• Product

      Product

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary Webinars Whitepapers Workshops Latest Blogs Documentation
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps
      Whitepaper
      Implement Effective Next-Gen Container Runtime Security in Kubernetes and Cloud Native Apps >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
  • LOGIN
Cisco Logo Deepfactor is now part of Cisco | Learn more
Learn more
Deepfactor Logo
  • Product

      Product

      Use Cases

      Application Security Platform

      Use Cases

      Shift Left & DevSecOps Supply Chain Security Software Bill of Materials (SBOM) Container Runtime Security & Compliance Cloud Native Application Security
      What is Deepfactor and How Does It Work?
      4-Minute Video
      What is Deepfactor and How Does It Work? >
  • Pricing
    • Pricing Plans
  • Resources

      Resources

      All Resources Next-Gen AppSec Series Case Studies Demos Videos Glossary
      Webinars Whitepapers Workshops Latest Blogs Documentation
      Next-Gen AppSec Series—Deepfactor SCA: 80% Less Noise, 50% Lower Cost
      Next-Gen AppSec Series
      Next-Gen AppSec Series—Deepfactor SCA: 80% Less Noise, 50% Lower Cost >
  • Company
    • About
    • Leadership
    • Partners
    • News and Events
    • Careers
    • Contact Us
LOGIN
Deepfactor's Application Security Platform will no longer be offered for sale or renewal effective September 20, 2024.

Getting Started

  • QuickStart Guide
  • Install Deepfactor CLI
  • Deepfactor Support Matrix

Tutorials

  • SBOM & SCA
    • Artifact Releases
    • Deepfactor Scanner
    • Integrate Deepfactor scanner in your CI/CD pipelines
    • Scanning container images from private registries using Deepfactor CLI
    • Scan container images in K8s cluster
      • Scanning images from private registries in K8s cluster using Deepfactor
      • Scanning container images from private registries with basic authentication support in K8s
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS Fargate
      • Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on AWS EC2
  • Runtime Security
    • Introduction to Deepfactor Runtime Security
    • Deepfactor CLI Reference
    • Kubernetes workload
      • Run your Kubernetes workload with Deepfactor
      • Install Deepfactor Mutating Webhook
      • Configure Deepfactor Kubernetes admission webhook
      • Install Deepfactor K8s webhook on EKS Fargate
      • Selecting the pods you want to run with Deepfactor
      • Configuring application name, component name and component version in K8s webhook
      • Install Deepfactor mutating admission webhook using Argo CD
      • Install Deepfactor portal & webhook using Argo CD and vault
      • Use image pull secret for Runtime images
    • Containers/Other orchestration platforms
      • Run your Container Images with Deepfactor
      • Run containers in ECS with Deepfactor
    • Non-containerized workloads
      • Running non-containerized applications with Deepfactor

Deepfactor Platform

  • Introduction to Deepfactor
  • Alert Policies
  • Alert States and Triaging Flows
  • Deepfactor’s Correlation Capabilities
  • Organization and Teams
  • Role Based Access Control
  • Insights Knowledge Base
    • Privilege Separation and Privilege Dropping
    • Buffer Overflow Alerts
  • Knowledge Base
    • Deepfactor scan errors
    • K8s Webhook & Runtime Troubleshooting Guide
    • Tools for viewing CycloneDX and SPDX SBOMs
    • Graceful handling of pod restarts
    • Deepfactor telemetry events
    • Deepfactor Instrumentation Warning Messages
    • Best Practices for running your applications with Deepfactor in production environments
    • Golang Specific Notes
    • How to access Deepfactor Portal in different AWS subnet types
    • How the Deepfactor Management Portal Communicates With The Outside World
    • Language Specific Agents (LSA)
    • Mixed libc environments
    • Sensitive Information and Secrets in Process Environment Remediation
    • Running HAProxy with Deepfactor
    • Augmenting Alert Evidence with Runtime Stack Traces
  • FAQs
    • General FAQs
    • Open Source Disclosure

Integrations

  • Single Sign On (SSO) for authentication to Deepfactor
  • Integrate Jira with Deepfactor
  • Integrate Slack with Deepfactor
  • Okta
  • Deepfactor HTTPS webhook

Self managed Deepfactor portal

  • Deepfactor Portal architecture & deployment options
  • Install Self managed Deepfactor portal
    • Kubernetes Cluster
      • Prerequisites for deploying Deepfactor portal in Kubernetes Cluster
      • Deploying Deepfactor Portal in your Kubernetes Cluster
      • Install Deepfactor portal using Helm
      • Customizing Deepfactor portal deployment
        • Customizing your Deepfactor Portal Deployment in K8s
        • Deploy Deepfactor Portal With Resource Limits
        • Deploying Deepfactor Portal using external IP
        • Deepfactor Portal Installation with Existing Ingress Controller
    • AWS EC2
      • Prerequisites for installing Deepfactor Portal in AWS Cloud
      • Deploying Deepfactor on AWS using CFT
      • Install AWS Certificate Manager(ACM) certificate on Deepfactor portal EC2 instance
    • VMWare vSphere
      • Deepfactor Portal Proxy Configuration for OVA deployments
      • Prerequisites for deploying Deepfactor portal in VWware vSphere
      • Deploying Deepfactor on VMware vSphere
  • Manage Deepfactor Portal
    • Using Deepfactor APIs
    • Managing Users
    • Updating your Deepfactor Portal
    • Updating Deepfactor portal certificate
  • Deepfactor Portal Certificate
    • Generate certificate using cert-manager for Deepfactor portal
    • Create self-signed certificate for Deepfactor Portal on your K8s cluster
    • Create AWS Private CA Certificate for Deepfactor Portal on your K8s cluster
    • Create Let’s Encrypt certificate for Deepfactor Portal on your K8s cluster

