Security.com

How to prevent buffer overflow attacks

By Sharon Shea

Buffer overflow attacks can cause serious damage to an organization by enabling an attacker to assault an application and gain control of the corporate network.

These attacks are far from new -- the first documented buffer overflow attack was 1988's Morris worm. Yet, despite their longevity and well-known tactics, they can be difficult to defend against.

To successfully mitigate buffer overflow attacks, it is important to understand how they unfold. Read on to learn how they work and then identify best practices during software development and post-deployment that help stop a buffer overflow vulnerability from compromising your enterprise's network and applications.

What is a buffer overflow and how does it work?

A buffer is a temporary area for data storage. When more data is written to a buffer than it was allocated to hold, the excess overflows -- hence the name buffer overflow. The overflow spills into adjacent memory, which can corrupt or overwrite whatever is stored there, including other buffers.

In a buffer overflow attack, a malicious actor exploits vulnerable software. There are two main types of buffer overflows. Heap-based overflow attacks, which are harder to execute and less common, target the heap, the memory region a program allocates dynamically at runtime, by flooding an allocated block with more data than it can hold. The more common stack-based buffer overflow attack targets an application's call stack, the memory region that holds a function's local variables (often including the buffers that receive user input) along with its saved return address.

If a malicious actor sends more data to a stack buffer than it can hold, the excess overwrites the adjacent stack contents, and the attacker's payload can displace legitimate data to damage files, change data or expose private information. Supplying an input string longer than the space reserved for it is what opens the security hole. Hackers use scanning tools to find applications vulnerable to overflow and then trigger an attack. Once the overflow occurs, the hacker steers execution toward the malicious command by overwriting the function's saved return address with one that points to that command. The overflow corrupts the application's normal control flow, and when the affected function returns, it jumps to the return address that the hacker has redirected to the malicious command.

When the program runs the command found at the new return address, it does not recognize that anything has gone wrong and keeps executing. This means any command prompt window opened this way runs with the same set of executable permissions as the application that was compromised, enabling the hacker to gain full control of the OS.

Other types of buffer overflows include the following:

How to prevent buffer overflow attacks

After understanding how a buffer overflow attack works, organizations can better grasp how to prevent them from infiltrating their systems and taking control of their applications.

To bulk up enterprise defenses, ensure secure coding practices, and prevent buffer overflow vulnerabilities by adhering to the following:
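The mechanism described above (an unbounded copy into a fixed-size stack buffer) and the secure coding practice this section calls for can be seen side by side in the following added example. It is illustrative code written for this page, not code from the article or from any product it mentions; the function names, the 16-byte buffer size and the sample inputs are all hypothetical. The unsafe function is defined only for contrast and is never called; the two hardened variants show the two defensive policies a developer can choose between, rejecting oversized input outright or truncating it deterministically.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer used by every function below (assumed value). */
#define NAME_LEN 16

/*
 * Vulnerable pattern (hypothetical example, not from the article).
 * strcpy() copies until it finds the source's NUL terminator and never looks
 * at the destination size, so a source of NAME_LEN bytes or more writes past
 * the end of 'name' into whatever sits next to it on the stack: other local
 * variables and, eventually, the saved return address the article describes.
 * It is defined here only for contrast and is never called.
 */
void copy_name_unsafe(char *name /* NAME_LEN bytes */, const char *src) {
    strcpy(name, src);
}

/*
 * Hardened pattern 1: validate the length up front and refuse input that
 * would not fit, terminator included. Returns true on success, false when
 * the copy would have overflowed (nothing is written in that case).
 */
bool copy_name_checked(char *name, size_t name_size, const char *src) {
    size_t n = strlen(src);
    if (name_size == 0 || n >= name_size) {
        return false;               /* needs n + 1 bytes; reject rather than overflow */
    }
    memcpy(name, src, n + 1);       /* n + 1 also copies the NUL terminator */
    return true;
}

/*
 * Hardened pattern 2: accept the input but truncate it deterministically.
 * snprintf() never writes more than name_size bytes and always NUL-terminates
 * when name_size > 0. Returns the length the untruncated string would need,
 * so callers can detect that truncation happened (return >= name_size).
 */
size_t copy_name_truncating(char *name, size_t name_size, const char *src) {
    int needed = snprintf(name, name_size, "%s", src);
    return needed < 0 ? 0 : (size_t)needed;
}

/* Convenience wrappers over a local NAME_LEN buffer so each policy can be
 * exercised with a single call. */
bool fits_in_name(const char *src) {
    char name[NAME_LEN];
    return copy_name_checked(name, sizeof name, src);
}

size_t truncated_len(const char *src) {
    char name[NAME_LEN];
    copy_name_truncating(name, sizeof name, src);
    return strlen(name);            /* never exceeds NAME_LEN - 1 */
}

int main(void) {
    /* Constructed sample inputs: one that fits and one that is too long. */
    const char *ok = "alice";
    const char *too_long = "this-name-is-far-longer-than-sixteen-bytes";
    char name[NAME_LEN];

    printf("checked(\"%s\")      -> %s\n", ok, fits_in_name(ok) ? "accepted" : "rejected");
    printf("checked(too_long)    -> %s\n", fits_in_name(too_long) ? "accepted" : "rejected");

    size_t needed = copy_name_truncating(name, sizeof name, too_long);
    printf("truncating(too_long) -> \"%s\" (%zu of %zu bytes kept)\n",
           name, strlen(name), needed);
    return 0;
}
```

The rejecting variant is the better default for fields with a known maximum length, because silently truncated data can itself become a logic bug; the truncating variant is appropriate for display strings where losing the tail is harmless. Either way, the destination size is passed explicitly and checked before any byte is written, which is the property the vulnerable pattern lacks.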

It is critical to also test applications and websites for buffer overflow vulnerabilities post-deployment. Enterprises must ensure the following steps are taken:

  1. Install vendor-issued patches and software updates in a timely manner.
  2. Test websites and applications with manual and automated vulnerability scanning tools.
  3. Block IP addresses associated with malicious actors.
  4. Use intrusion detection and prevention systems that block known buffer overflow exploits.
  5. Use deep packet inspection to monitor network traffic.

25 Mar 2020
