Q

What causes buffer overflows and memory leaks in a Web application?

Buffer overflows and memory leaks can cause serious harm to Web applications. In this SearchSecurity.com Q&A, application security expert Michael Cobb reveals how both can lead to security breaches and system compromises.

What do we mean by memory leaks and buffer overflows in a Web application? Can you use an example that shows how to test for them?

These two problems have always plagued Web applications. Buffer overflow exploits, such as the Code Red worm, have led to major data security breaches and system compromises. First, though, let's look at memory leakage, as this will help with your understanding of buffer overflows. A memory leak occurs when a programmer dynamically allocates memory space for a variable of some type, but then fails to free up that space before the program completes. This leaves less free memory for the system to use. Repeated running of the program or function that causes such memory loss can eventually crash the system or result in a denial of service. Here's a simple code example that results in a loss of memory:

int main(int argc, char **argv)
{ 
  char * memoryA = new char[10];
  memoryA [0] = 'A'; 
  printf("%cn", memoryA [0]);
}

This program allocates memory to the variable memoryA to store an array of 10 characters, but the program never explicitly frees it.

In order to prevent memory leakage, programmers should always free any dynamically allocated space when it is no longer required. For simple applications, you can scan your code to ensure that every new operator has a corresponding delete operator, or language-equivalent pairing. For more complex projects, you will need to run an application diagnostic tool, such as Purify or LeakTracer, that detects memory errors. Also, stress-test your application and monitor its memory consumption.

Buffer overflows can result in application or system crashes; they can even allow attackers to compromise the system and initiate unauthorized processes. A buffer overflow occurs when a program or process tries to store more data into a memory buffer than it was intended to hold. A hacker, for example, can submit data to a Web application via a form, and that data is intentionally larger than the memory buffer allocated to hold it. This extra data can overflow into adjacent memory, overwriting any valid data held in it, and often overwriting the return address that is used when the function ends. By writing a new return address, the hacker can trick the system into executing his or her own code.

You should be aware that some languages are more susceptible to buffer overflow errors and memory leaks than others. The C and C++ languages provide no built-in checks to ensure that data written to a buffer is within the boundaries of that buffer. Windows programmers should use Microsoft's strsafe.lib and strsafe.h, provided as part of Visual C++ .NET 2003, which use a library of safe string-handling functions. Applications written in Java, however, don't really suffer from buffer overflows and memory leaks, as Java is a strongly typed language. Be aware, though, that applications written in Java and other "safe" languages can still be susceptible to buffer overflows when they interact with services and libraries that are written in other languages.

The best way to prevent buffer overflow problems is to validate all input data that an application receives. You can even write your own string copy function that incorporates additional data filtering checks at the same time.

More information:

This was first published in February 2007

Dig deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close