A Taxonomy of Buffer Overflow Characteristics
May/June 2012 (vol. 9 no. 3)
pp. 305-317
Matt Bishop, University of California, Davis, Davis
Sophie Engle, University of San Francisco, San Francisco
Damien Howard, Northwestern University School of Law, Chicago
Sean Whalen, University of California, Davis, Davis and Lawrence Berkeley National Laboratory, Berkeley
Significant work on vulnerabilities focuses on buffer overflows, in which data exceeding the bounds of an array is loaded into the array. The loading continues past the array boundary, causing variables and state information located adjacent to the array to change. As the process is not programmed to check for these additional changes, the process acts incorrectly. The incorrect action often places the system in a nonsecure state. This work develops a taxonomy of buffer overflow vulnerabilities based upon characteristics, or preconditions that must hold for an exploitable buffer overflow to exist. We analyze several software and hardware countermeasures to validate the approach. We then discuss alternate approaches to ameliorating this vulnerability.

Index Terms:
Protection mechanisms, software/program verification, security and privacy, arrays.
Matt Bishop, Sophie Engle, Damien Howard, Sean Whalen, "A Taxonomy of Buffer Overflow Characteristics," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 3, pp. 305-317, May-June 2012, doi:10.1109/TDSC.2012.10