
The mobile application must not call functions vulnerable to buffer overflows.


Overview

Finding ID: V-35751
Version: SRG-APP-999999-MAPP-00069
Rule ID: SV-47038r1_rule
IA Controls:
Severity: Medium
Description
Buffer overflow attacks occur when improperly validated input is passed to an application and overwrites memory. Buffer overflow errors stop execution of the application, causing at a minimum a denial of service and possibly a system call to a command shell that gives an attacker access to the underlying operating system. An application that avoids buffer overflow situations assures DoD greater availability of the application due to better security against DoS attacks. Please refer to CWEs: 20, 74, 78, 88, 117, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 250, 251, 265, 415, 560, 686, 733, 787, and 805 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG Date
Mobile Application Security Requirements Guide 2013-01-04

Details

Check Text (C-44095r2_chk)
Perform a static program analysis to assess how the application is written to properly manage buffer overflows. The static program analysis should evaluate the measures in place to size buffers appropriately for the operation of the application. Also, the analysis should seek the following areas of vulnerability:
- Cases where input is not checked before being copied into a buffer.
- Incorrect use of some of the functions listed in Appendix B of the Application Security and Development STIG.
- Incorrect calculations to determine buffer sizes.
- Incorrect calculations to determine array indexes.

Furthermore, for IPv6-capable applications, existing libraries must be checked to ensure they are capable of processing the increased size of IPv6 addresses to avoid buffer overflows. See section 5.4 of the Application Security and Development STIG for additional details.
Fix Text (F-40296r2_fix)
Modify code to remove identified or likely sources of buffer overflow vulnerabilities to include the following:
- Use static analysis tools that are known to find this class of vulnerability with few false positives.
- Validate all input before use, allowing only known-good input through.
- Recheck all calculations to ensure buffer sizes are calculated correctly.
- Recheck all array access and flow control calculations.
- Use compile-time options that add compiler buffer overrun defenses.
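
The IPv6 sizing check and the "validate all input" and "recheck buffer sizes" fix items, shown together as an added example (not code from the SRG or the Application Security and Development STIG). The function name `normalize_ip` is hypothetical and the sample address is constructed from the 2001:db8::/32 documentation prefix.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Before (kept as a comment, not compiled): buffer sized for IPv4 text and
 * an unbounded copy. A full IPv6 literal overruns the 16 bytes.
 *
 *     char addr[INET_ADDRSTRLEN];
 *     strcpy(addr, peer_text);
 */

/* After: accept untrusted text only if it parses as an IP literal, then
 * re-render it with a bounded call. Returns 0 on success, -1 if the input
 * is not an address or the caller's buffer is too small. Nothing is
 * truncated silently. */
int normalize_ip(const char *text, char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)]; /* large enough for either family */
    int family;

    if (text == NULL || out == NULL || outlen == 0)
        return -1;
    /* No NUL within INET6_ADDRSTRLEN bytes: longer than any valid literal. */
    if (memchr(text, '\0', INET6_ADDRSTRLEN) == NULL)
        return -1;
    if (inet_pton(AF_INET, text, bin) == 1)
        family = AF_INET;
    else if (inet_pton(AF_INET6, text, bin) == 1)
        family = AF_INET6;
    else
        return -1;                      /* known-good input only */
    /* inet_ntop() fails with ENOSPC instead of writing past outlen. */
    if (inet_ntop(family, bin, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

int main(void)
{
    const char *v6 = "2001:db8:85a3:8d3:1319:8a2e:370:7348"; /* constructed */
    char small[INET_ADDRSTRLEN], big[INET6_ADDRSTRLEN];

    printf("IPv4-sized buffer: %d\n", normalize_ip(v6, small, sizeof small));
    printf("IPv6-sized buffer: %d (%s)\n",
           normalize_ip(v6, big, sizeof big), big);
    return 0;
}
```

Sizing the destination with `INET6_ADDRSTRLEN` covers both address families; the IPv4-sized buffer is rejected for the IPv6 input instead of being overrun.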