BUFFER OVERFLOW

Buffer overflows occur when a program writes more data to a buffer (a fixed-size block of memory) than it can hold, causing the excess data to overwrite adjacent memory. This is typically the result of incorrect or unsafe code, especially in low-level languages like C and C++, which lack built-in bounds checking. A buffer overflow can lead to unexpected behavior, including crashes, data corruption, or even arbitrary code execution, making it a powerful tool for attackers to manipulate a system’s execution flow. While modern compilers and operating systems have introduced memory protection mechanisms such as stack canaries, address space layout randomization (ASLR), and non-executable stacks—to reduce the risk of buffer overflows, they remain a concern in systems where such protections are limited or absent. This is especially true in embedded systems and IoT devices, where performance constraints often lead to the continued use of C, and where custom software stacks may lack modern hardening (e.g., CVE-2021-3156 in sudo, or CVE-2017-12542 in an embedded HPE web server). Notably, buffer overflows can affect not only compiled binaries but also web applications running on constrained or outdated platforms.

Modern memory protections like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) were introduced to defend against classic buffer overflow attacks. DEP prevents code execution in certain memory regions, such as the stack and heap, by marking them as non-executable. This stops attackers from injecting shellcode into these areas and executing it directly.

In response, attackers developed Return-Oriented Programming (ROP), which bypasses DEP by chaining together small code snippets, or “gadgets,” already present in executable memory. These gadgets end in return instructions and can be combined to perform arbitrary operations without injecting new code.

To counter ROP, systems implemented ASLR, which randomizes the locations of key memory segments each time a program runs. This makes it significantly harder for attackers to reliably locate useful gadgets or functions in memory. However, if an attacker can leak memory addresses, they may still defeat ASLR, so modern systems often combine DEP, ASLR, and additional protections like stack canaries and control-flow integrity (CFI) for stronger defense.