Thursday, January 19, 2012

Memory Overflow: C versus Java

Memory overflow (a.k.a. buffer overflow, buffer overrun, overflow) is a vulnerability in applications caused by programming errors or by developers' ignorance of security [1], [2], [3]. It is a vulnerability whereby attackers or hackers can exploit code in a program to trigger an overflow in the computer's memory system (stack, heap, BSS, and data segment) [4], [5], [6], [7], [8], [9]. Among all programming languages, this issue is significant in C and Java [10], [11], [12], [13]. Between C and Java, the issue is more critical in C than in Java [14], [15], [16]. The table below shows the comparison that I've done between the two.

Table 1: C versus Java

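To make the C side of the comparison concrete, here is an added example (not part of the original post): an unchecked copy changes a field that sits next to a fixed-size buffer, while a length-checked copy rejects the same input, which is the check the Java runtime applies to every array access (raising `ArrayIndexOutOfBoundsException`). The `session` struct, its fields and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed buffer followed by a security-relevant flag. */
struct session {
    char name[8];
    int  is_admin;
};

/* Unchecked copy, as C permits: len is never compared with sizeof(name).
 * Writing through the struct's byte representation keeps this demo well
 * defined while still showing the adjacent field being overwritten. */
void set_name_unchecked(struct session *s, const void *src, size_t len) {
    memcpy((unsigned char *)s, src, len);
}

/* Checked copy: refuses input that does not fit (room for the NUL included).
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_checked(struct session *s, const char *src, size_t len) {
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Copies a constructed, oversized input and returns is_admin afterwards. */
int flag_after_copy(int use_checked) {
    unsigned char input[sizeof(struct session)];
    struct session s;
    memset(input, 'A', sizeof input);   /* constructed sample input */
    memset(&s, 0, sizeof s);            /* is_admin starts at 0 */
    if (use_checked)
        (void)set_name_checked(&s, (const char *)input, sizeof input);
    else
        set_name_unchecked(&s, input, sizeof input);
    return s.is_admin;
}

int main(void) {
    printf("unchecked: is_admin = %#x\n", (unsigned)flag_after_copy(0));
    printf("checked:   is_admin = %#x\n", (unsigned)flag_after_copy(1));
    return 0;
}
```
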
References:
[1] Viega, J., & McGraw, G. (2002). Building Secure Software: How to Avoid Security Problems the Right Way (2nd Printing ed.). Addison-Wesley.

[2] Seacord, R. (2005). Secure Coding in C and C++. United States of America: Addison-Wesley Professional.

[3] Kaspersky Lab ZAO. (n.d.). Software vulnerabilities. Retrieved November 19, 2011, from Securelist: http://www.securelist.com/en/threats/vulnerabilities?chapter=35

[4] Syracuse University. (2011). Buffer-Overflow Vulnerabilities and Attacks.

[5] Kratkiewicz, K., & Lippmann, R. (2005). A Taxonomy of Buffer Overflows for Evaluating Static and Dynamic Software Testing Tools. NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics. Long Beach, California.

[6] Fayolle, P. -A., & Glaume, V. (2002). A Buffer Overflow Study: Attacks and Defenses. Unpublished, SecurityFocus.

[7] Kundu, A., & Bertino, E. (2011). A New Class of Buffer Overflow Attacks. Proceedings of the 2011 31st International Conference on Distributed Computing Systems (pp. 730 - 739). Minneapolis: IEEE Computer Society.

[8] Conover, M., & Team, w. S. (1999, January). w00w00 on Heap Overflows. Retrieved November 28, 2011, from CGSecurity: http://www.cgsecurity.org/exploit/heaptut.txt

[9] Shao, Z., Zhuge, Q., He, Y., & Sha, E. H.-M. (2003). Defending Embedded Systems Against Buffer Overflow via Hardware/Software. Proceedings of the 19th Annual Computer Security Applications Conference. Washington, DC, USA: IEEE Computer Society.

[10] Cenzic Inc. (2009, November 9). Cenzic Web Application Security Trends Report Shows Increase in Hacker Attacks on Web Sites Exploiting Faults in Popular Web Browsers and Software. Retrieved January 30, 2011, from http://www.cenzic.com/pr/200911091/

[11] MITRE Corporation. (2012). Vulnerability Search. Retrieved January 10, 2012, from CVE Details - The ultimate security vulnerability datasource: http://www.cvedetails.com/vulnerability-search.php

[12] MITRE Corporation. (2012). Vulnerability Search - Java Overflow. Retrieved January 10, 2012, from CVE Details - The ultimate security vulnerability datasource: http://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=Java&cveid=&cweid=&cvssscoremin=&cvssscoremax=&psy=&psm=&pey=&pem=&usy=&usm=&uey=&uem=&opdos=1&opec=1&opmemc=1&opov=1

[13] Mandalia, R. (2011, December 07). Microsoft Holds Java Vulnerabilities Responsible in Nearly Half of All Attacks. Retrieved January 10, 2012, from ITProPortal - 24/7 Tech Commentary & Analysis: http://www.itproportal.com/2011/12/07/microsoft-holds-java-vulnerabilities-responsible-nearly-half-all-attacks/

[14] Baker, & Graeme. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph: http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html

[15] Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network, 24 (6), 2 - 3.

[16] Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html

[17] One, A. (1996). Smashing the Stack for Fun and Profit. Phrack Magazine, 7 (49).

[18] Viega, J., Bloch, J., Kohno, Y., & McGraw, G. (2000). ITS4: a static vulnerability scanner for C and C++ code. 16th Annual Conference of Computer Security Applications (ACSAC), (pp. 257 - 267). New Orleans, LA, USA.

[19] Krsul, I. V. (1998). Software Vulnerability Analysis. PhD Thesis, Purdue University.

[20] Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143).

[21] Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill.

[22] Howard, M., LeBlanc, D., & Viega, J. (2005). 19 Deadly Sins of Software Security - Programming Flaws and How To Fix Them. Emeryville, California, USA: McGraw-Hill/Osborne.

[23] Andersen, L. O. (1994). Program Analysis and Specialization for the C Programming Language. PhD Thesis, University of Copenhagen, Computer Science Department.

[24] National Institute of Standards and Technology. (2012, 16 01). Vulnerability Summary for CVE-2012-0266. Retrieved 16 01, 2012, from National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0266

[25] Open Source Vulnerability Database (OSVDB). (2012, 01 11). 78252 : NTR ActiveX Control Boundary Error Multiple Method Parameter Handling Overflow. Retrieved 01 16, 2012, from OSVDB: http://osvdb.org/show/osvdb/78252

[26] National Institute of Standards and Technology. (2008, October 09). Vulnerability Summary for CVE-2000-0146. Retrieved January 10, 2012, from National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0146

[27] IBM X-Force. (2011). IBM X-Force 2010 Trend and Risk Report. Technical Report, IBM.

[28] Martin, B., Brown, M., Parker, A., & Kirby, D. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. (S. Christey, Ed.) Retrieved September 28, 2011, from Common Weakness Enumeration (CWE): http://cwe.mitre.org/top25/

[29] Hewlett-Packard. (2011). 2010 Full Year Top Cyber Security Risks Report - In-depth analysis and attack data from HP DVLabs. Technical Report, HP.

[30] Cenzic Inc. (2010, March 2). Cenzic Web Application Security Trends Report Reveals 90 Percent of Web Applications Vulnerable, Adobe One of The Most Vulnerable. Retrieved January 30, 2011, from https://cenzic.com/pr_20100302/

[31] Chechik, D. (2011, December 16). Prevalent Exploit Kits Updated with a New Java Exploit. Retrieved January 10, 2012, from M86 Security Labs: http://labs.m86security.com/tag/java/

[32] Open Source Vulnerability Database (OSVDB). (2012). The Open Source Vulnerability Database. Retrieved January 10, 2012, from OSVDB: http://osvdb.org/

[33] MITRE Corporation. (2012). CVE Details. Retrieved January 10, 2012, from CVE Details: http://www.cvedetails.com

[34] IBM. (2012). Retrieved January 10, 2012, from IBM Internet Security System: http://xforce.iss.net

[35] Secunia. (2012). Retrieved January 10, 2012, from Secunia - Stay Secure: http://secunia.com/advisories/

[36] National Institute of Standards and Technology. (2012). Common Vulnerability Scoring System Version 2 Calculator. Retrieved January 10, 2012, from National Vulnerability Database: http://nvd.nist.gov/cvss.cfm?calculator&version=2

[37] Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html

[38] Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html

[39] Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.

[40] Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.-Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer.

[41] University of Maryland. (2011, December 21). FindBugs™ - Find Bugs in Java Programs. Retrieved January 10, 2012, from FindBugs: http://findbugs.sourceforge.net/

[42] SourceForge.net. (2011, November 04). PMD. Retrieved January 10, 2012, from PMD: http://pmd.sourceforge.net/

[43] Parasoft. (2012). Jtest - Java Static Analysis, Code Review, Unit Testing, Runtime Error Detection. Retrieved January 10, 2012, from Parasoft: http://www.parasoft.com/jsp/products/jtest.jsp/

[44] Coverity, Inc. (2012). Coverity Static Analysis. Retrieved January 10, 2012, from Coverity: http://www.coverity.com/products/static-analysis.html

[45] Henzinger, T. A., Beyer, D., Majumdar, R., & Jhala, R. (2008, 07 11). BLAST: Berkeley Lazy Abstraction Software Verification Tool. Retrieved November 27, 2011, from MTC - Models and Theory of Computation: http://mtc.epfl.ch/software-tools/blast/index-epfl.php

[46] National Science Foundation. (2010, August 4). Retrieved November 25, 2011, from Splint - Annotation Assisted Lightweight Static Checking: http://www.splint.org/

[47] Cousot, P., Cousot, R., Feret, J., Miné, A., & Rival, X. (2006, July 7). The Astrée Static Analyzer. Retrieved November 20, 2011, from The Astrée Static Analyzer: http://www.astree.ens.fr/

[48] MathWorks, Inc. (2011). Retrieved November 18, 2011, from Polyspace Client for C/C++: http://www.mathworks.com/products/polyspaceclientc/?s_cid=global_nav
