Pre-design: Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Strategy: Environment Hardening Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [ REF-1334 ] discusses canary-based detection in detail. Effectiveness: Defense in Depth Note: This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.
Strategy: Environment Hardening Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [ REF-58 ] [ REF-60 ] and Position-Independent Executables (PIE) [ REF-64 ]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [ REF-1332 ] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [ REF-1335 ]. Effectiveness: Defense in Depth Note: These techniques do not provide a complete solution. For instance, exploits frequently use a bug that discloses memory addresses in order to maximize reliability of code execution [ REF-1337 ]. It has also been shown that a side-channel attack can bypass ASLR [ REF-1333 ].
Implement and perform bounds checking on input.
Strategy: Libraries or Frameworks Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-122: CWE-122: Heap-based Buffer Overflow is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-122 (CWE-122: Heap-based Buffer Overflow) it can compromise DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Availability Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop., Scope: Integrity, Confidentiality, Availability and Access Control Buffer overflows often can be used to execute arbitrary code.
Recommended mitigations for CWE-122 include: Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Strategy: Environment Hardening Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [ REF-1334 ] discusses canary-based detection in detail. Effectiveness: Defense in Depth Note: This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.
CWE-122 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-122 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.