No NULL Termination. Wrong Index [or] Pointer Out of Range may be caused by Incorrect Calculation, too, or by an Incorrect Conversion.

The specific cases of Incorrect Calculation are Missing Factor, Incorrect Argument, Off By One, Integer Coercion, Integer Overflow, Wrap-around and Integer Underflow.

Array Too Small indicates the array was allocated smaller than it should have been. This may occur because the programmer leaves out a factor, like the size of a header, uses the wrong variable, or forgets room for a null to terminate a string.

Too Much Data indicates more data is accessed than was anticipated. This may occur because the string is not NULL terminated or the amount of data is calculated differently than the size of the buffer (e.g. Heartbleed).

Exposition: When we examine code, we can say in some cases that the programmer allocated the array too small, such as in CVE-2015-0235 - Ghost. The code computes the size of a buffer needed, but leaves out one factor, which makes the buffer four bytes short. In other cases, too much data was accessed, such as in CVE-2014-0160 - Heartbleed. A string was stored in an array, but instead of computing the length of the string, the code used a length from the input, which was not checked against the string. This can cause the code to read far more from the buffer than was allocated. In both cases, the size of the data exceeds the size of the array. Just looking at the code, it may be difficult to determine which case it is - it needs semantic content. That's why the two are sub-causes of one cause.

Consequences

The graph of consequences shows what could happen due to the fault. Resource Exhaustion refers to Memory and CPU.

Sites

BOF may occur at the use of [ ] or the use of unary * operator with arrays in the C language. Sites also include the use of many string library functions, such as strcpy() or strcat().

Related BF Classes

BF classes related to BOF are: IEX, ATN, <<content to be added>>.

Related CWEs and SFP

CWEs related to BOF are CWE-118, CWE-119, CWE-120, CWE-121, CWE-122, CWE-123, CWE-124, CWE-125, CWE-126, CWE-127, CWE-129, CWE-680, CWE-786, CWE-787, CWE-788, CWE-823.

BF BOF description of these CWEs are provided here.

The only related SFP cluster is SFP8 Faulty Buffer Access under Primary Cluster: Memory Access.

BF Descriptions of BOF Related CWEs are provided here.

Application

Application examples are provided here.

References

[1] I. Bojanova, P. E. Black, Y. Yesha, and Y. Wu, “The Bugs Framework (BF): A Structured approach to express bugs”, Proceedings of IEEE International Conference on Software Quality, Reliability and Security (QRS), 2016, , pp. 175-182.

[2] Information Technology -- Programming Languages – C”, ISO/IEC 9899:2011. Committee Draft-April 12, 2011 N1570, The International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) Joint Technical Committee JTC 1, Information technology, Subcommittee SC 22, Programming languages, their environments and system software interfaces. Working Group WG 14 - C. Tech. Rep. 2011.