Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Defending C Applications Against Stack-based Buffer Overflow
Stack-based buffer overflow vulnerabilities occur when the application code incorrectly calculates or limits the amount of data being written into data structures allocated to the stack. Successful exploitation of Stack-based Buffer Overflow vulnerabilities leads to arbitrary code execution. Most platforms provide multiple defense-in-depth measures to make buffer overflow exploitation more difficult, but these measures cannot be relied on as a complete defense. In other words, Stack-based Buffer Overflow vulnerabilities are very dangerous, and memory operations have to be performed correctly even if the platform provides some protection against exploitation.
This Skill Lab provides a virtual environment that contains a vulnerable application with its complete source code for training developers to identify and remediate Stack-based Buffer Overflow vulnerabilities.
Course Overview
Learning Objectives
In this lab, the learner will receive hands-on experience testing for a Stack-based Buffer Overflow vulnerability and implementing an appropriate mitigation. The typical solutions include validating the size of data being copied before writing it to a buffer and allocating sufficiently large buffers to hold data.
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
Competency Areas
Work Roles
Feedback
If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.