• Skip to main content
  • Skip to primary sidebar
  • Skip to footer

securitywing

Menu
  • About
  • Must Read
      • IIS Performance Boost
      • RFID Security
      • Web App Security Testing
      • How to Secure Home Network
      • Prevent Cross-Site Scripting Attacks
      • Renew Self-Signed Certificates
      • Penetration Testing Tools
      • VPN Concentrator
      • Forensic Investigation Tools
      • Digital Certificates
      • Cloud Security Issues
      • Advanced Evasion Prevention
      • Firewall Types
      • Tips to Prevent Data Exfiltration
      • Classified Info Handling
      • MySQL Security
      • Definition of 7 Types of Malware
      • VOIP Security
      • Why Antivirus Software Fails
      • 15 Network Security Vulnerabilities
      • Web App Security
      • IT Security Standards
      • Types of Virtualization
      • Android Security
      • Digital Signature
      • Advanced Malware Protection
    • Close
  • Consultancy
  • Contact

Buffer Overflow Protection Tutorial

by wing

When you write a simple program, for example, to print user name with greetings. For this program to run you assign character string 38 in the following way

Char name (38)

Here “name” is the variable name. The above code specifies that you name or users’ input would not be more than 38 characters long because you have already assigned only 38 bit of data into the buffer. So, buffer overflow is such type of attack where the buffer memory is bombarded with more data than it can actually handle.

buffer overflow

There are two types of buffer overflow attacks:

  • Stack based
  • Heap based

A stack or heap is used to store users input until a program needs it to run an application. For storing data in static memory stacks are used whereas for storing dynamic data heaps memory is used. In a buffer overflow attack a perpetrator send a large amount of data to exhaust the storing capacity of stack memory. This is done with the help of a malicious program, which can be a pre-written codes or exploits.

What can be done to protect a system against buffer overflow?

  • First of all, you need to remember that buffer overflow occurs due to poor coding practices or programming vulnerabilities. So, you make sure that the source code of your application does not have any inherent vulnerability.
  • One of the common reasons for this type of attack is the lack of input validation. Before sending the data to the memory a program should sanitization the data by making sure that the length and format of the input satisfy the requirements of the input declared by the program. An example of input validation is website’s feedback or contact form, where the input must meet the criteria specified by the programs; users should not be allowed to send data of any length and any format.
  • Programmers should avoid using built-in functions such as strcpy (), strcat (), which are prone to butter overflow attacks.
  • If possible you can use JAVA to replaces the use of C/C++ because JAVA cannot be exploited by buffer overflow attack.
  • Whenever possible remove the cmd.exe, ftp.exe and tftp.exe from your operating systems. If you need to keep those executable files for a specific purpose then restrict their usage with access control list.
  • Isolate core JAVA servlets from the application servlets in JAVA application servers. If you place the core servlets with the application servlets in the same physical place, an attacker can use the servlets invoker to invoker.
  • If there are servlets that are physically present in your server, but are not registered then remove them or do not let them to be executed.
  • Always disable the direct invocation of application servlets by not mapping your servlets with URL because they are capable of invoking any arbitrary servlets.
  • Normally, JAVA application servers are shipped with many unnecessary example servlets. If you JAVA machines has such servlets then simply unregistered them as a counter measure to buffer overflow attacks.

 

Related Posts:

  • How Do I Know If My Computer Has Been Hacked?
  • Top 20 Windows Server Security Hardening Best Practices
  • 3 Simple Steps to Secure Gmail Account from Hackers
  • 20 Types of Database Security to Defend Against Data Breach
  • Tips for Network Security Breach Investigation

Filed Under: Internet Security and Safety Tagged With: computer, security

Primary Sidebar

CISSP Sample Test

Take a CISSP Sample Test

CISA IT governance Sample test



Twitter Follow @securitywing

Categories

  • AWS
  • containers
  • Internet Security and Safety
  • IS Audit
  • IT Security Exams
  • Network Security Tips
  • Off Track
  • Telecom
  • Tutorial

Pages

  • About
  • Best IT Security Certification Exam
  • CISA IT governance Sample test
  • CISA Sample Test
  • CISSP Sample Test Online
  • Consultancy
  • Contact

Popular Posts

  • 3 Steps to Install Miniku...
  • How to install a new Goda...
  • 63 Web Application Securi...
  • How to Renew Self-Signed...
  • How to Setup AWS CloudFro...
  • Host Based IDS vs Network...
  • 8 Effective Ways to Impro...
  • Active vs Passive FTP Mod...
  • Top 10 RFID Security Conc...
  • 3 Simple Steps to Capture...

Footer

Copyrights

Protected by Copyscape Duplicate Content Detection Software

Securitywing.com reserves the copyrights of all of its published articles.No contents of this site is permitted to be published to anywhere else in the Internet.If any contents are found in any other websites, securitywing reserves the rights to file a DMCA complaint. But you have the right to use the link of any relevant article of this site to point from your website if you consider that it might improve the quality of your article.

Tags

antivirus audit AWS backup browser check cisco cloud computer cyber data database encryption firewall home hsrp ids informaiton internet intrusion it kubernetes linux load balancing malware network protection putty risk router security security tips server ssh SSL switch tools virus vpn vulnerability web webserver website windows wordpress

Copyright © 2010-2023 ·All Rights Reserved · SecurityWing.com