
The mobile app must not call functions vulnerable to buffer overflows.


Overview

Finding ID: SRG-APP-000516-MAPP-000069
Version: SRG-APP-000516-MAPP-000069
Rule ID: SRG-APP-000516-MAPP-000069_rule
IA Controls: (none listed)
Severity: Medium
Description
Buffer overflow attacks occur when improperly validated input is passed to an app and overwrites memory. Buffer overflow errors stop execution of the app, causing at a minimum a denial of service and possibly a system call to a command shell that gives an attacker access to the underlying operating system. An app that avoids buffer overflow situations assures the DoD greater availability of the app due to better security against DoS attacks. Please refer to CWEs: 20, 74, 78, 88, 117, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 250, 251, 265, 415, 560, 686, 733, 787, and 805 for further information. The MAPP SRG Overview contains additional information on the use of CWEs. Further information on testing for buffer overflows can be found at https://www.owasp.org/index.php/Reviewing_Code_for_Buffer_Overruns_and_Overflows.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000069_chk )
Perform a static program analysis to assess how the app is written to properly manage buffer overflows. The static program analysis should evaluate measures that are in place that size buffers as appropriate for the operation of the app. Also, the analysis should seek the following areas of vulnerability:
- Cases where input is not checked before being copied into a buffer
- Incorrect use of some of the functions listed in Appendix B of the Application Security and Development STIG
- Incorrect calculations to determine buffer sizes
- Incorrect calculations to determine array indexes

Furthermore, for IPv6-capable apps, existing libraries must be checked to ensure they are capable of processing the increased size of IPv6 addresses to avoid buffer overflows. See section 5.4 of the Application Security and Development STIG for additional details.

If any of these vulnerabilities are found, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000069_fix)
Modify code to remove identified or likely sources of buffer overflow vulnerabilities to include the following:
- Use static analysis tools that are known to find this class of vulnerability with few false positives.
- Validate all input before use, allowing only known-good input through.
- Recheck all calculations to ensure buffer sizes are calculated correctly.
- Recheck all array access and flow control calculations.
- Use compile-time options that add compiler buffer overrun defenses.
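The following is an added C example, not part of the SRG text or of any DoD project code. It illustrates the vulnerability areas the check text lists (input copied into a buffer without being checked, buffer-size arithmetic that can wrap, array indexes that are not bounds-checked) alongside the fix text's remedies: allow-list validation of input, bounded copies, overflow-checked size calculation and explicit index checks. Every function name, buffer limit and input string here is constructed for the example.

```c
/* Added example, not from the SRG. Names and limits are made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* constructed: room for 15 bytes plus the terminator */

/* Allow-list check: only ASCII letters, digits and '_' are accepted. */
static int is_allowed_name(const char *s)
{
    for (; *s; s++) {
        int c = (unsigned char)*s;
        int ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                 (c >= 'a' && c <= 'z') || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Copy src into dst only if it is validated and fits, terminator included.
 * Returns 0 on success, -1 on rejection; never writes past dst_size bytes.
 * This replaces the unchecked pattern strcpy(dst, src) / gets(dst). */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (!dst || !src || dst_size == 0)
        return -1;
    while (n < dst_size && src[n] != '\0')   /* bounded scan, no strlen */
        n++;
    if (n == dst_size)                       /* no room for the terminator */
        return -1;
    if (!is_allowed_name(src))               /* only known-good bytes pass */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Size calculation that refuses to wrap: returns count * elem_size, or 0
 * when the product would overflow size_t, so the caller rejects the request
 * instead of allocating a buffer that is smaller than it believes. */
size_t buffer_bytes(size_t count, size_t elem_size)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return 0;
    return count * elem_size;
}

/* Bounds-checked store. idx is signed on purpose: a negative index that
 * would silently wrap in an unsigned compare is rejected explicitly. */
int set_flag(uint8_t *flags, size_t count, long idx, uint8_t value)
{
    if (!flags || idx < 0 || (size_t)idx >= count)
        return -1;
    flags[idx] = value;
    return 0;
}

/* Exercises each scenario a static-analysis finding would point at and
 * returns how many of the six checks behaved as intended. */
int self_check(void)
{
    char name[NAME_BUF];
    uint8_t flags[4] = {0};
    int passed = 0;

    /* constructed inputs */
    passed += copy_name(name, sizeof name, "alice_01") == 0 &&
              strcmp(name, "alice_01") == 0;                                  /* fits, valid */
    passed += copy_name(name, sizeof name, "this_name_is_far_too_long") == -1; /* overlong */
    passed += copy_name(name, sizeof name, "alice;rm") == -1;                  /* bad bytes */
    passed += buffer_bytes(SIZE_MAX / 2 + 1, 2) == 0;                          /* would wrap */
    passed += set_flag(flags, sizeof flags, -1, 1) == -1;                      /* negative */
    passed += set_flag(flags, sizeof flags, 4, 1) == -1;                       /* one past end */
    return passed;
}

int main(void)
{
    printf("%d of 6 checks passed\n", self_check());
    return 0;
}
```

The fix text's last item, compiler defenses, maps to building this with the hardening options GCC and Clang provide, for example `-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wall -Wextra -Wformat-security`; `_FORTIFY_SOURCE` turns known-size `memcpy` and `strcpy` calls into checked variants, and the stack protector catches overruns of `name` that slip past review. For the IPv6 point in the check text, the textual form of an address needs `INET6_ADDRSTRLEN` (46) bytes including the terminator rather than `INET_ADDRSTRLEN` (16), so any library buffer sized for dotted-quad strings is exactly the kind of fixed-size assumption the static analysis should flag.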