Buffer Overflow Definition, Usage, and Handling Terminology Differences #1

@ccoffin

Description

Presentation was provided in the Aug. 28 CWE UEWG

Inconsistent Usage of “Buffer Overflow” Term
The “buffer overflow” term has been used for decades, yet there isn’t a single definition that’s shared by everybody using it. If somebody reports an issue using definition X and a user reads the report but assumes definition Y, confusion or inconsistency can result. This has CWE usability implications… especially if CWE uses the term differently.

Example of different usages (operation and position)

  • WRITE of a buffer
  • WRITE or of a buffer
  • WRITE or READ of a buffer
  • WRITE or READ or of a buffer

Results from a 2-Year-Old Twitter Poll
Audience: heavy software security, exploit writing, vuln management

  • About 30% did define “buffer overflow” as only writing past the end of a buffer
  • About 25% included “read” in their definition

Inconsistent Usage “In the Wild”
In early CWE days, multiple code analysis tool vendors said that their tools do not distinguish between before/after, or do not distinguish between read/write. The famous “AddressSanitizer” tool from Google flags any out-of-bounds accesses, but it reports “heap-buffer-overflow” and “stack-buffer-overflow” – but no “underflows” (there are many vague terms from AddressSanitizer that just get copy/pasted into CVE descriptions)

CWE sometimes uses the “overflow” term in names or descriptions. We are running into this inconsistency as we make usability improvements (micro-changes) to CWE names, descriptions, and supporting images

Use of CWE-122 “in the wild”
At least one CVE for a “heap underflow” was mapped to CWE-122 by a CNA experienced in CWE mapping. AddressSanitizer probably can’t distinguish between past-the-end or before-the-beginning, and some other tools probably don’t either. Using the “read or write” interpretation – mapping an “underflow” to CWE-122 would be correct. Where would “heap underflow” get mapped – the more-general CWE-787? Should a new entry be created?

  • CWE-124: Buffer Underwrite ('Buffer Underflow') - desc specifies a write “prior to the beginning of the buffer,” but not “heap” or “stack”
  • CWE’s own language is inconsistent - “out-of-bounds” is used for writes, reads (CWE-125/CWE-126), “outside the buffer's intended boundary” (CWE-119)
  • CWE’s own buffer-overflow model has some gaps and overlap - e.g. CWE-788: Access of Memory Location After End of Buffer
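The two axes the issue keeps returning to (operation: read vs. write; position: before the beginning vs. past the end) are easy to state and easy to blur. The following is an added example, not code from the CWE issue or from the CWE project: a bounds-checked accessor that classifies an attempted access on both axes before refusing it, and tags each out-of-bounds combination with one of the CWE entries named in the text above. The choice of which entry goes with which combination (CWE-787 and CWE-124 for writes, CWE-126 and CWE-125 for reads) is an assumption made for illustration; the heap/stack refinements (CWE-122, CWE-121) are deliberately left out because a checker at this level does not know where the buffer was allocated.

```c
/* Added example (not part of the CWE issue above): a bounds-checked accessor
 * that classifies an attempted access by operation (read/write) and position
 * (before the beginning / past the end) before refusing it.  The CWE ids are
 * the ones named in the issue text; which id goes with which case is my own
 * illustrative choice. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { ACC_READ, ACC_WRITE } access_op;
typedef enum { POS_IN_BOUNDS, POS_BEFORE_BEGIN, POS_AFTER_END } access_pos;

typedef struct {
    access_op op;
    access_pos pos;
    const char *cwe;   /* "-" when the access is in bounds */
} access_verdict;

/* Position of an n-byte access at signed byte offset off within a len-byte
 * buffer.  The comparisons are arranged so that a huge n cannot wrap around
 * and look in-bounds.  An access that starts before the buffer is reported
 * as "before the beginning" even if it also runs past the end. */
static access_pos locate_access(size_t len, ptrdiff_t off, size_t n)
{
    if (off < 0)
        return POS_BEFORE_BEGIN;
    if ((size_t)off > len || n > len - (size_t)off)
        return POS_AFTER_END;
    return POS_IN_BOUNDS;
}

/* Assumed mapping (illustrative): general write/read entries for past-the-end,
 * the "underwrite" entry for writes before the beginning, the general
 * out-of-bounds read entry for reads before the beginning. */
static const char *cwe_for(access_op op, access_pos pos)
{
    switch (pos) {
    case POS_AFTER_END:    return op == ACC_WRITE ? "CWE-787" : "CWE-126";
    case POS_BEFORE_BEGIN: return op == ACC_WRITE ? "CWE-124" : "CWE-125";
    default:               return "-";
    }
}

access_verdict classify_access(size_t len, ptrdiff_t off, size_t n, access_op op)
{
    access_verdict v;
    v.op = op;
    v.pos = locate_access(len, off, n);
    v.cwe = cwe_for(op, v.pos);
    return v;
}

/* Copy n bytes out of buf into out.  Returns 0 on success, -1 (nothing
 * copied) when the access would leave the buffer; *v gets the verdict. */
int checked_read(const uint8_t *buf, size_t len, ptrdiff_t off, size_t n,
                 uint8_t *out, access_verdict *v)
{
    *v = classify_access(len, off, n, ACC_READ);
    if (v->pos != POS_IN_BOUNDS)
        return -1;
    memcpy(out, buf + off, n);
    return 0;
}

/* Same contract as checked_read, for writes into buf from src. */
int checked_write(uint8_t *buf, size_t len, ptrdiff_t off, size_t n,
                  const uint8_t *src, access_verdict *v)
{
    *v = classify_access(len, off, n, ACC_WRITE);
    if (v->pos != POS_IN_BOUNDS)
        return -1;
    memcpy(buf + off, src, n);
    return 0;
}

static const char *pos_name(access_pos p)
{
    return p == POS_IN_BOUNDS ? "in bounds"
         : p == POS_BEFORE_BEGIN ? "before the beginning" : "past the end";
}

int main(void)
{
    uint8_t buf[8] = {0};          /* constructed 8-byte buffer */
    uint8_t one = 0xAA, out = 0;
    access_verdict v;
    /* The four combinations the issue contrasts, plus one in-bounds access. */
    struct { ptrdiff_t off; access_op op; } cases[] = {
        {8, ACC_WRITE}, {-1, ACC_WRITE}, {8, ACC_READ}, {-1, ACC_READ}, {7, ACC_READ}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = cases[i].op == ACC_WRITE
               ? checked_write(buf, sizeof buf, cases[i].off, 1, &one, &v)
               : checked_read(buf, sizeof buf, cases[i].off, 1, &out, &v);
        printf("%-5s at offset %2td: %-20s %s (%s)\n",
               cases[i].op == ACC_WRITE ? "WRITE" : "READ", cases[i].off,
               pos_name(v.pos), v.cwe, rc == 0 ? "performed" : "refused");
    }
    return 0;
}
```

Note that the classifier treats `off == len` as past the end (the classic one-past-the-end write) and that a zero-length access at that offset is still in bounds, which is the boundary case most hand-written checks get wrong.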

How do we move forward?
Some CWE reorganization may be needed.
Challenge: most users will not consider CWE’s own definition if they are already familiar with a term

Proposal 1: since most people interpret “buffer overflow” as “write past the end of the buffer” – use this term when applicable
This is more usable for most people, but loses technical accuracy for experts, exploit writers, and tool vendors

Proposal 2: Avoid using “buffer overflow” in names and descriptions, and use less-ambiguous “read/write” for “before/after” the buffer
More technically accurate and precise and reduces ambiguity, but does not use language that many people are familiar with

Alternate terms / glossary could be updated when needed
CWE-122, CWE-121 (stack-based overflow), CWE-120 (“classic” buffer overflow) and others might need modification

It’s Not Just Buffer Overflows
We will likely run into this issue as we move through CWE for simplification
(opinion) CWE cannot force consistent, correct terminology, but CWE must support people using CWE with different uses of the same terminology

Other examples

  • Integer “wrap” (wraparound) and “overflow” are technically distinct
  • “Stack overflow” could be stack exhaustion or stack-based buffer overflow
  • “memory leak” could be not freeing memory after use, or disclosing the contents of memory
  • “Named callable” – formally-defined CWE term used in some standards that generalizes concepts like functions, procedures, subroutines, etc.
  • “Neutralization” and other terms that CWE had to “invent”
  • IDOR/BOLA