Release Notes

  • Deepfactor Release Notes
  • Home
  • Docs
  • Deepfactor Platform
  • Insights Knowledge Base

Buffer Overflow Alerts

A buffer overflow occurs when a too many bytes are written to a data structure or variable (a “buffer”) in memory. When this happens, the content of the memory locations immediately after the variable being changed are modified. This inadvertent change can corrupt other variables in the same function, corrupt
return addresses (if the buffer being overflowed is on the stack, which is the case if a local/automatic variable is the buffer being overflowed), or damage the heap (if the buffer is a dynamically allocated area).

An attacker can exploit a buffer overflow vulnerability if an application does not perform proper length checking of input arguments (typically supplied by the attacker in these scenarios.) If a caller is allowed to provide both the input data and the size of that data to a vulnerable function, and that function trusts the length provided by the caller (attacker), the application can be fooled into overwriting the subsequent bytes in memory if it makes a copy of that input data into a local buffer/variable.

Altering neighboring bytes in memory can allow an attacker to take control of an application. This can happen through several different mechanisms:

  • If the buffer being overflowed is on the stack (eg, a local/automatic variable in C/C++), the attacker may be able to overwrite stack frames, including the return address from the function currently being called. When the function returns to the original caller, the control flow can be hijacked and directed to code of the attacker’s choice (eg, a ROP-style attack). This type of control flow hijacking is possible due to the fact that modern CPU architectures and ABIs use the stack for both local variable storage as well
    as control flow.
  • If the buffer being overflowed is on the heap (eg, a dynamically allocated variable from malloc() or new()), the attacker may be able to overwrite the heap implementation’s internal metadata. If the heap implementation uses a linked list or sequence of buffers, the attacker may be able to fool the heap implementation’s free() function to write arbitrary values elsewhere in memory. This technique can be used to write to known locations containing function pointers (such as C++ object vtables), influencing program control next time those functions are used.

Control flow hijacking is not the only danger present if the application is subject to buffer overflow vulnerabilities. By overwriting adjacent bytes with garbage or junk data, the application may crash, possibly producing a DoS (denial of service) attack.

It should also be noted that buffer overflows don’t always need to be of the “write” variety. Buffers can be overflowed in a “read” scenario as well. If a caller of a function controls the “length” or “size” parameter of data to be returned by a function, and that function does not validate that the amount of data requested is less than the actual amount (or max amount) of data available, a read operation may return bytes past the end of the correct data. This can potentially allow an attacker to retrieve data unrelated to the original request, which may include sensitive data residing in memory after the buffer.

Buffer overflows that can be used to influence control flow are typically more common in memory-unsafe languages like C/C++. Languages that manage memory via an interpreter may be more resilient to these attacks, although bugs and implementation problems in the interpreters themselves could still allow for
control flow hijacking. Memory safe languages may offer a structural barrier preventing buffer overflows, but may not be able to protect a developer against logic errors causing buffer overflows within a managed region of memory (e.g., reading 100 bytes from a 1000 byte buffer, where only 50 bytes should have been returned).

 

Mitigating Buffer Overflows #

Buffer overflow exploits can be mitigated using a number of safe programming techniques:

  • Don’t use functions that operate without buffer length checks. This includes functions like strcpy/strcat/sprintf and similar variants. These functions date from the 1970s and Better alternatives (such as strlcpy) are almost always available.
  • Use memory safe languages to provide an additional layer of safety.
  • Use fuzzing tools (during test) on functions accepting caller-provided “length” or “size” function parameters, in an attempt to discover buffer overflow susceptibility before code reaches production.
  • Practice good code reviews; always treat “length” or “size” function input parameters as suspect. Ensure these parameters are checked before any data manipulation occurs.

 

References:
https://en.wikipedia.org/wiki/Buffer_overflow
https://en.wikipedia.org/wiki/Return-oriented_programming

Was this article helpful?
Still stuck? How can we help?

How can we help?

Updated on January 25, 2021

Powered by BetterDocs

Table of Contents
  • Mitigating Buffer Overflows
Deepfactor Icon

Deepfactor is a next-gen application security platform, using static container scan data + runtime analysis to prioritize vulnerabilities to those representing true risk to a business—based on reachability, runtime usage, deployment context, and exploit maturity.

Product Pricing Resources Company Documentation Login

SUBSCRIBE TO OUR NEWSLETTER!

Sign Up
LinkedIn Icon YouTube Icon GitHub Icon Twitter Icon

© 2025 Deepfactor, Inc. All Rights Reserved.

Privacy Statement | Terms of Service | Open Source Disclosure