345 – Establish protections against overflows

Summary

The system must have protection mechanisms against the different types of overflow (stack, buffer, heap, integer, etc.).

Description

An overflow occurs when an application receives a value outside of the range that it is prepared to handle. It can happen when a program tries to process an excessively big number or if it attempts to read a memory address outside of its assigned buffer. An overflow can cause a program to stop working, which can lead to a Denial of Service (DoS). Therefore, systems should use data structures and mechanisms that help reduce the chances that an overflow will arise, such as memory-safe strings, safe memory copy and pointer arithmetic.

Supported In

Advanced: True

References

• CAPEC-24. Filter failure through buffer overflow
• CAPEC-123. Buffer manipulation
• CAPEC-153. Input data manipulation
• CWE-120. Buffer copy without checking size of input ("classic buffer overflow")
• CWE-134. Use of externally-controlled format string
• CWE-170. Improper null termination
• CWE-190. Integer overflow or wraparound
• OWASPM10-M7. Poor code quality
• AGILE-9. Continuous attention to technical excellence and good design
• CERTC-INT32-C. Ensure that operations on signed integers do not result in overflow
• CERTJ-NUM00-J. Detect or prevent integer overflow
• MITRE-M1013. Application developer guidance
• PADSS-5_2_2. Buffer Overflow
• SANS25-1. Out-of-bounds Write
• SANS25-7. Out-of-bounds read
• SANS25-12. NULL pointer dereference
• SANS25-14. Integer overflow or wraparound
• SANS25-17. Improper restriction of operations within the bounds of a memory buffer
• CMMC-CA_L2-3_12_2. Plan of action
• IEC62443-RA-7_1. Denial of service protection
• WASC-A_03. Integer overflows
• WASC-A_10. Denial of service
• WASC-A_26. HTTP request smuggling
• ISSAF-P_6_3. Host security - Linux security (buffer overflows)
• ISSAF-P_6_4. Host security - Linux security (stack based overflows)
• ISSAF-P_6_5. Host security - Linux security (heap based overflows)
• ISSAF-P_6_6. Host security - Linux security (integer overflows)
• ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)
• ISSAF-V_11. Application security - Source code auditing (buffer overflows)
• PTES-6_7_1_1. Exploitation - Zero day angle (buffer overflows)
• OWASPSCP-1. Input validation
• OWASPSCP-13. Memory management
• CWE25-119. Improper restriction of operations within the bounds of a memory buffer
• CWE25-125. Out-of-bounds read
• CWE25-190. Integer overflow or wraparound
• CWE25-476. NULL pointer dereference
• CWE25-787. Out-of-bounds Write
• OSAMM-ST. Security Testing
• ASVS-5_4_3. Memory, string, and unmanaged code
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIG-I_2_1. Application security
• OWASPAPI-API4. Lack of Resources & Rate Limiting

Last updated

2024/02/09