CISA, FBI urge manufacturers to eliminate buffer overflow vulnerabilities with secure-by-design practices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI (Federal Bureau of Investigation) rolled out Wednesday a Secure by Design alert, ‘Eliminating Buffer Overflow Vulnerabilities,’ as part of their cooperative ‘Secure by Design’ alert series—an ongoing series aimed at advancing industry-wide best practices to eliminate entire classes of vulnerabilities during the design and development phases of the product lifecycle. The agencies recognize buffer overflow vulnerabilities as a prevalent type of memory safety software design defect that regularly leads to system compromise. They urge manufacturers to take immediate action to prevent these vulnerabilities from being introduced into the products.
The alert describes proven techniques to prevent or mitigate buffer overflow vulnerabilities through secure-by-design principles and best practices. These buffer overflow vulnerabilities are a prevalent type of defect in memory-safe software design that can lead to system compromise. These vulnerabilities pose serious security risks, as they may lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution. Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.
The agencies identified that buffer overflow vulnerabilities arise when threat actors access or write information in the wrong part of a computer’s memory (i.e., outside the memory buffer). These vulnerabilities can occur in two main memory regions in which buffers are managed: stack-based overflows (allocated on a memory stack), and heap-based overflows (allocated on a memory heap).
The CISA and FBI noted that manufacturers can prevent buffer overflow vulnerabilities by using secure-by-design practices Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect. Also, the agencies recommend that software customers ensure manufacturers demonstrate adherence to the safe software development practices contained in the alert by requesting that manufacturers provide a Software Bill of Materials (SBOM) and a secure software development attestation.
To prevent buffer overflow vulnerabilities, some of the components technical leaders should implement where feasible the use of memory-safe languages when developing software to shift the burden of memory management from the developer to the programming language’s built-in safety features. They recognize that it is possible to disable or override the memory safety guarantees of some memory-safe languages; developers must avoid doing so to prevent buffer overflow vulnerabilities. Also, using a memory-safe language for one part of a software package does not fix memory-unsafe code in other libraries.
The authoring agencies recognize there is significant effort required to rewrite codebases in memory-safe languages. Therefore, they recommend manufacturers develop and implement a phased transition plan for increasing memory-safe language usage. Ideally, this plan should include using memory-safe languages to develop new code and, over time and when feasible, transition their software’s most highly privileged/exposed code to memory-safe languages. Also, while transitioning to memory-safe languages, manufacturers should consider leveraging technologies to limit memory safety vulnerabilities in their existing code bases, enable compiler flags that implement compile time and runtime protections against buffer overflows, and implement canaries that alert if an overflow occurs.
Also, technical leaders should run unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that exercises source code with runtime checks for buffer overflows and other memory safety issues. In a codebase with significant unit test coverage, such tools can detect many (but not all) memory safety-related issues before they become a vulnerability.
They must also conduct aggressive adversarial product testing, including static analysis, fuzzing, and manual reviews (as needed) to ensure the quality and security of code throughout the development lifecycle; and publish a memory-safety roadmap outlining how the manufacturer plans to develop new products with memory-safe languages and migrate code to memory safe languages in a prioritized manner.
The alert also prescribed conducting root cause analysis of past vulnerabilities, including buffer overflows, to spot trends and patterns. Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes.
The CISA and FBI alert said that products that are secure by design reasonably protect against malicious cyber actors exploiting the most common and dangerous classes of product defect. Incorporating security at the outset of the software development lifecycle (beginning in the design phase and continuing through development, release, and updates) reduces the burden on customers and risks to the public. Despite this finding, buffer overflow vulnerabilities remain a prevalent class of defect.
Further, where feasible, manufacturers should work to eliminate buffer overflow vulnerabilities by developing new software using memory-safe languages and the best practices described in this alert. Eliminating buffer overflow vulnerabilities can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.
Manufacturers are encouraged to adopt the three Secure by Design principles developed by 17 global cybersecurity agencies to enhance software security. They should take ownership of customer security outcomes by addressing vulnerabilities, such as buffer overflows, during the software development lifecycle. This includes using secure building blocks, automated safeguards, static analysis tools, and rigorous code reviews to prevent flaws before deployment, rather than relying on post-release fixes.
Manufacturers must also transparently disclose vulnerabilities through programs like the Common Vulnerabilities and Exposures (CVE) and use Common Weakness Enumeration (CWE) to track defect classes. They should establish robust vulnerability disclosure programs (VDPs) and product security incident response teams (PSIRTs) to address root causes and eliminate memory safety issues.
Lastly, they must build organizational structure and leadership to achieve these goals. Executives should treat software security as a strategic investment, recognizing its long-term cost savings and broader impact on customers, the economy, and national security. Examples include adopting memory-safe programming languages (e.g., Google’s Android team) and proactively eliminating vulnerability classes. Leaders must allocate resources, monitor progress, and embed security as a core business priority.
The agencies recommended that software manufacturers should consider taking the Secure by Design Pledge to demonstrate their commitment to building their products to be secure by design. The pledge lays out seven key goals that signers commit to demonstrate measurable progress in making their products secure by design, including reducing systemic classes of vulnerability like buffer overflows.
Customers should demand that software is secure by design. Organizations looking to acquire software that is secure by design should refer to the agencies’ Secure by Demand guidance and incorporate product security considerations into their procurement lifecycle. Before procurement, they should ask questions to understand how each software manufacturer ensures product security; during procurement integrate the organization’s product security requirements into contract language; and following procurement, they must continually assess product security and security outcomes.
link
