Expand description

This module implements a check for CWE-119: Buffer Overflow and its variants CWE-125: Out-of-bounds Read and CWE-787: Out-of-bounds Write.

Arrays or buffers of any kind are often accessed through indices. If the index of an access is outside of the bounds of the buffer this can lead to severe consequences. In the case of out-of-bounds read accesses this often leads to exposure of sensitive information to an attacker. Out-of-bounds write accesses can often be used to hijack the control flow of a program and thus may lead to arbitrary code execution.

See https://cwe.mitre.org/data/definitions/119.html for a detailed description.

How the check works

The check uses the results of the Pointer Inference analysis to check whether any memory accesses may point outside of the bounds of the corresponding memory objects. Additionally, the check uses a lightweight dataflow fixpoint computation to ensure that for each memory object only the first access outside of its bounds is flagged as a CWE.

Currently, the check is only partially interprocedural. Bounds of parameter objects can be detected, but bounds of memory objects created in called functions (other than the standard allocation functions) will not be detected.

False Positives

  • Any analysis imprecision of the Pointer Inference analysis may lead to false positive results in this check.
  • If no exact bounds for a memory object could be inferred then the strictest (smallest) bounds found are used, which can lead to false positive warnings.

False Negatives

  • In cases where the Pointer Inference analysis could not infer any bounds at all for the memory object or the access index this check generally assumes analysis imprecision as the culprit and will not flag them as CWEs. This leads to false negatives, especially in cases where the bounds directly depend on user input.
  • The Pointer Inference analysis cannot distinguish different objects located on the same stack frame. Thus buffer overflows on the stack can only be detected if they may reach outside of the whole stack frame. This leads to false negatives, especially for buffer overflows caused by off-by-one bugs.
  • For parameters of extern calls where a corresponding call stub is defined the analysis approximates size parameters as small as possible, which can lead to false negatives. Currently, analysis imprecision would lead to too many false positives if we would approximate by larger possible size parameters.
  • For parameters of extern function calls without corresponding function stubs the check only checks whether the parameter itself may point outside of the boundaries of a memory object. But since we generally do not know what size the called function expects the pointed-to object to have this still may miss buffer overflows occuring in the called function.
  • Right now the check only considers buffers on the stack or the heap, but not buffers in global memory. Thus corresponding overflows of buffers in global memory are not detected.
  • Since the check is only partially interprocedural at the moment, it will miss object sizes of objects created in called functions. For example, if allocations are wrapped in simple wrapper functions, the analysis will miss overflows for corresponding objects, because it cannot determine their object sizes.

Statics

Functions

  • Run the check for CWE-119: Buffer Overflows.